34 lines
1.2 KiB
Diff
34 lines
1.2 KiB
Diff
|
From 7a092f8af2568d61993a8cc2e7a35a998d7d37be Mon Sep 17 00:00:00 2001
|
||
|
From: Even Rouault <even.rouault@spatialys.com>
|
||
|
Date: Sat, 17 Mar 2018 09:36:29 +0100
|
||
|
Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)
|
||
|
|
||
|
Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more
|
||
|
cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979.
|
||
|
Credit to OSS Fuzz
|
||
|
|
||
|
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724
|
||
|
---
|
||
|
libtiff/tif_dirread.c | 5 ++---
|
||
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||
|
index 1a3259c..6baa7b3 100644
|
||
|
--- a/libtiff/tif_dirread.c
|
||
|
+++ b/libtiff/tif_dirread.c
|
||
|
@@ -5702,9 +5702,8 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
|
||
|
/* file is as big as needed */
|
||
|
if( tif->tif_mode == O_RDONLY &&
|
||
|
nstrips > 1000000 &&
|
||
|
- (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) ||
|
||
|
- tif->tif_dir.td_stripbytecount[0] >
|
||
|
- TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )
|
||
|
+ (offset >= TIFFGetFileSize(tif) ||
|
||
|
+ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) )
|
||
|
{
|
||
|
return;
|
||
|
}
|
||
|
--
|
||
|
libgit2 0.27.0
|
||
|
|