2016.07.05 12:40 "[Tiff] Sanity checking and robustness", by

With regard to these bugs:


I was looking at the possibilities for adding stricter bounds checks so that we could avoid allocations when the field values are obviously incorrect, the most obvious of which would be where the offset and size of some data would exceed the file size.

Is the size of the TIFF stored anywhere accessible on read, e.g. in the tiff struct? If not, would it be possible to add this?

I found _tiffSizeProc(fd) but it's not public, and not even exposed for internal use by other translation units. Would adding it to an internal header be possible, so we can call it either when initialising the tiff struct on read, or before performing allocations inside field accessor functions?

While being safe in the face of any possible error in the TIFF file being read is a significant challenge, it looks like there are a few simple checks which could be added to greatly improve the robustness of the library (and any application using it) by preventing untrusted/invalid input from causing potentially multi-gigabyte memory allocations where this is obviously wrong.
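
The bounds check proposed in the message above, as an added example that is not part of the original post and is not libtiff code. The function names are hypothetical, and the file size is assumed to be already known to the caller (for instance, obtained once when the file is opened for reading).

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical helper (not a libtiff function): returns 1 when a field's
 * data, `count` elements of `elem_size` bytes starting at `offset`, lies
 * entirely inside a file of `file_size` bytes, and 0 otherwise. */
static int field_data_in_file(uint64_t offset, uint64_t count,
                              uint64_t elem_size, uint64_t file_size)
{
    if (elem_size == 0)
        return 0;
    /* count * elem_size must not wrap around. */
    if (count > UINT64_MAX / elem_size)
        return 0;
    uint64_t nbytes = count * elem_size;
    /* Compare without computing offset + nbytes, which could also wrap. */
    if (offset > file_size)
        return 0;
    return nbytes <= file_size - offset;
}

/* Hypothetical wrapper: allocate a buffer for the field data only after
 * the range check passes. Returns NULL for an implausible field, so a
 * corrupt count never reaches malloc(). */
static void *alloc_field_data(uint64_t offset, uint64_t count,
                              uint64_t elem_size, uint64_t file_size)
{
    if (!field_data_in_file(offset, count, elem_size, file_size))
        return NULL;
    uint64_t nbytes = count * elem_size;
    /* Nothing to allocate, or more than size_t can express. */
    if (nbytes == 0 || nbytes > SIZE_MAX)
        return NULL;
    return malloc((size_t)nbytes);
}
```

Both the multiplication and the offset comparison are written so that no intermediate value can overflow, since the count and offset come straight from untrusted file contents.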