Commit 3719385a authored by Even Rouault's avatar Even Rouault
Browse files

ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)

In ChopUpSingleUncompressedStrip(), if the computed number of strips is big
enough and we are in read only mode, validate that the file size is consistent
with that number of strips to avoid useless attempts at allocating a lot of
memory for the td_stripbytecount and td_stripoffset arrays.

parent 277644d8
......@@ -5696,6 +5696,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
if( nstrips == 0 )
/* If we are going to allocate a lot of memory, make sure that the */
/* file is as big as needed */
if( tif->tif_mode == O_RDONLY &&
nstrips > 1000000 &&
(tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) ||
tif->tif_dir.td_stripbytecount[0] >
TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array");
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment