Handle infinite recursive directories in tiff files (#151)

* Fix recursive IFD offsets * Properly clean up if gdip_bitmap_new or gdip_frame_add fails
mono · Dec 17, 2017 · 7e5300b · 7e5300b
1 parent bcc7fbe
commit 7e5300b
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 7 deletions.
diff --git a/src/tiffcodec.c b/src/tiffcodec.c
@@ -1084,20 +1084,26 @@ gdip_load_tiff_image (TIFF *tiff, GpImage **image)
 		return OutOfMemory;
 	}
 
+	result = NULL;
 	pixbuf_row = NULL;
 	pixbuf = NULL;
+	memset (&tiff_image, 0, sizeof (TIFFRGBAImage));
 
 	num_of_pages = TIFFNumberOfDirectories(tiff);
 
+	/* Handle cases where there are too many directories or there is a infinite loop in the directory structure.
+	 * This relies on libtiff returning 65535 in the error case, which has been the case since v4.0.4 released in 2015. */
+	if (num_of_pages >= 65535)
+		goto error;
+
 	result = gdip_bitmap_new();
 	if (!result)
-		return OutOfMemory;
+		goto error;
 
 	result->type = ImageTypeBitmap;
 	frame = gdip_frame_add(result, &gdip_image_frameDimension_page_guid);
-
-	// Avoid reading uninitialized memory if TIFFRGBAImageBegin fails.
-	memset (&tiff_image, 0, sizeof (TIFFRGBAImage));
+	if (!frame)
+		goto error;
 
 	for (page = 0; page < num_of_pages; page++) {
 		unsigned long long int size;

diff --git a/tests/testtiffcodec.c b/tests/testtiffcodec.c
@@ -19,6 +19,7 @@ using namespace DllExports;
 #endif
 
 #include <assert.h>
+#include <tiffio.h>
 #include "testhelpers.h"
 
 static const char *file = "temp_asset.tif";
@@ -262,7 +263,7 @@ static void test_invalidFileDirectory ()
 		/* IFD 1 */           0x00, 0x00,
 		/* IFD 1 */           0x00, 0x00, 0x00, 0x00
 	};
-#if defined(USE_WINDOWS_GDIPLUS)
+#if TIFFLIB_VERSION >= 20150621
 	BYTE recursiveNextIFDOffset[] = {
 		/* Header */                     0x49, 0x49, 0x2A, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x80, 0x3F, 0xE0, 0x50, 0x10, 0x00,
 		/* Number of Tags */             0x0F, 0x00,
@@ -299,8 +300,8 @@ static void test_invalidFileDirectory ()
 	createFile (shortNextIFDOffsetLE, OutOfMemory);
 	createFile (shortNextIFDOffsetBE, OutOfMemory);
 	createFile (zeroNumberOfEntries, OutOfMemory);
-	// FIXME: this loops forever with libgdiplus.
-#if defined(USE_WINDOWS_GDIPLUS)
+	// Libtiff 4.0.4, released on June 21st 2015, fixed this bug. However, outdated platforms may not have this fix.
+#if TIFFLIB_VERSION >= 20150621
 	createFile (recursiveNextIFDOffset, OutOfMemory);
 #endif
 }