program. This is in response to the report associated with
CVE-2017-16232 but does not solve the extremely high memory usage
with the associated POC file.
function that checks if the offset is not bigger than INT64_MAX, so as
to avoid a -1 error return code of TIFFSeekFile() to match a required
seek to UINT64_MAX/-1.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2726
Adapted from proposal by Nicolas Ruff.
file if the codestream height is larger than the truncated height of the
strip. Emit a warning in this situation since this is non compliant.
* test/Makefile.am: add missing reference to images/quad-lzw-compat.tiff
to fix "make distcheck". Patch by Roger Leigh
on uint32 when selecting the value of SubIFD tag by runtime check
(in TIFFWriteDirectoryTagSubifd()).
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2728
Reported by team OWL337
SubIFD tag by runtime check (in TIFFWriteDirectorySec())
allocation attempts in TIFFReadDirEntryArray() on short files.
Effective for mmap'ed case. And non-mmap'ed case, but restricted
to 64bit builds.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675
arrays that hold StripOffsets/StripByteCounts, when they are smaller
than the expected number of striles, up to 1 million striles, and
error out beyond. Can be tweaked by setting the environment variable
LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT.
This partially goes against a change added on 2002-12-17 to accept
those arrays of wrong sizes, but is needed to avoid denial of services.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350
Credit to OSS Fuzz
Complementary fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708
in the isMapped() case, so as to avoid excessive memory allocation
when we need a temporary buffer but the file is truncated.
strips. Crashing issue only on memory mapped files, where the strip
offset is the last byte of the file, and the file size is a multiple
of one page size on the CPU architecture (typically 4096). Credit
to myself :-)
and _TIFFReadTileAndAllocBuffer() variants of TIFFReadEncodedTile() and
TIFFReadTile() that allocates the decoded buffer only after a first
successful TIFFFillTile(). This avoids excessive memory allocation
on corrupted files.
* libtiff/tif_getimage.c: use _TIFFReadTileAndAllocBuffer().
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2470
Credit to OSS Fuzz.
tif_rawdataloaded when it is set. Similarly to TIFFStartStrip().
This issue was revealed by the change of 2017-06-30 in TIFFFileTile(),
limiting the number of bytes read. But it could probably have been hit
too in CHUNKY_STRIP_READ_SUPPORT mode previously ?
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454
Credit to OSS Fuzz
of bytes read in case td_stripbytecount[strip] is bigger than
reasonable, so as to avoid excessive memory allocation (similarly to
what was done for TIFFFileStrip() on 2017-05-10)
libtiff/tif_read.c: make TIFFReadScanline() works in
CHUNKY_STRIP_READ_SUPPORT mode with JPEG stream with multiple scans.
Also make configurable through a LIBTIFF_JPEG_MAX_ALLOWED_SCAN_NUMBER
environment variable the maximum number of scans allowed. Defaults to
100.
memory allocation is above 100 MB. libjpeg in case of multiple scans,
which is allowed even in baseline JPEG, if components are spread over several
scans and not interleavedin a single one, needs to allocate memory (or
backing store) for the whole strip/tile.
See http://www.libjpeg-turbo.org/pmwiki/uploads/About/TwoIssueswiththeJPEGStandard.pdf
This limitation may be overriden by setting the
LIBTIFF_ALLOW_LARGE_LIBJPEG_MEM_ALLOC environment variable, or recompiling
libtiff with a custom value of TIFF_LIBJPEG_LARGEST_MEM_ALLOC macro.
disable CLang warnings raised by -fsanitize=undefined,unsigned-integer-overflow
* libtiff/tif_predict.c: decorate legitimate functions where unsigned int
overflow occur with TIFF_NOSANITIZE_UNSIGNED_INT_OVERFLOW
* libtiff/tif_dirread.c: avoid unsigned int overflow in EstimateStripByteCounts()
and BYTECOUNTLOOKSBAD when file is too short.
* libtiff/tif_jpeg.c: avoid (harmless) unsigned int overflow on tiled images.
* libtiff/tif_fax3.c: avoid unsigned int overflow in Fax3Encode2DRow(). Could
potentially be a bug with huge rows.
* libtiff/tif_getimage.c: avoid many (harmless) unsigned int overflows.
ChopUpSingleUncompressedStrip() regarding update of newly single-strip
uncompressed files whose bytecount is 0. Before the change of 2016-12-03,
the condition bytecount==0 used to trigger an early exit/disabling of
strip chop. Re-introduce that in update mode. Otherwise this cause
later incorrect setting for the value of StripByCounts/StripOffsets.