diff options
| author | Even Rouault <even.rouault@spatialys.com> | 2017-07-15 13:19:56 +0000 |
|---|---|---|
| committer | Even Rouault <even.rouault@spatialys.com> | 2017-07-15 13:19:56 +0000 |
| commit | 02271af177390d7b04417eee322568f16bbabe3a (patch) | |
| tree | aba179175a785d69b70e34dac371bb7e4e11bc21 /ChangeLog | |
| parent | 5b7f711586f1fc7541abba85dfe2c6e90602f8ae (diff) | |
| download | libtiff-git-02271af177390d7b04417eee322568f16bbabe3a.tar.gz | |
* libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the
arrays that hold StripOffsets/StripByteCounts, when they are smaller
than the expected number of striles, up to 1 million striles, and
error out beyond. Can be tweaked by setting the environment variable
LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT.
This partially goes against a change added on 2002-12-17 to accept
those arrays of wrong sizes, but is needed to avoid denial of services.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350
Credit to OSS Fuzz
Diffstat (limited to 'ChangeLog')
| -rw-r--r-- | ChangeLog | 12 |
1 files changed, 12 insertions, 0 deletions
@@ -1,5 +1,17 @@ 2017-07-15 Even Rouault <even.rouault at spatialys.com> + * libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the + arrays that hold StripOffsets/StripByteCounts, when they are smaller + than the expected number of striles, up to 1 million striles, and + error out beyond. Can be tweaked by setting the environment variable + LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT. + This partially goes against a change added on 2002-12-17 to accept + those arrays of wrong sizes, but is needed to avoid denial of services. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350 + Credit to OSS Fuzz + +2017-07-15 Even Rouault <even.rouault at spatialys.com> + * libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile(). Complementary fix for http://bugzilla.maptools.org/show_bug.cgi?id=2708 in the isMapped() case, so as to avoid excessive memory allocation |