path: root/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-At-image-reading-compare-data-size-of-some-tags-data.patch
From b33baa5d9c6aac8ce49b5180dd48e39697ab7a11 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Fri, 27 Oct 2023 22:11:10 +0200
Subject: [PATCH 1/3] At image reading, compare data size of some tags / data
 structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with
 file size to prevent provoked out-of-memory attacks.

See issue #614.

CVE: CVE-2023-6277
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 libtiff/tif_dirread.c | 90 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)

diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 2c49dc6..c52d41f 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1308,6 +1308,21 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
     datasize = (*count) * typesize;
     assert((tmsize_t)datasize > 0);
 
+    /* Before allocating a huge amount of memory for corrupted files, check if
+     * size of requested memory is not greater than file size.
+     */
+    uint64_t filesize = TIFFGetFileSize(tif);
+    if (datasize > filesize)
+    {
+        TIFFWarningExtR(tif, "ReadDirEntryArray",
+                        "Requested memory size for tag %d (0x%x) %" PRIu32
+                        " is greather than filesize %" PRIu64
+                        ". Memory not allocated, tag not read",
+                        direntry->tdir_tag, direntry->tdir_tag, datasize,
+                        filesize);
+        return (TIFFReadDirEntryErrAlloc);
+    }
+
     if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
         return TIFFReadDirEntryErrIo;
 
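Review bot: The guard `if (datasize > filesize)` trusts `TIFFGetFileSize(tif)` unconditionally, so a client whose size callback cannot report a real length (for instance one that returns 0 for a stream) would presumably have every non-empty tag array rejected with `TIFFReadDirEntryErrAlloc`. The same unconditional comparison is repeated in the later hunks for EstimateStripByteCounts, TIFFFetchDirectory (twice), TIFFFetchStripThing and allocChoppedUpStripArrays, and each adds a size query per tag or directory read. I would at least state the assumption next to the check, e.g. `/* Assumes TIFFGetFileSize() returns the true length of the input; confirm for custom I/O clients. */`, and confirm whether the other patches of this 1/3 series narrow the check. The body of TIFFReadDirEntryArrayWithLimit starts and ends outside the hunk.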
@@ -5266,6 +5281,20 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
     if (!_TIFFFillStrilesInternal(tif, 0))
         return -1;
 
+    /* Before allocating a huge amount of memory for corrupted files, check if
+     * size of requested memory is not greater than file size. */
+    uint64_t filesize = TIFFGetFileSize(tif);
+    uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+    if (allocsize > filesize)
+    {
+        TIFFWarningExtR(tif, module,
+                        "Requested memory size for StripByteCounts of %" PRIu64
+                        " is greather than filesize %" PRIu64
+                        ". Memory not allocated",
+                        allocsize, filesize);
+        return -1;
+    }
+
     if (td->td_stripbytecount_p)
         _TIFFfreeExt(tif, td->td_stripbytecount_p);
     td->td_stripbytecount_p = (uint64_t *)_TIFFCheckMalloc(
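Review bot: `allocsize` counts 8 bytes per strip (`td->td_nstrips * sizeof(uint64_t)`), which is the in-memory width rather than what the file stores, so comparing it with `filesize` can reject a well-formed file whose strips average fewer than 8 bytes on disk. TIFF permits strip offset and byte-count entries narrower than 64 bits, so such files are unusual but not obviously invalid; the TIFFFetchStripThing hunk makes the same comparison with `nstrips * sizeof(uint64_t)`. A comment naming the heuristic would help when triaging false rejects, e.g. `/* Heuristic: a file smaller than 8 bytes per strip is treated as corrupt. */`. The function body extends beyond the hunk on both sides.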
@@ -5807,6 +5836,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
             dircount16 = (uint16_t)dircount64;
             dirsize = 20;
         }
+        /* Before allocating a huge amount of memory for corrupted files, check
+         * if size of requested memory is not greater than file size. */
+        uint64_t filesize = TIFFGetFileSize(tif);
+        uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+        if (allocsize > filesize)
+        {
+            TIFFWarningExtR(
+                tif, module,
+                "Requested memory size for TIFF directory of %" PRIu64
+                " is greather than filesize %" PRIu64
+                ". Memory not allocated, TIFF directory not read",
+                allocsize, filesize);
+            return 0;
+        }
         origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
                                    "to read TIFF directory");
         if (origdir == NULL)
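Review bot: The comment "Before allocating a huge amount of memory" overstates what this check protects against: `dircount16` is apparently a 16-bit value (see the `(uint16_t)dircount64` cast just above) and `dirsize` is 20 in the visible branch, so `allocsize` cannot exceed roughly 1.3 MB here. The check is still worthwhile as a sanity test that the directory fits in the file, and the comment should say so, e.g. `/* dircount16 * dirsize is small; reject directories that cannot fit in the file. */`. The identical block in the next TIFFFetchDirectory hunk carries the same comment. Both sit in the middle of the function, whose start and end are outside the hunks.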
@@ -5921,6 +5964,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
                           "directories not supported");
             return 0;
         }
+        /* Before allocating a huge amount of memory for corrupted files, check
+         * if size of requested memory is not greater than file size. */
+        uint64_t filesize = TIFFGetFileSize(tif);
+        uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+        if (allocsize > filesize)
+        {
+            TIFFWarningExtR(
+                tif, module,
+                "Requested memory size for TIFF directory of %" PRIu64
+                " is greather than filesize %" PRIu64
+                ". Memory not allocated, TIFF directory not read",
+                allocsize, filesize);
+            return 0;
+        }
         origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
                                    "to read TIFF directory");
         if (origdir == NULL)
@@ -5968,6 +6025,8 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
             }
         }
     }
+    /* No check against filesize needed here because "dir" should have same size
+     * than "origdir" checked above. */
     dir = (TIFFDirEntry *)_TIFFCheckMalloc(
         tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory");
     if (dir == 0)
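Review bot: The added comment says "dir" has the same size as "origdir", but the two allocations use different element sizes (`dirsize` for origdir, `sizeof(TIFFDirEntry)` for dir), so only the entry count is shared. The conclusion still holds because `dircount16` bounds both allocations, so I would reword it to `/* No check against filesize needed here: "dir" has the same entry count as "origdir", which was checked above. */`. That also fixes the "same size than" wording. The surrounding function continues outside the hunk.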
@@ -7164,6 +7223,20 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
             return (0);
         }
 
+        /* Before allocating a huge amount of memory for corrupted files, check
+         * if size of requested memory is not greater than file size. */
+        uint64_t filesize = TIFFGetFileSize(tif);
+        uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+        if (allocsize > filesize)
+        {
+            TIFFWarningExtR(tif, module,
+                            "Requested memory size for StripArray of %" PRIu64
+                            " is greather than filesize %" PRIu64
+                            ". Memory not allocated",
+                            allocsize, filesize);
+            _TIFFfreeExt(tif, data);
+            return (0);
+        }
         resizeddata = (uint64_t *)_TIFFCheckMalloc(
             tif, nstrips, sizeof(uint64_t), "for strip array");
         if (resizeddata == 0)
@@ -7263,6 +7336,23 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
     }
     bytecount = last_offset + last_bytecount - offset;
 
+    /* Before allocating a huge amount of memory for corrupted files, check if
+     * size of StripByteCount and StripOffset tags is not greater than
+     * file size.
+     */
+    uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+    uint64_t filesize = TIFFGetFileSize(tif);
+    if (allocsize > filesize)
+    {
+        TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
+                        "Requested memory size for StripByteCount and "
+                        "StripOffsets %" PRIu64
+                        " is greather than filesize %" PRIu64
+                        ". Memory not allocated",
+                        allocsize, filesize);
+        return;
+    }
+
     newcounts =
         (uint64_t *)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t),
                                      "for chopped \"StripByteCounts\" array");
-- 
2.43.0