rpms
/
libtiff
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i9c
rpms:c9
rpms:i8c
rpms:c8
rpms:i9c-beta
rpms:c9-beta
rpms:i8c-beta
rpms:c8-beta
...
pull from: rpms:i10cs
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i9c
rpms:c9
rpms:i8c
rpms:c8
rpms:i9c-beta
rpms:c9-beta
rpms:i8c-beta
rpms:c8-beta

No commits in common. 'c9' and 'i10cs' have entirely different histories.
c9 ... i10cs

27 changed files with 176 additions and 2979 deletions
Show Stats

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/tiff-4.4.0.tar.gz SOURCES/tiff-4.6.0.tar.gz

2
.libtiff.metadata
Unescape View File

@ -1 +1 @@
e11d05db71d243a62800b4bf4479eb4859714405 SOURCES/tiff-4.4.0.tar.gz 5eda840cc24e1c74c6a9d92faa86a0851f7de7d5 SOURCES/tiff-4.6.0.tar.gz

40
SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch
Unescape View File

@ -1,40 +0,0 @@
From b2e3171e935be3c4b79657aebf4175ef3be403b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Mon, 18 Jul 2022 13:40:10 +0200
Subject: [PATCH] Back off the minimum required automake version to 1.11.
There isn't anything in libtiff currently that actually requires 1.12, and
changing this allows the package to be built on pre-F18 machines for easier
testing.
This patch can go away once we no longer care about testing on pre-F18.
---
Makefile.am | 2 +-
test/Makefile.am | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index aaabf4d1..66e13dd8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -25,7 +25,7 @@
docdir = $(LIBTIFF_DOCDIR)
-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
+AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
ACLOCAL_AMFLAGS = -I m4
docfiles = \
diff --git a/test/Makefile.am b/test/Makefile.am
index b5823198..949667ee 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -23,7 +23,7 @@
# Process this file with automake to produce Makefile.in.
-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
+AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
LIBTIFF = $(top_builddir)/libtiff/libtiff.la

21
SOURCES/0002-Fix-Makefile.patch
Unescape View File

@ -1,21 +0,0 @@
From ab8a25b78922ba0e93fc4264d15c3e796a6f4c34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 5 May 2022 14:42:52 +0200
Subject: [PATCH] Fix Makefile
---
html/man/Makefile.am | 1 -
1 file changed, 1 deletion(-)
diff --git a/html/man/Makefile.am b/html/man/Makefile.am
index 3ed00d44..8a64925a 100644
--- a/html/man/Makefile.am
+++ b/html/man/Makefile.am
@@ -90,7 +90,6 @@ docfiles = \
tiffcrop.1.html \
tiffdither.1.html \
tiffdump.1.html \
- tiffgt.1.html \
tiffinfo.1.html \
tiffmedian.1.html \
tiffset.1.html \

179
SOURCES/0003-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch
Unescape View File

@ -1,179 +0,0 @@
From eda0ab31e15edbb6ddee96f5c87d52888d68872c Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Sat, 11 Jun 2022 09:31:43 +0000
Subject: [PATCH] (CVE-2022-2056 CVE-2022-2057 CVE-2022-2058) fix the FPE in
tiffcrop (#415, #427, and #428)
(cherry picked from commit dd1bcc7abb26094e93636e85520f0d8f81ab0fab)
---
libtiff/tif_aux.c | 9 +++++++
libtiff/tiffiop.h | 1 +
tools/tiffcrop.c | 62 ++++++++++++++++++++++++++---------------------
3 files changed, 44 insertions(+), 28 deletions(-)
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
index 140f26c7..5b88c8d0 100644
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val )
return (float)val;
}
+uint32_t _TIFFClampDoubleToUInt32(double val)
+{
+ if( val < 0 )
+ return 0;
+ if( val > 0xFFFFFFFFU || val != val )
+ return 0xFFFFFFFFU;
+ return (uint32_t)val;
+}
+
int _TIFFSeekOK(TIFF* tif, toff_t off)
{
/* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index e3af461d..4e8bdac2 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -365,6 +365,7 @@ extern double _TIFFUInt64ToDouble(uint64_t);
extern float _TIFFUInt64ToFloat(uint64_t);
extern float _TIFFClampDoubleToFloat(double);
+extern uint32_t _TIFFClampDoubleToUInt32(double);
extern tmsize_t
_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip,
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 1f827b2b..90286a5e 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5268,17 +5268,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
{
- x1 = (uint32_t) (crop->corners[i].X1 * scale * xres);
- x2 = (uint32_t) (crop->corners[i].X2 * scale * xres);
- y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres);
- y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
}
else
{
- x1 = (uint32_t) (crop->corners[i].X1);
- x2 = (uint32_t) (crop->corners[i].X2);
- y1 = (uint32_t) (crop->corners[i].Y1);
- y2 = (uint32_t) (crop->corners[i].Y2);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
}
/* a) Region needs to be within image sizes 0.. width-1; 0..length-1
* b) Corners are expected to be submitted as top-left to bottom-right.
@@ -5357,17 +5357,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{ /* User has specified pixels as reference unit */
- tmargin = (uint32_t)(crop->margins[0]);
- lmargin = (uint32_t)(crop->margins[1]);
- bmargin = (uint32_t)(crop->margins[2]);
- rmargin = (uint32_t)(crop->margins[3]);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
}
else
{ /* inches or centimeters specified */
- tmargin = (uint32_t)(crop->margins[0] * scale * yres);
- lmargin = (uint32_t)(crop->margins[1] * scale * xres);
- bmargin = (uint32_t)(crop->margins[2] * scale * yres);
- rmargin = (uint32_t)(crop->margins[3] * scale * xres);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
}
if ((lmargin + rmargin) > image->width)
@@ -5397,24 +5397,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32_t)crop->width;
+ width = _TIFFClampDoubleToUInt32(crop->width);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32_t)crop->length;
+ length = _TIFFClampDoubleToUInt32(crop->length);
else
length = image->length - tmargin - bmargin;
}
else
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32_t)(crop->width * scale * image->xres);
+ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32_t)(crop->length * scale * image->yres);
+ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
else
length = image->length - tmargin - bmargin;
}
@@ -5868,13 +5868,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
{ /* inches or centimeters specified */
- hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
- vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
}
else
{ /* Otherwise user has specified pixels as reference unit */
- hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8));
- vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
}
if ((hmargin * 2.0) > (pwidth * page->hres))
@@ -5912,13 +5912,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->mode & PAGE_MODE_PAPERSIZE )
{
- owidth = (uint32_t)((pwidth * page->hres) - (hmargin * 2));
- olength = (uint32_t)((plength * page->vres) - (vmargin * 2));
+ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
+ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
}
else
{
- owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres));
- olength = (uint32_t)(ilength - (vmargin * 2 * page->vres));
+ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
+ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
}
}
@@ -5927,6 +5927,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
if (olength > ilength)
olength = ilength;
+ if (owidth == 0 || olength == 0)
+ {
+ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
+ exit(EXIT_FAILURE);
+ }
+
/* Compute the number of pages required for Portrait or Landscape */
switch (page->orient)
{

90
SOURCES/0004-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-According-.patch
Unescape View File

@ -1,90 +0,0 @@
From ecd9216e574039b8fba893314bdfc6edbdd6bf20 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Mon, 15 Aug 2022 22:11:03 +0200
Subject: [PATCH] =?UTF-8?q?(CVE-2022-2519=20CVE-2022-2520=20CVE-2022-2521)?=
=?UTF-8?q?=20According=20to=20Richard=20Nolde=20https://gitlab.com/libtif?=
=?UTF-8?q?f/libtiff/-/issues/401#note=5F877637400=20the=20tiffcrop=20opti?=
=?UTF-8?q?on=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutually=20exclusive=20?=
=?UTF-8?q?to=20the=20other=20crop=20options=20(-X|-Y),=20-Z=20and=20-z.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is now checked and ends tiffcrop if those arguments are not mutually exclusive.
This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
(cherry picked from commit 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf)
---
tools/tiffcrop.c | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 90286a5e..d9213ecb 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -108,7 +108,7 @@
* lower level, scanline level routines. Debug reports a limited set
* of messages to monitor progress without enabling dump logs.
*
- * Note: The (-X|-Y), -Z and -z options are mutually exclusive.
+ * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
* In no case should the options be applied to a given selection successively.
*/
@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
#define ROTATECW_270 32
#define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
-#define CROP_NONE 0
-#define CROP_MARGINS 1
-#define CROP_WIDTH 2
-#define CROP_LENGTH 4
-#define CROP_ZONES 8
-#define CROP_REGIONS 16
+#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
+#define CROP_MARGINS 1 /* "-m" */
+#define CROP_WIDTH 2 /* "-X" */
+#define CROP_LENGTH 4 /* "-Y" */
+#define CROP_ZONES 8 /* "-Z" */
+#define CROP_REGIONS 16 /* "-z" */
#define CROP_ROTATE 32
#define CROP_MIRROR 64
#define CROP_INVERT 128
@@ -316,7 +316,7 @@ struct crop_mask {
#define PAGE_MODE_RESOLUTION 1
#define PAGE_MODE_PAPERSIZE 2
#define PAGE_MODE_MARGINS 4
-#define PAGE_MODE_ROWSCOLS 8
+#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
#define INVERT_DATA_ONLY 10
#define INVERT_DATA_AND_TAG 11
@@ -781,7 +781,7 @@ static const char usage_info[] =
" The four debug/dump options are independent, though it makes little sense to\n"
" specify a dump file without specifying a detail level.\n"
"\n"
-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
+"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
" In no case should the options be applied to a given selection successively.\n"
"\n"
;
@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
/*NOTREACHED*/
}
}
- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/
- char XY, Z, R;
+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
+ char XY, Z, R, S;
XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
Z = (crop_data->crop_mode & CROP_ZONES);
R = (crop_data->crop_mode & CROP_REGIONS);
- if ((XY && Z) || (XY && R) || (Z && R)) {
- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit");
+ S = (page->mode & PAGE_MODE_ROWSCOLS);
+ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
exit(EXIT_FAILURE);
}
} /* end process_command_opts */

32
SOURCES/0005-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-tiffcrop-S.patch
Unescape View File

@ -1,32 +0,0 @@
From 670117c3a76bc0f995bfdb6c293ab2ce9af18273 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sat, 20 Aug 2022 23:35:26 +0200
Subject: [PATCH] (CVE-2022-2519 CVE-2022-2520 CVE-2022-2521) tiffcrop -S
option: Make decision simpler.
(cherry picked from commit bad48e90b410df32172006c7876da449ba62cdba)
---
tools/tiffcrop.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index d9213ecb..0551a01c 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -2133,11 +2133,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
}
/*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
char XY, Z, R, S;
- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
- Z = (crop_data->crop_mode & CROP_ZONES);
- R = (crop_data->crop_mode & CROP_REGIONS);
- S = (page->mode & PAGE_MODE_ROWSCOLS);
- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
+ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
+ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
+ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
+ if (XY + Z + R + S > 1) {
TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
exit(EXIT_FAILURE);
}

100
SOURCES/0006-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch
Unescape View File

@ -1,100 +0,0 @@
From c382116391639603e06aeceb80accf7af4418892 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Thu, 25 Aug 2022 16:11:41 +0200
Subject: [PATCH] (CVE-2022-3597 CVE-2022-3626 CVE-2022-3627) tiffcrop: disable
incompatibility of -Z, -X, -Y, -z options with any PAGE_MODE_x option (fixes
#411 and #413)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
tiffcrop does not support Z, -z, -X and Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or S.
Code analysis:
With the options Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[].
In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) .
Execution of the else-clause often leads to buffer-overflows.
Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows.
The MR solves issues #411 and #413.
(cherry picked from commit 4746f16253b784287bc8a5003990c1c3b9a03a62)
---
tools/tiffcrop.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 0551a01c..613ce7f8 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -107,10 +107,12 @@
* selects which functions dump data, with higher numbers selecting
* lower level, scanline level routines. Debug reports a limited set
* of messages to monitor progress without enabling dump logs.
- *
- * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
+ *
+ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
* In no case should the options be applied to a given selection successively.
- */
+ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
+ */
static char tiffcrop_version_id[] = "2.5";
static char tiffcrop_rev_date[] = "02-09-2022";
@@ -781,9 +783,12 @@ static const char usage_info[] =
" The four debug/dump options are independent, though it makes little sense to\n"
" specify a dump file without specifying a detail level.\n"
"\n"
-"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
+"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
" In no case should the options be applied to a given selection successively.\n"
"\n"
+"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options\n"
+" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.\n"
+"\n"
;
/* This function could be modified to pass starting sample offset
@@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
if (XY + Z + R + S > 1) {
- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
exit(EXIT_FAILURE);
}
+
+ /* Check for not allowed combination:
+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
+. */
+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
+ TIFFError("tiffcrop input error",
+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
+ exit(EXIT_FAILURE);
+ }
+
} /* end process_command_opts */
/* Start a new output file if one has not been previously opened or
@@ -2411,6 +2427,7 @@ main(int argc, char* argv[])
exit (EXIT_FAILURE);
}
+ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */
if (crop.selections > 0)
{
if (processCropSelections(&image, &crop, &read_buff, seg_buffs))
@@ -2427,6 +2444,7 @@ main(int argc, char* argv[])
exit (EXIT_FAILURE);
}
}
+ /* Format and write selected image parts to output file(s). */
if (page.mode == PAGE_MODE_NONE)
{ /* Whole image or sections not based on output page size */
if (crop.selections > 0)

261
SOURCES/0007-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch
Unescape View File

@ -1,261 +0,0 @@
From 80d781f24346e2ba76e9eedfc943f6013abb2771 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Tue, 30 Aug 2022 16:56:48 +0200
Subject: [PATCH] (CVE-2022-3599) Revised handling of TIFFTAG_INKNAMES and
related TIFFTAG_NUMBEROFINKS value
In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
Behaviour for writing:
`NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
`NumberOfInks` is automatically set when `InkNames` is set.
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
Behaviour for reading:
When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
(cherry picked from commit f00484b9519df933723deb38fff943dc291a793d)
---
libtiff/tif_dir.c | 119 ++++++++++++++++++++++++-----------------
libtiff/tif_dir.h | 2 +
libtiff/tif_dirinfo.c | 2 +-
libtiff/tif_dirwrite.c | 5 ++
libtiff/tif_print.c | 4 ++
5 files changed, 82 insertions(+), 50 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index e90f14a0..a4295dc9 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -136,32 +136,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32_t* v)
}
/*
- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
+ * Count ink names separated by \0. Returns
* zero if the ink names are not as expected.
*/
-static uint32_t
-checkInkNamesString(TIFF* tif, uint32_t slen, const char* s)
+static uint16_t
+countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
{
- TIFFDirectory* td = &tif->tif_dir;
- uint16_t i = td->td_samplesperpixel;
+ uint16_t i = 0;
+ const char *ep = s + slen;
+ const char *cp = s;
if (slen > 0) {
- const char* ep = s+slen;
- const char* cp = s;
- for (; i > 0; i--) {
+ do {
for (; cp < ep && *cp != '\0'; cp++) {}
if (cp >= ep)
goto bad;
cp++; /* skip \0 */
- }
- return ((uint32_t)(cp - s));
+ i++;
+ } while (cp < ep);
+ return (i);
}
bad:
TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
- "%s: Invalid InkNames value; expecting %"PRIu16" names, found %"PRIu16,
- tif->tif_name,
- td->td_samplesperpixel,
- (uint16_t)(td->td_samplesperpixel-i));
+ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink",
+ tif->tif_name, slen, i);
return (0);
}
@@ -475,13 +473,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
_TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
break;
case TIFFTAG_INKNAMES:
- v = (uint16_t) va_arg(ap, uint16_vap);
- s = va_arg(ap, char*);
- v = checkInkNamesString(tif, v, s);
- status = v > 0;
- if( v > 0 ) {
- _TIFFsetNString(&td->td_inknames, s, v);
- td->td_inknameslen = v;
+ {
+ v = (uint16_t) va_arg(ap, uint16_vap);
+ s = va_arg(ap, char*);
+ uint16_t ninksinstring;
+ ninksinstring = countInkNamesString(tif, v, s);
+ status = ninksinstring > 0;
+ if(ninksinstring > 0 ) {
+ _TIFFsetNString(&td->td_inknames, s, v);
+ td->td_inknameslen = v;
+ /* Set NumberOfInks to the value ninksinstring */
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
+ {
+ if (td->td_numberofinks != ninksinstring) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"",
+ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
+ td->td_numberofinks = ninksinstring;
+ }
+ } else {
+ td->td_numberofinks = ninksinstring;
+ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
+ }
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
+ {
+ if (td->td_numberofinks != td->td_samplesperpixel) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
+ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
+ }
+ }
+ }
+ }
+ break;
+ case TIFFTAG_NUMBEROFINKS:
+ v = (uint16_t)va_arg(ap, uint16_vap);
+ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
+ if (TIFFFieldSet(tif, FIELD_INKNAMES))
+ {
+ if (v != td->td_numberofinks) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")",
+ tif->tif_name, fip->field_name, v, td->td_numberofinks);
+ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
+ status = 0;
+ }
+ } else {
+ td->td_numberofinks = (uint16_t)v;
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
+ {
+ if (td->td_numberofinks != td->td_samplesperpixel) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
+ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
+ }
+ }
}
break;
case TIFFTAG_PERSAMPLE:
@@ -915,34 +961,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
if (fip->field_bit == FIELD_CUSTOM) {
standard_tag = 0;
}
-
- if( standard_tag == TIFFTAG_NUMBEROFINKS )
- {
- int i;
- for (i = 0; i < td->td_customValueCount; i++) {
- uint16_t val;
- TIFFTagValue *tv = td->td_customValues + i;
- if (tv->info->field_tag != standard_tag)
- continue;
- if( tv->value == NULL )
- return 0;
- val = *(uint16_t *)tv->value;
- /* Truncate to SamplesPerPixel, since the */
- /* setting code for INKNAMES assume that there are SamplesPerPixel */
- /* inknames. */
- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
- if( val > td->td_samplesperpixel )
- {
- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
- "Truncating NumberOfInks from %u to %"PRIu16,
- val, td->td_samplesperpixel);
- val = td->td_samplesperpixel;
- }
- *va_arg(ap, uint16_t*) = val;
- return 1;
- }
- return 0;
- }
switch (standard_tag) {
case TIFFTAG_SUBFILETYPE:
@@ -1124,6 +1142,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
case TIFFTAG_INKNAMES:
*va_arg(ap, const char**) = td->td_inknames;
break;
+ case TIFFTAG_NUMBEROFINKS:
+ *va_arg(ap, uint16_t *) = td->td_numberofinks;
+ break;
default:
{
int i;
diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
index 09065648..0c251c9e 100644
--- a/libtiff/tif_dir.h
+++ b/libtiff/tif_dir.h
@@ -117,6 +117,7 @@ typedef struct {
/* CMYK parameters */
int td_inknameslen;
char* td_inknames;
+ uint16_t td_numberofinks; /* number of inks in InkNames string */
int td_customValueCount;
TIFFTagValue *td_customValues;
@@ -174,6 +175,7 @@ typedef struct {
#define FIELD_TRANSFERFUNCTION 44
#define FIELD_INKNAMES 46
#define FIELD_SUBIFD 49
+#define FIELD_NUMBEROFINKS 50
/* FIELD_CUSTOM (see tiffio.h) 65 */
/* end of support for well-known tags; codec-private tags follow */
#define FIELD_CODEC 66 /* base of codec-private tags */
diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
index c30f569b..a7e78aae 100644
--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
@@ -114,7 +114,7 @@ tiffFields[] = {
{ TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
{ TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
{ TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
+ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
{ TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
{ TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
{ TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 2fef6d82..1a00edbf 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -708,6 +708,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64_t* pdiroff)
if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
goto bad;
}
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
+ {
+ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
+ goto bad;
+ }
if (TIFFFieldSet(tif,FIELD_SUBIFD))
{
if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index 80a9d90f..1ed90e28 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -401,6 +401,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
}
fputs("\n", fd);
}
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
+ fprintf(fd, " NumberOfInks: %d\n",
+ td->td_numberofinks);
+ }
if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
fprintf(fd, " Thresholding: ");
switch (td->td_threshholding) {

647
SOURCES/0008-CVE-2022-3570-CVE-2022-3598-tiffcrop-subroutines-req.patch
Unescape View File

@ -1,647 +0,0 @@
From aacb1f89c5aa85d513dea8bdb1fd6818519bae2d Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Thu, 13 Oct 2022 14:33:27 +0000
Subject: [PATCH] (CVE-2022-3570 CVE-2022-3598) tiffcrop subroutines require a
larger buffer (fixes #271, #381, #386, #388, #389, #435)
(cherry picked from commit afd7086090dafd3949afd172822cbcec4ed17d56)
---
tools/tiffcrop.c | 205 +++++++++++++++++++++++++++--------------------
1 file changed, 116 insertions(+), 89 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 613ce7f8..70d56e55 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -212,6 +212,10 @@ static char tiffcrop_rev_date[] = "02-09-2022";
#define TIFF_DIR_MAX 65534
+/* Some conversion subroutines require image buffers, which are at least 3 bytes
+ * larger than the necessary size for the image itself. */
+#define NUM_BUFF_OVERSIZE_BYTES 3
+
/* Offsets into buffer for margins and fixed width and length segments */
struct offset {
uint32_t tmargin;
@@ -233,7 +237,7 @@ struct offset {
*/
struct buffinfo {
- uint32_t size; /* size of this buffer */
+ size_t size; /* size of this buffer */
unsigned char *buffer; /* address of the allocated buffer */
};
@@ -810,8 +814,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
uint32_t dst_rowsize, shift_width;
uint32_t bytes_per_sample, bytes_per_pixel;
uint32_t trailing_bits, prev_trailing_bits;
- uint32_t tile_rowsize = TIFFTileRowSize(in);
- uint32_t src_offset, dst_offset;
+ tmsize_t tile_rowsize = TIFFTileRowSize(in);
+ tmsize_t src_offset, dst_offset;
uint32_t row_offset, col_offset;
uint8_t *bufp = (uint8_t*) buf;
unsigned char *src = NULL;
@@ -861,7 +865,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
exit(EXIT_FAILURE);
}
- tilebuf = limitMalloc(tile_buffsize + 3);
+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (tilebuf == 0)
return 0;
tilebuf[tile_buffsize] = 0;
@@ -1024,7 +1028,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf,
for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++)
{
srcbuffs[sample] = NULL;
- tbuff = (unsigned char *)limitMalloc(tilesize + 8);
+ tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES);
if (!tbuff)
{
TIFFError ("readSeparateTilesIntoBuffer",
@@ -1217,7 +1221,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
}
rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
- obuf = limitMalloc (rowstripsize);
+ /* Add 3 padding bytes for extractContigSamples32bits */
+ obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
if (obuf == NULL)
return 1;
@@ -1229,7 +1234,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
stripsize = TIFFVStripSize(out, nrows);
src = buf + (row * rowsize);
- memset (obuf, '\0', rowstripsize);
+ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump))
{
_TIFFfree(obuf);
@@ -1237,10 +1242,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
}
if ((dump->outfile != NULL) && (dump->level == 1))
{
- dump_info(dump->outfile, dump->format,"",
+ if (scanlinesize > 0x0ffffffffULL) {
+ dump_info(dump->infile, dump->format, "loadImage",
+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
+ scanlinesize);
+ }
+ dump_info(dump->outfile, dump->format,"",
"Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d",
- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf);
- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf);
+ s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf);
+ dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf);
}
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0)
@@ -1267,7 +1277,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
uint32_t tl, tw;
uint32_t row, col, nrow, ncol;
uint32_t src_rowsize, col_offset;
- uint32_t tile_rowsize = TIFFTileRowSize(out);
+ tmsize_t tile_rowsize = TIFFTileRowSize(out);
uint8_t* bufp = (uint8_t*) buf;
tsize_t tile_buffsize = 0;
tsize_t tilesize = TIFFTileSize(out);
@@ -1310,9 +1320,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
}
src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
- tilebuf = limitMalloc(tile_buffsize);
+ /* Add 3 padding bytes for extractContigSamples32bits */
+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (tilebuf == 0)
return 1;
+ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
for (row = 0; row < imagelength; row += tl)
{
nrow = (row + tl > imagelength) ? imagelength - row : tl;
@@ -1358,7 +1370,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
uint32_t imagewidth, tsample_t spp,
struct dump_opts * dump)
{
- tdata_t obuf = limitMalloc(TIFFTileSize(out));
+ /* Add 3 padding bytes for extractContigSamples32bits */
+ tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
uint32_t tl, tw;
uint32_t row, col, nrow, ncol;
uint32_t src_rowsize, col_offset;
@@ -1368,6 +1381,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
if (obuf == NULL)
return 1;
+ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
!TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
@@ -1793,14 +1807,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
*opt_offset = '\0';
/* convert option to lowercase */
- end = strlen (opt_ptr);
+ end = (unsigned int)strlen (opt_ptr);
for (i = 0; i < end; i++)
*(opt_ptr + i) = tolower((int) *(opt_ptr + i));
/* Look for dump format specification */
if (strncmp(opt_ptr, "for", 3) == 0)
{
/* convert value to lowercase */
- end = strlen (opt_offset + 1);
+ end = (unsigned int)strlen (opt_offset + 1);
for (i = 1; i <= end; i++)
*(opt_offset + i) = tolower((int) *(opt_offset + i));
/* check dump format value */
@@ -2273,6 +2287,8 @@ main(int argc, char* argv[])
size_t length;
char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */
+ assert(NUM_BUFF_OVERSIZE_BYTES >= 3);
+
little_endian = *((unsigned char *)&little_endian) & '1';
initImageData(&image);
@@ -3227,13 +3243,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
/* If we have a full buffer's worth, write it out */
if (ready_bits >= 32)
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -3642,13 +3658,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
}
else /* If we have a full buffer's worth, write it out */
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -3825,10 +3841,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3
static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
{
uint8_t* bufp = buf;
- int32_t bytes_read = 0;
+ tmsize_t bytes_read = 0;
uint32_t strip, nstrips = TIFFNumberOfStrips(in);
- uint32_t stripsize = TIFFStripSize(in);
- uint32_t rows = 0;
+ tmsize_t stripsize = TIFFStripSize(in);
+ tmsize_t rows = 0;
uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
tsize_t scanline_size = TIFFScanlineSize(in);
@@ -3841,11 +3857,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1);
rows = bytes_read / scanline_size;
if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize))
- TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32,
+ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64,
strip + 1, bytes_read, stripsize);
if (bytes_read < 0 && !ignore) {
- TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows",
+ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows",
strip, rows);
return 0;
}
@@ -4310,13 +4326,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
/* If we have a full buffer's worth, write it out */
if (ready_bits >= 32)
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -4359,10 +4375,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
"Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
row + 1, col + 1, src_byte, src_bit, dst - out);
- dump_long (dumpfile, format, "Match bits ", matchbits);
+ dump_wide (dumpfile, format, "Match bits ", matchbits);
dump_data (dumpfile, format, "Src bits ", src, 4);
- dump_long (dumpfile, format, "Buff1 bits ", buff1);
- dump_long (dumpfile, format, "Buff2 bits ", buff2);
+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
dump_byte (dumpfile, format, "Write bits1", bytebuff1);
dump_byte (dumpfile, format, "Write bits2", bytebuff2);
dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
@@ -4835,13 +4851,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
/* If we have a full buffer's worth, write it out */
if (ready_bits >= 32)
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -4884,10 +4900,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
"Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
row + 1, col + 1, src_byte, src_bit, dst - out);
- dump_long (dumpfile, format, "Match bits ", matchbits);
+ dump_wide (dumpfile, format, "Match bits ", matchbits);
dump_data (dumpfile, format, "Src bits ", src, 4);
- dump_long (dumpfile, format, "Buff1 bits ", buff1);
- dump_long (dumpfile, format, "Buff2 bits ", buff2);
+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
dump_byte (dumpfile, format, "Write bits1", bytebuff1);
dump_byte (dumpfile, format, "Write bits2", bytebuff2);
dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
@@ -4910,7 +4926,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
{
int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
uint32_t j;
- int32_t bytes_read = 0;
+ tmsize_t bytes_read = 0;
uint16_t bps = 0, planar;
uint32_t nstrips;
uint32_t strips_per_sample;
@@ -4976,7 +4992,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
{
srcbuffs[s] = NULL;
- buff = limitMalloc(stripsize + 3);
+ buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES);
if (!buff)
{
TIFFError ("readSeparateStripsIntoBuffer",
@@ -4999,7 +5015,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
buff = srcbuffs[s];
strip = (s * strips_per_sample) + j;
bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
- rows_this_strip = bytes_read / src_rowsize;
+ rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
if (bytes_read < 0 && !ignore)
{
TIFFError(TIFFFileName(in),
@@ -6062,13 +6078,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
uint16_t input_compression = 0, input_photometric = 0;
uint16_t subsampling_horiz, subsampling_vert;
uint32_t width = 0, length = 0;
- uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0;
+ tmsize_t stsize = 0, tlsize = 0, buffsize = 0;
+ tmsize_t scanlinesize = 0;
uint32_t tw = 0, tl = 0; /* Tile width and length */
- uint32_t tile_rowsize = 0;
+ tmsize_t tile_rowsize = 0;
unsigned char *read_buff = NULL;
unsigned char *new_buff = NULL;
int readunit = 0;
- static uint32_t prev_readsize = 0;
+ static tmsize_t prev_readsize = 0;
TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -6325,6 +6342,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
/* The buffsize_check and the possible adaptation of buffsize
* has to account also for padding of each line to a byte boundary.
* This is assumed by mirrorImage() and rotateImage().
+ * Furthermore, functions like extractContigSamplesShifted32bits()
+ * need a buffer, which is at least 3 bytes larger than the actual image.
* Otherwise buffer-overflow might occur there.
*/
buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8);
@@ -6376,7 +6395,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
return (-1);
}
- read_buff = (unsigned char *)limitMalloc(buffsize+3);
+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
{
@@ -6387,11 +6406,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
return (-1);
}
- new_buff = _TIFFrealloc(read_buff, buffsize+3);
+ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (!new_buff)
{
free (read_buff);
- read_buff = (unsigned char *)limitMalloc(buffsize+3);
+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
read_buff = new_buff;
@@ -6464,8 +6483,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
dump_info (dump->infile, dump->format, "",
"Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp);
+ if (scanlinesize > 0x0ffffffffULL) {
+ dump_info(dump->infile, dump->format, "loadImage",
+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
+ scanlinesize);
+ }
for (i = 0; i < length; i++)
- dump_buffer(dump->infile, dump->format, 1, scanlinesize,
+ dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize,
i, read_buff + (i * scanlinesize));
}
return (0);
@@ -7485,13 +7509,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image,
if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
- int inknameslen = strlen(inknames) + 1;
+ int inknameslen = (int)strlen(inknames) + 1;
const char* cp = inknames;
while (ninks > 1) {
cp = strchr(cp, '\0');
if (cp) {
cp++;
- inknameslen += (strlen(cp) + 1);
+ inknameslen += ((int)strlen(cp) + 1);
}
ninks--;
}
@@ -7554,23 +7578,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
if (!sect_buff)
{
- sect_buff = (unsigned char *)limitMalloc(sectsize);
+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
if (!sect_buff)
{
TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
return (-1);
}
- _TIFFmemset(sect_buff, 0, sectsize);
+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
{
if (prev_sectsize < sectsize)
{
- new_buff = _TIFFrealloc(sect_buff, sectsize);
+ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES);
if (!new_buff)
{
_TIFFfree (sect_buff);
- sect_buff = (unsigned char *)limitMalloc(sectsize);
+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
sect_buff = new_buff;
@@ -7580,7 +7604,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
return (-1);
}
- _TIFFmemset(sect_buff, 0, sectsize);
+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
}
}
@@ -7611,17 +7635,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
cropsize = crop->bufftotal;
crop_buff = seg_buffs[0].buffer;
if (!crop_buff)
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
{
prev_cropsize = seg_buffs[0].size;
if (prev_cropsize < cropsize)
{
- next_buff = _TIFFrealloc(crop_buff, cropsize);
+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (! next_buff)
{
_TIFFfree (crop_buff);
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
crop_buff = next_buff;
@@ -7634,7 +7658,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
seg_buffs[0].buffer = crop_buff;
seg_buffs[0].size = cropsize;
@@ -7714,17 +7738,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
cropsize = crop->bufftotal;
crop_buff = seg_buffs[i].buffer;
if (!crop_buff)
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
{
prev_cropsize = seg_buffs[0].size;
if (prev_cropsize < cropsize)
{
- next_buff = _TIFFrealloc(crop_buff, cropsize);
+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (! next_buff)
{
_TIFFfree (crop_buff);
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
crop_buff = next_buff;
@@ -7737,7 +7761,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
seg_buffs[i].buffer = crop_buff;
seg_buffs[i].size = cropsize;
@@ -7853,24 +7877,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
crop_buff = *crop_buff_ptr;
if (!crop_buff)
{
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (!crop_buff)
{
TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
prev_cropsize = cropsize;
}
else
{
if (prev_cropsize < cropsize)
{
- new_buff = _TIFFrealloc(crop_buff, cropsize);
+ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (!new_buff)
{
free (crop_buff);
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
crop_buff = new_buff;
@@ -7879,7 +7903,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
}
@@ -8177,13 +8201,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
- int inknameslen = strlen(inknames) + 1;
+ int inknameslen = (int)strlen(inknames) + 1;
const char* cp = inknames;
while (ninks > 1) {
cp = strchr(cp, '\0');
if (cp) {
cp++;
- inknameslen += (strlen(cp) + 1);
+ inknameslen += ((int)strlen(cp) + 1);
}
ninks--;
}
@@ -8568,13 +8592,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
}
else /* If we have a full buffer's worth, write it out */
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -8643,12 +8667,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
return (-1);
}
- if (!(rbuff = (unsigned char *)limitMalloc(buffsize)))
+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
+ if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
{
- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize);
+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
return (-1);
}
- _TIFFmemset(rbuff, '\0', buffsize);
+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
ibuff = *ibuff_ptr;
switch (rotation)
@@ -9176,13 +9201,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width,
}
else /* If we have a full buffer's worth, write it out */
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -9273,12 +9298,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
{
case MIRROR_BOTH:
case MIRROR_VERT:
- line_buff = (unsigned char *)limitMalloc(rowsize);
+ line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES);
if (line_buff == NULL)
{
- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize);
+ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES);
return (-1);
}
+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
dst = ibuff + (rowsize * (length - 1));
for (row = 0; row < length / 2; row++)
@@ -9310,11 +9336,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
}
else
{ /* non 8 bit per sample data */
- if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1)))
+ if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES)))
{
TIFFError("mirrorImage", "Unable to allocate mirror line buffer");
return (-1);
}
+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
bytes_per_sample = (bps + 7) / 8;
bytes_per_pixel = ((bps * spp) + 7) / 8;
if (bytes_per_pixel < (bytes_per_sample + 1))
@@ -9326,7 +9353,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
{
row_offset = row * rowsize;
src = ibuff + row_offset;
- _TIFFmemset (line_buff, '\0', rowsize);
+ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
switch (shift_width)
{
case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff))

37
SOURCES/0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
Unescape View File

@ -1,37 +0,0 @@
From b6204fada53418fdf140e039e87052f987770de1 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 8 Nov 2022 15:16:58 +0100
Subject: [PATCH] (CVE-2022-3970) TIFFReadRGBATileExt(): fix (unsigned) integer
overflow on strips/tiles > 2 GB
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
(cherry picked from commit 227500897dfb07fb7d27f7aa570050e62617e3be)
---
libtiff/tif_getimage.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index a1b6570b..9a2e0c59 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -3058,15 +3058,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
return( ok );
for( i_row = 0; i_row < read_ysize; i_row++ ) {
- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
- raster + (read_ysize - i_row - 1) * read_xsize,
+ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
read_xsize * sizeof(uint32_t) );
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
}
for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
0, sizeof(uint32_t) * tile_xsize );
}

28
SOURCES/0010-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch
Unescape View File

@ -1,28 +0,0 @@
From cadce9836463df5653b573eff47fddadc23431c5 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 21 Jan 2023 15:58:10 +0000
Subject: [PATCH] (CVE-2022-48281) tiffcrop: Correct simple copy paste error.
Fix #488.
Closes #488
See merge request libtiff/libtiff!459
(cherry picked from commit d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5)
---
tools/tiffcrop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 70d56e55..57940697 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7741,7 +7741,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
{
- prev_cropsize = seg_buffs[0].size;
+ prev_cropsize = seg_buffs[i].size;
if (prev_cropsize < cropsize)
{
next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);

128
SOURCES/0011-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
Unescape View File

@ -1,128 +0,0 @@
From 22b164b8734f9d1ea91760d87e9531e3b3cc7017 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 5 Feb 2023 15:53:16 +0000
Subject: [PATCH] (CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803
CVE-2023-0804) tiffcrop: added check for assumption on composite images
(fixes #496)
Closes #501, #500, #498, #497 et #496
See merge request libtiff/libtiff!466
(cherry picked from commit 33aee1275d9d1384791d2206776eb8152d397f00)
---
tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 66 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 57940697..2c0ebf4b 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5364,18 +5364,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
crop->regionlist[i].buffsize = buffsize;
crop->bufftotal += buffsize;
+
+ /* For composite images with more than one region, the
+ * combined_length or combined_width always needs to be equal,
+ * respectively.
+ * Otherwise, even the first section/region copy
+ * action might cause buffer overrun. */
if (crop->img_mode == COMPOSITE_IMAGES)
{
switch (crop->edge_ref)
{
case EDGE_LEFT:
case EDGE_RIGHT:
+ if (i > 0 && zlength != crop->combined_length)
+ {
+ TIFFError(
+ "computeInputPixelOffsets",
+ "Only equal length regions can be combined for "
+ "-E left or right");
+ return (-1);
+ }
crop->combined_length = zlength;
crop->combined_width += zwidth;
break;
case EDGE_BOTTOM:
case EDGE_TOP: /* width from left, length from top */
default:
+ if (i > 0 && zwidth != crop->combined_width)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Only equal width regions can be "
+ "combined for -E "
+ "top or bottom");
+ return (-1);
+ }
crop->combined_width = zwidth;
crop->combined_length += zlength;
break;
@@ -6589,6 +6611,46 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
crop->combined_width = 0;
crop->combined_length = 0;
+ /* If there is more than one region, check beforehand whether all the width
+ * and length values of the regions are the same, respectively. */
+ switch (crop->edge_ref)
+ {
+ default:
+ case EDGE_TOP:
+ case EDGE_BOTTOM:
+ for (i = 1; i < crop->selections; i++)
+ {
+ uint32_t crop_width0 =
+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
+ uint32_t crop_width1 =
+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ if (crop_width0 != crop_width1)
+ {
+ TIFFError("extractCompositeRegions",
+ "Only equal width regions can be combined for -E "
+ "top or bottom");
+ return (1);
+ }
+ }
+ break;
+ case EDGE_LEFT:
+ case EDGE_RIGHT:
+ for (i = 1; i < crop->selections; i++)
+ {
+ uint32_t crop_length0 =
+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
+ uint32_t crop_length1 =
+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (crop_length0 != crop_length1)
+ {
+ TIFFError("extractCompositeRegions",
+ "Only equal length regions can be combined for "
+ "-E left or right");
+ return (1);
+ }
+ }
+ }
+
for (i = 0; i < crop->selections; i++)
{
/* rows, columns, width, length are expressed in pixels */
@@ -6613,7 +6675,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
default:
case EDGE_TOP:
case EDGE_BOTTOM:
- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
+ if ((crop->selections > i + 1) &&
+ (crop_width != crop->regionlist[i + 1].width))
{
TIFFError ("extractCompositeRegions",
"Only equal width regions can be combined for -E top or bottom");
@@ -6694,7 +6757,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
break;
case EDGE_LEFT: /* splice the pieces of each row together, side by side */
case EDGE_RIGHT:
- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
+ if ((crop->selections > i + 1) &&
+ (crop_length != crop->regionlist[i + 1].length))
{
TIFFError ("extractCompositeRegions",
"Only equal length regions can be combined for -E left or right");

174
SOURCES/0012-Merge-branch-tiffcrop_correctly_update_buffersize_af.patch
Unescape View File

@ -1,174 +0,0 @@
From 7160a3d1a81ba2feaee3a8c0aea10eb9efb74ab9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 14 Mar 2023 18:40:04 +0100
Subject: [PATCH] Merge branch
'tiffcrop_correctly_update_buffersize_after_rotate_fix#520' into 'master'
tiffcrop correctly update buffersize after rotateImage() fix#520
Closes #520
See merge request libtiff/libtiff!467
(cherry picked from commit 6366e8f776a0fa0dd476d37b108eecdf42b950f3)
---
tools/tiffcrop.c | 66 +++++++++++++++++++++++++++++++++++++-----------
1 file changed, 51 insertions(+), 15 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 2c0ebf4b..e183e849 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -526,7 +526,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
uint32_t, uint32_t, uint8_t *, uint8_t *);
static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
- unsigned char **);
+ unsigned char **, size_t *);
static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
unsigned char *);
static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
@@ -6557,7 +6557,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
return (-1);
}
- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
+ if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL))
{
TIFFError ("correct_orientation", "Unable to rotate image");
return (-1);
@@ -7781,16 +7781,19 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
+ /* rotateImage() set up a new buffer and calculates its size
+ * individually. Therefore, seg_buffs size needs to be updated
+ * accordingly. */
+ size_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff))
+ &crop->combined_length, &crop_buff, &rot_buf_size))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
return (-1);
}
seg_buffs[0].buffer = crop_buff;
- seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
- * image->spp) * crop->combined_length;
+ seg_buffs[0].size = rot_buf_size;
}
}
else /* Separated Images */
@@ -7890,9 +7893,12 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
{
/* rotateImage() changes image->width, ->length, ->xres and ->yres, what it schouldn't do here, when more than one section is processed.
* ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !!
- */
- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff))
+ * Furthermore, rotateImage() set up a new buffer and calculates
+ * its size individually. Therefore, seg_buffs size needs to be
+ * updated accordingly. */
+ size_t rot_buf_size = 0;
+ if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
@@ -7903,8 +7909,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
crop->combined_width = total_width;
crop->combined_length = total_length;
seg_buffs[i].buffer = crop_buff;
- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
- * image->spp) * crop->regionlist[i].length;
+ seg_buffs[i].size = rot_buf_size;
}
} /* for crop->selections loop */
} /* Separated Images (else case) */
@@ -8024,7 +8029,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr))
+ &crop->combined_length, crop_buff_ptr, NULL))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
@@ -8687,13 +8692,14 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
/* Rotate an image by a multiple of 90 degrees clockwise */
static int
rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
- uint32_t *img_length, unsigned char **ibuff_ptr)
+ uint32_t * img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size)
{
int shift_width;
uint32_t bytes_per_pixel, bytes_per_sample;
uint32_t row, rowsize, src_offset, dst_offset;
uint32_t i, col, width, length;
- uint32_t colsize, buffsize, col_offset, pix_offset;
+ uint32_t colsize, col_offset, pix_offset;
+ tmsize_t buffsize;
unsigned char *ibuff;
unsigned char *src;
unsigned char *dst;
@@ -8706,12 +8712,40 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
spp = image->spp;
bps = image->bps;
+ if ((spp != 0 && bps != 0 &&
+ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
+ (spp != 0 && bps != 0 &&
+ length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
+ {
+ TIFFError("rotateImage", "Integer overflow detected.");
+ return (-1);
+ }
rowsize = ((bps * spp * width) + 7) / 8;
colsize = ((bps * spp * length) + 7) / 8;
if ((colsize * width) > (rowsize * length))
- buffsize = (colsize + 1) * width;
+ {
+ if (((tmsize_t)colsize + 1) != 0 &&
+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+ ((tmsize_t)colsize + 1)))
+ {
+ TIFFError("rotateImage",
+ "Integer overflow when calculating buffer size.");
+ return (-1);
+ }
+ buffsize = ((tmsize_t)colsize + 1) * width;
+ }
else
+ {
+ if (((tmsize_t)rowsize + 1) != 0 &&
+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+ ((tmsize_t)rowsize + 1)))
+ {
+ TIFFError("rotateImage",
+ "Integer overflow when calculating buffer size.");
+ return (-1);
+ }
buffsize = (rowsize + 1) * length;
+ }
bytes_per_sample = (bps + 7) / 8;
bytes_per_pixel = ((bps * spp) + 7) / 8;
@@ -8734,7 +8768,7 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
/* Add 3 padding bytes for extractContigSamplesShifted32bits */
if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
{
- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT " bytes ", buffsize + NUM_BUFF_OVERSIZE_BYTES);
return (-1);
}
_TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
@@ -8764,6 +8798,8 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
for (row = 0; row < length; row++)
{
src_offset = row * rowsize;
+ if (rot_buf_size != NULL)
+ *rot_buf_size = buffsize;
dst_offset = (length - row - 1) * rowsize;
src = ibuff + src_offset;
dst = rbuff + dst_offset;

154
SOURCES/0013-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0.patch
Unescape View File

@ -1,154 +0,0 @@
From 9debf535618baef5a906de9f07d937e361ea0bc0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 14 Mar 2023 19:37:18 +0100
Subject: [PATCH] (CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798
CVE-2023-0799) Merge branch 'tiffcrop_R270_fix#492' into 'master'
tiffcrop: Amend rotateImage() not to toggle the input (main) image width and...
Closes #519, #518, #499, #495, #494, #493 et #492
See merge request libtiff/libtiff!465
(cherry picked from commit afaabc3e50d4e5d80a94143f7e3c997e7e410f68)
---
tools/tiffcrop.c | 49 +++++++++++++++++++++++++++---------------------
1 file changed, 28 insertions(+), 21 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index e183e849..c2688883 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -271,7 +271,6 @@ struct region {
uint32_t width; /* width in pixels */
uint32_t length; /* length in pixels */
uint32_t buffsize; /* size of buffer needed to hold the cropped region */
- unsigned char *buffptr; /* address of start of the region */
};
/* Cropping parameters from command line and image data
@@ -526,7 +525,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
uint32_t, uint32_t, uint8_t *, uint8_t *);
static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
- unsigned char **, size_t *);
+ unsigned char **, size_t *, int);
static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
unsigned char *);
static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
@@ -5224,7 +5223,6 @@ initCropMasks (struct crop_mask *cps)
cps->regionlist[i].width = 0;
cps->regionlist[i].length = 0;
cps->regionlist[i].buffsize = 0;
- cps->regionlist[i].buffptr = NULL;
cps->zonelist[i].position = 0;
cps->zonelist[i].total = 0;
}
@@ -6556,8 +6554,12 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
(uint16_t) (image->adjustments & ROTATE_ANY));
return (-1);
}
-
- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL))
+ /* Dummy variable in order not to switch two times the
+ * image->width,->length within rotateImage(),
+ * but switch xres, yres there. */
+ uint32_t width = image->width;
+ uint32_t length = image->length;
+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL, TRUE))
{
TIFFError ("correct_orientation", "Unable to rotate image");
return (-1);
@@ -6665,7 +6667,6 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
/* These should not be needed for composite images */
crop->regionlist[i].width = crop_width;
crop->regionlist[i].length = crop_length;
- crop->regionlist[i].buffptr = crop_buff;
src_rowsize = ((img_width * bps * spp) + 7) / 8;
dst_rowsize = (((crop_width * bps * count) + 7) / 8);
@@ -6904,7 +6905,6 @@ extractSeparateRegion(struct image_data *image, struct crop_mask *crop,
crop->regionlist[region].width = crop_width;
crop->regionlist[region].length = crop_length;
- crop->regionlist[region].buffptr = crop_buff;
src = read_buff;
dst = crop_buff;
@@ -7786,7 +7786,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
* accordingly. */
size_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff, &rot_buf_size))
+ &crop->combined_length, &crop_buff, &rot_buf_size, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
@@ -7898,7 +7898,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
* updated accordingly. */
size_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
@@ -8029,7 +8029,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr, NULL))
+ &crop->combined_length, crop_buff_ptr, NULL, TRUE))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
@@ -8692,7 +8692,8 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
/* Rotate an image by a multiple of 90 degrees clockwise */
static int
rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
- uint32_t * img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size)
+ uint32_t * img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size,
+ int rot_image_params)
{
int shift_width;
uint32_t bytes_per_pixel, bytes_per_sample;
@@ -8914,11 +8915,14 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params) {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
case 270: if ((bps % 8) == 0) /* byte aligned data */
@@ -8991,11 +8995,14 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params) {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
default:
break;

36
SOURCES/0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch
Unescape View File

@ -1,36 +0,0 @@
From af4ee2276bfb9cfdd1809326604ead5a405735be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 8 Jun 2023 14:10:59 +0200
Subject: [PATCH] (CVE-2023-2731) LZWDecode(): avoid crash when trying to read
again from a strip whith a missing end-of-information marker (fixes #548)
(cherry picked from commit 9be22b639ea69e102d3847dca4c53ef025e9527b)
---
libtiff/tif_lzw.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index 096824d2..2ba6237e 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -404,7 +404,11 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
assert(sp->dec_codetab != NULL);
if (sp->read_error) {
- return 0;
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
+ "previous error",
+ tif->tif_row);
+ return 0;
}
/*
@@ -705,6 +709,7 @@ after_loop:
return (1);
no_eoi:
+ sp->read_error = 1;
TIFFErrorExt(tif->tif_clientdata, module,
"LZWDecode: Strip %"PRIu32" not terminated with EOI code",
tif->tif_curstrip);

95
SOURCES/0015-CVE-2023-26965-tiffcrop-Do-not-reuse-input-buffer-fo.patch
Unescape View File

@ -1,95 +0,0 @@
From c7c1a0e3537b692196c15ea764b789f601b15850 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Wed, 28 Jun 2023 14:05:50 +0200
Subject: [PATCH] (CVE-2023-26965) tiffcrop: Do not reuse input buffer for
subsequent images. Fix issue 527
Reuse of read_buff within loadImage() from previous image is quite unsafe,
because other functions (like rotateImage() etc.) reallocate that buffer with
different size without updating the local prev_readsize value.
Closes #527
(cherry picked from commit ec8ef90c1f573c9eb1f17d6a056aa0015f184acf)
---
tools/tiffcrop.c | 45 ++++++++++++++-------------------------------
1 file changed, 14 insertions(+), 31 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index c2688883..d9b91e4e 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6103,9 +6103,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
uint32_t tw = 0, tl = 0; /* Tile width and length */
tmsize_t tile_rowsize = 0;
unsigned char *read_buff = NULL;
- unsigned char *new_buff = NULL;
int readunit = 0;
- static tmsize_t prev_readsize = 0;
TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -6404,41 +6402,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
}
}
}
-
+
read_buff = *read_ptr;
- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
- /* outside buffer */
- if (!read_buff)
+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+ * outside buffer */
+ /* Reuse of read_buff from previous image is quite unsafe, because other
+ * functions (like rotateImage() etc.) reallocate that buffer with different
+ * size without updating the local prev_readsize value. */
+ if (read_buff)
{
- if( buffsize > 0xFFFFFFFFU - 3 )
- {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ _TIFFfree(read_buff);
}
- else
+ if( buffsize > 0xFFFFFFFFU - 3 )
{
- if (prev_readsize < buffsize)
- {
- if( buffsize > 0xFFFFFFFFU - 3 )
- {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
- if (!new_buff)
- {
- free (read_buff);
- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
- }
- else
- read_buff = new_buff;
- }
+ TIFFError("loadImage", "Required read buffer size too large" );
+ return (-1);
}
+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+
if (!read_buff)
{
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ TIFFError("loadImage", "Unable to allocate read buffer" );
return (-1);
}
@@ -6446,7 +6430,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
read_buff[buffsize+1] = 0;
read_buff[buffsize+2] = 0;
- prev_readsize = buffsize;
*read_ptr = read_buff;
/* N.B. The read functions used copy separate plane data into a buffer as interleaved

55
SOURCES/0016-CVE-2023-3316-TIFFClose-avoid-NULL-pointer-dereferen.patch
Unescape View File

@ -1,55 +0,0 @@
From 9a0ec729ad38af873eac5d896cb38219cb50d49c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 1 Aug 2023 16:04:17 +0200
Subject: [PATCH] (CVE-2023-3316) TIFFClose() avoid NULL pointer dereferencing.
fix#515
Closes #515
(cherry picked from commit f171d7a2cd50e34975036748a395c156d32d9235)
---
libtiff/tif_close.c | 6 ++++--
tools/tiffcrop.c | 7 +++++--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
index 04977bc7..6c9f7349 100644
--- a/libtiff/tif_close.c
+++ b/libtiff/tif_close.c
@@ -125,13 +125,15 @@ TIFFCleanup(TIFF* tif)
void
TIFFClose(TIFF* tif)
{
- TIFFCloseProc closeproc = tif->tif_closeproc;
+ if (tif != NULL)
+ {
+ TIFFCloseProc closeproc = tif->tif_closeproc;
thandle_t fd = tif->tif_clientdata;
TIFFCleanup(tif);
(void) (*closeproc)(fd);
}
-
+}
/* vim: set ts=8 sts=8 sw=8 noet: */
/*
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index d9b91e4e..07fc7ea3 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -2553,9 +2553,12 @@ main(int argc, char* argv[])
}
}
- TIFFClose(out);
+ if (out != NULL)
+ {
+ TIFFClose(out);
+ }
- return (0);
+ return (0);
} /* end main */

35
SOURCES/0017-CVE-2023-26966-tif_luv-Check-and-correct-for-NaN-dat.patch
Unescape View File

@ -1,35 +0,0 @@
From 7d0a920d34e9960b2dd2e3583172826b3a4db570 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 8 Aug 2023 15:32:42 +0200
Subject: [PATCH] (CVE-2023-26966) tif_luv: Check and correct for NaN data in
uv_encode().
Closes #530
See merge request libtiff/libtiff!473
(cherry picked from commit d1f658afa5ab5ed21a9e32e0f790f41b01506cd9)
---
libtiff/tif_luv.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 72ab3668..93c76115 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -908,7 +908,14 @@ uv_encode(double u, double v, int em) /* encode (u',v') coordinates */
{
register int vi, ui;
- if (v < UV_VSTART)
+ /* check for NaN */
+ if (u != u || v != v)
+ {
+ u = U_NEU;
+ v = V_NEU;
+ }
+
+ if (v < UV_VSTART)
return oog_encode(u, v);
vi = tiff_itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em);
if (vi >= UV_NVS)

34
SOURCES/0018-CVE-2023-3576-Fix-memory-leak-in-tiffcrop.c.patch
Unescape View File

@ -1,34 +0,0 @@
From 186a46ebfe483703e3120e825fc5f3eb26a1c0f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 8 Aug 2023 15:42:54 +0200
Subject: [PATCH] (CVE-2023-3576) Fix memory leak in tiffcrop.c
See merge request libtiff/libtiff!475
(cherry picked from commit 1d5b1181c980090a6518f11e61a18b0e268bf31a)
---
tools/tiffcrop.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 07fc7ea3..be72ec52 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7922,9 +7922,14 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
read_buff = *read_buff_ptr;
- /* process full image, no crop buffer needed */
- crop_buff = read_buff;
- *crop_buff_ptr = read_buff;
+ /* Memory is freed before crop_buff_ptr is overwritten */
+ if (*crop_buff_ptr != NULL )
+ {
+ _TIFFfree(*crop_buff_ptr);
+ }
+
+ /* process full image, no crop buffer needed */
+ *crop_buff_ptr = read_buff;
crop->combined_width = image->width;
crop->combined_length = image->length;

548
SOURCES/0019-CVE-2023-40090-Improved-IFD-Loop-Handling-fixes-455.patch
Unescape View File

@ -1,548 +0,0 @@
From 98648d3b62d4f123915410b8cae47954f9223000 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 6 Oct 2022 10:11:06 +0000
Subject: [PATCH] (CVE-2023-40090) Improved IFD-Loop Handling (fixes #455)
Closes #455
See merge request libtiff/libtiff!386
(cherry picked from commit d093eb5d961e21ba51420bc22382c514683a4d91)
---
libtiff/tif_close.c | 6 +-
libtiff/tif_dir.c | 129 +++++++++++++++++++++++++-----------
libtiff/tif_dir.h | 2 +
libtiff/tif_dirread.c | 147 +++++++++++++++++++++++++++++++++---------
libtiff/tif_open.c | 3 +-
libtiff/tiffiop.h | 3 +-
6 files changed, 219 insertions(+), 71 deletions(-)
diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
index 6c9f7349..b5fa9603 100644
--- a/libtiff/tif_close.c
+++ b/libtiff/tif_close.c
@@ -52,8 +52,10 @@ TIFFCleanup(TIFF* tif)
(*tif->tif_cleanup)(tif);
TIFFFreeDirectory(tif);
- if (tif->tif_dirlist)
- _TIFFfree(tif->tif_dirlist);
+ if (tif->tif_dirlistoff)
+ _TIFFfree(tif->tif_dirlistoff);
+ if (tif->tif_dirlistdirn)
+ _TIFFfree(tif->tif_dirlistdirn);
/*
* Clean up client info links.
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index a4295dc9..d9022f5b 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -1521,12 +1521,22 @@ TIFFDefaultDirectory(TIFF* tif)
}
static int
-TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off)
+TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdiroff, uint64_t* off, uint16_t* nextdirnum)
{
static const char module[] = "TIFFAdvanceDirectory";
+
+ /* Add this directory to the directory list, if not already in. */
+ if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) {
+ TIFFErrorExt(tif->tif_clientdata, module, "Starting directory %"PRIu16" at offset 0x%"PRIx64" (%"PRIu64") might cause an IFD loop",
+ *nextdirnum, *nextdiroff, *nextdiroff);
+ *nextdiroff = 0;
+ *nextdirnum = 0;
+ return(0);
+ }
+
if (isMapped(tif))
{
- uint64_t poff=*nextdir;
+ uint64_t poff=*nextdiroff;
if (!(tif->tif_flags&TIFF_BIGTIFF))
{
tmsize_t poffa,poffb,poffc,poffd;
@@ -1537,7 +1547,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off)
if (((uint64_t)poffa != poff) || (poffb < poffa) || (poffb < (tmsize_t)sizeof(uint16_t)) || (poffb > tif->tif_size))
{
TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count");
- *nextdir=0;
+ *nextdiroff=0;
return(0);
}
_TIFFmemcpy(&dircount,tif->tif_base+poffa,sizeof(uint16_t));
@@ -1555,7 +1565,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off)
_TIFFmemcpy(&nextdir32,tif->tif_base+poffc,sizeof(uint32_t));
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabLong(&nextdir32);
- *nextdir=nextdir32;
+ *nextdiroff=nextdir32;
}
else
{
@@ -1587,11 +1597,10 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off)
}
if (off!=NULL)
*off=(uint64_t)poffc;
- _TIFFmemcpy(nextdir,tif->tif_base+poffc,sizeof(uint64_t));
+ _TIFFmemcpy(nextdiroff,tif->tif_base+poffc,sizeof(uint64_t));
if (tif->tif_flags&TIFF_SWAB)
- TIFFSwabLong8(nextdir);
+ TIFFSwabLong8(nextdiroff);
}
- return(1);
}
else
{
@@ -1599,7 +1608,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off)
{
uint16_t dircount;
uint32_t nextdir32;
- if (!SeekOK(tif, *nextdir) ||
+ if (!SeekOK(tif, *nextdiroff) ||
!ReadOK(tif, &dircount, sizeof (uint16_t))) {
TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory count",
tif->tif_name);
@@ -1620,13 +1629,13 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off)
}
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabLong(&nextdir32);
- *nextdir=nextdir32;
+ *nextdiroff=nextdir32;
}
else
{
uint64_t dircount64;
uint16_t dircount16;
- if (!SeekOK(tif, *nextdir) ||
+ if (!SeekOK(tif, *nextdiroff) ||
!ReadOK(tif, &dircount64, sizeof (uint64_t))) {
TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory count",
tif->tif_name);
@@ -1646,17 +1655,27 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off)
else
(void) TIFFSeekFile(tif,
dircount16*20, SEEK_CUR);
- if (!ReadOK(tif, nextdir, sizeof (uint64_t))) {
+ if (!ReadOK(tif, nextdiroff, sizeof (uint64_t))) {
TIFFErrorExt(tif->tif_clientdata, module,
"%s: Error fetching directory link",
tif->tif_name);
return (0);
}
if (tif->tif_flags & TIFF_SWAB)
- TIFFSwabLong8(nextdir);
+ TIFFSwabLong8(nextdiroff);
}
- return (1);
}
+ if (*nextdiroff != 0) {
+ (*nextdirnum)++;
+ /* Check next directory for IFD looping and if so, set it as last directory. */
+ if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) {
+ TIFFWarningExt(tif->tif_clientdata, module, "the next directory %"PRIu16" at offset 0x%"PRIx64" (%"PRIu64") might be an IFD loop. Treating directory %"PRIu16" as last directory",
+ *nextdirnum, *nextdiroff, *nextdiroff, *nextdirnum-1);
+ *nextdiroff = 0;
+ (*nextdirnum)--;
+ }
+ }
+ return (1);
}
/*
@@ -1666,14 +1685,16 @@ uint16_t
TIFFNumberOfDirectories(TIFF* tif)
{
static const char module[] = "TIFFNumberOfDirectories";
- uint64_t nextdir;
+ uint64_t nextdiroff;
+ uint16_t nextdirnum;
uint16_t n;
if (!(tif->tif_flags&TIFF_BIGTIFF))
- nextdir = tif->tif_header.classic.tiff_diroff;
+ nextdiroff = tif->tif_header.classic.tiff_diroff;
else
- nextdir = tif->tif_header.big.tiff_diroff;
+ nextdiroff = tif->tif_header.big.tiff_diroff;
+ nextdirnum = 0;
n = 0;
- while (nextdir != 0 && TIFFAdvanceDirectory(tif, &nextdir, NULL))
+ while (nextdiroff != 0 && TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum))
{
if (n != 65535) {
++n;
@@ -1696,28 +1717,30 @@ TIFFNumberOfDirectories(TIFF* tif)
int
TIFFSetDirectory(TIFF* tif, uint16_t dirn)
{
- uint64_t nextdir;
+ uint64_t nextdiroff;
+ uint16_t nextdirnum;
uint16_t n;
if (!(tif->tif_flags&TIFF_BIGTIFF))
- nextdir = tif->tif_header.classic.tiff_diroff;
+ nextdiroff = tif->tif_header.classic.tiff_diroff;
else
- nextdir = tif->tif_header.big.tiff_diroff;
- for (n = dirn; n > 0 && nextdir != 0; n--)
- if (!TIFFAdvanceDirectory(tif, &nextdir, NULL))
+ nextdiroff = tif->tif_header.big.tiff_diroff;
+ nextdirnum = 0;
+ for (n = dirn; n > 0 && nextdiroff != 0; n--)
+ if (!TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum))
return (0);
- tif->tif_nextdiroff = nextdir;
+ /* If the n-th directory could not be reached (does not exist),
+ * return here without touching anything further. */
+ if (nextdiroff == 0 || n > 0)
+ return (0);
+
+ tif->tif_nextdiroff = nextdiroff;
/*
* Set curdir to the actual directory index. The
* -1 is because TIFFReadDirectory will increment
* tif_curdir after successfully reading the directory.
*/
tif->tif_curdir = (dirn - n) - 1;
- /*
- * Reset tif_dirnumber counter and start new list of seen directories.
- * We need this to prevent IFD loops.
- */
- tif->tif_dirnumber = 0;
return (TIFFReadDirectory(tif));
}
@@ -1730,13 +1753,42 @@ TIFFSetDirectory(TIFF* tif, uint16_t dirn)
int
TIFFSetSubDirectory(TIFF* tif, uint64_t diroff)
{
- tif->tif_nextdiroff = diroff;
- /*
- * Reset tif_dirnumber counter and start new list of seen directories.
- * We need this to prevent IFD loops.
+ /* Match nextdiroff and curdir for consistent IFD-loop checking.
+ * Only with TIFFSetSubDirectory() the IFD list can be corrupted with invalid offsets
+ * within the main IFD tree.
+ * In the case of several subIFDs of a main image,
+ * there are two possibilities that are not even mutually exclusive.
+ * a.) The subIFD tag contains an array with all offsets of the subIFDs.
+ * b.) The SubIFDs are concatenated with their NextIFD parameters.
+ * (refer to https://www.awaresystems.be/imaging/tiff/specification/TIFFPM6.pdf.)
*/
- tif->tif_dirnumber = 0;
- return (TIFFReadDirectory(tif));
+ int retval;
+ uint16_t curdir = 0;
+ int8_t probablySubIFD = 0;
+ if (diroff == 0) {
+ /* Special case to invalidate the tif_lastdiroff member. */
+ tif->tif_curdir = 65535;
+ } else {
+ if (!_TIFFGetDirNumberFromOffset(tif, diroff, &curdir)) {
+ /* Non-existing offsets might point to a SubIFD or invalid IFD.*/
+ probablySubIFD = 1;
+ }
+ /* -1 because TIFFReadDirectory() will increment tif_curdir. */
+ tif->tif_curdir = curdir - 1;
+ }
+
+ tif->tif_nextdiroff = diroff;
+ retval = TIFFReadDirectory(tif);
+ /* If failed, curdir was not incremented in TIFFReadDirectory(), so set it back. */
+ if (!retval )tif->tif_curdir++;
+ if (retval && probablySubIFD) {
+ /* Reset IFD list to start new one for SubIFD chain and also start SubIFD chain with tif_curdir=0. */
+ tif->tif_dirnumber = 0;
+ tif->tif_curdir = 0; /* first directory of new chain */
+ /* add this offset to new IFD list */
+ _TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir, diroff);
+ }
+ return (retval);
}
/*
@@ -1760,12 +1812,15 @@ TIFFLastDirectory(TIFF* tif)
/*
* Unlink the specified directory from the directory chain.
+ * Note: First directory starts with number dirn=1.
+ * This is different to TIFFSetDirectory() where the first directory starts with zero.
*/
int
TIFFUnlinkDirectory(TIFF* tif, uint16_t dirn)
{
static const char module[] = "TIFFUnlinkDirectory";
uint64_t nextdir;
+ uint16_t nextdirnum;
uint64_t off;
uint16_t n;
@@ -1789,19 +1844,21 @@ TIFFUnlinkDirectory(TIFF* tif, uint16_t dirn)
nextdir = tif->tif_header.big.tiff_diroff;
off = 8;
}
+ nextdirnum = 0; /* First directory is dirn=0 */
+
for (n = dirn-1; n > 0; n--) {
if (nextdir == 0) {
TIFFErrorExt(tif->tif_clientdata, module, "Directory %"PRIu16" does not exist", dirn);
return (0);
}
- if (!TIFFAdvanceDirectory(tif, &nextdir, &off))
+ if (!TIFFAdvanceDirectory(tif, &nextdir, &off, &nextdirnum))
return (0);
}
/*
* Advance to the directory to be unlinked and fetch
* the offset of the directory that follows.
*/
- if (!TIFFAdvanceDirectory(tif, &nextdir, NULL))
+ if (!TIFFAdvanceDirectory(tif, &nextdir, NULL, &nextdirnum))
return (0);
/*
* Go back and patch the link field of the preceding
diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
index 0c251c9e..deaa4594 100644
--- a/libtiff/tif_dir.h
+++ b/libtiff/tif_dir.h
@@ -302,6 +302,8 @@ extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32_t);
extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32_t, TIFFDataType);
extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32_t, TIFFDataType);
extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
+extern int _TIFFCheckDirNumberAndOffset(TIFF *tif, uint16_t dirn, uint64_t diroff);
+extern int _TIFFGetDirNumberFromOffset(TIFF *tif, uint64_t diroff, uint16_t *dirn);
#if defined(__cplusplus)
}
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 32653f04..f4c1b08d 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -159,7 +159,6 @@ static void TIFFReadDirectoryFindFieldInfo(TIFF* tif, uint16_t tagid, uint32_t*
static int EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount);
static void MissingRequired(TIFF*, const char*);
-static int TIFFCheckDirOffset(TIFF* tif, uint64_t diroff);
static int CheckDirCount(TIFF*, TIFFDirEntry*, uint32_t);
static uint16_t TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir, uint64_t* nextdiroff);
static int TIFFFetchNormalTag(TIFF*, TIFFDirEntry*, int recover);
@@ -3922,12 +3921,19 @@ TIFFReadDirectory(TIFF* tif)
int bitspersample_read = FALSE;
int color_channels;
- tif->tif_diroff=tif->tif_nextdiroff;
- if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
- return 0; /* last offset or bad offset (IFD looping) */
- (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
- tif->tif_curdir++;
- nextdiroff = tif->tif_nextdiroff;
+ if (tif->tif_nextdiroff == 0) {
+ /* In this special case, tif_diroff needs also to be set to 0. */
+ tif->tif_diroff = tif->tif_nextdiroff;
+ return 0; /* last offset, thus no checking necessary */
+ }
+
+ nextdiroff = tif->tif_nextdiroff;
+ /* tif_curdir++ and tif_nextdiroff should only be updated after SUCCESSFUL reading of the directory. Otherwise, invalid IFD offsets could corrupt the IFD list. */
+ if (!_TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir + 1, nextdiroff)) {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Didn't read next directory due to IFD looping at offset 0x%"PRIx64" (%"PRIu64") to offset 0x%"PRIx64" (%"PRIu64")", tif->tif_diroff, tif->tif_diroff, nextdiroff, nextdiroff);
+ return 0; /* bad offset (IFD looping) */
+ }
dircount=TIFFFetchDirectory(tif,nextdiroff,&dir,&tif->tif_nextdiroff);
if (!dircount)
{
@@ -3935,6 +3941,11 @@ TIFFReadDirectory(TIFF* tif)
"Failed to read directory at offset %" PRIu64, nextdiroff);
return 0;
}
+ /* Set global values after a valid directory has been fetched.
+ * tif_diroff is already set to nextdiroff in TIFFFetchDirectory() in the beginning. */
+ tif->tif_curdir++;
+ (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
+
TIFFReadDirectoryCheckOrder(tif,dir,dircount);
/*
@@ -5026,53 +5037,127 @@ MissingRequired(TIFF* tif, const char* tagname)
}
/*
- * Check the directory offset against the list of already seen directory
- * offsets. This is a trick to prevent IFD looping. The one can create TIFF
- * file with looped directory pointers. We will maintain a list of already
- * seen directories and check every IFD offset against that list.
+ * Check the directory number and offset against the list of already seen
+ * directory numbers and offsets. This is a trick to prevent IFD looping.
+ * The one can create TIFF file with looped directory pointers. We will
+ * maintain a list of already seen directories and check every IFD offset
+ * and its IFD number against that list. However, the offset of an IFD number
+ * can change - e.g. when writing updates to file.
+ * Returns 1 if all is ok; 0 if last directory or IFD loop is encountered,
+ * or an error has occured.
*/
-static int
-TIFFCheckDirOffset(TIFF* tif, uint64_t diroff)
+int
+_TIFFCheckDirNumberAndOffset(TIFF *tif, uint16_t dirn, uint64_t diroff)
{
uint16_t n;
if (diroff == 0) /* no more directories */
return 0;
if (tif->tif_dirnumber == 65535) {
- TIFFErrorExt(tif->tif_clientdata, "TIFFCheckDirOffset",
- "Cannot handle more than 65535 TIFF directories");
- return 0;
+ TIFFErrorExt(tif->tif_clientdata, "_TIFFCheckDirNumberAndOffset",
+ "Cannot handle more than 65535 TIFF directories");
+ return 0;
}
- for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlist; n++) {
- if (tif->tif_dirlist[n] == diroff)
- return 0;
+ /* Check if offset is already in the list:
+ * - yes: check, if offset is at the same IFD number - if not, it is an IFD loop
+ * - no: add to list or update offset at that IFD number
+ */
+ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistdirn && tif->tif_dirlistoff; n++) {
+ if (tif->tif_dirlistoff[n] == diroff) {
+ if (tif->tif_dirlistdirn[n] == dirn) {
+ return 1;
+ } else {
+ TIFFWarningExt(tif->tif_clientdata, "_TIFFCheckDirNumberAndOffset",
+ "TIFF directory %"PRIu16" has IFD looping to directory %"PRIu16" at offset 0x%"PRIx64" (%"PRIu64")",
+ dirn-1, tif->tif_dirlistdirn[n], diroff, diroff);
+ return 0;
+ }
+ }
+ }
+ /* Check if offset of an IFD has been changed and update offset of that IFD number. */
+ if (dirn < tif->tif_dirnumber && tif->tif_dirlistdirn && tif->tif_dirlistoff) {
+ /* tif_dirlistdirn can have IFD numbers dirn in random order */
+ for (n = 0; n < tif->tif_dirnumber; n++) {
+ if (tif->tif_dirlistdirn[n] == dirn) {
+ tif->tif_dirlistoff[n] = diroff;
+ return 1;
+ }
+ }
}
+ /* Add IFD offset and dirn to IFD directory list */
tif->tif_dirnumber++;
- if (tif->tif_dirlist == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) {
- uint64_t* new_dirlist;
-
+ if (tif->tif_dirlistoff == NULL || tif->tif_dirlistdirn == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) {
+ uint64_t *new_dirlist;
/*
* XXX: Reduce memory allocation granularity of the dirlist
* array.
*/
- new_dirlist = (uint64_t*)_TIFFCheckRealloc(tif, tif->tif_dirlist,
- tif->tif_dirnumber, 2 * sizeof(uint64_t), "for IFD list");
+ if (tif->tif_dirnumber >= 32768)
+ tif->tif_dirlistsize = 65535;
+ else
+ tif->tif_dirlistsize = 2 * tif->tif_dirnumber;
+
+ new_dirlist = (uint64_t *)_TIFFCheckRealloc(tif, tif->tif_dirlistoff,
+ tif->tif_dirlistsize, sizeof(uint64_t), "for IFD offset list");
if (!new_dirlist)
return 0;
- if( tif->tif_dirnumber >= 32768 )
- tif->tif_dirlistsize = 65535;
- else
- tif->tif_dirlistsize = 2 * tif->tif_dirnumber;
- tif->tif_dirlist = new_dirlist;
+ tif->tif_dirlistoff = new_dirlist;
+ new_dirlist = (uint64_t *)_TIFFCheckRealloc(tif, tif->tif_dirlistdirn,
+ tif->tif_dirlistsize, sizeof(uint16_t), "for IFD dirnumber list");
+ if (!new_dirlist)
+ return 0;
+ tif->tif_dirlistdirn = (uint16_t *)new_dirlist;
}
- tif->tif_dirlist[tif->tif_dirnumber - 1] = diroff;
+ tif->tif_dirlistoff[tif->tif_dirnumber - 1] = diroff;
+ tif->tif_dirlistdirn[tif->tif_dirnumber - 1] = dirn;
return 1;
-}
+} /* --- _TIFFCheckDirNumberAndOffset() ---*/
+
+/*
+ * Retrieve the matching IFD directory number of a given IFD offset
+ * from the list of directories already seen.
+ * Returns 1 if the offset was in the list and the directory number
+ * can be returned.
+ * Otherwise returns 0 or if an error occured.
+ */
+int
+_TIFFGetDirNumberFromOffset(TIFF *tif, uint64_t diroff, uint16_t* dirn)
+{
+ uint16_t n;
+
+ if (diroff == 0) /* no more directories */
+ return 0;
+ if (tif->tif_dirnumber == 65535) {
+ TIFFErrorExt(tif->tif_clientdata, "_TIFFGetDirNumberFromOffset",
+ "Cannot handle more than 65535 TIFF directories");
+ return 0;
+ }
+
+ /* Check if offset is already in the list and return matching directory number.
+ * Otherwise update IFD list using TIFFNumberOfDirectories()
+ * and search again in IFD list.
+ */
+ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistoff && tif->tif_dirlistdirn; n++) {
+ if (tif->tif_dirlistoff[n] == diroff) {
+ *dirn = tif->tif_dirlistdirn[n];
+ return 1;
+ }
+ }
+ TIFFNumberOfDirectories(tif);
+ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistoff && tif->tif_dirlistdirn; n++) {
+ if (tif->tif_dirlistoff[n] == diroff) {
+ *dirn = tif->tif_dirlistdirn[n];
+ return 1;
+ }
+ }
+ return 0;
+} /*--- _TIFFGetDirNumberFromOffset() ---*/
+
/*
* Check the count field of a directory entry against a known value. The
diff --git a/libtiff/tif_open.c b/libtiff/tif_open.c
index 549f56ce..85c2af47 100644
--- a/libtiff/tif_open.c
+++ b/libtiff/tif_open.c
@@ -354,7 +354,8 @@ TIFFClientOpen(
goto bad;
tif->tif_diroff = 0;
tif->tif_lastdiroff = 0;
- tif->tif_dirlist = NULL;
+ tif->tif_dirlistoff = NULL;
+ tif->tif_dirlistdirn = NULL;
tif->tif_dirlistsize = 0;
tif->tif_dirnumber = 0;
return (tif);
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index 4e8bdac2..8e0e2454 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -118,7 +118,8 @@ struct tiff {
uint64_t tif_diroff; /* file offset of current directory */
uint64_t tif_nextdiroff; /* file offset of following directory */
uint64_t tif_lastdiroff; /* file offset of last directory written so far */
- uint64_t* tif_dirlist; /* list of offsets to already seen directories to prevent IFD looping */
+ uint64_t* tif_dirlistoff; /* list of offsets to already seen directories to prevent IFD looping */
+ uint16_t* tif_dirlistdirn; /* list of directory numbers to already seen directories to prevent IFD looping */
uint16_t tif_dirlistsize; /* number of entries in offset list */
uint16_t tif_dirnumber; /* number of already seen directories */
TIFFDirectory tif_dir; /* internal rep of current directory */

36
SOURCES/0020-CVE-2023-3618-tiffcrop-fix-553-by-considering-error-.patch
Unescape View File

@ -1,36 +0,0 @@
From 979173fc37955d27c9550beb6c7ed1f2466c6ff4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Wed, 4 Oct 2023 13:13:08 +0200
Subject: [PATCH] (CVE-2023-3618) tiffcrop: fix 553 by considering error return
of writeSelections()
Closes #553
See merge request libtiff/libtiff!485
(cherry picked from commit 7ead6c42c70636c0ffec2e9ff3f16d614e37fb7b)
---
tools/tiffcrop.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index be72ec52..edb33e25 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -2464,8 +2464,14 @@ main(int argc, char* argv[])
{ /* Whole image or sections not based on output page size */
if (crop.selections > 0)
{
- writeSelections(in, &out, &crop, &image, &dump, seg_buffs,
- mp, argv[argc - 1], &next_page, total_pages);
+ if (writeSelections(in, &out, &crop, &image, &dump,
+ seg_buffs, mp, argv[argc - 1],
+ &next_page, total_pages))
+ {
+ TIFFError("main",
+ "Unable to write new image selections");
+ exit(EXIT_FAILURE);
+ }
}
else /* One file all images and sections */
{

67
SOURCES/0021-CVE-2023-40745-CVE-2023-41175-raw2tiff-fix-integer-o.patch
Unescape View File

@ -1,67 +0,0 @@
From fffa3dc40d30155a17487ba3edacb320cb29b873 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Wed, 4 Oct 2023 13:20:28 +0200
Subject: [PATCH] (CVE-2023-40745 CVE-2023-41175) raw2tiff: fix integer
overflow and bypass of the check (fixes #592)
See merge request libtiff/libtiff!516
(cherry picked from commit 6ac40fefa1763ad08c6e9654d10910e462426f82)
---
tools/raw2tiff.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
index 0c6001f7..747ede7f 100644
--- a/tools/raw2tiff.c
+++ b/tools/raw2tiff.c
@@ -36,6 +36,7 @@
#include <sys/types.h>
#include <math.h>
#include <ctype.h>
+#include <limits.h>
#ifdef HAVE_UNISTD_H
# include <unistd.h>
@@ -101,6 +102,7 @@ main(int argc, char* argv[])
int fd;
char *outfilename = NULL;
TIFF *out;
+ uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/
uint32_t row, col, band;
int c;
@@ -217,6 +219,33 @@ main(int argc, char* argv[])
if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
return EXIT_FAILURE;
+ /* check for integer overflow in */
+ /* hdr_size + (*width) * (*length) * nbands * depth */
+
+ if ((width == 0) || (length == 0) ){
+ fprintf(stderr, "Too large nbands value specified.\n");
+ return (EXIT_FAILURE);
+ }
+
+ temp_limit_check = nbands * depth;
+
+ if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) {
+ fprintf(stderr, "Too large length size specified.\n");
+ return (EXIT_FAILURE);
+ }
+ temp_limit_check = temp_limit_check * length;
+
+ if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) {
+ fprintf(stderr, "Too large width size specified.\n");
+ return (EXIT_FAILURE);
+ }
+ temp_limit_check = temp_limit_check * width;
+
+ if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) {
+ fprintf(stderr, "Too large header size specified.\n");
+ return (EXIT_FAILURE);
+ }
+
if (outfilename == NULL)
outfilename = argv[optind+1];
out = TIFFOpen(outfilename, "w");

30
SOURCES/0022-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
Unescape View File

@ -1,30 +0,0 @@
From b57347d203cf577a3abb02cb62aee84b82903fcf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 23 Nov 2023 11:05:35 +0100
Subject: [PATCH] (CVE-2023-6228) Merge branch
'fix_606_tiffcp_check_also_input_compression_codec' into 'master'
tiffcp: Fixes #606. Check also codec of input image, not only from output image.
Closes #606
See merge request libtiff/libtiff!533
(cherry picked from commit 668d2c1a52fa48658bbf69615924b42b5a059f9e)
---
tools/tiffcp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 07ed0ebc..9973dd4e 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -732,6 +732,8 @@ tiffcp(TIFF* in, TIFF* out)
if( !TIFFIsCODECConfigured(compression) )
return FALSE;
TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
+ if (!TIFFIsCODECConfigured(input_compression))
+ return FALSE;
TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
if (input_compression == COMPRESSION_JPEG) {
/* Force conversion to RGB */

57
SOURCES/libtiff-4.6.0-CVE-2024-7006.patch
Unescape View File

@ -1,46 +1,47 @@
diff -up tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 tiff-4.4.0/libtiff/tif_dirinfo.c diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
--- tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 2024-08-16 00:35:35.339965778 +0200 index bff7592a8fd92d24b591b6d342fa98922246db8c..2338ca21c82295ee8ab3da86035d43398fef8efc 100644
+++ tiff-4.4.0/libtiff/tif_dirinfo.c 2024-08-16 00:54:58.255221954 +0200 --- a/libtiff/tif_dirinfo.c
@@ -824,7 +824,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint +++ b/libtiff/tif_dirinfo.c
fld = TIFFFindField(tif, tag, dt); @@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag,
if (fld == NULL) { if (fld == NULL)
{
fld = _TIFFCreateAnonField(tif, tag, dt); fld = _TIFFCreateAnonField(tif, tag, dt);
- if (!_TIFFMergeFields(tif, fld, 1)) - if (!_TIFFMergeFields(tif, fld, 1))
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
return NULL; return NULL;
} }
diff -up tiff-4.4.0/libtiff/tif_dirread.c.CVE-2024-7006 tiff-4.4.0/libtiff/tif_dirread.c diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
--- tiff-4.4.0/libtiff/tif_dirread.c.CVE-2024-7006 2024-08-16 00:35:35.341965797 +0200 index c79694145c30d70901a84bcb8932a2fcf5ad24dd..242912f3be5d15548510ce77ac791e53b112e417 100644
+++ tiff-4.4.0/libtiff/tif_dirread.c 2024-08-16 00:59:02.455017380 +0200 --- a/libtiff/tif_dirread.c
@@ -4038,11 +4038,10 @@ TIFFReadDirectory(TIFF* tif) +++ b/libtiff/tif_dirread.c
@@ -4278,11 +4278,9 @@ int TIFFReadDirectory(TIFF *tif)
dp->tdir_tag, dp->tdir_tag); dp->tdir_tag, dp->tdir_tag);
/* the following knowingly leaks the /* the following knowingly leaks the
anonymous field structure */ anonymous field structure */
- if (!_TIFFMergeFields(tif, - if (!_TIFFMergeFields(
- _TIFFCreateAnonField(tif, - tif,
- dp->tdir_tag, - _TIFFCreateAnonField(tif, dp->tdir_tag,
- (TIFFDataType)dp->tdir_type), - (TIFFDataType)dp->tdir_type),
- 1)) { - 1))
+ const TIFFField *fld = _TIFFCreateAnonField( + const TIFFField *fld = _TIFFCreateAnonField(
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); + tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ { {
TIFFWarningExt(tif->tif_clientdata, TIFFWarningExtR(
module, tif, module,
"Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed", @@ -5156,11 +5154,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
@@ -4805,10 +4804,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_ "Unknown field with tag %" PRIu16 " (0x%" PRIx16
TIFFWarningExt(tif->tif_clientdata, module, ") encountered",
"Unknown field with tag %"PRIu16" (0x%"PRIx16") encountered",
dp->tdir_tag, dp->tdir_tag); dp->tdir_tag, dp->tdir_tag);
- if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif, - if (!_TIFFMergeFields(
- dp->tdir_tag, - tif,
- _TIFFCreateAnonField(tif, dp->tdir_tag,
- (TIFFDataType)dp->tdir_type), - (TIFFDataType)dp->tdir_type),
- 1)) { - 1))
+ const TIFFField *fld = _TIFFCreateAnonField( + const TIFFField *fld = _TIFFCreateAnonField(
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type); + tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1)) + if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ { {
TIFFWarningExt(tif->tif_clientdata, module, TIFFWarningExtR(tif, module,
"Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed", "Registering anonymous field with tag %" PRIu16
dp->tdir_tag, dp->tdir_tag);

31
SOURCES/libtiff-am-version.patch
Unescape View File

@ -0,0 +1,31 @@
Back off the minimum required automake version to 1.11. There isn't
anything in libtiff currently that actually requires 1.12, and changing
this allows the package to be built on pre-F18 machines for easier testing.
This patch can go away once we no longer care about testing on pre-F18.
diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am
--- tiff-4.0.3.orig/Makefile.am 2012-09-20 09:22:47.000000000 -0400
+++ tiff-4.0.3/Makefile.am 2012-10-30 11:33:30.312823564 -0400
@@ -25,7 +25,7 @@
docdir = $(LIBTIFF_DOCDIR)
-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
+AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
ACLOCAL_AMFLAGS = -I m4
docfiles = \
diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am
--- tiff-4.0.3.orig/test/Makefile.am 2012-09-20 09:22:28.000000000 -0400
+++ tiff-4.0.3/test/Makefile.am 2012-10-30 11:33:17.109696812 -0400
@@ -23,7 +23,7 @@
# Process this file with automake to produce Makefile.in.
-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
+AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
LIBTIFF = $(top_builddir)/libtiff/libtiff.la

202
SPECS/libtiff.spec
Unescape View File

@ -1,48 +1,24 @@
Summary: Library of functions for manipulating TIFF format image files Summary: Library of functions for manipulating TIFF format image files
Name: libtiff Name: libtiff
Version: 4.4.0 Version: 4.6.0
Release: 12%{?dist}.1 Release: 5%{?dist}
License: libtiff License: libtiff
URL: http://www.simplesystems.org/libtiff/ URL: http://www.simplesystems.org/libtiff/
Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz Source: http://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/c9s Patch0: libtiff-am-version.patch
# Patches were generated by: git format-patch --no-signature -N ...
Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch # from upstream, for <=4.6.0, RHEL-52926
Patch0002: 0002-Fix-Makefile.patch
Patch0003: 0003-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch
Patch0004: 0004-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-According-.patch
Patch0005: 0005-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-tiffcrop-S.patch
Patch0006: 0006-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch
Patch0007: 0007-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch
Patch0008: 0008-CVE-2022-3570-CVE-2022-3598-tiffcrop-subroutines-req.patch
Patch0009: 0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
Patch0010: 0010-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch
# CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
Patch0011: 0011-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
# Related to Patch0013
Patch0012: 0012-Merge-branch-tiffcrop_correctly_update_buffersize_af.patch
# CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
Patch0013: 0013-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0.patch
Patch0014: 0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch
Patch0015: 0015-CVE-2023-26965-tiffcrop-Do-not-reuse-input-buffer-fo.patch
Patch0016: 0016-CVE-2023-3316-TIFFClose-avoid-NULL-pointer-dereferen.patch
Patch0017: 0017-CVE-2023-26966-tif_luv-Check-and-correct-for-NaN-dat.patch
Patch0018: 0018-CVE-2023-3576-Fix-memory-leak-in-tiffcrop.c.patch
Patch0019: 0019-CVE-2023-40090-Improved-IFD-Loop-Handling-fixes-455.patch
Patch0020: 0020-CVE-2023-3618-tiffcrop-fix-553-by-considering-error-.patch
Patch0021: 0021-CVE-2023-40745-CVE-2023-41175-raw2tiff-fix-integer-o.patch
Patch0022: 0022-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
# from upstream, for <=4.6.0, RHEL-52931
# https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779 # https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779
Patch23: libtiff-4.6.0-CVE-2024-7006.patch Patch1: libtiff-4.6.0-CVE-2024-7006.patch
BuildRequires: gcc, gcc-c++ BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel liblerc-devel
BuildRequires: libtool automake autoconf pkgconfig BuildRequires: libtool automake autoconf pkgconfig
# Add old libtiff to work with packages not built with new libtiff.so.6
BuildRequires: libtiff
BuildRequires: make BuildRequires: make
%description %description
@ -86,7 +62,10 @@ This package contains command-line programs for manipulating TIFF format
image files using the libtiff library. image files using the libtiff library.
%prep %prep
%autosetup -p1 -n tiff-%{version} %autosetup -n tiff-%{version} -N
%patch -P 0 -p1 -b .backup
%patch -P 1 -p1 -b .CVE-2024-7006
# Use build system's libtool.m4, not the one in the package. # Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4 rm -f libtool.m4
@ -119,9 +98,6 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/tiffsv
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffgt.1 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffgt.1
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/sgi2tiff.1 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/sgi2tiff.1
rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffsv.1 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/tiffsv.1
rm -f html/man/tiffgt.1.html
rm -f html/man/sgi2tiff.1.html
rm -f html/man/tiffsv.1.html
# multilib header hack # multilib header hack
# we only apply this to known Red Hat multilib arches, per bug #233091 # we only apply this to known Red Hat multilib arches, per bug #233091
@ -161,22 +137,24 @@ EOF
fi fi
# Copy old soname %{_libdir}/libtiff.so.5
# Copy old soname %{_libdir}/libtiffxx.so.5
cp %{_libdir}/libtiff.so.5* $RPM_BUILD_ROOT%{_libdir}
cp %{_libdir}/libtiffxx.so.5* $RPM_BUILD_ROOT%{_libdir}
%ldconfig_scriptlets %ldconfig_scriptlets
%check %check
LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check
# don't include documentation Makefiles, they are a multilib hazard
find html -name 'Makefile*' | xargs rm
%files %files
%license COPYRIGHT %license LICENSE.md
%doc README.md RELEASE-DATE VERSION %doc README.md RELEASE-DATE VERSION
%{_libdir}/libtiff.so.* %{_libdir}/libtiff.so.*
%{_libdir}/libtiffxx.so.* %{_libdir}/libtiffxx.so.*
%files devel %files devel
%doc TODO ChangeLog html %doc TODO ChangeLog
%{_includedir}/* %{_includedir}/*
%{_libdir}/libtiff.so %{_libdir}/libtiff.so
%{_libdir}/libtiffxx.so %{_libdir}/libtiffxx.so
@ -191,66 +169,80 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Wed Aug 21 2024 Michal Hlavinka <mhlavink@redhat.com> - 4.4.0-12.1 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 4.6.0-5
- fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52931) - Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Thu Nov 23 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-12
- Fix CVE-2023-6228 * Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 4.6.0-4
- Resolves: RHEL-10084 - Rebuilt for MSVSphere 10
* Wed Oct 04 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-11 * Wed Aug 21 2024 Michal Hlavinka <mhlavink@redhat.com> - 4.6.0-4
- Fix CVE-2023-40090 CVE-2023-3618 CVE-2023-40745 CVE-2023-41175 - fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52926)
- Resolves: RHEL-5458 RHEL-5455 RHEL-5405 RHEL-5450
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 4.6.0-3
* Tue Aug 08 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-10 - Bump release for June 2024 mass rebuild
- Fix CVE-2023-26965 CVE-2023-3316 CVE-2023-26966 CVE-2023-3576
- Resolves: CVE-2023-26965 CVE-2023-3316 CVE-2023-26966 CVE-2023-3576 * Mon Jan 29 2024 Matej Mužila <mmuzila@redhat.com> - 4.6.0-2
- migrated to SPDX license
* Thu Jun 08 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-9
- Fix CVE-2023-2731 * Mon Jan 29 2024 Matej Mužila <mmuzila@redhat.com> - 4.6.0-1
- Resolves: CVE-2023-2731 - New upstream release 4.6.0 (#2153870)
* Tue Mar 21 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-8 * Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.5.0-5
- Fix CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
CVE-2022-48281 * Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.5.0-4
- Resolves: CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
CVE-2023-0804 CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798
CVE-2023-0799 CVE-2022-48281 * Thu Oct 05 2023 Matej Mužila <mmuzila@redhat.com> - 4.5.0-3
- New upstream release 4.5.0 (#2153870)
* Tue Dec 06 2022 Matej Mužila <mmuzila@redhat.com> - 4.4.0-7 - Fix CVE-2022-3570, CVE-2022-2867, CVE-2022-2868, CVE-2022-2869, CVE-2022-2519,
- Fix CVE-2022-3970 CVE-2022-2953, CVE-2022-3597, CVE-2022-3598, CVE-2022-3599, CVE-2022-3626,
- Resolves: CVE-2022-3970 CVE-2022-3627, CVE-2022-3970 (#2142735, #2118854, #2118867, #2118875,
#2122795, #2134437, #2142737, #2148881, #2148888, #2148894, #2148897,
* Mon Dec 05 2022 Matej Mužila <mmuzila@redhat.com> - 4.4.0-6 #2148919)
- Fix CVE-2022-3597 CVE-2022-3626 CVE-2022-3599 CVE-2022-3570 CVE-2022-3598
CVE-2022-3627 * Mon Aug 28 2023 Nikola Forró <nforro@redhat.com> - 4.4.0-8
- Resolves: CVE-2022-3597 CVE-2022-3626 CVE-2022-3599 CVE-2022-3570 - Enable support for LERC compression (#2234459)
CVE-2022-3598 CVE-2022-3627
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.0-7
* Mon Oct 24 2022 Matej Mužila <mmuzila@redhat.com> - 4.4.0-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
- Bump release
- Resolves: CVE-2022-2953 * Sun Feb 19 2023 Antonio Trande <sagitter@fedoraproject.org> - 4.4.0-6
- Fix CVE-2023-0804 (#2170195)
* Tue Oct 11 2022 Matej Mužila <mmuzila@redhat.com> - 4.4.0-4
- Resolves: CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Jul 18 2022 Matej Mužila <mmuzila@redhat.com> 4.4.0-3
- Fix CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 * Mon Aug 01 2022 Nikola Forró <nforro@redhat.com> - 4.4.0-4
- Resolves: #2106768 - Fix CVE-2022-34526 (#2112760)
* Wed Jun 15 2022 Matej Mužila <mmuzila@redhat.com> 4.4.0-2 * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.0-3
- Update to version 4.4.0 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
- Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865
CVE-2022-0891 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-1354 * Tue Jul 05 2022 Nikola Forró <nforro@redhat.com> - 4.4.0-2
CVE-2022-1355 - Fix CVE-2022-2056, CVE-2022-2057 and CVE-2022-2058 (#2103840)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4.2.0-3 * Mon Jun 06 2022 Nikola Forró <nforro@redhat.com> - 4.4.0-1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - New upstream release 4.4.0 (#2088783)
Related: rhbz#1991688
* Fri Mar 18 2022 Nikola Forró <nforro@redhat.com> - 4.3.0-6
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 4.2.0-2 - Fix CVE-2022-0907 (#2064147), CVE-2022-0908 (#2064153) and CVE-2022-0909 (#2064152)
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Mar 18 2022 Nikola Forró <nforro@redhat.com> - 4.3.0-5
- Fix CVE-2022-0865 (#2065359), CVE-2022-0891 (#2065389) and CVE-2022-0924 (#2064154)
* Tue Feb 15 2022 Nikola Forró <nforro@redhat.com> - 4.3.0-4
- Fix CVE-2022-0561 (#2054499) and CVE-2022-0562 (#2054498)
* Thu Jan 20 2022 Nikola Forró <nforro@redhat.com> - 4.3.0-3
- Fix CVE-2022-22844 (#2042604)
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Apr 20 2021 Nikola Forró <nforro@redhat.com> - 4.3.0-1
- New upstream release 4.3.0 (#1950306)
* Tue Feb 02 2021 Nikola Forró <nforro@redhat.com> - 4.2.0-1 * Tue Feb 02 2021 Nikola Forró <nforro@redhat.com> - 4.2.0-1
- New upstream release 4.2.0 (#1909412) - New upstream release 4.2.0 (#1909412)

Write Preview
Loading…
Cancel
Save