1From 5c3bc1c78dfe05eb5f4224650ad606b75e1f7034 Mon Sep 17 00:00:00 2001 2From: Even Rouault <even.rouault@spatialys.com> 3Date: Sun, 11 Mar 2018 11:14:01 +0100 4Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion 5 (CVE-2017-11613) 6 7In ChopUpSingleUncompressedStrip(), if the computed number of strips is big 8enough and we are in read only mode, validate that the file size is consistent 9with that number of strips to avoid useless attempts at allocating a lot of 10memory for the td_stripbytecount and td_stripoffset arrays. 11 12Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more 13cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979. 14Credit to OSS Fuzz 15 16Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724 17--- 18 libtiff/tif_dirread.c | 10 ++++++++++ 19 1 file changed, 10 insertions(+) 20 21diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c 22index 80aaf8d..5896a78 100644 23--- a/libtiff/tif_dirread.c 24+++ b/libtiff/tif_dirread.c 25@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif) 26 if( nstrips == 0 ) 27 return; 28 29+ /* If we are going to allocate a lot of memory, make sure that the */ 30+ /* file is as big as needed */ 31+ if( tif->tif_mode == O_RDONLY && 32+ nstrips > 1000000 && 33+ (offset >= TIFFGetFileSize(tif) || 34+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) 35+ { 36+ return; 37+ } 38+ 39 newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), 40 "for chopped \"StripByteCounts\" array"); 41 newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), 42-- 432.17.1 44 45