1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
Backport of:
From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 31 Oct 2023 20:13:45 +0100
Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize
check
CoverityScan rightly points that the max value for dircount16 * dirsize
is 4096 * 20. That's small enough not to do any check
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-3.patch?h=ubuntu/focal-security
Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3]
CVE: CVE-2023-6277
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libtiff/tif_dirread.c | 18 ------------------
1 file changed, 18 deletions(-)
--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
+++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
@@ -4891,24 +4891,6 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
dircount16 = (uint16)dircount64;
dirsize = 20;
}
- const uint64 allocsize = (uint64)dircount16 * dirsize;
- if (allocsize > 100 * 1024 * 1024)
- {
- /* Before allocating a huge amount of memory for corrupted files,
- * check if size of requested memory is not greater than file size.
- */
- const uint64 filesize = TIFFGetFileSize(tif);
- if (allocsize > filesize)
- {
- TIFFWarningExt(
- tif->tif_clientdata, module,
- "Requested memory size for TIFF directory of %" PRIu64
- " is greater than filesize %" PRIu64
- ". Memory not allocated, TIFF directory not read",
- allocsize, filesize);
- return 0;
- }
- }
origdir = _TIFFCheckMalloc(tif, dircount16,
dirsize, "to read TIFF directory");
if (origdir == NULL)
|