[Ubuntu note: Backport of the following patch from upstream, with a few changes
to match the current version of the file in the present Ubuntu release:
 . included inttypes.h header to support PRIu32 and PRIu64;
 . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
 . using uint64 instead of uint64_t to preserve the current code usage;
 . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
 . calls to the check size, that is the idea of the patch, were added before
   _TIFFCheckMalloc and may note match the original patch methods;
-- Rodrigo Figueiredo Zaiden]

Backport of:

From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 31 Oct 2023 15:43:29 +0000
Subject: [PATCH] Prevent some out-of-memory attacks

Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.

At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.

See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857

Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-1.patch?h=ubuntu/focal-security
Upstream commit  https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a]
CVE: CVE-2023-6277
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 90 insertions(+), 2 deletions(-)

--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
@@ -37,6 +37,7 @@
 #include "tiffiop.h"
 #include <float.h>
 #include <stdlib.h>
+#include <inttypes.h>
 
 #define FAILED_FII    ((uint32) -1)
 
@@ -863,6 +864,21 @@ static enum TIFFReadDirEntryErr TIFFRead
 	datasize=(*count)*typesize;
 	assert((tmsize_t)datasize>0);
 
+	/* Before allocating a huge amount of memory for corrupted files, check if
+	 * size of requested memory is not greater than file size.
+	 */
+	uint64 filesize = TIFFGetFileSize(tif);
+	if (datasize > filesize)
+	{
+		TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+						"Requested memory size for tag %d (0x%x) %" PRIu32
+						" is greather than filesize %" PRIu64
+						". Memory not allocated, tag not read",
+						direntry->tdir_tag, direntry->tdir_tag, datasize,
+						filesize);
+		return (TIFFReadDirEntryErrAlloc);
+	}
+
 	if( isMapped(tif) && datasize > (uint32)tif->tif_size )
 		return TIFFReadDirEntryErrIo;
 
@@ -4534,6 +4550,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
         if( !_TIFFFillStrilesInternal( tif, 0 ) )
             return -1;
 
+	/* Before allocating a huge amount of memory for corrupted files, check if
+	 * size of requested memory is not greater than file size. */
+	uint64 filesize = TIFFGetFileSize(tif);
+	uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
+	if (allocsize > filesize)
+	{
+		TIFFWarningExt(tif->tif_clientdata, module,
+						"Requested memory size for StripByteCounts of %" PRIu64
+						" is greather than filesize %" PRIu64
+						". Memory not allocated",
+						allocsize, filesize);
+		return -1;
+	}
+
 	if (td->td_stripbytecount_p)
 		_TIFFfree(td->td_stripbytecount_p);
 	td->td_stripbytecount_p = (uint64*)
@@ -4544,9 +4574,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
 
 	if (td->td_compression != COMPRESSION_NONE) {
 		uint64 space;
-		uint64 filesize;
 		uint16 n;
-		filesize = TIFFGetFileSize(tif);
 		if (!(tif->tif_flags&TIFF_BIGTIFF))
 			space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
 		else
@@ -4854,6 +4882,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
 			dircount16 = (uint16)dircount64;
 			dirsize = 20;
 		}
+		/* Before allocating a huge amount of memory for corrupted files, check
+		 * if size of requested memory is not greater than file size. */
+		uint64 filesize = TIFFGetFileSize(tif);
+		uint64 allocsize = (uint64)dircount16 * dirsize;
+		if (allocsize > filesize)
+		{
+			TIFFWarningExt(
+				tif->tif_clientdata, module,
+				"Requested memory size for TIFF directory of %" PRIu64
+				" is greather than filesize %" PRIu64
+				". Memory not allocated, TIFF directory not read",
+				allocsize, filesize);
+			return 0;
+		}
 		origdir = _TIFFCheckMalloc(tif, dircount16,
 		    dirsize, "to read TIFF directory");
 		if (origdir == NULL)
@@ -4957,6 +4999,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
 			             "Sanity check on directory count failed, zero tag directories not supported");
 			return 0;
 		}
+		/* Before allocating a huge amount of memory for corrupted files, check
+		 * if size of requested memory is not greater than file size. */
+		uint64 filesize = TIFFGetFileSize(tif);
+		uint64 allocsize = (uint64)dircount16 * dirsize;
+		if (allocsize > filesize)
+		{
+			TIFFWarningExt(
+				tif->tif_clientdata, module,
+				"Requested memory size for TIFF directory of %" PRIu64
+				" is greather than filesize %" PRIu64
+				". Memory not allocated, TIFF directory not read",
+				allocsize, filesize);
+			return 0;
+		}
 		origdir = _TIFFCheckMalloc(tif, dircount16,
 						dirsize,
 						"to read TIFF directory");
@@ -5000,6 +5056,8 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
 			}
 		}
 	}
+	/* No check against filesize needed here because "dir" should have same size
+	 * than "origdir" checked above. */
 	dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
 						sizeof(TIFFDirEntry),
 						"to read TIFF directory");
@@ -5769,7 +5827,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
 			_TIFFfree(data);
 			return(0);
 		}
-
+		/* Before allocating a huge amount of memory for corrupted files, check
+		 * if size of requested memory is not greater than file size. */
+		uint64 filesize = TIFFGetFileSize(tif);
+		uint64 allocsize = (uint64)nstrips * sizeof(uint64);
+		if (allocsize > filesize)
+		{
+			TIFFWarningExt(tif->tif_clientdata, module,
+							"Requested memory size for StripArray of %" PRIu64
+							" is greather than filesize %" PRIu64
+							". Memory not allocated",
+							allocsize, filesize);
+			_TIFFfree(data);
+			return (0);
+		}
 		resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
 		if (resizeddata==0) {
 			_TIFFfree(data);
@@ -5865,6 +5936,23 @@ static void allocChoppedUpStripArrays(TI
     }
     bytecount = last_offset + last_bytecount - offset;
 
+	/* Before allocating a huge amount of memory for corrupted files, check if
+	 * size of StripByteCount and StripOffset tags is not greater than
+	 * file size.
+	 */
+	uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
+	uint64 filesize = TIFFGetFileSize(tif);
+	if (allocsize > filesize)
+	{
+		TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+						"Requested memory size for StripByteCount and "
+						"StripOffsets %" PRIu64
+						" is greather than filesize %" PRIu64
+						". Memory not allocated",
+						allocsize, filesize);
+		return;
+	}
+
     newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
                             "for chopped \"StripByteCounts\" array");
     newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),