[Ubuntu note: Backport of the following patch from upstream, with a few changes to match the current version of the file in the present Ubuntu release: . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); . using uint64 instead of uint64_t to preserve the current code usage; . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet); -- Rodrigo Figueiredo Zaiden] Backport of: From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Tue, 31 Oct 2023 21:30:58 +0100 Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough RAM requests Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-4.patch?h=ubuntu/focal-security Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a] CVE: CVE-2023-6277 Signed-off-by: Vijay Anusuri
---
libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------ 1 file changed, 31 insertions(+), 23 deletions(-)
--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
@@ -5822,19 +5822,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
 _TIFFfree(data);
 return(0);
 }
- /* Before allocating a huge amount of memory for corrupted files, check
- * if size of requested memory is not greater than file size. */
- uint64 filesize = TIFFGetFileSize(tif);
- uint64 allocsize = (uint64)nstrips * sizeof(uint64);
- if (allocsize > filesize)
+ const uint64 allocsize = (uint64)nstrips * sizeof(uint64);
+ if (allocsize > 100 * 1024 * 1024)
 {
- TIFFWarningExt(tif->tif_clientdata, module,
- "Requested memory size for StripArray of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- _TIFFfree(data);
- return (0);
+ /* Before allocating a huge amount of memory for corrupted files,
+ * check if size of requested memory is not greater than file size.
+ */
+ const uint64 filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(
+ tif->tif_clientdata, module,
+ "Requested memory size for StripArray of %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ _TIFFfree(data);
+ return (0);
+ }
 }
 resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
 if (resizeddata==0) {
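Review bot: The 100 MiB cut-off in `if (allocsize > 100 * 1024 * 1024)` is an unnamed literal repeated here and in the allocChoppedUpStripArrays hunk, and nothing records that strip arrays at or below it are now allocated without the file-size sanity check. A small malformed file can therefore still request up to about 100 MiB in each of these places, so the bound should be documented as a deliberate trade-off against calling TIFFGetFileSize() on every read. I would define it once, e.g. `#define STRIP_ARRAY_FILESIZE_CHECK_THRESHOLD (100 * 1024 * 1024)` (the name is only a suggestion), with a comment such as `/* at or below this size the request is not compared with the file size; callers parsing untrusted files should still cap memory */`, and use it in both conditions. Both function bodies start and end outside their hunks, so how nstrips is bounded earlier is not visible here.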
@@ -5935,17 +5940,20 @@ static void allocChoppedUpStripArrays(TI
 * size of StripByteCount and StripOffset tags is not greater than
 * file size.
 */
- uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
- uint64 filesize = TIFFGetFileSize(tif);
- if (allocsize > filesize)
- {
- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
- "Requested memory size for StripByteCount and "
- "StripOffsets %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- return;
+ const uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
+ if (allocsize > 100 * 1024 * 1024)
+ {
+ const uint64 filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+ "Requested memory size for StripByteCount and "
+ "StripOffsets %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return;
+ }
 }
 newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),