From 02271af177390d7b04417eee322568f16bbabe3a Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Sat, 15 Jul 2017 13:19:56 +0000 Subject: * libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the arrays that hold StripOffsets/StripByteCounts, when they are smaller than the expected number of striles, up to 1 million striles, and error out beyond. Can be tweaked by setting the environment variable LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT. This partially goes against a change added on 2002-12-17 to accept those arrays of wrong sizes, but is needed to avoid denial of services. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350 Credit to OSS Fuzz --- ChangeLog | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index b467ec8d..932ddee5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2017-07-15 Even Rouault + + * libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the + arrays that hold StripOffsets/StripByteCounts, when they are smaller + than the expected number of striles, up to 1 million striles, and + error out beyond. Can be tweaked by setting the environment variable + LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT. + This partially goes against a change added on 2002-12-17 to accept + those arrays of wrong sizes, but is needed to avoid denial of services. + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350 + Credit to OSS Fuzz + 2017-07-15 Even Rouault * libtiff/tif_read.c: TIFFFillStrip() / TIFFFillTile(). -- cgit v1.2.1
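Review bot: the ChangeLog entry is the only place on this commit that documents the new LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT environment variable and the 1 million strile default, while the diff itself is limited to ChangeLog and does not carry the libtiff/tif_read.c change the entry describes; since this variable lets a deployment raise a cap that exists to prevent denial of service, the entry (and the companion tif_read.c commit) should state what value range is accepted and what happens on an unparseable or zero setting, and the variable deserves a mention in the user-facing documentation rather than in ChangeLog alone. It would also help readers of the entry to be told explicitly that the 2002-12-17 behaviour (accepting undersized StripOffsets/StripByteCounts arrays) is still preserved below the cap and only rejected above it, which is what "partially goes against" currently leaves implicit.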