Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found
Select Git revision
  • 215-cygwin-appveyor-fail
  • branch-3.9
  • ci-arm64
  • ci-coverity
  • ci-x64
  • cmake-msvc-options
  • cmake-test
  • cmake-win32-libtiffxx-static
  • cmake-xc-faxtable
  • manpage-fixes
  • master
  • revert-5331ed49
  • tif_config_h_includes
  • tiff-3.4
  • tiff-3.4-iptc
  • tiff-3.5-newcvs
  • tiff-3.5-oldcvs
  • tools-reduce-initialized-data
  • vcpkg-manifest
  • Pre360
  • Release-
  • Release-3-7-0
  • Release-v3-5-
  • Release-v3-5-4
  • Release-v3-5-5
  • Release-v3-5-7
  • Release-v3-6-0
  • Release-v3-6-0beta2
  • Release-v3-6-1
  • Release-v3-7-0-alpha
  • Release-v3-7-0beta
  • Release-v3-7-0beta2
  • Release-v3-7-1
  • Release-v3-7-2
  • Release-v3-7-3
  • Release-v3-7-4
  • Release-v3-8-0
  • Release-v3-8-1
  • Release-v3-8-2
  • Release-v3-9-0
  • Release-v3-9-0beta
  • Release-v3-9-1
  • Release-v3-9-2
  • Release-v3-9-3
  • Release-v3-9-4
  • Release-v3-9-5
  • Release-v3-9-6
  • Release-v3-9-7
  • Release-v4-0-0
  • Release-v4-0-0alpha
  • Release-v4-0-0alpha4
  • Release-v4-0-0alpha5
  • Release-v4-0-0alpha6
  • Release-v4-0-0beta7
  • Release-v4-0-1
  • Release-v4-0-2
  • Release-v4-0-3
  • Release-v4-0-4
  • Release-v4-0-4beta
  • Release-v4-0-5
  • Release-v4-0-6
  • Release-v4-0-7
  • Release-v4-0-8
  • Release-v4-0-9
  • orig
  • v3.4beta018
  • v3.4beta024
  • v3.4beta028
  • v3.4beta029
  • v3.4beta031
  • v3.4beta032
  • v3.4beta033
  • v3.4beta034
  • v3.4beta035
  • v3.4beta036
  • v3.4beta037
  • v3.4beta037iptc
  • v3.5.1
  • v3.5.2
  • v3.5.3
  • v3.5.4
  • v3.5.5
  • v3.5.7
  • v3.6.0
  • v3.6.0beta2
  • v3.6.1
  • v3.7.0
  • v3.7.0alpha
  • v3.7.0beta
  • v3.7.0beta2
  • v3.7.1
  • v3.7.2
  • v3.7.3
  • v3.7.4
  • v3.8.0
  • v3.8.1
  • v3.8.2
  • v3.9.0
  • v3.9.0beta
  • v3.9.1
  • v3.9.2
  • v3.9.3
  • v3.9.4
  • v3.9.5
  • v3.9.6
  • v3.9.7
  • v4.0.0
  • v4.0.0alpha
  • v4.0.0alpha4
  • v4.0.0alpha5
  • v4.0.0alpha6
  • v4.0.0beta7
  • v4.0.1
  • v4.0.10
  • v4.0.2
  • v4.0.3
  • v4.0.4
  • v4.0.4beta
  • v4.0.5
119 results

Target

Select target project
  • freedesktop-sdk/mirrors/gitlab/libtiff/libtiff
  • WebDevAdminAlpha/libtiff
2 results
Select Git revision
  • 215-cygwin-appveyor-fail
  • branch-3.9
  • ci-arm64
  • ci-coverity
  • ci-x64
  • cmake-msvc-options
  • cmake-test
  • cmake-win32-libtiffxx-static
  • cmake-xc-faxtable
  • manpage-fixes
  • master
  • revert-5331ed49
  • tif_config_h_includes
  • tiff-3.4
  • tiff-3.4-iptc
  • tiff-3.5-newcvs
  • tiff-3.5-oldcvs
  • tools-reduce-initialized-data
  • vcpkg-manifest
  • Pre360
  • Release-
  • Release-3-7-0
  • Release-v3-5-
  • Release-v3-5-4
  • Release-v3-5-5
  • Release-v3-5-7
  • Release-v3-6-0
  • Release-v3-6-0beta2
  • Release-v3-6-1
  • Release-v3-7-0-alpha
  • Release-v3-7-0beta
  • Release-v3-7-0beta2
  • Release-v3-7-1
  • Release-v3-7-2
  • Release-v3-7-3
  • Release-v3-7-4
  • Release-v3-8-0
  • Release-v3-8-1
  • Release-v3-8-2
  • Release-v3-9-0
  • Release-v3-9-0beta
  • Release-v3-9-1
  • Release-v3-9-2
  • Release-v3-9-3
  • Release-v3-9-4
  • Release-v3-9-5
  • Release-v3-9-6
  • Release-v3-9-7
  • Release-v4-0-0
  • Release-v4-0-0alpha
  • Release-v4-0-0alpha4
  • Release-v4-0-0alpha5
  • Release-v4-0-0alpha6
  • Release-v4-0-0beta7
  • Release-v4-0-1
  • Release-v4-0-2
  • Release-v4-0-3
  • Release-v4-0-4
  • Release-v4-0-4beta
  • Release-v4-0-5
  • Release-v4-0-6
  • Release-v4-0-7
  • Release-v4-0-8
  • Release-v4-0-9
  • orig
  • v3.4beta018
  • v3.4beta024
  • v3.4beta028
  • v3.4beta029
  • v3.4beta031
  • v3.4beta032
  • v3.4beta033
  • v3.4beta034
  • v3.4beta035
  • v3.4beta036
  • v3.4beta037
  • v3.4beta037iptc
  • v3.5.1
  • v3.5.2
  • v3.5.3
  • v3.5.4
  • v3.5.5
  • v3.5.7
  • v3.6.0
  • v3.6.0beta2
  • v3.6.1
  • v3.7.0
  • v3.7.0alpha
  • v3.7.0beta
  • v3.7.0beta2
  • v3.7.1
  • v3.7.2
  • v3.7.3
  • v3.7.4
  • v3.8.0
  • v3.8.1
  • v3.8.2
  • v3.9.0
  • v3.9.0beta
  • v3.9.1
  • v3.9.2
  • v3.9.3
  • v3.9.4
  • v3.9.5
  • v3.9.6
  • v3.9.7
  • v4.0.0
  • v4.0.0alpha
  • v4.0.0alpha4
  • v4.0.0alpha5
  • v4.0.0alpha6
  • v4.0.0beta7
  • v4.0.1
  • v4.0.10
  • v4.0.2
  • v4.0.3
  • v4.0.4
  • v4.0.4beta
  • v4.0.5
119 results
Show changes
Commits on Source (6)
Hide whitespace changes
Inline Side-by-side
Showing
with 103 additions and 2 deletions
libtiff/tif_dirread.c
View file @ e7b57edc
......@@ -1308,6 +1308,24 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
datasize = (*count) * typesize;
assert((tmsize_t)datasize > 0);
if (datasize > 100 * 1024 * 1024)
{
/* Before allocating a huge amount of memory for corrupted files, check
* if size of requested memory is not greater than file size.
*/
const uint64_t filesize = TIFFGetFileSize(tif);
if (datasize > filesize)
{
TIFFWarningExtR(tif, "ReadDirEntryArray",
"Requested memory size for tag %d (0x%x) %" PRIu32
" is greater than filesize %" PRIu64
". Memory not allocated, tag not read",
direntry->tdir_tag, direntry->tdir_tag, datasize,
filesize);
return (TIFFReadDirEntryErrAlloc);
}
}
if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
return TIFFReadDirEntryErrIo;
......@@ -5266,6 +5284,24 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
if (!_TIFFFillStrilesInternal(tif, 0))
return -1;
const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
uint64_t filesize = 0;
if (allocsize > 100 * 1024 * 1024)
{
/* Before allocating a huge amount of memory for corrupted files, check
* if size of requested memory is not greater than file size. */
filesize = TIFFGetFileSize(tif);
if (allocsize > filesize)
{
TIFFWarningExtR(
tif, module,
"Requested memory size for StripByteCounts of %" PRIu64
" is greater than filesize %" PRIu64 ". Memory not allocated",
allocsize, filesize);
return -1;
}
}
if (td->td_stripbytecount_p)
_TIFFfreeExt(tif, td->td_stripbytecount_p);
td->td_stripbytecount_p = (uint64_t *)_TIFFCheckMalloc(
......@@ -5276,9 +5312,7 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
if (td->td_compression != COMPRESSION_NONE)
{
uint64_t space;
uint64_t filesize;
uint16_t n;
filesize = TIFFGetFileSize(tif);
if (!(tif->tif_flags & TIFF_BIGTIFF))
space = sizeof(TIFFHeaderClassic) + 2 + dircount * 12 + 4;
else
......@@ -5314,6 +5348,8 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
return -1;
space += datasize;
}
if (filesize == 0)
filesize = TIFFGetFileSize(tif);
if (filesize < space)
/* we should perhaps return in error ? */
space = filesize;
......@@ -5807,6 +5843,24 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
dircount16 = (uint16_t)dircount64;
dirsize = 20;
}
const uint64_t allocsize = (uint64_t)dircount16 * dirsize;
if (allocsize > 100 * 1024 * 1024)
{
/* Before allocating a huge amount of memory for corrupted files,
* check if size of requested memory is not greater than file size.
*/
const uint64_t filesize = TIFFGetFileSize(tif);
if (allocsize > filesize)
{
TIFFWarningExtR(
tif, module,
"Requested memory size for TIFF directory of %" PRIu64
" is greater than filesize %" PRIu64
". Memory not allocated, TIFF directory not read",
allocsize, filesize);
return 0;
}
}
origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
"to read TIFF directory");
if (origdir == NULL)
......@@ -5921,6 +5975,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
"directories not supported");
return 0;
}
/* Before allocating a huge amount of memory for corrupted files, check
* if size of requested memory is not greater than file size. */
uint64_t filesize = TIFFGetFileSize(tif);
uint64_t allocsize = (uint64_t)dircount16 * dirsize;
if (allocsize > filesize)
{
TIFFWarningExtR(
tif, module,
"Requested memory size for TIFF directory of %" PRIu64
" is greater than filesize %" PRIu64
". Memory not allocated, TIFF directory not read",
allocsize, filesize);
return 0;
}
origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
"to read TIFF directory");
if (origdir == NULL)
......@@ -5968,6 +6036,8 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
}
}
}
/* No check against filesize needed here because "dir" should have same size
* than "origdir" checked above. */
dir = (TIFFDirEntry *)_TIFFCheckMalloc(
tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory");
if (dir == 0)
......@@ -7164,6 +7234,20 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
return (0);
}
/* Before allocating a huge amount of memory for corrupted files, check
* if size of requested memory is not greater than file size. */
uint64_t filesize = TIFFGetFileSize(tif);
uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
if (allocsize > filesize)
{
TIFFWarningExtR(tif, module,
"Requested memory size for StripArray of %" PRIu64
" is greater than filesize %" PRIu64
". Memory not allocated",
allocsize, filesize);
_TIFFfreeExt(tif, data);
return (0);
}
resizeddata = (uint64_t *)_TIFFCheckMalloc(
tif, nstrips, sizeof(uint64_t), "for strip array");
if (resizeddata == 0)
......@@ -7263,6 +7347,23 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
}
bytecount = last_offset + last_bytecount - offset;
/* Before allocating a huge amount of memory for corrupted files, check if
* size of StripByteCount and StripOffset tags is not greater than
* file size.
*/
uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
uint64_t filesize = TIFFGetFileSize(tif);
if (allocsize > filesize)
{
TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
"Requested memory size for StripByteCount and "
"StripOffsets %" PRIu64
" is greater than filesize %" PRIu64
". Memory not allocated",
allocsize, filesize);
return;
}
newcounts =
(uint64_t *)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t),
"for chopped \"StripByteCounts\" array");
......