[Ubuntu note: Backport of the following patch from upstream, with a few changes
to match the current version of the file in the present Ubuntu release:
. using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
. using uint64 instead of uint64_t to preserve the current code usage;
. calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
-- Rodrigo Figueiredo Zaiden]
Backport of:
From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 31 Oct 2023 21:30:58 +0100
Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
RAM requests
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-4.patch?h=ubuntu/focal-security
Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a]
CVE: CVE-2023-6277
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------
1 file changed, 31 insertions(+), 23 deletions(-)
--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
@@ -5822,19 +5822,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
_TIFFfree(data);
return(0);
}
- /* Before allocating a huge amount of memory for corrupted files, check
- * if size of requested memory is not greater than file size. */
- uint64 filesize = TIFFGetFileSize(tif);
- uint64 allocsize = (uint64)nstrips * sizeof(uint64);
- if (allocsize > filesize)
+ const uint64 allocsize = (uint64)nstrips * sizeof(uint64);
+ if (allocsize > 100 * 1024 * 1024)
{
- TIFFWarningExt(tif->tif_clientdata, module,
- "Requested memory size for StripArray of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- _TIFFfree(data);
- return (0);
+ /* Before allocating a huge amount of memory for corrupted files,
+ * check if size of requested memory is not greater than file size.
+ */
+ const uint64 filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(
+ tif->tif_clientdata, module,
+ "Requested memory size for StripArray of %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ _TIFFfree(data);
+ return (0);
+ }
}
resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
if (resizeddata==0) {
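Review bot: The bound in `if (allocsize > 100 * 1024 * 1024)` is a bare literal with no comment explaining why requests at or below it skip the file-size comparison, and the same literal is repeated in the allocChoppedUpStripArrays hunk. With this change a file declaring a large strip count can again reach `_TIFFCheckMalloc` for up to 100 MiB without being compared against the file size, so the threshold is a deliberate trade-off in a CVE fix and should be defined once and documented. A single file-level constant (name is a suggestion), `#define STRIP_ARRAY_FILESIZE_CHECK_MIN (100 * 1024 * 1024)`, used in both guards, with a comment such as `/* Requests up to this size are allocated without calling TIFFGetFileSize(); larger ones must not exceed the file size. */`, would keep the two sites from drifting apart. In the second hunk the retained context comment still reads as if the comparison were unconditional and could mention the threshold as well. TIFFFetchStripThing begins and ends outside this hunk, so how `nstrips` is bounded before this point is not visible here.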
@@ -5935,17 +5940,20 @@ static void allocChoppedUpStripArrays(TI
* size of StripByteCount and StripOffset tags is not greater than
* file size.
*/
- uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
- uint64 filesize = TIFFGetFileSize(tif);
- if (allocsize > filesize)
- {
- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
- "Requested memory size for StripByteCount and "
- "StripOffsets %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- return;
+ const uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
+ if (allocsize > 100 * 1024 * 1024)
+ {
+ const uint64 filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+ "Requested memory size for StripByteCount and "
+ "StripOffsets %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return;
+ }
}
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),