2017.07.14 15:48 "[Tiff] Need for still supporting truncated StripByteCount/StripOffsets tag ?", by Even Rouault

2017.07.15 13:20 "Re: [Tiff] Need for still supporting truncated StripByteCount/StripOffsets tag ?", by Even Rouault

I'd be in favor of removing that capability, or perhaps limiting this up to a not-so-big number of tiles (let's say 1 million, with a warning stating this is an invalid file, and beyond that, error out with an error message).

I went on implementing this per

2017-07-15 Even Rouault <even.rouault at spatialys.com>

* libtiff/tif_read.c: in TIFFFetchStripThing(), only grow the arrays that hold StripOffsets/StripByteCounts, when they are smaller than the expected number of striles, up to 1 million striles, and error out beyond. Can be tweaked by setting the environment variable LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT.

This partially goes against a change added on 2002-12-17 to accept those arrays of wrong sizes, but is needed to avoid denial of services. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2350 Credit to OSS Fuzz

/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1272; previous revision: 1.1271
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c
new revision: 1.214; previous revision: 1.213

Even

--
Spatialys - Geospatial professional services
http://www.spatialys.com
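The policy the ChangeLog entry describes, shown as an added, stand-alone C example (it is not libtiff's TIFFFetchStripThing() and was not written by the author of the message): a StripOffsets/StripByteCounts array shorter than the strip count the IFD implies is grown and zero-padded, but only up to a cap, and a file that would require more entries than the cap is rejected instead of being allowed to drive an allocation of attacker-chosen size. The default cap of 1 million and the environment variable name LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT are taken from the ChangeLog text; the function names (fetch_strile_array, simulate_truncated_file and friends), the return codes and the way the environment override is parsed are this example's own assumptions.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Default cap from the ChangeLog: grow strile arrays up to 1 million
   entries, reject beyond that. Name and value of the override variable
   are also from the ChangeLog; parsing it is this example's assumption. */
#define DEFAULT_STRILE_ARRAY_MAX_RESIZE_COUNT 1000000ULL

enum strile_result { STRILE_OK = 0, STRILE_GROWN = 1, STRILE_REJECTED = -1 };

/* Resolve the resize cap, honoring LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT
   if it holds a well-formed decimal number, else use the default. */
static uint64_t strile_resize_cap(void) {
    const char *env = getenv("LIBTIFF_STRILE_ARRAY_MAX_RESIZE_COUNT");
    if (env != NULL && *env != '\0') {
        char *end = NULL;
        errno = 0;
        unsigned long long v = strtoull(env, &end, 10);
        if (errno == 0 && end != env && *end == '\0')
            return (uint64_t)v;
    }
    return DEFAULT_STRILE_ARRAY_MAX_RESIZE_COUNT;
}

/* Ensure *array holds at least nstrips 64-bit entries.
   count_in_file is how many entries the tag actually carries.
   Returns STRILE_OK if the array was already large enough, STRILE_GROWN if
   it was reallocated and the new tail zero-filled, and STRILE_REJECTED if
   the implied size exceeds the cap (the array is left untouched then). */
int fetch_strile_array(uint64_t **array, uint64_t count_in_file,
                       uint64_t nstrips, uint64_t cap) {
    if (count_in_file >= nstrips)
        return STRILE_OK;

    /* The denial-of-service guard: refuse to grow past the cap, and also
       refuse anything whose byte size would not fit in size_t. */
    if (nstrips > cap || nstrips > SIZE_MAX / sizeof(uint64_t)) {
        fprintf(stderr,
                "Strile array has %" PRIu64 " entries but IFD implies %" PRIu64
                " strips; cap is %" PRIu64 ", rejecting file\n",
                count_in_file, nstrips, cap);
        return STRILE_REJECTED;
    }

    uint64_t *grown = realloc(*array, (size_t)nstrips * sizeof(uint64_t));
    if (grown == NULL)
        return STRILE_REJECTED;
    /* Missing entries are treated as zero offset / zero byte count. */
    memset(grown + count_in_file, 0,
           (size_t)(nstrips - count_in_file) * sizeof(uint64_t));
    *array = grown;
    return STRILE_GROWN;
}

/* Model a (constructed) file whose tag carries count_in_file entries while
   the IFD implies nstrips strips; returns the policy decision and frees
   whatever was allocated. Used by the tests with an explicit cap. */
int simulate_truncated_file_with_cap(uint64_t count_in_file, uint64_t nstrips,
                                     uint64_t cap) {
    uint64_t *arr = calloc(count_in_file > 0 ? (size_t)count_in_file : 1,
                           sizeof(uint64_t));
    if (arr == NULL)
        return STRILE_REJECTED;
    int r = fetch_strile_array(&arr, count_in_file, nstrips, cap);
    free(arr);
    return r;
}

/* Same, but with the cap resolved from the environment / default. */
int simulate_truncated_file(uint64_t count_in_file, uint64_t nstrips) {
    return simulate_truncated_file_with_cap(count_in_file, nstrips,
                                            strile_resize_cap());
}

int main(void) {
    /* Constructed cases: a tag with 3 entries for an 8-strip image is
       padded; one claiming 5 million strips is rejected under the default. */
    printf("3 of 8 strips   -> %d\n", simulate_truncated_file(3, 8));
    printf("3 of 5000000    -> %d\n", simulate_truncated_file(3, 5000000ULL));
    printf("8 of 8 strips   -> %d\n", simulate_truncated_file(8, 8));
    return 0;
}
```

The check is deliberately placed before the realloc so that the decision to reject never depends on an allocation succeeding; with the default cap the worst case a malformed IFD can force is 8 MB per array, and an operator who needs more can raise the cap through the environment variable rather than by rebuilding.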