From: Alexander Alekhin
Date: Fri, 5 Apr 2019 14:56:48 +0000 (+0300)
Subject: imgcodecs(tiff): check TIFF tile size
X-Git-Tag: accepted/tizen/6.0/unified/20201030.111113~1^2~271^2^2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0c490accae2464cd4089af42db315e5995635692;p=platform%2Fupstream%2Fopencv.git

imgcodecs(tiff): check TIFF tile size

oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13280
oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13283
---
diff --git a/modules/imgcodecs/src/grfmt_tiff.cpp b/modules/imgcodecs/src/grfmt_tiff.cpp
index b1f3d81..2094b1a 100644
--- a/modules/imgcodecs/src/grfmt_tiff.cpp
+++ b/modules/imgcodecs/src/grfmt_tiff.cpp
@@ -401,6 +401,10 @@ bool TiffDecoder::readData( Mat& img )
 (!is_tiled && tile_height0 == std::numeric_limits::max()) )
 tile_height0 = m_height;

+ CV_Assert((int)tile_width0 > 0 && (int)tile_width0 < std::numeric_limits::max());
+ CV_Assert((int)tile_height0 > 0 && (int)tile_height0 < std::numeric_limits::max());
+ CV_Assert(((uint64_t)tile_width0 * tile_height0 * ncn * (bpp / bitsPerByte) < (CV_BIG_UINT(1) << 30)) && "TIFF tile size is too large: >= 1Gb");
+
 if (dst_bpp == 8)
 {
 // we will use TIFFReadRGBA* functions, so allocate temporary buffer for 32bit RGBA
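Review bot: The 1 GiB bound in the third added `CV_Assert` is vacuous for sample depths below one byte, because `bpp / bitsPerByte` is integer division: a `bpp` of 1 or 4 turns the whole product into 0 and any tile dimensions pass. Whether such a `bpp` can reach this point depends on validation elsewhere in `readData`, which starts and ends outside the hunk, so that should be confirmed; rounding up closes the gap either way, e.g. `(uint64_t)tile_width0 * tile_height0 * ncn * ((bpp + bitsPerByte - 1) / bitsPerByte) < (CV_BIG_UINT(1) << 30)`. The context comment just below says the `dst_bpp == 8` path allocates a temporary 32-bit RGBA buffer, so on that path the bound presumably needs to cover 4 bytes per pixel rather than `ncn * bpp / 8`. `ncn` is also not range-checked in the visible lines; if it is taken straight from the file, checking it before the multiplication would keep the `uint64_t` product from wrapping.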