From 8f70b086e6553b4d41aaff2c5fb4266859436626 Mon Sep 17 00:00:00 2001

From: Thomas Bernard <miniupnp@free.fr>

Date: Sun, 15 Nov 2020 17:02:51 +0100

Subject: [PATCH] (CVE-2020-35521 CVE-2020-35522) enforce (configurable) memory

 limit in tiff2rgba

fixes #207

fixes #209

(cherry picked from commit 98a254f5b92cea22f5436555ff7fceb12afee84d)

---

 tools/tiff2rgba.c | 25 +++++++++++++++++++++++--

 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c

index 4de96aec..e6de2209 100644

--- a/tools/tiff2rgba.c

+++ b/tools/tiff2rgba.c

@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;

 int process_by_block = 0; /* default is whole image at once */

 int no_alpha = 0;

 int bigtiff_output = 0;

+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)

+/* malloc size limit (in bytes)

+ * disabled when set to 0 */

+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;

 static int tiffcvt(TIFF* in, TIFF* out);

@@ -70,8 +74,11 @@ main(int argc, char* argv[])

 	extern char *optarg;

 #endif

-	while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)

+	while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1)

 		switch (c) {

+			case 'M':

+				maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;

+				break;

 			case 'b':

 				process_by_block = 1;

 				break;

@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out )

 		  (unsigned long)width, (unsigned long)height);

         return 0;

     }

+    if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {

+	TIFFError(TIFFFileName(in),

+		  "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",

+		  (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);

+        return 0;

+    }

     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);

     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);

@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out)

 	TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());

 	CopyField(TIFFTAG_DOCUMENTNAME, stringv);

+	if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)

+	{

+		TIFFError(TIFFFileName(in),

+			  "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",

+			  (uint64)TIFFStripSize(in), (uint64)maxMalloc);

+		return 0;

+	}

         if( process_by_block && TIFFIsTiled( in ) )

             return( cvt_by_tile( in, out ) );

         else if( process_by_block )

@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out)

 }

 static char* stuff[] = {

-    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",

+    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",

     "where comp is one of the following compression algorithms:",

     " jpeg\t\tJPEG encoding",

     " zip\t\tZip/Deflate encoding",

@@ -543,6 +563,7 @@ static char* stuff[] = {

     " -b (progress by block rather than as a whole image)",

     " -n don't emit alpha component.",

     " -8 write BigTIFF file instead of ClassicTIFF",

+    " -M set the memory allocation limit in MiB. 0 to disable limit",

     NULL

 };