https://pdfium-review.googlesource.com/3811
https://crbug.com/707431
https://pdfium.googlesource.com/pdfium/+/master/libtiff/

Author: Nicolas Pena <npm@chromium.org>
Date:   Wed Apr 5 15:50:53 2017 -0400

Libtiff: Prevent OOM in TIFFFillStrip

In TIFFFillStrip, calls to TIFFReadBufferSetup may allocate large amounts of
memory. In this CL we do sanity checks on the claimed size of the raw strip
data before that happens, to prevent out-of-memory.

--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -616,6 +616,13 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
 				TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
 				return(0);
 			}
+                       const tmsize_t size=isMapped(tif)? tif->tif_size : (tmsize_t)TIFFGetFileSize(tif);
+                       if (bytecountm > size) {
+                               TIFFErrorExt(tif->tif_clientdata, module,
+                                       "Requested read strip size %lu is too large",
+                                       (unsigned long) strip);
+                               return (0);
+                       }
 			if (bytecountm > tif->tif_rawdatasize) {
 				tif->tif_curstrip = NOSTRIP;
 				if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {
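Review bot: The error message in the added check labels the printed value as the "read strip size" but passes `strip`, the strip index, so a rejected file logs the wrong quantity; print both, e.g. `"Read error on strip %lu; requested size %lu exceeds file size", (unsigned long) strip, (unsigned long) bytecountm`. The guard compares the claimed count against the whole file rather than the bytes remaining after the strip's offset, which is fine as an OOM guard but deserves a comment such as `/* Upper bound only: a strip can never be larger than the file it lives in. */` so a later reader does not mistake it for a full bounds check. Casting the result of TIFFGetFileSize() to tmsize_t can truncate on builds where tmsize_t is 32 bits, turning a large-file size into a small or negative bound that rejects valid strips; the width of tmsize_t is not visible here, so this is inferred. As a point of style, `const tmsize_t size` is declared after statements, which the surrounding C89-style code avoids, and the new lines are indented with spaces where the rest of the block uses tabs.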