MSVSphere Packaging Team
7 months ago
parent
c9b5c008d6
commit
de1f4989b8
@ -0,0 +1,260 @@
|
||||
From 01de2299ed1cf3137235ef8a6657905ef04fc65c Mon Sep 17 00:00:00 2001
|
||||
From: Su_Laus <sulau@freenet.de>
|
||||
Date: Tue, 30 Aug 2022 16:56:48 +0200
|
||||
Subject: [PATCH] (CVE-2022-3599) Revised handling of TIFFTAG_INKNAMES and
|
||||
related TIFFTAG_NUMBEROFINKS value
|
||||
|
||||
In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
|
||||
|
||||
Behaviour for writing:
|
||||
`NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
|
||||
`NumberOfInks` is automatically set when `InkNames` is set.
|
||||
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
|
||||
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
|
||||
|
||||
Behaviour for reading:
|
||||
When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
|
||||
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
|
||||
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
|
||||
|
||||
This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
|
||||
|
||||
This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
|
||||
|
||||
It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
|
||||
|
||||
(cherry picked from commit f00484b9519df933723deb38fff943dc291a793d)
|
||||
---
|
||||
libtiff/tif_dir.c | 118 ++++++++++++++++++++++++-----------------
|
||||
libtiff/tif_dir.h | 2 +
|
||||
libtiff/tif_dirinfo.c | 2 +-
|
||||
libtiff/tif_dirwrite.c | 5 ++
|
||||
libtiff/tif_print.c | 4 ++
|
||||
5 files changed, 82 insertions(+), 49 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
|
||||
index ad550c65..cb329fd8 100644
|
||||
--- a/libtiff/tif_dir.c
|
||||
+++ b/libtiff/tif_dir.c
|
||||
@@ -125,32 +125,30 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
|
||||
}
|
||||
|
||||
/*
|
||||
- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
|
||||
+ * Count ink names separated by \0. Returns
|
||||
* zero if the ink names are not as expected.
|
||||
*/
|
||||
-static uint32
|
||||
-checkInkNamesString(TIFF* tif, uint32 slen, const char* s)
|
||||
+static uint16
|
||||
+countInkNamesString(TIFF *tif, uint32 slen, const char *s)
|
||||
{
|
||||
- TIFFDirectory* td = &tif->tif_dir;
|
||||
- uint16 i = td->td_samplesperpixel;
|
||||
+ uint16 i = 0;
|
||||
+ const char *ep = s + slen;
|
||||
+ const char *cp = s;
|
||||
|
||||
if (slen > 0) {
|
||||
- const char* ep = s+slen;
|
||||
- const char* cp = s;
|
||||
- for (; i > 0; i--) {
|
||||
+ do {
|
||||
for (; cp < ep && *cp != '\0'; cp++) {}
|
||||
if (cp >= ep)
|
||||
goto bad;
|
||||
cp++; /* skip \0 */
|
||||
- }
|
||||
- return ((uint32)(cp-s));
|
||||
+ i++;
|
||||
+ } while (cp < ep);
|
||||
+ return (i);
|
||||
}
|
||||
bad:
|
||||
TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
|
||||
- "%s: Invalid InkNames value; expecting %d names, found %d",
|
||||
- tif->tif_name,
|
||||
- td->td_samplesperpixel,
|
||||
- td->td_samplesperpixel-i);
|
||||
+ "%s: Invalid InkNames value; no NUL at given buffer end location %d, after %d ink",
|
||||
+ tif->tif_name, slen, i);
|
||||
return (0);
|
||||
}
|
||||
|
||||
@@ -452,13 +450,61 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
|
||||
_TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
|
||||
break;
|
||||
case TIFFTAG_INKNAMES:
|
||||
- v = (uint16) va_arg(ap, uint16_vap);
|
||||
- s = va_arg(ap, char*);
|
||||
- v = checkInkNamesString(tif, v, s);
|
||||
- status = v > 0;
|
||||
- if( v > 0 ) {
|
||||
- _TIFFsetNString(&td->td_inknames, s, v);
|
||||
- td->td_inknameslen = v;
|
||||
+ {
|
||||
+ v = (uint16) va_arg(ap, uint16_vap);
|
||||
+ s = va_arg(ap, char*);
|
||||
+ uint16 ninksinstring;
|
||||
+ ninksinstring = countInkNamesString(tif, v, s);
|
||||
+ status = ninksinstring > 0;
|
||||
+ if(ninksinstring > 0 ) {
|
||||
+ _TIFFsetNString(&td->td_inknames, s, v);
|
||||
+ td->td_inknameslen = v;
|
||||
+ /* Set NumberOfInks to the value ninksinstring */
|
||||
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
|
||||
+ {
|
||||
+ if (td->td_numberofinks != ninksinstring) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the number of inks %d.\n -> NumberOfInks value adapted to %d",
|
||||
+ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
|
||||
+ td->td_numberofinks = ninksinstring;
|
||||
+ }
|
||||
+ } else {
|
||||
+ td->td_numberofinks = ninksinstring;
|
||||
+ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
|
||||
+ }
|
||||
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
|
||||
+ {
|
||||
+ if (td->td_numberofinks != td->td_samplesperpixel) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the SamplesPerPixel value %d",
|
||||
+ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ break;
|
||||
+ case TIFFTAG_NUMBEROFINKS:
|
||||
+ v = (uint16)va_arg(ap, uint16_vap);
|
||||
+ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
|
||||
+ if (TIFFFieldSet(tif, FIELD_INKNAMES))
|
||||
+ {
|
||||
+ if (v != td->td_numberofinks) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Error %s; Tag %s:\n It is not possible to set the value %d for NumberOfInks\n which is different from the number of inks in the InkNames tag (%d)",
|
||||
+ tif->tif_name, fip->field_name, v, td->td_numberofinks);
|
||||
+ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
|
||||
+ status = 0;
|
||||
+ }
|
||||
+ } else {
|
||||
+ td->td_numberofinks = (uint16)v;
|
||||
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
|
||||
+ {
|
||||
+ if (td->td_numberofinks != td->td_samplesperpixel) {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the SamplesPerPixel value %d",
|
||||
+ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
break;
|
||||
case TIFFTAG_PERSAMPLE:
|
||||
@@ -854,33 +900,6 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
|
||||
if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
|
||||
return 0;
|
||||
|
||||
- if( tag == TIFFTAG_NUMBEROFINKS )
|
||||
- {
|
||||
- int i;
|
||||
- for (i = 0; i < td->td_customValueCount; i++) {
|
||||
- uint16 val;
|
||||
- TIFFTagValue *tv = td->td_customValues + i;
|
||||
- if (tv->info->field_tag != tag)
|
||||
- continue;
|
||||
- if( tv->value == NULL )
|
||||
- return 0;
|
||||
- val = *(uint16 *)tv->value;
|
||||
- /* Truncate to SamplesPerPixel, since the */
|
||||
- /* setting code for INKNAMES assume that there are SamplesPerPixel */
|
||||
- /* inknames. */
|
||||
- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
|
||||
- if( val > td->td_samplesperpixel )
|
||||
- {
|
||||
- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
|
||||
- "Truncating NumberOfInks from %u to %u",
|
||||
- val, td->td_samplesperpixel);
|
||||
- val = td->td_samplesperpixel;
|
||||
- }
|
||||
- *va_arg(ap, uint16*) = val;
|
||||
- return 1;
|
||||
- }
|
||||
- return 0;
|
||||
- }
|
||||
|
||||
/*
|
||||
* We want to force the custom code to be used for custom
|
||||
@@ -1068,6 +1087,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
|
||||
case TIFFTAG_INKNAMES:
|
||||
*va_arg(ap, char**) = td->td_inknames;
|
||||
break;
|
||||
+ case TIFFTAG_NUMBEROFINKS:
|
||||
+ *va_arg(ap, uint16 *) = td->td_numberofinks;
|
||||
+ break;
|
||||
default:
|
||||
{
|
||||
int i;
|
||||
diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
|
||||
index 5a380767..b5881b02 100644
|
||||
--- a/libtiff/tif_dir.h
|
||||
+++ b/libtiff/tif_dir.h
|
||||
@@ -113,6 +113,7 @@ typedef struct {
|
||||
/* CMYK parameters */
|
||||
int td_inknameslen;
|
||||
char* td_inknames;
|
||||
+ uint16 td_numberofinks; /* number of inks in InkNames string */
|
||||
|
||||
int td_customValueCount;
|
||||
TIFFTagValue *td_customValues;
|
||||
@@ -168,6 +169,7 @@ typedef struct {
|
||||
#define FIELD_TRANSFERFUNCTION 44
|
||||
#define FIELD_INKNAMES 46
|
||||
#define FIELD_SUBIFD 49
|
||||
+#define FIELD_NUMBEROFINKS 50
|
||||
/* FIELD_CUSTOM (see tiffio.h) 65 */
|
||||
/* end of support for well-known tags; codec-private tags follow */
|
||||
#define FIELD_CODEC 66 /* base of codec-private tags */
|
||||
diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
|
||||
index 4904f540..8bbc8323 100644
|
||||
--- a/libtiff/tif_dirinfo.c
|
||||
+++ b/libtiff/tif_dirinfo.c
|
||||
@@ -106,7 +106,7 @@ tiffFields[] = {
|
||||
{ TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
|
||||
{ TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
|
||||
{ TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
|
||||
- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
|
||||
+ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
|
||||
{ TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
|
||||
{ TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
|
||||
{ TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
|
||||
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
|
||||
index 03a9f296..994fa57a 100644
|
||||
--- a/libtiff/tif_dirwrite.c
|
||||
+++ b/libtiff/tif_dirwrite.c
|
||||
@@ -634,6 +634,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
|
||||
if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
|
||||
goto bad;
|
||||
}
|
||||
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
|
||||
+ {
|
||||
+ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
|
||||
+ goto bad;
|
||||
+ }
|
||||
if (TIFFFieldSet(tif,FIELD_SUBIFD))
|
||||
{
|
||||
if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
|
||||
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
|
||||
index b9b53a0f..9caba038 100644
|
||||
--- a/libtiff/tif_print.c
|
||||
+++ b/libtiff/tif_print.c
|
||||
@@ -404,6 +404,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
|
||||
}
|
||||
fputs("\n", fd);
|
||||
}
|
||||
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
|
||||
+ fprintf(fd, " NumberOfInks: %d\n",
|
||||
+ td->td_numberofinks);
|
||||
+ }
|
||||
if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
|
||||
fprintf(fd, " Thresholding: ");
|
||||
switch (td->td_threshholding) {
|
||||
@ -0,0 +1,37 @@
|
||||
From b7bc0d684cee380f7497cb095a115361dbabef71 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@mines-paris.org>
|
||||
Date: Tue, 13 Mar 2018 14:39:30 +0000
|
||||
Subject: [PATCH] (CVE-2018-15209) Merge branch
|
||||
'avoid_memory_exhaustion_in_ChopUpSingleUncompressedStrip' into 'master'
|
||||
|
||||
ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)
|
||||
|
||||
See merge request libtiff/libtiff!26
|
||||
|
||||
(cherry picked from commit 0a2e5e98b353a987ea69985d2283bba569a7e063)
|
||||
---
|
||||
libtiff/tif_dirread.c | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||||
index b72e6a3b..bc1ab083 100644
|
||||
--- a/libtiff/tif_dirread.c
|
||||
+++ b/libtiff/tif_dirread.c
|
||||
@@ -5765,6 +5765,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
|
||||
if( nstrips == 0 )
|
||||
return;
|
||||
|
||||
+ /* If we are going to allocate a lot of memory, make sure that the */
|
||||
+ /* file is as big as needed */
|
||||
+ if( tif->tif_mode == O_RDONLY &&
|
||||
+ nstrips > 1000000 &&
|
||||
+ (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) ||
|
||||
+ tif->tif_dir.td_stripbytecount[0] >
|
||||
+ TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )
|
||||
+ {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
|
||||
"for chopped \"StripByteCounts\" array");
|
||||
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
|
||||
@ -0,0 +1,172 @@
|
||||
From 83f6ae4cce52cd4feaebf2bc4fc2d5077a10677c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
||||
Date: Thu, 16 May 2024 14:43:44 +0200
|
||||
Subject: [PATCH] (CVE-2023-25433) Merge branch
|
||||
'tiffcrop_correctly_update_buffersize_after_rotate_fix#520' into 'master'
|
||||
|
||||
tiffcrop correctly update buffersize after rotateImage() fix#520
|
||||
|
||||
Closes #520
|
||||
|
||||
See merge request libtiff/libtiff!467
|
||||
|
||||
(cherry picked from commit 6366e8f776a0fa0dd476d37b108eecdf42b950f3)
|
||||
---
|
||||
tools/tiffcrop.c | 72 ++++++++++++++++++++++++++++++++++++++----------
|
||||
1 file changed, 58 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index 77923cf3..8b761874 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -529,7 +529,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
|
||||
static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
|
||||
uint32, uint32, uint8 *, uint8 *);
|
||||
static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
|
||||
- unsigned char **);
|
||||
+ unsigned char **, tsize_t *);
|
||||
static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
|
||||
unsigned char *);
|
||||
static int invertImage(uint16, uint16, uint16, uint32, uint32,
|
||||
@@ -6358,7 +6358,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
|
||||
return (-1);
|
||||
}
|
||||
|
||||
- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
|
||||
+ if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL))
|
||||
{
|
||||
TIFFError ("correct_orientation", "Unable to rotate image");
|
||||
return (-1);
|
||||
@@ -7578,16 +7578,20 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
|
||||
|
||||
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
|
||||
{
|
||||
+ /* rotateImage() set up a new buffer and calculates its size
|
||||
+ * individually. Therefore, seg_buffs size needs to be updated
|
||||
+ * accordingly. */
|
||||
+
|
||||
+ tsize_t rot_buf_size = 0;
|
||||
if (rotateImage(crop->rotation, image, &crop->combined_width,
|
||||
- &crop->combined_length, &crop_buff))
|
||||
+ &crop->combined_length, &crop_buff, &rot_buf_size))
|
||||
{
|
||||
TIFFError("processCropSelections",
|
||||
"Failed to rotate composite regions by %d degrees", crop->rotation);
|
||||
return (-1);
|
||||
}
|
||||
seg_buffs[0].buffer = crop_buff;
|
||||
- seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
|
||||
- * image->spp) * crop->combined_length;
|
||||
+ seg_buffs[0].size = rot_buf_size;
|
||||
}
|
||||
}
|
||||
else /* Separated Images */
|
||||
@@ -7684,8 +7688,18 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
|
||||
|
||||
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
|
||||
{
|
||||
- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
|
||||
- &crop->regionlist[i].length, &crop_buff))
|
||||
+ /* rotateImage() changes image->width, ->length, ->xres and
|
||||
+ * ->yres, what it schouldn't do here, when more than one
|
||||
+ * section is processed. ToDo: Therefore rotateImage() and its
|
||||
+ * usage has to be reworked (e.g. like mirrorImage()) !!
|
||||
+ * Furthermore, rotateImage() set up a new buffer and calculates
|
||||
+ * its size individually. Therefore, seg_buffs size needs to be
|
||||
+ * updated accordingly. */
|
||||
+ tsize_t rot_buf_size = 0;
|
||||
+ if (rotateImage(
|
||||
+ crop->rotation, image, &crop->regionlist[i].width,
|
||||
+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
|
||||
+
|
||||
{
|
||||
TIFFError("processCropSelections",
|
||||
"Failed to rotate crop region by %d degrees", crop->rotation);
|
||||
@@ -7696,8 +7710,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
|
||||
crop->combined_width = total_width;
|
||||
crop->combined_length = total_length;
|
||||
seg_buffs[i].buffer = crop_buff;
|
||||
- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
|
||||
- * image->spp) * crop->regionlist[i].length;
|
||||
+ seg_buffs[i].size = rot_buf_size;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -7813,7 +7826,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
|
||||
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
|
||||
{
|
||||
if (rotateImage(crop->rotation, image, &crop->combined_width,
|
||||
- &crop->combined_length, crop_buff_ptr))
|
||||
+ &crop->combined_length, crop_buff_ptr, NULL))
|
||||
{
|
||||
TIFFError("createCroppedImage",
|
||||
"Failed to rotate image or cropped selection by %d degrees", crop->rotation);
|
||||
@@ -8476,13 +8489,14 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
|
||||
/* Rotate an image by a multiple of 90 degrees clockwise */
|
||||
static int
|
||||
rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
|
||||
- uint32 *img_length, unsigned char **ibuff_ptr)
|
||||
+ uint32 *img_length, unsigned char **ibuff_ptr, tsize_t *rot_buf_size)
|
||||
{
|
||||
int shift_width;
|
||||
uint32 bytes_per_pixel, bytes_per_sample;
|
||||
uint32 row, rowsize, src_offset, dst_offset;
|
||||
uint32 i, col, width, length;
|
||||
- uint32 colsize, buffsize, col_offset, pix_offset;
|
||||
+ uint32 colsize, col_offset, pix_offset;
|
||||
+ tmsize_t buffsize;
|
||||
unsigned char *ibuff;
|
||||
unsigned char *src;
|
||||
unsigned char *dst;
|
||||
@@ -8495,12 +8509,40 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
|
||||
spp = image->spp;
|
||||
bps = image->bps;
|
||||
|
||||
+ if ((spp != 0 && bps != 0 &&
|
||||
+ width > (uint32)((UINT32_MAX - 7) / spp / bps)) ||
|
||||
+ (spp != 0 && bps != 0 &&
|
||||
+ length > (uint32)((UINT32_MAX - 7) / spp / bps)))
|
||||
+ {
|
||||
+ TIFFError("rotateImage", "Integer overflow detected.");
|
||||
+ return (-1);
|
||||
+ }
|
||||
rowsize = ((bps * spp * width) + 7) / 8;
|
||||
colsize = ((bps * spp * length) + 7) / 8;
|
||||
if ((colsize * width) > (rowsize * length))
|
||||
- buffsize = (colsize + 1) * width;
|
||||
+ {
|
||||
+ if (((tmsize_t)colsize + 1) != 0 &&
|
||||
+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - 3) /
|
||||
+ ((tmsize_t)colsize + 1)))
|
||||
+ {
|
||||
+ TIFFError("rotateImage",
|
||||
+ "Integer overflow when calculating buffer size.");
|
||||
+ return (-1);
|
||||
+ }
|
||||
+ buffsize = ((tmsize_t)colsize + 1) * width;
|
||||
+ }
|
||||
else
|
||||
- buffsize = (rowsize + 1) * length;
|
||||
+ {
|
||||
+ if (((tmsize_t)rowsize + 1) != 0 &&
|
||||
+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - 3) /
|
||||
+ ((tmsize_t)rowsize + 1)))
|
||||
+ {
|
||||
+ TIFFError("rotateImage",
|
||||
+ "Integer overflow when calculating buffer size.");
|
||||
+ return (-1);
|
||||
+ }
|
||||
+ buffsize = (rowsize + 1) * length;
|
||||
+ }
|
||||
|
||||
bytes_per_sample = (bps + 7) / 8;
|
||||
bytes_per_pixel = ((bps * spp) + 7) / 8;
|
||||
@@ -8526,6 +8568,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
|
||||
return (-1);
|
||||
}
|
||||
_TIFFmemset(rbuff, '\0', buffsize);
|
||||
+ if (rot_buf_size != NULL)
|
||||
+ *rot_buf_size = buffsize;
|
||||
|
||||
ibuff = *ibuff_ptr;
|
||||
switch (rotation)
|
||||
@ -0,0 +1,50 @@
|
||||
From df8410cee20798b1d63c291c1bf106e3a52d59b1 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
||||
Date: Thu, 16 May 2024 14:54:52 +0200
|
||||
Subject: [PATCH] (CVE-2023-52356) Merge branch 'fix_622' into 'master'
|
||||
|
||||
TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of col/row (fixes #622)
|
||||
|
||||
Closes #622
|
||||
|
||||
See merge request libtiff/libtiff!546
|
||||
|
||||
(cherry picked from commit dfacff5a84d153d7febdfcbcb341b38c1f03b34e)
|
||||
---
|
||||
libtiff/tif_getimage.c | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index 00cd5510..4f32b3a4 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -2929,6 +2929,14 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 row, uint32 * raster, int stop_on_error)
|
||||
|
||||
if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
|
||||
|
||||
+ if (row >= img.height)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
|
||||
+ "Invalid row passed to TIFFReadRGBAStrip().");
|
||||
+ TIFFRGBAImageEnd(&img);
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
img.row_offset = row;
|
||||
img.col_offset = 0;
|
||||
|
||||
@@ -3004,6 +3012,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
+ if (col >= img.width || row >= img.height)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
|
||||
+ "Invalid row/col passed to TIFFReadRGBATile().");
|
||||
+ TIFFRGBAImageEnd(&img);
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* The TIFFRGBAImageGet() function doesn't allow us to get off the
|
||||
* edge of the image, even to fill an otherwise valid tile. So we
|
||||
@ -0,0 +1,30 @@
|
||||
From 32346d49db890969d7de19e8eebff00400280926 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sat, 9 Sep 2023 15:11:42 +0000
|
||||
Subject: [PATCH] (CVE-2023-6228) Merge branch
|
||||
'fix_606_tiffcp_check_also_input_compression_codec' into 'master'
|
||||
|
||||
tiffcp: Fixes #606. Check also codec of input image, not only from output image.
|
||||
|
||||
Closes #606
|
||||
|
||||
See merge request libtiff/libtiff!533
|
||||
|
||||
(cherry picked from commit 668d2c1a52fa48658bbf69615924b42b5a059f9e)
|
||||
---
|
||||
tools/tiffcp.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
||||
index fb98bd57..81ec6bbd 100644
|
||||
--- a/tools/tiffcp.c
|
||||
+++ b/tools/tiffcp.c
|
||||
@@ -622,6 +622,8 @@ tiffcp(TIFF* in, TIFF* out)
|
||||
else
|
||||
CopyField(TIFFTAG_COMPRESSION, compression);
|
||||
TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
|
||||
+ if (!TIFFIsCODECConfigured(input_compression))
|
||||
+ return FALSE;
|
||||
TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
|
||||
if (input_compression == COMPRESSION_JPEG) {
|
||||
/* Force conversion to RGB */
|
||||
Loading…
Reference in new issue