From 8f70b086e6553b4d41aaff2c5fb4266859436626 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Sun, 15 Nov 2020 17:02:51 +0100
Subject: [PATCH] (CVE-2020-35521 CVE-2020-35522) enforce (configurable) memory
 limit in tiff2rgba

fixes #207
fixes #209

(cherry picked from commit 98a254f5b92cea22f5436555ff7fceb12afee84d)
---
 tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
index 4de96aec..e6de2209 100644
--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
 int process_by_block = 0; /* default is whole image at once */
 int no_alpha = 0;
 int bigtiff_output = 0;
+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
+/* malloc size limit (in bytes)
+ * disabled when set to 0 */
+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
 
 
 static int tiffcvt(TIFF* in, TIFF* out);
@@ -70,8 +74,11 @@ main(int argc, char* argv[])
 	extern char *optarg;
 #endif
 
-	while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
+	while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1)
 		switch (c) {
+			case 'M':
+				maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
+				break;
 			case 'b':
 				process_by_block = 1;
 				break;
@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
 		  (unsigned long)width, (unsigned long)height);
         return 0;
     }
+    if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
+	TIFFError(TIFFFileName(in),
+		  "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
+		  (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
+        return 0;
+    }
 
     rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
     TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out)
 	TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
 	CopyField(TIFFTAG_DOCUMENTNAME, stringv);
 
+	if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
+	{
+		TIFFError(TIFFFileName(in),
+			  "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
+			  (uint64)TIFFStripSize(in), (uint64)maxMalloc);
+		return 0;
+	}
         if( process_by_block && TIFFIsTiled( in ) )
             return( cvt_by_tile( in, out ) );
         else if( process_by_block )
@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out)
 }
 
 static char* stuff[] = {
-    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+    "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
     "where comp is one of the following compression algorithms:",
     " jpeg\t\tJPEG encoding",
     " zip\t\tZip/Deflate encoding",
@@ -543,6 +563,7 @@ static char* stuff[] = {
     " -b (progress by block rather than as a whole image)",
     " -n don't emit alpha component.",
     " -8 write BigTIFF file instead of ClassicTIFF",
+    " -M set the memory allocation limit in MiB. 0 to disable limit",
     NULL
 };