From 98a254f5b92cea22f5436555ff7fceb12afee84d Mon Sep 17 00:00:00 2001 From: Thomas Bernard Date: Sun, 15 Nov 2020 17:02:51 +0100 Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba fixes #207 fixes #209 Signed-off-by: akash hadke --- tools/tiff2rgba.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) --- CVE: CVE-2020-35521 CVE: CVE-2020-35522 Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef.patch] --- diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c index fbc383aa..764395f6 100644 --- a/tools/tiff2rgba.c +++ b/tools/tiff2rgba.c @@ -60,6 +60,10 @@ uint32 rowsperstrip = (uint32) -1; int process_by_block = 0; /* default is whole image at once */ int no_alpha = 0; int bigtiff_output = 0; +#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024) +/* malloc size limit (in bytes) + * disabled when set to 0 */ +static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC; static int tiffcvt(TIFF* in, TIFF* out); @@ -75,8 +79,11 @@ main(int argc, char* argv[]) extern char *optarg; #endif - while ((c = getopt(argc, argv, "c:r:t:bn8h")) != -1) + while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1) switch (c) { + case 'M': + maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20; + break; case 'b': process_by_block = 1; break; @@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out ) (unsigned long)width, (unsigned long)height); return 0; } + if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) { + TIFFError(TIFFFileName(in), + "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.", + (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc); + return 0; + } rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); @@ -530,6 +543,13 @@ tiffcvt(TIFF* in, TIFF* out) TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); CopyField(TIFFTAG_DOCUMENTNAME, stringv); + if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc) + { + TIFFError(TIFFFileName(in), + "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")", + (uint64)TIFFStripSize(in), (uint64)maxMalloc); + return 0; + } if( process_by_block && TIFFIsTiled( in ) ) return( cvt_by_tile( in, out ) ); else if( process_by_block ) @@ -539,7 +559,7 @@ tiffcvt(TIFF* in, TIFF* out) } static const char* stuff[] = { - "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output", + "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output", "where comp is one of the following compression algorithms:", " jpeg\t\tJPEG encoding", " zip\t\tZip/Deflate encoding", @@ -551,6 +571,7 @@ static const char* stuff[] = { " -b (progress by block rather than as a whole image)", " -n don't emit alpha component.", " -8 write BigTIFF file instead of ClassicTIFF", + " -M set the memory allocation limit in MiB. 0 to disable limit", NULL }; -- GitLab From e9e504193ef1f87e9cb5e986586b0cbe3254e421 Mon Sep 17 00:00:00 2001 From: Thomas Bernard Date: Sun, 15 Nov 2020 17:08:42 +0100 Subject: [PATCH 2/2] tiff2rgba.1: -M option --- man/tiff2rgba.1 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1 index d9c9baae..fe9ebb2c 100644 --- a/man/tiff2rgba.1 +++ b/man/tiff2rgba.1 @@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file. Currently this does not work if the .B \-b flag is also in effect. +.TP +.BI \-M " size" +Set maximum memory allocation size (in MiB). The default is 256MiB. +Set to 0 to disable the limit. .SH "SEE ALSO" .BR tiff2bw (1), .BR TIFFReadRGBAImage (3t), -- GitLab