1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
|
[Ubuntu note: Backport of the following patch from upstream, with a few changes
to match the current version of the file in the present Ubuntu release:
. included inttypes.h header to support PRIu32 and PRIu64;
. using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
. using uint64 instead of uint64_t to preserve the current code usage;
. calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
. calls to the check size, that is the idea of the patch, were added before
_TIFFCheckMalloc and may note match the original patch methods;
-- Rodrigo Figueiredo Zaiden]
Backport of:
From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 31 Oct 2023 15:43:29 +0000
Subject: [PATCH] Prevent some out-of-memory attacks
Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-1.patch?h=ubuntu/focal-security
Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a]
CVE: CVE-2023-6277
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 90 insertions(+), 2 deletions(-)
--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
@@ -37,6 +37,7 @@
#include "tiffiop.h"
#include <float.h>
#include <stdlib.h>
+#include <inttypes.h>
#define FAILED_FII ((uint32) -1)
@@ -863,6 +864,21 @@ static enum TIFFReadDirEntryErr TIFFRead
datasize=(*count)*typesize;
assert((tmsize_t)datasize>0);
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of requested memory is not greater than file size.
+ */
+ uint64 filesize = TIFFGetFileSize(tif);
+ if (datasize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+ "Requested memory size for tag %d (0x%x) %" PRIu32
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, tag not read",
+ direntry->tdir_tag, direntry->tdir_tag, datasize,
+ filesize);
+ return (TIFFReadDirEntryErrAlloc);
+ }
+
if( isMapped(tif) && datasize > (uint32)tif->tif_size )
return TIFFReadDirEntryErrIo;
@@ -4534,6 +4550,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
if( !_TIFFFillStrilesInternal( tif, 0 ) )
return -1;
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of requested memory is not greater than file size. */
+ uint64 filesize = TIFFGetFileSize(tif);
+ uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Requested memory size for StripByteCounts of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return -1;
+ }
+
if (td->td_stripbytecount_p)
_TIFFfree(td->td_stripbytecount_p);
td->td_stripbytecount_p = (uint64*)
@@ -4544,9 +4574,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
if (td->td_compression != COMPRESSION_NONE) {
uint64 space;
- uint64 filesize;
uint16 n;
- filesize = TIFFGetFileSize(tif);
if (!(tif->tif_flags&TIFF_BIGTIFF))
space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
else
@@ -4854,6 +4882,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
dircount16 = (uint16)dircount64;
dirsize = 20;
}
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64 filesize = TIFFGetFileSize(tif);
+ uint64 allocsize = (uint64)dircount16 * dirsize;
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(
+ tif->tif_clientdata, module,
+ "Requested memory size for TIFF directory of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, TIFF directory not read",
+ allocsize, filesize);
+ return 0;
+ }
origdir = _TIFFCheckMalloc(tif, dircount16,
dirsize, "to read TIFF directory");
if (origdir == NULL)
@@ -4957,6 +4999,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
"Sanity check on directory count failed, zero tag directories not supported");
return 0;
}
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64 filesize = TIFFGetFileSize(tif);
+ uint64 allocsize = (uint64)dircount16 * dirsize;
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(
+ tif->tif_clientdata, module,
+ "Requested memory size for TIFF directory of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, TIFF directory not read",
+ allocsize, filesize);
+ return 0;
+ }
origdir = _TIFFCheckMalloc(tif, dircount16,
dirsize,
"to read TIFF directory");
@@ -5000,6 +5056,8 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
}
}
}
+ /* No check against filesize needed here because "dir" should have same size
+ * than "origdir" checked above. */
dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
sizeof(TIFFDirEntry),
"to read TIFF directory");
@@ -5769,7 +5827,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
_TIFFfree(data);
return(0);
}
-
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64 filesize = TIFFGetFileSize(tif);
+ uint64 allocsize = (uint64)nstrips * sizeof(uint64);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Requested memory size for StripArray of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ _TIFFfree(data);
+ return (0);
+ }
resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
if (resizeddata==0) {
_TIFFfree(data);
@@ -5865,6 +5936,23 @@ static void allocChoppedUpStripArrays(TI
}
bytecount = last_offset + last_bytecount - offset;
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of StripByteCount and StripOffset tags is not greater than
+ * file size.
+ */
+ uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
+ uint64 filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+ "Requested memory size for StripByteCount and "
+ "StripOffsets %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return;
+ }
+
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array");
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
|
