38 lines
1.4 KiB
Diff
38 lines
1.4 KiB
Diff
From b7bc0d684cee380f7497cb095a115361dbabef71 Mon Sep 17 00:00:00 2001
|
|
From: Even Rouault <even.rouault@mines-paris.org>
|
|
Date: Tue, 13 Mar 2018 14:39:30 +0000
|
|
Subject: [PATCH] (CVE-2018-15209) Merge branch
|
|
'avoid_memory_exhaustion_in_ChopUpSingleUncompressedStrip' into 'master'
|
|
|
|
ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)
|
|
|
|
See merge request libtiff/libtiff!26
|
|
|
|
(cherry picked from commit 0a2e5e98b353a987ea69985d2283bba569a7e063)
|
|
---
|
|
libtiff/tif_dirread.c | 11 +++++++++++
|
|
1 file changed, 11 insertions(+)
|
|
|
|
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
|
index b72e6a3b..bc1ab083 100644
|
|
--- a/libtiff/tif_dirread.c
|
|
+++ b/libtiff/tif_dirread.c
|
|
@@ -5765,6 +5765,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
|
|
if( nstrips == 0 )
|
|
return;
|
|
|
|
+ /* If we are going to allocate a lot of memory, make sure that the */
|
|
+ /* file is as big as needed */
|
|
+ if( tif->tif_mode == O_RDONLY &&
|
|
+ nstrips > 1000000 &&
|
|
+ (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) ||
|
|
+ tif->tif_dir.td_stripbytecount[0] >
|
|
+ TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )
|
|
+ {
|
|
+ return;
|
|
+ }
|
|
+
|
|
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
|
|
"for chopped \"StripByteCounts\" array");
|
|
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
|