rpms/libtiff
6
0
Fork 0
Code Issues Pull Requests Releases Activity

fix CVE-2017-17095: heap-based buffer overflow in pal2rgb (RHEL-87363)

Browse Source 
Resolves: RHEL-87363
This commit is contained in:
Michal Hlavinka 2025-04-22 23:07:26 +02:00
parent 21cdd75b44
commit a1e03d6f7a
2 changed files with 48 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
libtiff-4.0.9-CVE-2017-17095.patch Normal file
View File

@ -0,0 +1,40 @@
From 9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Mon Sep 17 00:00:00 2001
From: Nathan Baker <elitebadger@gmail.com>
Date: Thu, 25 Jan 2018 21:28:15 +0000
Subject: [PATCH] Add workaround to pal2rgb buffer overflow.
---
tools/pal2rgb.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
index 0423598f0..01fcf9411 100644
--- a/tools/pal2rgb.c
+++ b/tools/pal2rgb.c
@@ -182,8 +182,21 @@ main(int argc, char* argv[])
{ unsigned char *ibuf, *obuf;
register unsigned char* pp;
register uint32 x;
- ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
- obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
+ tmsize_t tss_in = TIFFScanlineSize(in);
+ tmsize_t tss_out = TIFFScanlineSize(out);
+ if (tss_out / tss_in < 3) {
+ /*
+ * BUG 2750: The following code does not know about chroma
+ * subsampling of JPEG data. It assumes that the output buffer is 3x
+ * the length of the input buffer due to exploding the palette into
+ * RGB tuples. If this assumption is incorrect, it could lead to a
+ * buffer overflow. Go ahead and fail now to prevent that.
+ */
+ fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
+ return -1;
+ }
+ ibuf = (unsigned char*)_TIFFmalloc(tss_in);
+ obuf = (unsigned char*)_TIFFmalloc(tss_out);
switch (config) {
case PLANARCONFIG_CONTIG:
for (row = 0; row < imagelength; row++) {
--
GitLab

9
libtiff.spec
View File

@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files Summary: Library of functions for manipulating TIFF format image files
Name: libtiff Name: libtiff
Version: 4.0.9 Version: 4.0.9
Release: 33%{?dist} Release: 34%{?dist}
License: libtiff License: libtiff
Group: System Environment/Libraries Group: System Environment/Libraries
URL: http://www.simplesystems.org/libtiff/ URL: http://www.simplesystems.org/libtiff/
@ -59,6 +59,10 @@ Patch0043: 0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
# https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779 # https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779
Patch44: libtiff-4.6.0-CVE-2024-7006.patch Patch44: libtiff-4.6.0-CVE-2024-7006.patch
# from upstream, for < 4.0.10, RHEL-87363
# https://gitlab.com/libtiff/libtiff/-/commit/9171da596c88e6a2dadcab4a3a89dddd6e1b4655
Patch45: libtiff-4.0.9-CVE-2017-17095.patch
BuildRequires: gcc, gcc-c++ BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
BuildRequires: libtool automake autoconf pkgconfig BuildRequires: libtool automake autoconf pkgconfig
@ -211,6 +215,9 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Tue Apr 22 2025 Michal Hlavinka <mhlavink@redhat.com> - 4.0.9-34
- fix CVE-2017-17095: heap-based buffer overflow in pal2rgb (RHEL-87363)
* Thu Aug 29 2024 Michal Hlavinka <mhlavink@redhat.com> - 4.0.9-33 * Thu Aug 29 2024 Michal Hlavinka <mhlavink@redhat.com> - 4.0.9-33
- fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52927) - fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52927)