third_party/libtiff/0021-oom-TIFFFillStrip.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

diff --git a/third_party/libtiff/tif_read.c b/third_party/libtiff/tif_read.c
index 1ba100e54..c25e7e79f 100644
--- a/third_party/libtiff/tif_read.c
+++ b/third_party/libtiff/tif_read.c
@@ -616,6 +616,13 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
                                TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
                                return(0);
                        }
+                       const tmsize_t size=isMapped(tif)? tif->tif_size : (tmsize_t)TIFFGetFileSize(tif);
+                       if (bytecountm > size) {
+                               TIFFErrorExt(tif->tif_clientdata, module,
+                                       "Requested read strip size %lu is too large",
+                                       (unsigned long) strip);
+                               return (0);
+                       }
                        if (bytecountm > tif->tif_rawdatasize) {
                                tif->tif_curstrip = NOSTRIP;
                                if ((tif->tif_flags & TIFF_MYBUFFER) == 0) {