87 lines
3.0 KiB
Diff
87 lines
3.0 KiB
Diff
From 8f70b086e6553b4d41aaff2c5fb4266859436626 Mon Sep 17 00:00:00 2001
|
|
From: Thomas Bernard <miniupnp@free.fr>
|
|
Date: Sun, 15 Nov 2020 17:02:51 +0100
|
|
Subject: [PATCH] (CVE-2020-35521 CVE-2020-35522) enforce (configurable) memory
|
|
limit in tiff2rgba
|
|
|
|
fixes #207
|
|
fixes #209
|
|
|
|
(cherry picked from commit 98a254f5b92cea22f5436555ff7fceb12afee84d)
|
|
---
|
|
tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
|
|
1 file changed, 23 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
|
|
index 4de96aec..e6de2209 100644
|
|
--- a/tools/tiff2rgba.c
|
|
+++ b/tools/tiff2rgba.c
|
|
@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
|
|
int process_by_block = 0; /* default is whole image at once */
|
|
int no_alpha = 0;
|
|
int bigtiff_output = 0;
|
|
+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
|
|
+/* malloc size limit (in bytes)
|
|
+ * disabled when set to 0 */
|
|
+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
|
|
|
|
|
|
static int tiffcvt(TIFF* in, TIFF* out);
|
|
@@ -70,8 +74,11 @@ main(int argc, char* argv[])
|
|
extern char *optarg;
|
|
#endif
|
|
|
|
- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
|
|
+ while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1)
|
|
switch (c) {
|
|
+ case 'M':
|
|
+ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
|
|
+ break;
|
|
case 'b':
|
|
process_by_block = 1;
|
|
break;
|
|
@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
|
|
(unsigned long)width, (unsigned long)height);
|
|
return 0;
|
|
}
|
|
+ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
|
|
+ TIFFError(TIFFFileName(in),
|
|
+ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
|
|
+ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
|
|
+ return 0;
|
|
+ }
|
|
|
|
rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
|
|
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
|
|
@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out)
|
|
TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
|
|
CopyField(TIFFTAG_DOCUMENTNAME, stringv);
|
|
|
|
+ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
|
|
+ {
|
|
+ TIFFError(TIFFFileName(in),
|
|
+ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
|
|
+ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
|
|
+ return 0;
|
|
+ }
|
|
if( process_by_block && TIFFIsTiled( in ) )
|
|
return( cvt_by_tile( in, out ) );
|
|
else if( process_by_block )
|
|
@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out)
|
|
}
|
|
|
|
static char* stuff[] = {
|
|
- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
|
|
+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
|
|
"where comp is one of the following compression algorithms:",
|
|
" jpeg\t\tJPEG encoding",
|
|
" zip\t\tZip/Deflate encoding",
|
|
@@ -543,6 +563,7 @@ static char* stuff[] = {
|
|
" -b (progress by block rather than as a whole image)",
|
|
" -n don't emit alpha component.",
|
|
" -8 write BigTIFF file instead of ClassicTIFF",
|
|
+ " -M set the memory allocation limit in MiB. 0 to disable limit",
|
|
NULL
|
|
};
|
|
|