Projects
openEuler:Roll:Everything:RVA20
libtiff
_service:obs_scm:backport-0003-CVE-2023-6277.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:obs_scm:backport-0003-CVE-2023-6277.patch of Package libtiff
From 38f5b5b9f95891d2616f1df70ebcfb53690cb67c Mon Sep 17 00:00:00 2001 From: Even Rouault <even.rouault@spatialys.com> Date: Wed, 29 Nov 2023 18:10:25 +0800 Subject: [PATCH] backport patch for fix CVE-2023-6277 issue --- libtiff/tif_dirread.c | 129 +++++++++++++++++++++--------------------- 1 file changed, 66 insertions(+), 63 deletions(-) diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c index a98ea1f..b38060f 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c @@ -1308,19 +1308,22 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry, datasize = (*count) * typesize; assert((tmsize_t)datasize > 0); - /* Before allocating a huge amount of memory for corrupted files, check if - * size of requested memory is not greater than file size. - */ - uint64_t filesize = TIFFGetFileSize(tif); - if (datasize > filesize) - { - TIFFWarningExtR(tif, "ReadDirEntryArray", - "Requested memory size for tag %d (0x%x) %" PRIu32 - " is greather than filesize %" PRIu64 - ". Memory not allocated, tag not read", - direntry->tdir_tag, direntry->tdir_tag, datasize, - filesize); - return (TIFFReadDirEntryErrAlloc); + if (datasize > 100 * 1024 * 1024) + { + /* Before allocating a huge amount of memory for corrupted files, check + * if size of requested memory is not greater than file size. + */ + const uint64_t filesize = TIFFGetFileSize(tif); + if (datasize > filesize) + { + TIFFWarningExtR(tif, "ReadDirEntryArray", + "Requested memory size for tag %d (0x%x) %" PRIu32 + " is greater than filesize %" PRIu64 + ". Memory not allocated, tag not read", + direntry->tdir_tag, direntry->tdir_tag, datasize, + filesize); + return (TIFFReadDirEntryErrAlloc); + } } if (isMapped(tif) && datasize > (uint64_t)tif->tif_size) @@ -5281,18 +5284,22 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir, if (!_TIFFFillStrilesInternal(tif, 0)) return -1; - /* Before allocating a huge amount of memory for corrupted files, check if - * size of requested memory is not greater than file size. */ - uint64_t filesize = TIFFGetFileSize(tif); - uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t); - if (allocsize > filesize) - { - TIFFWarningExtR(tif, module, - "Requested memory size for StripByteCounts of %" PRIu64 - " is greather than filesize %" PRIu64 - ". Memory not allocated", - allocsize, filesize); - return -1; + const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t); + uint64_t filesize = 0; + if (allocsize > 100 * 1024 * 1024) + { + /* Before allocating a huge amount of memory for corrupted files, check + * if size of requested memory is not greater than file size. */ + filesize = TIFFGetFileSize(tif); + if (allocsize > filesize) + { + TIFFWarningExtR( + tif, module, + "Requested memory size for StripByteCounts of %" PRIu64 + " is greater than filesize %" PRIu64 ". Memory not allocated", + allocsize, filesize); + return -1; + } } if (td->td_stripbytecount_p) @@ -5341,6 +5348,8 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir, return -1; space += datasize; } + if (filesize == 0) + filesize = TIFFGetFileSize(tif); if (filesize < space) /* we should perhaps return in error ? */ space = filesize; @@ -5834,20 +5843,6 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff, dircount16 = (uint16_t)dircount64; dirsize = 20; } - /* Before allocating a huge amount of memory for corrupted files, check - * if size of requested memory is not greater than file size. */ - uint64_t filesize = TIFFGetFileSize(tif); - uint64_t allocsize = (uint64_t)dircount16 * dirsize; - if (allocsize > filesize) - { - TIFFWarningExtR( - tif, module, - "Requested memory size for TIFF directory of %" PRIu64 - " is greather than filesize %" PRIu64 - ". Memory not allocated, TIFF directory not read", - allocsize, filesize); - return 0; - } origdir = _TIFFCheckMalloc(tif, dircount16, dirsize, "to read TIFF directory"); if (origdir == NULL) @@ -5971,7 +5966,7 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff, TIFFWarningExtR( tif, module, "Requested memory size for TIFF directory of %" PRIu64 - " is greather than filesize %" PRIu64 + " is greater than filesize %" PRIu64 ". Memory not allocated, TIFF directory not read", allocsize, filesize); return 0; @@ -7221,19 +7216,24 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips, return (0); } - /* Before allocating a huge amount of memory for corrupted files, check - * if size of requested memory is not greater than file size. */ - uint64_t filesize = TIFFGetFileSize(tif); - uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t); - if (allocsize > filesize) + const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t); + if (allocsize > 100 * 1024 * 1024) { - TIFFWarningExtR(tif, module, - "Requested memory size for StripArray of %" PRIu64 - " is greather than filesize %" PRIu64 - ". Memory not allocated", - allocsize, filesize); - _TIFFfreeExt(tif, data); - return (0); + /* Before allocating a huge amount of memory for corrupted files, + * check if size of requested memory is not greater than file size. + */ + const uint64_t filesize = TIFFGetFileSize(tif); + if (allocsize > filesize) + { + TIFFWarningExtR( + tif, module, + "Requested memory size for StripArray of %" PRIu64 + " is greater than filesize %" PRIu64 + ". Memory not allocated", + allocsize, filesize); + _TIFFfreeExt(tif, data); + return (0); + } } resizeddata = (uint64_t *)_TIFFCheckMalloc( tif, nstrips, sizeof(uint64_t), "for strip array"); @@ -7338,17 +7338,20 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips, * size of StripByteCount and StripOffset tags is not greater than * file size. */ - uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2; - uint64_t filesize = TIFFGetFileSize(tif); - if (allocsize > filesize) - { - TIFFWarningExtR(tif, "allocChoppedUpStripArrays", - "Requested memory size for StripByteCount and " - "StripOffsets %" PRIu64 - " is greather than filesize %" PRIu64 - ". Memory not allocated", - allocsize, filesize); - return; + const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2; + if (allocsize > 100 * 1024 * 1024) + { + const uint64_t filesize = TIFFGetFileSize(tif); + if (allocsize > filesize) + { + TIFFWarningExtR(tif, "allocChoppedUpStripArrays", + "Requested memory size for StripByteCount and " + "StripOffsets %" PRIu64 + " is greater than filesize %" PRIu64 + ". Memory not allocated", + allocsize, filesize); + return; + } } newcounts = -- 2.27.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2