| From f500facf7723f1cae725dd288b2daad15e45131c Mon Sep 17 00:00:00 2001 |
| From: Su_Laus <sulau@freenet.de> |
| Date: Mon, 30 Oct 2023 21:21:57 +0100 |
| Subject: [PATCH 2/3] At image reading, compare data size of some tags / data |
| structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) with |
| file size to prevent provoked out-of-memory attacks. |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| See issue #614. |
| |
| Correct declaration of ‘filesize’ shadows a previous local. |
| |
| CVE: CVE-2023-6277 |
| Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/merge_requests/545] |
| Signed-off-by: Khem Raj <raj.khem@gmail.com> |
| --- |
| libtiff/tif_dirread.c | 1 - |
| 1 file changed, 1 deletion(-) |
| |
| diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c |
| index c52d41f..fe8d6f8 100644 |
| --- a/libtiff/tif_dirread.c |
| +++ b/libtiff/tif_dirread.c |
| @@ -5305,7 +5305,6 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir, |
| if (td->td_compression != COMPRESSION_NONE) |
| { |
| uint64_t space; |
| - uint64_t filesize; |
| uint16_t n; |
| filesize = TIFFGetFileSize(tif); |
| if (!(tif->tif_flags & TIFF_BIGTIFF)) |
| -- |
| 2.43.0 |
| |