mirror of
https://git.yoctoproject.org/poky
synced 2026-05-01 15:32:12 +02:00
1921c27946
import patch from ubuntu to fix CVE-2023-52356 CVE-2023-6277 import from http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz (From OE-Core rev: 4728df36bb3888df4d3cc0db1fd66138e865c511) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
179 lines
6.8 KiB
Diff
179 lines
6.8 KiB
Diff
CVE: CVE-2023-6277
|
|
Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a
|
|
ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
|
|
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
|
|
|
|
[Ubuntu note: Backport of the following patch from upstream, with a few changes
|
|
to match the current version of the file in the present Ubuntu release:
|
|
. using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
|
|
. calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
|
|
-- Rodrigo Figueiredo Zaiden]
|
|
|
|
Backport of:
|
|
|
|
From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
|
|
From: Su Laus <sulau@freenet.de>
|
|
Date: Tue, 31 Oct 2023 15:43:29 +0000
|
|
Subject: [PATCH] Prevent some out-of-memory attacks
|
|
|
|
Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
|
|
|
|
At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
|
|
|
|
See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
|
|
---
|
|
libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
|
|
1 file changed, 90 insertions(+), 2 deletions(-)
|
|
|
|
--- tiff-4.3.0.orig/libtiff/tif_dirread.c
|
|
+++ tiff-4.3.0/libtiff/tif_dirread.c
|
|
@@ -866,6 +866,21 @@ static enum TIFFReadDirEntryErr TIFFRead
|
|
datasize=(*count)*typesize;
|
|
assert((tmsize_t)datasize>0);
|
|
|
|
+ /* Before allocating a huge amount of memory for corrupted files, check if
|
|
+ * size of requested memory is not greater than file size.
|
|
+ */
|
|
+ uint64_t filesize = TIFFGetFileSize(tif);
|
|
+ if (datasize > filesize)
|
|
+ {
|
|
+ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
|
|
+ "Requested memory size for tag %d (0x%x) %" PRIu32
|
|
+ " is greather than filesize %" PRIu64
|
|
+ ". Memory not allocated, tag not read",
|
|
+ direntry->tdir_tag, direntry->tdir_tag, datasize,
|
|
+ filesize);
|
|
+ return (TIFFReadDirEntryErrAlloc);
|
|
+ }
|
|
+
|
|
if( isMapped(tif) && datasize > (uint64_t)tif->tif_size )
|
|
return TIFFReadDirEntryErrIo;
|
|
|
|
@@ -4593,6 +4608,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
|
|
if( !_TIFFFillStrilesInternal( tif, 0 ) )
|
|
return -1;
|
|
|
|
+ /* Before allocating a huge amount of memory for corrupted files, check if
|
|
+ * size of requested memory is not greater than file size. */
|
|
+ uint64_t filesize = TIFFGetFileSize(tif);
|
|
+ uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
|
|
+ if (allocsize > filesize)
|
|
+ {
|
|
+ TIFFWarningExt(tif->tif_clientdata, module,
|
|
+ "Requested memory size for StripByteCounts of %" PRIu64
|
|
+ " is greather than filesize %" PRIu64
|
|
+ ". Memory not allocated",
|
|
+ allocsize, filesize);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
if (td->td_stripbytecount_p)
|
|
_TIFFfree(td->td_stripbytecount_p);
|
|
td->td_stripbytecount_p = (uint64_t*)
|
|
@@ -4603,9 +4632,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
|
|
|
|
if (td->td_compression != COMPRESSION_NONE) {
|
|
uint64_t space;
|
|
- uint64_t filesize;
|
|
uint16_t n;
|
|
- filesize = TIFFGetFileSize(tif);
|
|
if (!(tif->tif_flags&TIFF_BIGTIFF))
|
|
space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
|
|
else
|
|
@@ -4913,6 +4940,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
|
|
dircount16 = (uint16_t)dircount64;
|
|
dirsize = 20;
|
|
}
|
|
+ /* Before allocating a huge amount of memory for corrupted files, check
|
|
+ * if size of requested memory is not greater than file size. */
|
|
+ uint64_t filesize = TIFFGetFileSize(tif);
|
|
+ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
|
|
+ if (allocsize > filesize)
|
|
+ {
|
|
+ TIFFWarningExt(
|
|
+ tif->tif_clientdata, module,
|
|
+ "Requested memory size for TIFF directory of %" PRIu64
|
|
+ " is greather than filesize %" PRIu64
|
|
+ ". Memory not allocated, TIFF directory not read",
|
|
+ allocsize, filesize);
|
|
+ return 0;
|
|
+ }
|
|
origdir = _TIFFCheckMalloc(tif, dircount16,
|
|
dirsize, "to read TIFF directory");
|
|
if (origdir == NULL)
|
|
@@ -5016,6 +5057,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
|
|
"Sanity check on directory count failed, zero tag directories not supported");
|
|
return 0;
|
|
}
|
|
+ /* Before allocating a huge amount of memory for corrupted files, check
|
|
+ * if size of requested memory is not greater than file size. */
|
|
+ uint64_t filesize = TIFFGetFileSize(tif);
|
|
+ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
|
|
+ if (allocsize > filesize)
|
|
+ {
|
|
+ TIFFWarningExt(
|
|
+ tif->tif_clientdata, module,
|
|
+ "Requested memory size for TIFF directory of %" PRIu64
|
|
+ " is greather than filesize %" PRIu64
|
|
+ ". Memory not allocated, TIFF directory not read",
|
|
+ allocsize, filesize);
|
|
+ return 0;
|
|
+ }
|
|
origdir = _TIFFCheckMalloc(tif, dircount16,
|
|
dirsize,
|
|
"to read TIFF directory");
|
|
@@ -5059,6 +5114,8 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
|
|
}
|
|
}
|
|
}
|
|
+ /* No check against filesize needed here because "dir" should have same size
|
|
+ * than "origdir" checked above. */
|
|
dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
|
|
sizeof(TIFFDirEntry),
|
|
"to read TIFF directory");
|
|
@@ -5853,6 +5910,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
|
|
return(0);
|
|
}
|
|
|
|
+ /* Before allocating a huge amount of memory for corrupted files, check
|
|
+ * if size of requested memory is not greater than file size. */
|
|
+ uint64_t filesize = TIFFGetFileSize(tif);
|
|
+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
|
|
+ if (allocsize > filesize)
|
|
+ {
|
|
+ TIFFWarningExt(tif->tif_clientdata, module,
|
|
+ "Requested memory size for StripArray of %" PRIu64
|
|
+ " is greather than filesize %" PRIu64
|
|
+ ". Memory not allocated",
|
|
+ allocsize, filesize);
|
|
+ _TIFFfree(data);
|
|
+ return (0);
|
|
+ }
|
|
resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
|
|
if (resizeddata==0) {
|
|
_TIFFfree(data);
|
|
@@ -5948,6 +6019,23 @@ static void allocChoppedUpStripArrays(TI
|
|
}
|
|
bytecount = last_offset + last_bytecount - offset;
|
|
|
|
+ /* Before allocating a huge amount of memory for corrupted files, check if
|
|
+ * size of StripByteCount and StripOffset tags is not greater than
|
|
+ * file size.
|
|
+ */
|
|
+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
|
|
+ uint64_t filesize = TIFFGetFileSize(tif);
|
|
+ if (allocsize > filesize)
|
|
+ {
|
|
+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
|
|
+ "Requested memory size for StripByteCount and "
|
|
+ "StripOffsets %" PRIu64
|
|
+ " is greather than filesize %" PRIu64
|
|
+ ". Memory not allocated",
|
|
+ allocsize, filesize);
|
|
+ return;
|
|
+ }
|
|
+
|
|
newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
|
|
"for chopped \"StripByteCounts\" array");
|
|
newoffsets = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
|