summaryrefslogtreecommitdiff
path: root/third_party/libtiff/0020-unreasonable-td-bitspersample.patch
blob: 1ad5e34e3c2a76a60a8dcf1fce0bfe16c66dbd44 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
diff --git a/third_party/libtiff/tif_dirread.c b/third_party/libtiff/tif_dirread.c
index 0e3f8ccd4..e0403aef3 100644
--- a/third_party/libtiff/tif_dirread.c
+++ b/third_party/libtiff/tif_dirread.c
@@ -3754,6 +3754,17 @@ TIFFReadDirectory(TIFF* tif)
                                        fip ? fip->field_name : "unknown tagname");
                         continue;
                     }
+                                       /* ColorMap or TransferFunction for high bit */
+                                       /* depths do not make much sense and could be */
+                                       /* used as a denial of service vector */
+                                       if (tif->tif_dir.td_bitspersample > 24)
+                                       {
+                                           TIFFWarningExt(tif->tif_clientdata,module,
+                                               "Ignoring %s because BitsPerSample=%d>24",
+                                               fip ? fip->field_name : "unknown tagname",
+                                               tif->tif_dir.td_bitspersample);
+                                           continue;
+                                       }
                                        countpersample=(1L<<tif->tif_dir.td_bitspersample);
                                        if ((dp->tdir_tag==TIFFTAG_TRANSFERFUNCTION)&&(dp->tdir_count==(uint64)countpersample))
                                        {