Projects
openEuler:22.03:LTS:LoongArch
libtiff
_service:tar_scm_kernel_repo:backport-0001-CVE-...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm_kernel_repo:backport-0001-CVE-2023-6277.patch of Package libtiff
From 284ae90ae567de4ca53a3f32b472096f0da573a5 Mon Sep 17 00:00:00 2001 From: Su Laus <sulau@freenet.de> Date: Sun, 5 Nov 2023 03:50:21 +0800 Subject: [PATCH 1/2] Prevent some out-of-memory attacks Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size. At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks. See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857 --- libtiff/tif_dirread.c | 94 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 90 insertions(+), 4 deletions(-) diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c index a762c67..2428257 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c @@ -866,8 +866,23 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit( datasize=(*count)*typesize; assert((tmsize_t)datasize>0); - if( isMapped(tif) && datasize > (uint64_t)tif->tif_size ) - return TIFFReadDirEntryErrIo; + /* Before allocating a huge amount of memory for corrupted files, check if + * size of requested memory is not greater than file size. + */ + uint64_t filesize = TIFFGetFileSize(tif); + if (datasize > filesize) + { + TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", + "Requested memory size for tag %d (0x%x) %" PRIu32 + " is greather than filesize %" PRIu64 + ". Memory not allocated, tag not read", + direntry->tdir_tag, direntry->tdir_tag, datasize, + filesize); + return (TIFFReadDirEntryErrAlloc); + } + + if (isMapped(tif) && datasize > (uint64_t)tif->tif_size) + return TIFFReadDirEntryErrIo; if( !isMapped(tif) && (((tif->tif_flags&TIFF_BIGTIFF) && datasize > 8) || @@ -4592,6 +4607,19 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount) if( !_TIFFFillStrilesInternal( tif, 0 ) ) return -1; + /* Before allocating a huge amount of memory for corrupted files, check if + * size of requested memory is not greater than file size. */ + uint64_t filesize = TIFFGetFileSize(tif); + uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t); + if (allocsize > filesize) + { + TIFFWarningExt(tif->tif_clientdata, module, + "Requested memory size for StripByteCounts of %" PRIu64 + " is greather than filesize %" PRIu64 + ". Memory not allocated", + allocsize, filesize); + return -1; + } if (td->td_stripbytecount_p) _TIFFfree(td->td_stripbytecount_p); td->td_stripbytecount_p = (uint64_t*) @@ -4602,9 +4630,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount) if (td->td_compression != COMPRESSION_NONE) { uint64_t space; - uint64_t filesize; uint16_t n; - filesize = TIFFGetFileSize(tif); if (!(tif->tif_flags&TIFF_BIGTIFF)) space=sizeof(TIFFHeaderClassic)+2+dircount*12+4; else @@ -4912,6 +4938,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir, dircount16 = (uint16_t)dircount64; dirsize = 20; } + /* Before allocating a huge amount of memory for corrupted files, check + * if size of requested memory is not greater than file size. */ + uint64_t filesize = TIFFGetFileSize(tif); + uint64_t allocsize = (uint64_t)dircount16 * dirsize; + if (allocsize > filesize) + { + TIFFWarningExt( + tif->tif_clientdata, module, + "Requested memory size for TIFF directory of %" PRIu64 + " is greather than filesize %" PRIu64 + ". Memory not allocated, TIFF directory not read", + allocsize, filesize); + return 0; + } origdir = _TIFFCheckMalloc(tif, dircount16, dirsize, "to read TIFF directory"); if (origdir == NULL) @@ -5015,6 +5055,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir, "Sanity check on directory count failed, zero tag directories not supported"); return 0; } + /* Before allocating a huge amount of memory for corrupted files, check + * if size of requested memory is not greater than file size. */ + uint64_t filesize = TIFFGetFileSize(tif); + uint64_t allocsize = (uint64_t)dircount16 * dirsize; + if (allocsize > filesize) + { + TIFFWarningExt( + tif->tif_clientdata, module, + "Requested memory size for TIFF directory of %" PRIu64 + " is greather than filesize %" PRIu64 + ". Memory not allocated, TIFF directory not read", + allocsize, filesize); + return 0; + } origdir = _TIFFCheckMalloc(tif, dircount16, dirsize, "to read TIFF directory"); @@ -5058,6 +5112,8 @@ TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir, } } } + /* No check against filesize needed here because "dir" should have same size + * than "origdir" checked above. */ dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory"); @@ -5852,6 +5908,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l return(0); } + /* Before allocating a huge amount of memory for corrupted files, check + * if size of requested memory is not greater than file size. */ + uint64_t filesize = TIFFGetFileSize(tif); + uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t); + if (allocsize > filesize) + { + TIFFWarningExt(tif->tif_clientdata, module, + "Requested memory size for StripArray of %" PRIu64 + " is greather than filesize %" PRIu64 + ". Memory not allocated", + allocsize, filesize); + _TIFFfree(data); + return (0); + } resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array"); if (resizeddata==0) { _TIFFfree(data); @@ -5947,6 +6017,22 @@ static void allocChoppedUpStripArrays(TIFF* tif, uint32_t nstrips, } bytecount = last_offset + last_bytecount - offset; + /* Before allocating a huge amount of memory for corrupted files, check if + * size of StripByteCount and StripOffset tags is not greater than + * file size. + */ + uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2; + uint64_t filesize = TIFFGetFileSize(tif); + if (allocsize > filesize) + { + TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", + "Requested memory size for StripByteCount and " + "StripOffsets %" PRIu64 + " is greather than filesize %" PRIu64 + ". Memory not allocated", + allocsize, filesize); + return; + } newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t), "for chopped \"StripByteCounts\" array"); newoffsets = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t), -- 2.33.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.