From daac7c494df970a6e5065d53809c4e09d7b5acc9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lucio=20Andr=C3=A9s=20Illanes=20Albornoz?= Date: Fri, 7 Sep 2018 19:06:53 +0000 Subject: patches/tiff/CVE-{2017-{11613,17095,9935},2018-{10963,8905}}.patch: imported from aports (via Redfoxmoon.) --- patches/tiff/CVE-2017-11613.patch | 44 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 patches/tiff/CVE-2017-11613.patch (limited to 'patches/tiff/CVE-2017-11613.patch') diff --git a/patches/tiff/CVE-2017-11613.patch b/patches/tiff/CVE-2017-11613.patch new file mode 100644 index 00000000..b3f600a9 --- /dev/null +++ b/patches/tiff/CVE-2017-11613.patch @@ -0,0 +1,44 @@ +From 5c3bc1c78dfe05eb5f4224650ad606b75e1f7034 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 11 Mar 2018 11:14:01 +0100 +Subject: [PATCH] ChopUpSingleUncompressedStrip: avoid memory exhaustion + (CVE-2017-11613) + +In ChopUpSingleUncompressedStrip(), if the computed number of strips is big +enough and we are in read only mode, validate that the file size is consistent +with that number of strips to avoid useless attempts at allocating a lot of +memory for the td_stripbytecount and td_stripoffset arrays. + +Rework fix done in 3719385a3fac5cfb20b487619a5f08abbf967cf8 to work in more +cases like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6979. +Credit to OSS Fuzz + +Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2724 +--- + libtiff/tif_dirread.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 80aaf8d..5896a78 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5760,6 +5760,16 @@ ChopUpSingleUncompressedStrip(TIFF* tif) + if( nstrips == 0 ) + return; + ++ /* If we are going to allocate a lot of memory, make sure that the */ ++ /* file is as big as needed */ ++ if( tif->tif_mode == O_RDONLY && ++ nstrips > 1000000 && ++ (offset >= TIFFGetFileSize(tif) || ++ stripbytes > (TIFFGetFileSize(tif) - offset) / (nstrips - 1)) ) ++ { ++ return; ++ } ++ + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), + "for chopped \"StripByteCounts\" array"); + newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), +-- +2.17.1 + -- cgit v1.2.3