Sanity checking and robustness

With regards to these bugs:

I was looking at the possibilities for adding stricter bounds checks so
that we could avoid allocations when the field values are obviously
incorrect, the most obvious of which would be where the offset and size
of some data would exceed the file size.

Is the size of the TIFF stored anywhere accessible on read, e.g. in the
tiff struct? If not, would it be possible to add this?

I found _tiffSizeProc(fd) but it's not public, and not even exposed for
internal use by other translation units.  Would adding it to an internal
header be possible, so we can call it either when initialising the tiff
struct on read, or before performing allocations inside field accessor

While being safe in the face of any possible error in the TIFF file
being read is a significant challenge, it looks like there are a few
simple checks which could be added to greatly improve the robustness of
the library (and any application using it) by preventing
untrusted/invalid input from causing potentially multi-gigabyte memory
allocations where this is obviously wrong.
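The check the message asks for, written out as an added example in C that is not libtiff code and does not use its API: the file size is assumed to have been captured once at open time and is passed in explicitly, and an IFD entry's (type, count, offset) triple is validated with overflow-safe arithmetic before any buffer for it is allocated. The type-size table follows the TIFF 6.0 field type codes; the IFD entry bytes in `main` are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte width of each TIFF field type (codes 1..12 from the TIFF 6.0 spec).
   Index 0 and unknown codes map to 0, which the checks below reject. */
static uint64_t tiff_type_size(uint16_t type)
{
    static const uint8_t sizes[] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };
    return (type < sizeof sizes) ? sizes[type] : 0;
}

/* Return 1 when count*elem_size bytes starting at offset lie inside a file of
   file_size bytes, computed without integer overflow; 0 otherwise. */
int tiff_extent_fits(uint64_t file_size, uint64_t offset, uint64_t count, uint64_t elem_size)
{
    if (elem_size == 0) return 0;                  /* unknown type */
    if (count > UINT64_MAX / elem_size) return 0;  /* count*elem_size would overflow */
    uint64_t bytes = count * elem_size;
    if (offset > file_size) return 0;              /* offset alone is past EOF */
    return bytes <= file_size - offset;            /* offset+bytes checked without overflow */
}

/* Validate an IFD entry (type/count/offset) against the file size before any
   allocation. In classic TIFF a value of at most 4 bytes is stored inline in
   the entry itself, so it needs no file-range check. */
int tiff_entry_fits(uint64_t file_size, uint16_t type, uint64_t count, uint64_t offset)
{
    uint64_t elem = tiff_type_size(type);
    if (elem == 0) return 0;
    if (count > UINT64_MAX / elem) return 0;
    if (count * elem <= 4) return 1;               /* inline value, no file access */
    return tiff_extent_fits(file_size, offset, count, elem);
}

/* Allocate the buffer for an entry only when its extent is plausible; also
   refuse sizes that size_t cannot represent on this platform. Hypothetical
   helper, not a libtiff function. */
void *tiff_alloc_entry(uint64_t file_size, uint16_t type, uint64_t count, uint64_t offset)
{
    if (!tiff_entry_fits(file_size, type, count, offset)) return NULL;
    uint64_t bytes = count * tiff_type_size(type);
    if (bytes > SIZE_MAX) return NULL;
    return malloc((size_t)bytes);
}

/* Decode a 12-byte little-endian classic-TIFF IFD entry and run the check. */
int tiff_check_ifd_entry_le(const uint8_t e[12], uint64_t file_size)
{
    uint16_t type  = (uint16_t)(e[2] | (e[3] << 8));
    uint32_t count = e[4] | (e[5] << 8) | (e[6] << 16) | ((uint32_t)e[7] << 24);
    uint32_t off   = e[8] | (e[9] << 8) | (e[10] << 16) | ((uint32_t)e[11] << 24);
    return tiff_entry_fits(file_size, type, count, off);
}

int main(void)
{
    /* Constructed entries: tag 0x0111 (StripOffsets), type LONG (4). */
    const uint8_t ok[12]  = { 0x11,0x01, 0x04,0x00, 0x10,0x00,0x00,0x00, 0x08,0x00,0x00,0x00 }; /* 16 LONGs at offset 8 */
    const uint8_t bad[12] = { 0x11,0x01, 0x04,0x00, 0xff,0xff,0xff,0x3f, 0x08,0x00,0x00,0x00 }; /* ~4 GiB claimed */
    uint64_t file_size = 4096; /* constructed: size of the file being parsed */

    printf("ok entry fits:  %d\n", tiff_check_ifd_entry_le(ok, file_size));
    printf("bad entry fits: %d\n", tiff_check_ifd_entry_le(bad, file_size));

    void *buf = tiff_alloc_entry(file_size, 4, 0x3fffffffu, 8);
    printf("allocation for bad entry: %s\n", buf ? "made" : "refused");
    free(buf);
    return 0;
}
```

The two guards that matter are the division-based overflow test before multiplying count by the element size, and the subtraction form `bytes <= file_size - offset` instead of `offset + bytes <= file_size`, which would wrap on a crafted offset and pass the check.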