File tiff-CVE-2020-35521,CVE-2020-35522.patch of Package tiff

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-CVE-2020-35521,CVE-2020-35522.patch of Package tiff (Revision eef8a505f97181634559a40b6b90fee6)

Currently displaying revision eef8a505f97181634559a40b6b90fee6 , Show latest

Index: tiff-4.0.9/man/tiff2rgba.1
===================================================================
--- tiff-4.0.9.orig/man/tiff2rgba.1
+++ tiff-4.0.9/man/tiff2rgba.1
@@ -88,6 +88,10 @@ Drop the alpha component from the output
 Currently this does not work if the
 .B \-b
 flag is also in effect.
+.TP
+.BI \-M " size"
+Set maximum memory allocation size (in MiB). The default is 256MiB.
+Set to 0 to disable the limit.
 .SH "SEE ALSO"
 .BR tiff2bw (1),
 .BR TIFFReadRGBAImage (3t),
Index: tiff-4.0.9/tools/tiff2rgba.c
===================================================================
--- tiff-4.0.9.orig/tools/tiff2rgba.c
+++ tiff-4.0.9/tools/tiff2rgba.c
@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
 int process_by_block = 0; /* default is whole image at once */
 int no_alpha = 0;
 int bigtiff_output = 0;
+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
+/* malloc size limit (in bytes)
+ *  * disabled when set to 0 */
+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
 
 
 static int tiffcvt(TIFF* in, TIFF* out);
@@ -70,8 +74,11 @@ main(int argc, char* argv[])
 	extern char *optarg;
 #endif
 
-	while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
+	while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1)
 		switch (c) {
+			case 'M':
+				maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
+				break;
 			case 'b':
 				process_by_block = 1;
 				break;
@@ -398,6 +405,13 @@ cvt_whole_image( TIFF *in, TIFF *out )
         return 0;
     }
 
+	if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
+		TIFFError(TIFFFileName(in),
+				"Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
+				(uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
+		return 0;
+	}
+
     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
 
@@ -522,6 +536,15 @@ tiffcvt(TIFF* in, TIFF* out)
 	TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
 	CopyField(TIFFTAG_DOCUMENTNAME, stringv);
 
+	if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
+	{
+		TIFFError(TIFFFileName(in),
+				"Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
+				(uint64)TIFFStripSize(in), (uint64)maxMalloc);
+		return 0;
+	}
+
+
         if( process_by_block && TIFFIsTiled( in ) )
             return( cvt_by_tile( in, out ) );
         else if( process_by_block )
@@ -531,7 +554,7 @@ tiffcvt(TIFF* in, TIFF* out)
 }
 
 static char* stuff[] = {
-    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
     "where comp is one of the following compression algorithms:",
     " jpeg\t\tJPEG encoding",
     " zip\t\tZip/Deflate encoding",
@@ -543,6 +566,7 @@ static char* stuff[] = {
     " -b (progress by block rather than as a whole image)",
     " -n don't emit alpha component.",
     " -8 write BigTIFF file instead of ClassicTIFF",
+    " -M set the memory allocation limit in MiB. 0 to disable limit",
     NULL
 };

Places

File tiff-CVE-2020-35521,CVE-2020-35522.patch of Package tiff (Revision eef8a505f97181634559a40b6b90fee6)

Places