Fix CVE-2017-11613 (#1475531)

This commit is contained in:
Nikola Forró 2018-06-06 16:30:30 +02:00
parent 6bfda150e7
commit 7a969a193d
2 changed files with 50 additions and 1 deletions

@ -0,0 +1,44 @@
From 5c3bc1c78dfe05eb5f4224650ad606b75e1f7034 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 11 Mar 2018 11:14:01 +0100
Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion
(CVE-2017-11613)
In ChopUpSingleUncompressedStrip(), if the computed number of strips is big
enough and we are in read only mode, validate that the file size is consistent
with that number of strips to avoid useless attempts at allocating a lot of
memory for the td_stripbytecount and td_stripoffset arrays.
Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more
cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979.
Credit to OSS Fuzz
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724
---
libtiff/tif_dirread.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 80aaf8d..5896a78 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
if( nstrips == 0 )
return;
+ /* If we are going to allocate a lot of memory, make sure that the */
+ /* file is as big as needed */
+ if( tif->tif_mode == O_RDONLY &&
+ nstrips > 1000000 &&
+ (offset >= TIFFGetFileSize(tif) ||
+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
+ {
+ return;
+ }
+
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array");
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
--
2.17.1
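Review bot: the new guard in ChopUpSingleUncompressedStrip() calls TIFFGetFileSize(tif) twice and relies on the bare literal 1000000 as the "a lot of memory" threshold; hoisting the file size into a local and giving the threshold a name would make the intent clearer and avoid a second size lookup. The division by (nstrips - 1) is only safe because the nstrips > 1000000 test precedes it in the same condition, and the offset >= TIFFGetFileSize(tif) test is what keeps the subtraction in the next operand from underflowing; a one-line comment spelling out that ordering dependency would protect the check against a later reordering. The early return is also silent: a file rejected here is left with its single uncompressed strip and no diagnostic, so the caller cannot tell an oversized-strip rejection from a file that simply did not need chopping. Note that the check is limited to tif->tif_mode == O_RDONLY, which matches the commit message but means files opened for update still take the unguarded allocation path.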

@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files Summary: Library of functions for manipulating TIFF format image files
Name: libtiff Name: libtiff
Version: 4.0.9 Version: 4.0.9
Release: 9%{?dist} Release: 10%{?dist}
License: libtiff License: libtiff
Group: System Environment/Libraries Group: System Environment/Libraries
URL: http://www.simplesystems.org/libtiff/ URL: http://www.simplesystems.org/libtiff/
@ -16,6 +16,7 @@ Patch4: libtiff-CVE-2017-9935.patch
Patch5: libtiff-CVE-2017-18013.patch Patch5: libtiff-CVE-2017-18013.patch
Patch6: libtiff-CVE-2018-8905.patch Patch6: libtiff-CVE-2018-8905.patch
Patch7: libtiff-CVE-2018-10963.patch Patch7: libtiff-CVE-2018-10963.patch
Patch8: libtiff-CVE-2017-11613.patch
BuildRequires: gcc, gcc-c++ BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@ -75,6 +76,7 @@ image files using the libtiff library.
%patch5 -p1 %patch5 -p1
%patch6 -p1 %patch6 -p1
%patch7 -p1 %patch7 -p1
%patch8 -p1
# Use build system's libtool.m4, not the one in the package. # Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4 rm -f libtool.m4
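Review bot: the -p1 strip level on the added %patch8 line is consistent with the a/libtiff/tif_dirread.c and b/libtiff/tif_dirread.c paths in libtiff-CVE-2017-11613.patch, and the Patch8 tag, %patch8 application and 4.0.9-10 changelog entry all reference the same CVE and bug number as the commit title, so the spec change is internally consistent; the only thing to confirm is that the patch applies on top of Patch7, since the hunk header in the patch file (@@ -5760,6 +5760,16 @@) was generated against upstream git rather than the 4.0.9 release tree.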
@ -178,6 +180,9 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Wed Jun 06 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-10
- Fix CVE-2017-11613 (#1475531)
* Wed May 30 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-9 * Wed May 30 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-9
- Fix CVE-2017-9935, CVE-2017-18013 (#1530441), - Fix CVE-2017-9935, CVE-2017-18013 (#1530441),
CVE-2018-8905 (#1559705) and CVE-2018-10963 (#1579061) CVE-2018-8905 (#1559705) and CVE-2018-10963 (#1579061)