https://github.com/libsdl-org/libtiff/commit/7b47aa4151a99206347ad339bc16439ff0e96a4e
From 7b47aa4151a99206347ad339bc16439ff0e96a4e Mon Sep 17 00:00:00 2001
From: Even Rouault <[EMAIL REDACTED]>
Date: Fri, 11 Feb 2022 14:43:33 +0100
Subject: [PATCH] tiffinfo: limit more memory allocations using -M switch
(fixes #288)
---
tools/tiffinfo.c | 58 ++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 51 insertions(+), 7 deletions(-)
diff --git a/tools/tiffinfo.c b/tools/tiffinfo.c
index 3db22280..36bd9520 100644
--- a/tools/tiffinfo.c
+++ b/tools/tiffinfo.c
@@ -240,8 +240,16 @@ TIFFReadContigStripData(TIFF* tif)
{
unsigned char *buf;
tsize_t scanline = TIFFScanlineSize(tif);
+ tmsize_t stripsize = TIFFStripSize(tif);
- buf = (unsigned char *)_TIFFmalloc(TIFFStripSize(tif));
+ if (maxMalloc != 0 && stripsize > maxMalloc)
+ {
+ fprintf(stderr,
+ "Memory allocation attempt %" TIFF_SSIZE_FORMAT " over memory limit (%" TIFF_SSIZE_FORMAT ")\n",
+ stripsize, maxMalloc);
+ return;
+ }
+ buf = (unsigned char *)_TIFFmalloc(stripsize);
if (buf) {
uint32_t row, h=0;
uint32_t rowsperstrip = (uint32_t)-1;
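Review bot: A strip size of zero or less passes the new limit check, because `stripsize > maxMalloc` is false for it, so the problem only surfaces as the "Cannot allocate" message that the next hunk adds to the else branch. As far as I know TIFFStripSize() returns 0 when the size computation fails or overflows, which a malformed file can trigger, so it deserves its own early exit before the allocation: `if (stripsize <= 0) { fprintf(stderr, "Invalid strip size.\n"); return; }`. The same applies to `stripsize` in TIFFReadSeparateStripData and to `tilesize` in the two tile readers. The function body continues outside this hunk.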
@@ -260,6 +268,9 @@ TIFFReadContigStripData(TIFF* tif)
}
_TIFFfree(buf);
}
+ else {
+ fprintf(stderr, "Cannot allocate %" TIFF_SSIZE_FORMAT " bytes.\n", stripsize);
+ }
}
void
@@ -267,8 +278,16 @@ TIFFReadSeparateStripData(TIFF* tif)
{
unsigned char *buf;
tsize_t scanline = TIFFScanlineSize(tif);
+ tmsize_t stripsize = TIFFStripSize(tif);
- buf = (unsigned char *)_TIFFmalloc(TIFFStripSize(tif));
+ if (maxMalloc != 0 && stripsize > maxMalloc)
+ {
+ fprintf(stderr,
+ "Memory allocation attempt %" TIFF_SSIZE_FORMAT " over memory limit (%" TIFF_SSIZE_FORMAT ")\n",
+ stripsize, maxMalloc);
+ return;
+ }
+ buf = (unsigned char *)_TIFFmalloc(stripsize);
if (buf) {
uint32_t row, h=0;
uint32_t rowsperstrip = (uint32_t)-1;
@@ -291,6 +310,9 @@ TIFFReadSeparateStripData(TIFF* tif)
}
_TIFFfree(buf);
}
+ else {
+ fprintf(stderr, "Cannot allocate %" TIFF_SSIZE_FORMAT " bytes.\n", stripsize);
+ }
}
static void
@@ -318,8 +340,15 @@ TIFFReadContigTileData(TIFF* tif)
{
unsigned char *buf;
tmsize_t rowsize = TIFFTileRowSize(tif);
- tmsize_t tilesize = TIFFTileSize(tif);
+ tmsize_t tilesize = TIFFTileSize(tif);
+ if (maxMalloc != 0 && tilesize > maxMalloc)
+ {
+ fprintf(stderr,
+ "Memory allocation attempt %" TIFF_SSIZE_FORMAT " over memory limit (%" TIFF_SSIZE_FORMAT ")\n",
+ tilesize, maxMalloc);
+ return;
+ }
buf = (unsigned char *)_TIFFmalloc(tilesize);
if (buf) {
uint32_t tw=0, th=0, w=0, h=0;
@@ -346,15 +375,26 @@ TIFFReadContigTileData(TIFF* tif)
}
_TIFFfree(buf);
}
+ else {
+ fprintf(stderr, "Cannot allocate %" TIFF_SSIZE_FORMAT " bytes.\n",
+ tilesize);
+ }
}
void
TIFFReadSeparateTileData(TIFF* tif)
{
unsigned char *buf;
- tmsize_t rowsize = TIFFTileRowSize(tif);
- tmsize_t tilesize = TIFFTileSize(tif);
+ tmsize_t rowsize = TIFFTileRowSize(tif);
+ tmsize_t tilesize = TIFFTileSize(tif);
+ if (maxMalloc != 0 && tilesize > maxMalloc)
+ {
+ fprintf(stderr,
+ "Memory allocation attempt %" TIFF_SSIZE_FORMAT " over memory limit (%" TIFF_SSIZE_FORMAT ")\n",
+ tilesize, maxMalloc);
+ return;
+ }
buf = (unsigned char *)_TIFFmalloc(tilesize);
if (buf) {
uint32_t tw=0, th=0, w=0, h=0;
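Review bot: The limit check and its message in TIFFReadSeparateTileData are now the fourth identical copy in this patch, after TIFFReadContigStripData, TIFFReadSeparateStripData and TIFFReadContigTileData. The two raw readers carry a near-identical fifth and sixth copy. The missing newline fixed at the end of this patch shows how easily such copies drift apart. A small static helper that takes the requested size and reports the refusal would keep the policy and the wording in one place. Each reader would then need only a one-line guard before `_TIFFmalloc`. The body of TIFFReadSeparateTileData continues outside this hunk.

```c
/* Returns 1 when `size` is within the -M limit (or no limit is set),
 * otherwise reports the refusal on stderr and returns 0. */
static int
allocationWithinLimit(tmsize_t size)
{
    if (maxMalloc != 0 && size > maxMalloc)
    {
        fprintf(stderr,
                "Memory allocation attempt %" TIFF_SSIZE_FORMAT " over memory limit (%" TIFF_SSIZE_FORMAT ")\n",
                size, maxMalloc);
        return 0;
    }
    return 1;
}

/* … unchanged: TIFFReadSeparateTileData signature and declarations … */
    tmsize_t tilesize = TIFFTileSize(tif);
    if (!allocationWithinLimit(tilesize))
        return;
    buf = (unsigned char *)_TIFFmalloc(tilesize);
/* … unchanged: tile read loop, _TIFFfree and else branch … */
```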
@@ -385,6 +425,10 @@ TIFFReadSeparateTileData(TIFF* tif)
}
_TIFFfree(buf);
}
+ else {
+ fprintf(stderr, "Cannot allocate %" TIFF_SSIZE_FORMAT " bytes.\n",
+ tilesize);
+ }
}
void
@@ -451,7 +495,7 @@ TIFFReadRawDataStriped(TIFF* tif, int bitrev)
if (maxMalloc != 0 && stripbc[s] > (uint64_t)maxMalloc)
{
fprintf(stderr,
- "Memory allocation attempt %" TIFF_SSIZE_FORMAT " over memory limit (%" TIFF_SSIZE_FORMAT ")",
+ "Memory allocation attempt %" TIFF_SSIZE_FORMAT " over memory limit (%" TIFF_SSIZE_FORMAT ")\n",
(tmsize_t)stripbc[s], maxMalloc);
break;
}
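Review bot: The diagnostic still prints `(tmsize_t)stripbc[s]`, which narrows a 64-bit byte count to a signed size. On a build where tmsize_t is narrower than 64 bits, the value that exceeded the limit can be printed truncated or negative, and that is the number someone triaging a rejected file needs to see. Printing the count at full width avoids this, assuming `<inttypes.h>` is available in this file: use `"%" PRIu64` for the first conversion and pass `stripbc[s]` uncast. The same cast appears with `tilebc[t]` in the TIFFReadRawDataTiled hunk below. The enclosing loop starts and ends outside this hunk.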
@@ -508,7 +552,7 @@ TIFFReadRawDataTiled(TIFF* tif, int bitrev)
if (maxMalloc != 0 && tilebc[t] > (uint64_t)maxMalloc)
{
fprintf(stderr,
- "Memory allocation attempt %" TIFF_SSIZE_FORMAT " over memory limit (%" TIFF_SSIZE_FORMAT ")",
+ "Memory allocation attempt %" TIFF_SSIZE_FORMAT " over memory limit (%" TIFF_SSIZE_FORMAT ")\n",
(tmsize_t)tilebc[t], maxMalloc);
break;
}