git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/blob

   1 From b33baa5d9c6aac8ce49b5180dd48e39697ab7a11 Mon Sep 17 00:00:00 2001
   2 From: Su_Laus <sulau@freenet.de>
   3 Date: Fri, 27 Oct 2023 22:11:10 +0200
   4 Subject: [PATCH 1/3] At image reading, compare data size of some tags / data
   5  structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with
   6  file size to prevent provoked out-of-memory attacks.
   7
   8 See issue #614.
   9
  10 CVE: CVE-2023-6277
  11 Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545]
  12 Signed-off-by: Khem Raj <raj.khem@gmail.com>
  13 ---
  14  libtiff/tif_dirread.c | 90 +++++++++++++++++++++++++++++++++++++++++++
  15  1 file changed, 90 insertions(+)
  16
  17 diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
  18 index 2c49dc6..c52d41f 100644
  19 --- a/libtiff/tif_dirread.c
  20 +++ b/libtiff/tif_dirread.c
  21 @@ -1308,6 +1308,21 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
  22      datasize = (*count) * typesize;
  23      assert((tmsize_t)datasize > 0);
  24
  25 +    /* Before allocating a huge amount of memory for corrupted files, check if
  26 +     * size of requested memory is not greater than file size.
  27 +     */
  28 +    uint64_t filesize = TIFFGetFileSize(tif);
  29 +    if (datasize > filesize)
  30 +    {
  31 +        TIFFWarningExtR(tif, "ReadDirEntryArray",
  32 +                        "Requested memory size for tag %d (0x%x) %" PRIu32
  33 +                        " is greather than filesize %" PRIu64
  34 +                        ". Memory not allocated, tag not read",
  35 +                        direntry->tdir_tag, direntry->tdir_tag, datasize,
  36 +                        filesize);
  37 +        return (TIFFReadDirEntryErrAlloc);
  38 +    }
  39 +
  40      if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
  41          return TIFFReadDirEntryErrIo;
  42
  43 @@ -5266,6 +5281,20 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
  44      if (!_TIFFFillStrilesInternal(tif, 0))
  45          return -1;
  46
  47 +    /* Before allocating a huge amount of memory for corrupted files, check if
  48 +     * size of requested memory is not greater than file size. */
  49 +    uint64_t filesize = TIFFGetFileSize(tif);
  50 +    uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
  51 +    if (allocsize > filesize)
  52 +    {
  53 +        TIFFWarningExtR(tif, module,
  54 +                        "Requested memory size for StripByteCounts of %" PRIu64
  55 +                        " is greather than filesize %" PRIu64
  56 +                        ". Memory not allocated",
  57 +                        allocsize, filesize);
  58 +        return -1;
  59 +    }
  60 +
  61      if (td->td_stripbytecount_p)
  62          _TIFFfreeExt(tif, td->td_stripbytecount_p);
  63      td->td_stripbytecount_p = (uint64_t *)_TIFFCheckMalloc(
  64 @@ -5807,6 +5836,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
  65              dircount16 = (uint16_t)dircount64;
  66              dirsize = 20;
  67          }
  68 +        /* Before allocating a huge amount of memory for corrupted files, check
  69 +         * if size of requested memory is not greater than file size. */
  70 +        uint64_t filesize = TIFFGetFileSize(tif);
  71 +        uint64_t allocsize = (uint64_t)dircount16 * dirsize;
  72 +        if (allocsize > filesize)
  73 +        {
  74 +            TIFFWarningExtR(
  75 +                tif, module,
  76 +                "Requested memory size for TIFF directory of %" PRIu64
  77 +                " is greather than filesize %" PRIu64
  78 +                ". Memory not allocated, TIFF directory not read",
  79 +                allocsize, filesize);
  80 +            return 0;
  81 +        }
  82          origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
  83                                     "to read TIFF directory");
  84          if (origdir == NULL)
  85 @@ -5921,6 +5964,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
  86                            "directories not supported");
  87              return 0;
  88          }
  89 +        /* Before allocating a huge amount of memory for corrupted files, check
  90 +         * if size of requested memory is not greater than file size. */
  91 +        uint64_t filesize = TIFFGetFileSize(tif);
  92 +        uint64_t allocsize = (uint64_t)dircount16 * dirsize;
  93 +        if (allocsize > filesize)
  94 +        {
  95 +            TIFFWarningExtR(
  96 +                tif, module,
  97 +                "Requested memory size for TIFF directory of %" PRIu64
  98 +                " is greather than filesize %" PRIu64
  99 +                ". Memory not allocated, TIFF directory not read",
 100 +                allocsize, filesize);
 101 +            return 0;
 102 +        }
 103          origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
 104                                     "to read TIFF directory");
 105          if (origdir == NULL)
 106 @@ -5968,6 +6025,8 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
 107              }
 108          }
 109      }
 110 +    /* No check against filesize needed here because "dir" should have same size
 111 +     * than "origdir" checked above. */
 112      dir = (TIFFDirEntry *)_TIFFCheckMalloc(
 113          tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory");
 114      if (dir == 0)
 115 @@ -7164,6 +7223,20 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
 116              return (0);
 117          }
 118
 119 +        /* Before allocating a huge amount of memory for corrupted files, check
 120 +         * if size of requested memory is not greater than file size. */
 121 +        uint64_t filesize = TIFFGetFileSize(tif);
 122 +        uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
 123 +        if (allocsize > filesize)
 124 +        {
 125 +            TIFFWarningExtR(tif, module,
 126 +                            "Requested memory size for StripArray of %" PRIu64
 127 +                            " is greather than filesize %" PRIu64
 128 +                            ". Memory not allocated",
 129 +                            allocsize, filesize);
 130 +            _TIFFfreeExt(tif, data);
 131 +            return (0);
 132 +        }
 133          resizeddata = (uint64_t *)_TIFFCheckMalloc(
 134              tif, nstrips, sizeof(uint64_t), "for strip array");
 135          if (resizeddata == 0)
 136 @@ -7263,6 +7336,23 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
 137      }
 138      bytecount = last_offset + last_bytecount - offset;
 139
 140 +    /* Before allocating a huge amount of memory for corrupted files, check if
 141 +     * size of StripByteCount and StripOffset tags is not greater than
 142 +     * file size.
 143 +     */
 144 +    uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
 145 +    uint64_t filesize = TIFFGetFileSize(tif);
 146 +    if (allocsize > filesize)
 147 +    {
 148 +        TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
 149 +                        "Requested memory size for StripByteCount and "
 150 +                        "StripOffsets %" PRIu64
 151 +                        " is greather than filesize %" PRIu64
 152 +                        ". Memory not allocated",
 153 +                        allocsize, filesize);
 154 +        return;
 155 +    }
 156 +
 157      newcounts =
 158          (uint64_t *)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t),
 159                                       "for chopped \"StripByteCounts\" array");
 160 --
 161 2.43.0
 162