CVE: CVE-2023-6277
Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
Signed-off-by: Lee Chee Yang
[Ubuntu note: Backport of the following patch from upstream, with a few changes to match the current version of the file in the present Ubuntu release: . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet); -- Rodrigo Figueiredo Zaiden]
Backport of:
From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Tue, 31 Oct 2023 21:30:58 +0100
Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough RAM requests
---
 libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------
 1 file changed, 31 insertions(+), 23 deletions(-)
--- tiff-4.3.0.orig/libtiff/tif_dirread.c
+++ tiff-4.3.0/libtiff/tif_dirread.c
@@ -5905,19 +5905,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
 return(0);
 }
- /* Before allocating a huge amount of memory for corrupted files, check
- * if size of requested memory is not greater than file size. */
- uint64_t filesize = TIFFGetFileSize(tif);
- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
- if (allocsize > filesize)
+ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+ if (allocsize > 100 * 1024 * 1024)
 {
- TIFFWarningExt(tif->tif_clientdata, module,
- "Requested memory size for StripArray of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- _TIFFfree(data);
- return (0);
+ /* Before allocating a huge amount of memory for corrupted files,
+ * check if size of requested memory is not greater than file size.
+ */
+ const uint64_t filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(
+ tif->tif_clientdata, module,
+ "Requested memory size for StripArray of %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ _TIFFfree(data);
+ return (0);
+ }
 }
 resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
 if (resizeddata==0) {
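Review bot: The 100 MiB cut-off is written as the bare literal `100 * 1024 * 1024` in both TIFFFetchStripThing and allocChoppedUpStripArrays (the second hunk), and neither place has a comment saying why requests at or below it skip the file-size comparison. Judging by the subject line this is meant to avoid a TIFFGetFileSize() call for ordinary files, but it also means a small crafted file can still drive strip-array allocations up to that size unchecked, so callers that parse untrusted TIFFs should keep their own memory limit in place. I would hoist the value into one named constant, for example `#define STRIP_ARRAY_FILESIZE_CHECK_THRESHOLD (100u * 1024u * 1024u)`, with a comment stating that allocations at or below it are deliberately not validated against the file size. Both function bodies continue outside the hunks.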
@@ -6018,17 +6023,20 @@ static void allocChoppedUpStripArrays(TI
 * size of StripByteCount and StripOffset tags is not greater than
 * file size. */
- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
- uint64_t filesize = TIFFGetFileSize(tif);
- if (allocsize > filesize)
+ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+ if (allocsize > 100 * 1024 * 1024)
 {
- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
- "Requested memory size for StripByteCount and "
- "StripOffsets %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- return;
+ const uint64_t filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+ "Requested memory size for StripByteCount and "
+ "StripOffsets %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return;
+ }
 }
 newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),