CVE: CVE-2023-6277
Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a 
ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>

[Ubuntu note: Backport of the following patch from upstream, with a few changes
to match the current version of the file in the present Ubuntu release:
 . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
 . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
-- Rodrigo Figueiredo Zaiden]

Backport of:

From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 31 Oct 2023 15:43:29 +0000
Subject: [PATCH] Prevent some out-of-memory attacks

Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.

At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.

See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
---
 libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 90 insertions(+), 2 deletions(-)

--- tiff-4.3.0.orig/libtiff/tif_dirread.c
+++ tiff-4.3.0/libtiff/tif_dirread.c
@@ -866,6 +866,21 @@ static enum TIFFReadDirEntryErr TIFFRead
 	datasize=(*count)*typesize;
 	assert((tmsize_t)datasize>0);
 
+	/* Before allocating a huge amount of memory for corrupted files, check if
+	 * size of requested memory is not greater than file size.
+	 */
+	uint64_t filesize = TIFFGetFileSize(tif);
+	if (datasize > filesize)
+	{
+		TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+						"Requested memory size for tag %d (0x%x) %" PRIu32
+						" is greather than filesize %" PRIu64
+						". Memory not allocated, tag not read",
+						direntry->tdir_tag, direntry->tdir_tag, datasize,
+						filesize);
+		return (TIFFReadDirEntryErrAlloc);
+	}
+
 	if( isMapped(tif) && datasize > (uint64_t)tif->tif_size )
 		return TIFFReadDirEntryErrIo;
 
@@ -4593,6 +4608,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
         if( !_TIFFFillStrilesInternal( tif, 0 ) )
             return -1;
 
+	/* Before allocating a huge amount of memory for corrupted files, check if
+	 * size of requested memory is not greater than file size. */
+	uint64_t filesize = TIFFGetFileSize(tif);
+	uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+	if (allocsize > filesize)
+	{
+		TIFFWarningExt(tif->tif_clientdata, module,
+						"Requested memory size for StripByteCounts of %" PRIu64
+						" is greather than filesize %" PRIu64
+						". Memory not allocated",
+						allocsize, filesize);
+		return -1;
+	}
+
 	if (td->td_stripbytecount_p)
 		_TIFFfree(td->td_stripbytecount_p);
 	td->td_stripbytecount_p = (uint64_t*)
@@ -4603,9 +4632,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
 
 	if (td->td_compression != COMPRESSION_NONE) {
 		uint64_t space;
-		uint64_t filesize;
 		uint16_t n;
-		filesize = TIFFGetFileSize(tif);
 		if (!(tif->tif_flags&TIFF_BIGTIFF))
 			space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
 		else
@@ -4913,6 +4940,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
 			dircount16 = (uint16_t)dircount64;
 			dirsize = 20;
 		}
+		/* Before allocating a huge amount of memory for corrupted files, check
+		 * if size of requested memory is not greater than file size. */
+		uint64_t filesize = TIFFGetFileSize(tif);
+		uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+		if (allocsize > filesize)
+		{
+			TIFFWarningExt(
+				tif->tif_clientdata, module,
+				"Requested memory size for TIFF directory of %" PRIu64
+				" is greather than filesize %" PRIu64
+				". Memory not allocated, TIFF directory not read",
+				allocsize, filesize);
+			return 0;
+		}
 		origdir = _TIFFCheckMalloc(tif, dircount16,
 		    dirsize, "to read TIFF directory");
 		if (origdir == NULL)
@@ -5016,6 +5057,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
 			             "Sanity check on directory count failed, zero tag directories not supported");
 			return 0;
 		}
+		/* Before allocating a huge amount of memory for corrupted files, check
+		 * if size of requested memory is not greater than file size. */
+		uint64_t filesize = TIFFGetFileSize(tif);
+		uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+		if (allocsize > filesize)
+		{
+			TIFFWarningExt(
+				tif->tif_clientdata, module,
+				"Requested memory size for TIFF directory of %" PRIu64
+				" is greather than filesize %" PRIu64
+				". Memory not allocated, TIFF directory not read",
+				allocsize, filesize);
+			return 0;
+		}
 		origdir = _TIFFCheckMalloc(tif, dircount16,
 						dirsize,
 						"to read TIFF directory");
@@ -5059,6 +5114,8 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
 			}
 		}
 	}
+	/* No check against filesize needed here because "dir" should have same size
+	 * than "origdir" checked above. */
 	dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
 						sizeof(TIFFDirEntry),
 						"to read TIFF directory");
@@ -5853,6 +5910,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
 			return(0);
 		}
 
+		/* Before allocating a huge amount of memory for corrupted files, check
+		 * if size of requested memory is not greater than file size. */
+		uint64_t filesize = TIFFGetFileSize(tif);
+		uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+		if (allocsize > filesize)
+		{
+			TIFFWarningExt(tif->tif_clientdata, module,
+							"Requested memory size for StripArray of %" PRIu64
+							" is greather than filesize %" PRIu64
+							". Memory not allocated",
+							allocsize, filesize);
+			_TIFFfree(data);
+			return (0);
+		}
 		resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
 		if (resizeddata==0) {
 			_TIFFfree(data);
@@ -5948,6 +6019,23 @@ static void allocChoppedUpStripArrays(TI
     }
     bytecount = last_offset + last_bytecount - offset;
 
+	/* Before allocating a huge amount of memory for corrupted files, check if
+	 * size of StripByteCount and StripOffset tags is not greater than
+	 * file size.
+	 */
+	uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+	uint64_t filesize = TIFFGetFileSize(tif);
+	if (allocsize > filesize)
+	{
+		TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+						"Requested memory size for StripByteCount and "
+						"StripOffsets %" PRIu64
+						" is greather than filesize %" PRIu64
+						". Memory not allocated",
+						allocsize, filesize);
+		return;
+	}
+
     newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
                                              "for chopped \"StripByteCounts\" array");
     newoffsets = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),