rpms/libtiff
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2023-0804 (#2170195)

Browse Source
This commit is contained in:
Antonio Trande 2023-02-19 16:45:03 +01:00
parent fa8cd45d99
commit 91856895aa
2 changed files with 135 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
libtiff-CVE-2023-0804.patch Normal file
View File

@ -0,0 +1,124 @@
From 82a7fbb1fa7228499ffeb3a57a1d106a9626d57c Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Sun, 5 Feb 2023 15:53:15 +0000
Subject: [PATCH] tiffcrop: added check for assumption on composite images
(fixes #496)
tiffcrop: For composite images with more than one region, the combined_length or combined_width always needs to be equal, respectively. Otherwise, even the first section/region copy action might cause buffer overrun. This is now checked before the first copy action.
Closes #496, #497, #498, #500, #501.
---
tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 66 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 84e26ac6..480b927c 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5329,18 +5329,39 @@
crop->regionlist[i].buffsize = buffsize;
crop->bufftotal += buffsize;
+ /* For composite images with more than one region, the
+ * combined_length or combined_width always needs to be equal,
+ * respectively.
+ * Otherwise, even the first section/region copy
+ * action might cause buffer overrun. */
if (crop->img_mode == COMPOSITE_IMAGES)
{
switch (crop->edge_ref)
{
case EDGE_LEFT:
case EDGE_RIGHT:
+ if (i > 0 && zlength != crop->combined_length)
+ {
+ TIFFError(
+ "computeInputPixelOffsets",
+ "Only equal length regions can be combined for "
+ "-E left or right");
+ return (-1);
+ }
crop->combined_length = zlength;
crop->combined_width += zwidth;
break;
case EDGE_BOTTOM:
case EDGE_TOP: /* width from left, length from top */
default:
+ if (i > 0 && zwidth != crop->combined_width)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Only equal width regions can be "
+ "combined for -E "
+ "top or bottom");
+ return (-1);
+ }
crop->combined_width = zwidth;
crop->combined_length += zlength;
break;
@@ -6546,6 +6567,46 @@
crop->combined_width = 0;
crop->combined_length = 0;
+ /* If there is more than one region, check beforehand whether all the width
+ * and length values of the regions are the same, respectively. */
+ switch (crop->edge_ref)
+ {
+ default:
+ case EDGE_TOP:
+ case EDGE_BOTTOM:
+ for (i = 1; i < crop->selections; i++)
+ {
+ uint32_t crop_width0 =
+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
+ uint32_t crop_width1 =
+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ if (crop_width0 != crop_width1)
+ {
+ TIFFError("extractCompositeRegions",
+ "Only equal width regions can be combined for -E "
+ "top or bottom");
+ return (1);
+ }
+ }
+ break;
+ case EDGE_LEFT:
+ case EDGE_RIGHT:
+ for (i = 1; i < crop->selections; i++)
+ {
+ uint32_t crop_length0 =
+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
+ uint32_t crop_length1 =
+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (crop_length0 != crop_length1)
+ {
+ TIFFError("extractCompositeRegions",
+ "Only equal length regions can be combined for "
+ "-E left or right");
+ return (1);
+ }
+ }
+ }
+
for (i = 0; i < crop->selections; i++)
{
/* rows, columns, width, length are expressed in pixels */
@@ -6570,7 +6631,8 @@
default:
case EDGE_TOP:
case EDGE_BOTTOM:
- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
+ if ((crop->selections > i + 1) &&
+ (crop_width != crop->regionlist[i + 1].width))
{
TIFFError ("extractCompositeRegions",
"Only equal width regions can be combined for -E top or bottom");
@@ -6651,7 +6713,8 @@
break;
case EDGE_LEFT: /* splice the pieces of each row together, side by side */
case EDGE_RIGHT:
- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
+ if ((crop->selections > i + 1) &&
+ (crop_length != crop->regionlist[i + 1].length))
{
TIFFError ("extractCompositeRegions",
"Only equal length regions can be combined for -E left or right");

17
libtiff.spec
View File

@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 4.4.0
Release: 5%{?dist}
Release: 6%{?dist}
License: libtiff
URL: http://www.simplesystems.org/libtiff/
@ -11,6 +11,7 @@ Patch0: libtiff-am-version.patch
Patch1: libtiff-make-check.patch
Patch2: libtiff-CVE-2022-2056_2057_2058.patch
Patch3: libtiff-CVE-2022-34526.patch
Patch4: libtiff-CVE-2023-0804.patch
BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel
@ -58,12 +59,13 @@ This package contains command-line programs for manipulating TIFF format
image files using the libtiff library.
%prep
%setup -q -n tiff-%{version}
%autosetup -n tiff-%{version} -N
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch0 -p1 -b .backup
%patch1 -p1 -b .backup
%patch2 -p1 -b .backup
%patch3 -p1 -b .backup
%patch4 -p1 -b .backup
# Use build system's libtool.m4, not the one in the package.
rm -f libtool.m4
@ -168,6 +170,9 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/*
%changelog
* Sun Feb 19 2023 Antonio Trande <sagitter@fedoraproject.org> - 4.4.0-6
- Fix CVE-2023-0804 (#2170195)
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild