Commit 7a092f8a authored by Even Rouault

ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)

Rework fix done in 3719385a to work in more
cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979.
Credit to OSS Fuzz

Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724
parent a6214606
Pipeline #19052580 passed with stages
in 3 minutes and 23 seconds
...@@ -5700,9 +5700,8 @@ ChopUpSingleUncompressedStrip(TIFF* tif) ...@@ -5700,9 +5700,8 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
/* file is as big as needed */ /* file is as big as needed */
if( tif->tif_mode == O_RDONLY && if( tif->tif_mode == O_RDONLY &&
nstrips > 1000000 && nstrips > 1000000 &&
(tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) || (offset >= TIFFGetFileSize(tif) ||
tif->tif_dir.td_stripbytecount[0] > stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )
{ {
return; return;
} }
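Review bot: The new bound `stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)` has no comment explaining why the divisor is `nstrips - 1` rather than `nstrips`, and the existing "file is as big as needed" comment does not cover it. A short note would help, stating that the division form is equivalent to checking `stripbytes * (nstrips - 1)` against the remaining file size without risking overflow in the multiplication, and (if this is the intent) that the last strip may be shorter than the others. The subtraction is safe only because `offset >= TIFFGetFileSize(tif)` is tested first and short-circuits, and the division is safe only because `nstrips > 1000000` is tested first; both ordering dependencies are worth stating so a later reorder does not break them. The whole check still applies only when `tif->tif_mode == O_RDONLY` and `nstrips > 1000000`, so strip counts at or below that literal skip the file-size validation; consider a named constant with the rationale for the threshold. `TIFFGetFileSize(tif)` is called twice in the condition and could be hoisted into a local.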