Fix CVE-2017-11613 (#1475531)

2018-06-06 16:30:30 +02:00 · 2018-06-06 16:30:30 +02:00 · 7a969a193d
commit 7a969a193d
parent 6bfda150e7
2 changed files with 50 additions and 1 deletions
--- a/libtiff-CVE-2017-11613.patch
+++ b/libtiff-CVE-2017-11613.patch
@ -0,0 +1,44 @@
+From 5c3bc1c78dfe05eb5f4224650ad606b75e1f7034 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 11 Mar 2018 11:14:01 +0100
+Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion
+ (CVE-2017-11613)
+
+In ChopUpSingleUncompressedStrip(), if the computed number of strips is big
+enough and we are in read only mode, validate that the file size is consistent
+with that number of strips to avoid useless attempts at allocating a lot of
+memory for the td_stripbytecount and td_stripoffset arrays.
+
+Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more
+cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979.
+Credit to OSS Fuzz
+
+Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724
+---
+ libtiff/tif_dirread.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 80aaf8d..5896a78 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
+         if( nstrips == 0 )
+             return;
+ 
+        /* If we are going to allocate a lot of memory, make sure that the */
+        /* file is as big as needed */
+        if( tif->tif_mode == O_RDONLY &&
+            nstrips > 1000000 &&
+            (offset >= TIFFGetFileSize(tif) ||
+             stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
+        {
+            return;
+        }
+
+ 	newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ 				"for chopped \"StripByteCounts\" array");
+ 	newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+-- 
+2.17.1
+
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.0.9
-Release:       9%{?dist}
+Release:       10%{?dist}
 License:       libtiff
 Group:         System Environment/Libraries
 URL:           http://www.simplesystems.org/libtiff/
@ -16,6 +16,7 @@ Patch4:        libtiff-CVE-2017-9935.patch
 Patch5:        libtiff-CVE-2017-18013.patch
 Patch6:        libtiff-CVE-2018-8905.patch
 Patch7:        libtiff-CVE-2018-10963.patch
+Patch8:        libtiff-CVE-2017-11613.patch

 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@ -75,6 +76,7 @@ image files using the libtiff library.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1

 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@ -178,6 +180,9 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Wed Jun 06 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-10
+- Fix CVE-2017-11613 (#1475531)
+
 * Wed May 30 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-9
 - Fix CVE-2017-9935, CVE-2017-18013 (#1530441),
  CVE-2018-8905 (#1559705) and CVE-2018-10963 (#1579061)