fix stack overflow when parsing malicious tiff image

ImageMagick · Oct 19, 2021 · f620340 · f620340
1 parent 18e15da
commit f620340
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -6,6 +6,8 @@
     https://github.com/ImageMagick/ImageMagick/issues/4372).
   * fix possible unitialized values (reference
     https://github.com/ImageMagick/ImageMagick/issues/4379).
+  * fix stack overflow when parsing malicious tiff image file (report from
+    Muhammad Aldo Firmansyah).
 
 2021-10-10  7.1.0-10  <quetzlzacatenango@image...>
   * Release ImageMagick version 7.1.0-10 GIT revision 19236:07ebe6b6e:20211010

diff --git a/coders/tiff.c b/coders/tiff.c
@@ -2001,6 +2001,11 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
         extent=MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
+#if defined(TIFF_VERSION_BIG)
+        extent+=image->columns*sizeof(uint64);
+#else
+        extent+=image->columns*sizeof(uint32);
+#endif
         tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
           sizeof(*tile_pixels));
         if (tile_pixels == (unsigned char *) NULL)