path: root/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
CVE: CVE-2023-6277
Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a 
ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>

[Ubuntu note: Backport of the following patch from upstream, with a few changes
to match the current version of the file in the present Ubuntu release:
 . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
 . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
-- Rodrigo Figueiredo Zaiden]

Backport of:

From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 31 Oct 2023 15:43:29 +0000
Subject: [PATCH] Prevent some out-of-memory attacks

Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.

At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.

See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
---
 libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 90 insertions(+), 2 deletions(-)

--- tiff-4.3.0.orig/libtiff/tif_dirread.c
+++ tiff-4.3.0/libtiff/tif_dirread.c
@@ -866,6 +866,21 @@ static enum TIFFReadDirEntryErr TIFFRead
 	datasize=(*count)*typesize;
 	assert((tmsize_t)datasize>0);
 
+	/* Before allocating a huge amount of memory for corrupted files, check if
+	 * size of requested memory is not greater than file size.
+	 */
+	uint64_t filesize = TIFFGetFileSize(tif);
+	if (datasize > filesize)
+	{
+		TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+						"Requested memory size for tag %d (0x%x) %" PRIu32
+						" is greather than filesize %" PRIu64
+						". Memory not allocated, tag not read",
+						direntry->tdir_tag, direntry->tdir_tag, datasize,
+						filesize);
+		return (TIFFReadDirEntryErrAlloc);
+	}
+
 	if( isMapped(tif) && datasize > (uint64_t)tif->tif_size )
 		return TIFFReadDirEntryErrIo;
 
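Review bot: The warning text added here misspells "greater" as "greather" (`" is greather than filesize %" PRIu64` on the third line of the message), and the identical string is repeated in the hunks at @@ -4593, @@ -4913, @@ -5016, @@ -5853 and @@ -5948; since these are user-visible diagnostics, fix the spelling in all six. Separately, this check now calls TIFFGetFileSize() for every array-valued tag, so a client whose size callback cannot report a size (returns 0, e.g. a non-seekable stream) would presumably have every such tag rejected with TIFFReadDirEntryErrAlloc; if that case is supported, guard with `if (filesize > 0 && datasize > filesize)` or confirm that TIFFGetFileSize() always yields a real size on this path. The enclosing function starts before this hunk and continues after it.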
@@ -4593,6 +4608,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
         if( !_TIFFFillStrilesInternal( tif, 0 ) )
             return -1;
 
+	/* Before allocating a huge amount of memory for corrupted files, check if
+	 * size of requested memory is not greater than file size. */
+	uint64_t filesize = TIFFGetFileSize(tif);
+	uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+	if (allocsize > filesize)
+	{
+		TIFFWarningExt(tif->tif_clientdata, module,
+						"Requested memory size for StripByteCounts of %" PRIu64
+						" is greather than filesize %" PRIu64
+						". Memory not allocated",
+						allocsize, filesize);
+		return -1;
+	}
+
 	if (td->td_stripbytecount_p)
 		_TIFFfree(td->td_stripbytecount_p);
 	td->td_stripbytecount_p = (uint64_t*)
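Review bot: `uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);` hard-codes the element size separately from the allocation it guards (the `_TIFFCheckMalloc` that begins on the last hunk line and continues beyond it); tying it to the target, `uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof *td->td_stripbytecount_p;`, keeps the two from diverging, and the same applies to `nstrips * sizeof(uint64_t)` in the @@ -5853 hunk. The new `filesize` is also declared mid-block and, per the following hunk, replaces the local formerly declared inside the `td_compression != COMPRESSION_NONE` block, so it must sit in a scope enclosing that block — worth confirming, since neither the function head nor that block's position is visible here. EstimateStripByteCounts starts and ends outside this hunk.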
@@ -4603,9 +4632,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
 
 	if (td->td_compression != COMPRESSION_NONE) {
 		uint64_t space;
-		uint64_t filesize;
 		uint16_t n;
-		filesize = TIFFGetFileSize(tif);
 		if (!(tif->tif_flags&TIFF_BIGTIFF))
 			space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
 		else
@@ -4913,6 +4940,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
 			dircount16 = (uint16_t)dircount64;
 			dirsize = 20;
 		}
+		/* Before allocating a huge amount of memory for corrupted files, check
+		 * if size of requested memory is not greater than file size. */
+		uint64_t filesize = TIFFGetFileSize(tif);
+		uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+		if (allocsize > filesize)
+		{
+			TIFFWarningExt(
+				tif->tif_clientdata, module,
+				"Requested memory size for TIFF directory of %" PRIu64
+				" is greather than filesize %" PRIu64
+				". Memory not allocated, TIFF directory not read",
+				allocsize, filesize);
+			return 0;
+		}
 		origdir = _TIFFCheckMalloc(tif, dircount16,
 		    dirsize, "to read TIFF directory");
 		if (origdir == NULL)
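Review bot: The 14 lines added before `origdir = _TIFFCheckMalloc(...)` here are repeated byte-for-byte in the @@ -5016 hunk, message text included; two copies of a size check plus diagnostic are likely to drift the next time either is edited (the "greather" spelling already needs fixing in both). Factor the check into one static helper that returns non-zero when the allocation is acceptable and call it from both sites as `if (!TIFFCheckDirAllocSize(tif, module, dircount16, dirsize)) return 0;`. The helper name and parameter types below are a proposal; the declared type of `dirsize` is not visible in the hunk. TIFFFetchDirectory starts and ends outside this hunk.
```c
/* Return non-zero when dircount16 * dirsize bytes may be allocated for a
 * directory read, i.e. the request does not exceed the file size. */
static int TIFFCheckDirAllocSize(TIFF *tif, const char *module,
                                 uint16_t dircount16, uint64_t dirsize)
{
	uint64_t filesize = TIFFGetFileSize(tif);
	uint64_t allocsize = (uint64_t)dircount16 * dirsize;
	if (allocsize > filesize)
	{
		TIFFWarningExt(tif->tif_clientdata, module,
			"Requested memory size for TIFF directory of %" PRIu64
			" is greater than filesize %" PRIu64
			". Memory not allocated, TIFF directory not read",
			allocsize, filesize);
		return 0;
	}
	return 1;
}

/* … at both call sites, replacing the inline check … */
		if (!TIFFCheckDirAllocSize(tif, module, dircount16, dirsize))
			return 0;
		origdir = _TIFFCheckMalloc(tif, dircount16,
```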
@@ -5016,6 +5057,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
 			             "Sanity check on directory count failed, zero tag directories not supported");
 			return 0;
 		}
+		/* Before allocating a huge amount of memory for corrupted files, check
+		 * if size of requested memory is not greater than file size. */
+		uint64_t filesize = TIFFGetFileSize(tif);
+		uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+		if (allocsize > filesize)
+		{
+			TIFFWarningExt(
+				tif->tif_clientdata, module,
+				"Requested memory size for TIFF directory of %" PRIu64
+				" is greather than filesize %" PRIu64
+				". Memory not allocated, TIFF directory not read",
+				allocsize, filesize);
+			return 0;
+		}
 		origdir = _TIFFCheckMalloc(tif, dircount16,
 						dirsize,
 						"to read TIFF directory");
@@ -5059,6 +5114,8 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
 			}
 		}
 	}
+	/* No check against filesize needed here because "dir" should have same size
+	 * than "origdir" checked above. */
 	dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
 						sizeof(TIFFDirEntry),
 						"to read TIFF directory");
@@ -5853,6 +5910,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
 			return(0);
 		}
 
+		/* Before allocating a huge amount of memory for corrupted files, check
+		 * if size of requested memory is not greater than file size. */
+		uint64_t filesize = TIFFGetFileSize(tif);
+		uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+		if (allocsize > filesize)
+		{
+			TIFFWarningExt(tif->tif_clientdata, module,
+							"Requested memory size for StripArray of %" PRIu64
+							" is greather than filesize %" PRIu64
+							". Memory not allocated",
+							allocsize, filesize);
+			_TIFFfree(data);
+			return (0);
+		}
 		resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
 		if (resizeddata==0) {
 			_TIFFfree(data);
@@ -5948,6 +6019,23 @@ static void allocChoppedUpStripArrays(TI
     }
     bytecount = last_offset + last_bytecount - offset;
 
+	/* Before allocating a huge amount of memory for corrupted files, check if
+	 * size of StripByteCount and StripOffset tags is not greater than
+	 * file size.
+	 */
+	uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+	uint64_t filesize = TIFFGetFileSize(tif);
+	if (allocsize > filesize)
+	{
+		TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+						"Requested memory size for StripByteCount and "
+						"StripOffsets %" PRIu64
+						" is greather than filesize %" PRIu64
+						". Memory not allocated",
+						allocsize, filesize);
+		return;
+	}
+
     newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
                                              "for chopped \"StripByteCounts\" array");
     newoffsets = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),