rpms
/
libtiff
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import libtiff-4.0.9-26.el8_7

This commit is contained in:
CentOS Sources 2023-01-12 03:27:07 -05:00 committed by root
parent 52978dc1ab
commit a4ef6233fc
35 changed files with 645 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch
View File

@ -38,6 +38,3 @@ index 2052487c..227f228f 100644
LIBTIFF = $(top_builddir)/libtiff/libtiff.la
--
2.34.1

3
SOURCES/0002-Fix-Makefile.patch
View File

@ -19,6 +19,3 @@ index 3ed00d44..8a64925a 100644
tiffinfo.1.html \
tiffmedian.1.html \
tiffset.1.html \
--
2.34.1

3
SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch
View File

@ -125,6 +125,3 @@ index c69177e0..c60cb389 100644
if (image_count == 0)
{
dirnum = 0;
--
2.34.1

3
SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch
View File

@ -168,6 +168,3 @@ index 24d4b98a..10a588ea 100644
fprintf(fd, " %5u",
td->td_transferfunction[i][l]);
fputc('\n', fd);
--
2.34.1

3
SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch
View File

@ -150,6 +150,3 @@ index bdb91262..ef5d6a01 100644
t2p->tiff_transferfunctioncount=3;
} else {
t2p->tiff_transferfunctioncount=1;
--
2.34.1

3
SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch
View File

@ -56,6 +56,3 @@ index ef5d6a01..bd23c9e5 100644
) {
t2p->tiff_transferfunctioncount=3;
} else {
--
2.34.1

3
SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch
View File

@ -32,6 +32,3 @@ index 10a588ea..b9b53a0f 100644
#endif
}
}
--
2.34.1

3
SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch
View File

@ -50,6 +50,3 @@ index bc8f9c84..186ea3ca 100644
} else {
*op++ = (char)code;
occ--;
--
2.34.1

3
SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch
View File

@ -27,6 +27,3 @@ index c68d6d21..5d0a6699 100644
}
}
}
--
2.34.1

3
SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch
View File

@ -36,6 +36,3 @@ index 91415e96..81ffa3db 100644
}
int
--
2.34.1

3
SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch
View File

@ -105,6 +105,3 @@ index 2ba985a7..04100f4d 100644
#else
whole_strip = 1;
#endif
--
2.34.1

3
SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch
View File

@ -117,6 +117,3 @@ index c60cb389..3862b1ca 100644
#define TRUE 1
#define FALSE 0
--
2.34.1

3
SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch
View File

@ -38,6 +38,3 @@ index bd23c9e5..ff7b9c22 100644
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}
--
2.34.1

3
SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch
View File

@ -45,6 +45,3 @@ index 489459a7..96f14728 100644
tilebuf = _TIFFmalloc(tilesize);
if (tilebuf == 0)
return 0;
--
2.34.1

3
SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch
View File

@ -421,6 +421,3 @@ index 08e5dc44..d4b86314 100644
extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
--
2.34.1

3
SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch
View File

@ -100,6 +100,3 @@ index ec09feaf..c6edd27c 100644
&& img->stoponerr)
{
ret = 0;
--
2.34.1

3
SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch
View File

@ -84,6 +84,3 @@ index 4de96aec..e6de2209 100644
NULL
};
--
2.34.1

3
SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch
View File

@ -48,6 +48,3 @@ index c6edd27c..b1f7cc95 100644
}
/*
--
2.34.1

3
SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch
View File

@ -36,6 +36,3 @@ index ff7b9c22..a5db1f64 100644
}
if (k == 0) {
/* Assume we had overflow inside TIFFScanlineSize */
--
2.34.1

3
SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch
View File

@ -87,6 +87,3 @@ index 3862b1ca..a6129148 100644
{
*src = ~(*src);
src++;
--
2.34.1

3
SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch
View File

@ -25,6 +25,3 @@ index 80aaf8d1..1e6f1c2f 100644
_TIFFfree(data);
data=resizeddata;
}
--
2.34.1

3
SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch
View File

@ -23,6 +23,3 @@ index 1e6f1c2f..d68aecc5 100644
_TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
_TIFFfree(new_sampleinfo);
}
--
2.34.1

3
SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch
View File

@ -34,6 +34,3 @@ index 894c9f1f..e4b0d49f 100644
} else if (TIFFFieldWriteCount(fip) > 0
|| TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
int ret = 1;
--
2.34.1

3
SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch
View File

@ -31,6 +31,3 @@ index 8136c77b..698428f0 100644
/* Setup the function pointers for encode, decode, and cleanup. */
tif->tif_setupdecode = JBIGSetupDecode;
--
2.34.1

3
SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch
View File

@ -196,6 +196,3 @@ index a6129148..83cf80ad 100644
/* allocate a buffer if we don't have one already */
if (createImageSection(sectsize, sect_buff_ptr))
{
--
2.34.1

3
SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch
View File

@ -49,6 +49,3 @@ index 96f14728..d5f1d248 100644
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
TIFFError(TIFFFileName(out),
"Error, can't write strip %u",
--
2.34.1

3
SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
View File

@ -28,6 +28,3 @@ index c36a5f3f..f126f2aa 100644
goto badvaluedouble;
td->td_yresolution = TIFFClampDoubleToFloat( dblval );
break;
--
2.34.1

3
SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch
View File

@ -25,6 +25,3 @@ index d68aecc5..b72e6a3b 100644
o[(uint32)dp->tdir_count]=0;
if (data!=0)
_TIFFfree(data);
--
2.34.1

3
SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch
View File

@ -53,6 +53,3 @@ index d5f1d248..fb98bd57 100644
break;
case 'x':
pageInSeq = 1;
--
2.34.1

161
SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch Normal file
View File

@ -0,0 +1,161 @@
From 9ed8c91366c9f6a3c9068aee6c5a7a0fe1c5c9c8 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Tue, 12 Feb 2019 16:04:28 +0100
Subject: [PATCH] move _TIFFClampDoubleToFloat() to tif_aux.c
the same function was declared in tif_dir.c and tif_dirwrite.c
see http://bugzilla.maptools.org/show_bug.cgi?id=2842
(cherry picked from commit 8420a31e8ca5181ca36580cfeeca28661b348262)
---
libtiff/tif_aux.c | 10 ++++++++++
libtiff/tif_dir.c | 20 +++++---------------
libtiff/tif_dirwrite.c | 12 +-----------
libtiff/tiffiop.h | 2 ++
4 files changed, 18 insertions(+), 26 deletions(-)
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
index 38a98b67..2071d19c 100644
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -32,6 +32,7 @@
#include "tiffiop.h"
#include "tif_predict.h"
#include <math.h>
+#include <float.h>
uint32
_TIFFMultiply32(TIFF* tif, uint32 first, uint32 second, const char* where)
@@ -398,6 +399,15 @@ _TIFFUInt64ToDouble(uint64 ui64)
}
}
+float _TIFFClampDoubleToFloat( double val )
+{
+ if( val > FLT_MAX )
+ return FLT_MAX;
+ if( val < -FLT_MAX )
+ return -FLT_MAX;
+ return (float)val;
+}
+
int _TIFFSeekOK(TIFF* tif, toff_t off)
{
/* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index f126f2aa..ad550c65 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -31,7 +31,6 @@
* (and also some miscellaneous stuff)
*/
#include "tiffiop.h"
-#include <float.h>
/*
* These are used in the backwards compatibility code...
@@ -155,15 +154,6 @@ bad:
return (0);
}
-static float TIFFClampDoubleToFloat( double val )
-{
- if( val > FLT_MAX )
- return FLT_MAX;
- if( val < -FLT_MAX )
- return -FLT_MAX;
- return (float)val;
-}
-
static int
_TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
{
@@ -322,13 +312,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
dblval = va_arg(ap, double);
if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
- td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+ td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
break;
case TIFFTAG_YRESOLUTION:
dblval = va_arg(ap, double);
if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
- td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+ td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
break;
case TIFFTAG_PLANARCONFIG:
v = (uint16) va_arg(ap, uint16_vap);
@@ -337,10 +327,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
td->td_planarconfig = (uint16) v;
break;
case TIFFTAG_XPOSITION:
- td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ td->td_xposition = _TIFFClampDoubleToFloat( va_arg(ap, double) );
break;
case TIFFTAG_YPOSITION:
- td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ td->td_yposition = _TIFFClampDoubleToFloat( va_arg(ap, double) );
break;
case TIFFTAG_RESOLUTIONUNIT:
v = (uint16) va_arg(ap, uint16_vap);
@@ -686,7 +676,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
case TIFF_SRATIONAL:
case TIFF_FLOAT:
{
- float v2 = TIFFClampDoubleToFloat(va_arg(ap, double));
+ float v2 = _TIFFClampDoubleToFloat(va_arg(ap, double));
_TIFFmemcpy(val, &v2, tv_size);
}
break;
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 5d0a6699..03a9f296 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -30,7 +30,6 @@
* Directory Write Support Routines.
*/
#include "tiffiop.h"
-#include <float.h>
#ifdef HAVE_IEEEFP
#define TIFFCvtNativeToIEEEFloat(tif, n, fp)
@@ -948,15 +947,6 @@ bad:
return(0);
}
-static float TIFFClampDoubleToFloat( double val )
-{
- if( val > FLT_MAX )
- return FLT_MAX;
- if( val < -FLT_MAX )
- return -FLT_MAX;
- return (float)val;
-}
-
static int8 TIFFClampDoubleToInt8( double val )
{
if( val > 127 )
@@ -1031,7 +1021,7 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di
if (tif->tif_dir.td_bitspersample<=32)
{
for (i = 0; i < count; ++i)
- ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
+ ((float*)conv)[i] = _TIFFClampDoubleToFloat(value[i]);
ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
}
else
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index d4b86314..05ba735b 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -377,6 +377,8 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
extern double _TIFFUInt64ToDouble(uint64);
extern float _TIFFUInt64ToFloat(uint64);
+extern float _TIFFClampDoubleToFloat(double);
+
extern tmsize_t
_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
void **buf, tmsize_t bufsizetoalloc,

179
SOURCES/0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch Normal file
View File

@ -0,0 +1,179 @@
From fddff26550de7a5ea9735649a74aa3829e461ae5 Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Sat, 11 Jun 2022 09:31:43 +0000
Subject: [PATCH] (CVE-2022-2056 CVE-2022-2057 CVE-2022-2058) fix the FPE in
tiffcrop (#415, #427, and #428)
(cherry picked from commit dd1bcc7abb26094e93636e85520f0d8f81ab0fab)
---
libtiff/tif_aux.c | 9 +++++++
libtiff/tiffiop.h | 1 +
tools/tiffcrop.c | 62 ++++++++++++++++++++++++++---------------------
3 files changed, 44 insertions(+), 28 deletions(-)
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
index 2071d19c..4d1869b4 100644
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -408,6 +408,15 @@ float _TIFFClampDoubleToFloat( double val )
return (float)val;
}
+uint32 _TIFFClampDoubleToUInt32(double val)
+{
+ if( val < 0 )
+ return 0;
+ if( val > 0xFFFFFFFFU || val != val )
+ return 0xFFFFFFFFU;
+ return (uint32)val;
+}
+
int _TIFFSeekOK(TIFF* tif, toff_t off)
{
/* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index 05ba735b..5b106e03 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -378,6 +378,7 @@ extern double _TIFFUInt64ToDouble(uint64);
extern float _TIFFUInt64ToFloat(uint64);
extern float _TIFFClampDoubleToFloat(double);
+extern uint32 _TIFFClampDoubleToUInt32(double);
extern tmsize_t
_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 83cf80ad..ea0b98be 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5140,17 +5140,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
{
- x1 = (uint32) (crop->corners[i].X1 * scale * xres);
- x2 = (uint32) (crop->corners[i].X2 * scale * xres);
- y1 = (uint32) (crop->corners[i].Y1 * scale * yres);
- y2 = (uint32) (crop->corners[i].Y2 * scale * yres);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
}
else
{
- x1 = (uint32) (crop->corners[i].X1);
- x2 = (uint32) (crop->corners[i].X2);
- y1 = (uint32) (crop->corners[i].Y1);
- y2 = (uint32) (crop->corners[i].Y2);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
}
if (x1 < 1)
crop->regionlist[i].x1 = 0;
@@ -5213,17 +5213,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{ /* User has specified pixels as reference unit */
- tmargin = (uint32)(crop->margins[0]);
- lmargin = (uint32)(crop->margins[1]);
- bmargin = (uint32)(crop->margins[2]);
- rmargin = (uint32)(crop->margins[3]);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
}
else
{ /* inches or centimeters specified */
- tmargin = (uint32)(crop->margins[0] * scale * yres);
- lmargin = (uint32)(crop->margins[1] * scale * xres);
- bmargin = (uint32)(crop->margins[2] * scale * yres);
- rmargin = (uint32)(crop->margins[3] * scale * xres);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
}
if ((lmargin + rmargin) > image->width)
@@ -5253,24 +5253,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32)crop->width;
+ width = _TIFFClampDoubleToUInt32(crop->width);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32)crop->length;
+ length = _TIFFClampDoubleToUInt32(crop->length);
else
length = image->length - tmargin - bmargin;
}
else
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32)(crop->width * scale * image->xres);
+ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32)(crop->length * scale * image->yres);
+ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
else
length = image->length - tmargin - bmargin;
}
@@ -5669,13 +5669,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
{ /* inches or centimeters specified */
- hmargin = (uint32)(page->hmargin * scale * page->hres * ((image->bps + 7)/ 8));
- vmargin = (uint32)(page->vmargin * scale * page->vres * ((image->bps + 7)/ 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
}
else
{ /* Otherwise user has specified pixels as reference unit */
- hmargin = (uint32)(page->hmargin * scale * ((image->bps + 7)/ 8));
- vmargin = (uint32)(page->vmargin * scale * ((image->bps + 7)/ 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
}
if ((hmargin * 2.0) > (pwidth * page->hres))
@@ -5713,13 +5713,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->mode & PAGE_MODE_PAPERSIZE )
{
- owidth = (uint32)((pwidth * page->hres) - (hmargin * 2));
- olength = (uint32)((plength * page->vres) - (vmargin * 2));
+ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
+ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
}
else
{
- owidth = (uint32)(iwidth - (hmargin * 2 * page->hres));
- olength = (uint32)(ilength - (vmargin * 2 * page->vres));
+ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
+ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
}
}
@@ -5728,6 +5728,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
if (olength > ilength)
olength = ilength;
+ if (owidth == 0 || olength == 0)
+ {
+ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
+ exit(EXIT_FAILURE);
+ }
+
/* Compute the number of pages required for Portrait or Landscape */
switch (page->orient)
{

161
SOURCES/0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch Normal file
View File

@ -0,0 +1,161 @@
From 5d214a07db3bb8dcea8354d8f1e52f9c46264acb Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Wed, 9 Feb 2022 21:31:29 +0000
Subject: [PATCH] (CVE-2022-2867 CVE-2022-2868) tiffcrop.c: Fix issue #352
heap-buffer-overflow by correcting uint32_t underflow.
(cherry picked from commit 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c)
---
tools/tiffcrop.c | 81 +++++++++++++++++++++++++++++++-----------------
1 file changed, 53 insertions(+), 28 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index ea0b98be..5801b8f6 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5152,29 +5152,45 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
}
- if (x1 < 1)
- crop->regionlist[i].x1 = 0;
- else
- crop->regionlist[i].x1 = (uint32) (x1 - 1);
+ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
+ * b) Corners are expected to be submitted as top-left to bottom-right.
+ * Therefore, check that and reorder input.
+ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
+ */
+ uint32 aux;
+ if (x1 > x2) {
+ aux = x1;
+ x1 = x2;
+ x2 = aux;
+ }
+ if (y1 > y2) {
+ aux = y1;
+ y1 = y2;
+ y2 = aux;
+ }
+ if (x1 > image->width - 1)
+ crop->regionlist[i].x1 = image->width - 1;
+ else if (x1 > 0)
+ crop->regionlist[i].x1 = (uint32)(x1 - 1);
if (x2 > image->width - 1)
crop->regionlist[i].x2 = image->width - 1;
- else
- crop->regionlist[i].x2 = (uint32) (x2 - 1);
- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ else if (x2 > 0)
+ crop->regionlist[i].x2 = (uint32)(x2 - 1);
- if (y1 < 1)
- crop->regionlist[i].y1 = 0;
- else
- crop->regionlist[i].y1 = (uint32) (y1 - 1);
+ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+
+ if (y1 > image->length - 1)
+ crop->regionlist[i].y1 = image->length - 1;
+ else if (y1 > 0)
+ crop->regionlist[i].y1 = (uint32)(y1 - 1);
if (y2 > image->length - 1)
crop->regionlist[i].y2 = image->length - 1;
- else
- crop->regionlist[i].y2 = (uint32) (y2 - 1);
-
- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ else if (y2 > 0)
+ crop->regionlist[i].y2 = (uint32)(y2 - 1);
+ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
if (zwidth > max_width)
max_width = zwidth;
if (zlength > max_length)
@@ -5204,7 +5220,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
}
}
return (0);
- }
+ } /* crop_mode == CROP_REGIONS */
/* Convert crop margins into offsets into image
* Margins are expressed as pixel rows and columns, not bytes
@@ -5240,7 +5256,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
bmargin = (uint32) 0;
return (-1);
}
- }
+ } /* crop_mode == CROP_MARGINS */
else
{ /* no margins requested */
tmargin = (uint32) 0;
@@ -5331,24 +5347,23 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
off->endx = endx;
off->endy = endy;
- crop_width = endx - startx + 1;
- crop_length = endy - starty + 1;
-
- if (crop_width <= 0)
+ if (endx + 1 <= startx)
{
TIFFError("computeInputPixelOffsets",
"Invalid left/right margins and /or image crop width requested");
return (-1);
}
+ crop_width = endx - startx + 1;
if (crop_width > image->width)
crop_width = image->width;
- if (crop_length <= 0)
+ if (endy + 1 <= starty)
{
TIFFError("computeInputPixelOffsets",
"Invalid top/bottom margins and /or image crop length requested");
return (-1);
}
+ crop_length = endy - starty + 1;
if (crop_length > image->length)
crop_length = image->length;
@@ -5448,10 +5463,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
else
crop->selections = crop->zones;
- for (i = 0; i < crop->zones; i++)
+ /* Initialize regions iterator i */
+ i = 0;
+ for (int j = 0; j < crop->zones; j++)
{
- seg = crop->zonelist[i].position;
- total = crop->zonelist[i].total;
+ seg = crop->zonelist[j].position;
+ total = crop->zonelist[j].total;
+
+ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
+ if (seg == 0 || total == 0 || seg > total) {
+ continue;
+ }
switch (crop->edge_ref)
{
@@ -5578,10 +5600,13 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
if (dump->outfile != NULL)
dump_info (dump->outfile, dump->format, "", "Zone %d, width: %4d, length: %4d, x1: %4d x2: %4d y1: %4d y2: %4d",
i + 1, (uint32)zwidth, (uint32)zlength,
- crop->regionlist[i].x1, crop->regionlist[i].x2,
- crop->regionlist[i].y1, crop->regionlist[i].y2);
+ crop->regionlist[i].x1, crop->regionlist[i].x2,
+ crop->regionlist[i].y1, crop->regionlist[i].y2);
+ /* increment regions iterator */
+ i++;
}
-
+ /* set number of generated regions out of given zones */
+ crop->selections = i;
return (0);
} /* end getCropOffsets */

92
SOURCES/0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch Normal file
View File

@ -0,0 +1,92 @@
From d26748dd8fb90b0af8c9344615f65d273dc66f93 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Mon, 15 Aug 2022 22:11:03 +0200
Subject: [PATCH] =?UTF-8?q?(CVE-2022-2519=20CVE-2022-2520=20CVE-2022-2521?=
=?UTF-8?q?=20CVE-2022-2953)=20According=20to=20Richard=20Nolde=20https://?=
=?UTF-8?q?gitlab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the?=
=?UTF-8?q?=20tiffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutua?=
=?UTF-8?q?lly=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),?=
=?UTF-8?q?=20-Z=20and=20-z.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is now checked and ends tiffcrop if those arguments are not mutually exclusive.
This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
(cherry picked from commit 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf)
---
tools/tiffcrop.c | 31 +++++++++++++++++++++++--------
1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 5801b8f6..27e6f81c 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -104,7 +104,10 @@
* includes annotations for image parameters and scanline info. Level
* selects which functions dump data, with higher numbers selecting
* lower level, scanline level routines. Debug reports a limited set
- * of messages to monitor progess without enabling dump logs.
+ * of messages to monitor progress without enabling dump logs.
+ *
+ * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
+ * In no case should the options be applied to a given selection successively.
*/
static char tiffcrop_version_id[] = "2.4";
@@ -177,12 +180,12 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
#define ROTATECW_270 32
#define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
-#define CROP_NONE 0
-#define CROP_MARGINS 1
-#define CROP_WIDTH 2
-#define CROP_LENGTH 4
-#define CROP_ZONES 8
-#define CROP_REGIONS 16
+#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
+#define CROP_MARGINS 1 /* "-m" */
+#define CROP_WIDTH 2 /* "-X" */
+#define CROP_LENGTH 4 /* "-Y" */
+#define CROP_ZONES 8 /* "-Z" */
+#define CROP_REGIONS 16 /* "-z" */
#define CROP_ROTATE 32
#define CROP_MIRROR 64
#define CROP_INVERT 128
@@ -320,7 +323,7 @@ struct crop_mask {
#define PAGE_MODE_RESOLUTION 1
#define PAGE_MODE_PAPERSIZE 2
#define PAGE_MODE_MARGINS 4
-#define PAGE_MODE_ROWSCOLS 8
+#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
#define INVERT_DATA_ONLY 10
#define INVERT_DATA_AND_TAG 11
@@ -751,6 +754,8 @@ static char* usage_info[] = {
" The four debug/dump options are independent, though it makes little sense to",
" specify a dump file without specifying a detail level.",
" ",
+"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive."
+" ",
NULL
};
@@ -2099,6 +2104,16 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
/*NOTREACHED*/
}
}
+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
+ char XY, Z, R, S;
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
+ Z = (crop_data->crop_mode & CROP_ZONES);
+ R = (crop_data->crop_mode & CROP_REGIONS);
+ S = (page->mode & PAGE_MODE_ROWSCOLS);
+ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
+ exit(EXIT_FAILURE);
+ }
} /* end process_command_opts */
/* Start a new output file if one has not been previously opened or

32
SOURCES/0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch Normal file
View File

@ -0,0 +1,32 @@
From 3635844b59578eb572372e7546548ea84c967ba1 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sat, 20 Aug 2022 23:35:26 +0200
Subject: [PATCH] (CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953)
tiffcrop -S option: Make decision simpler.
(cherry picked from commit bad48e90b410df32172006c7876da449ba62cdba)
---
tools/tiffcrop.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 27e6f81c..ff118496 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -2106,11 +2106,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
}
/*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
char XY, Z, R, S;
- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
- Z = (crop_data->crop_mode & CROP_ZONES);
- R = (crop_data->crop_mode & CROP_REGIONS);
- S = (page->mode & PAGE_MODE_ROWSCOLS);
- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
+ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
+ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
+ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
+ if (XY + Z + R + S > 1) {
TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
exit(EXIT_FAILURE);
}

22
SPECS/libtiff.spec
View File

@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 4.0.9
Release: 23%{?dist}
Release: 26%{?dist}
License: libtiff
Group: System Environment/Libraries
URL: http://www.simplesystems.org/libtiff/
@ -10,7 +10,7 @@ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/rhel-8.7.0
# Patches were generated by: git format-patch -N ...
# Patches were generated by: git format-patch -N --no-signature ...
Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch
Patch0002: 0002-Fix-Makefile.patch
Patch0003: 0003-CVE-2018-5784-Fix-for-bug-2772.patch
@ -40,6 +40,11 @@ Patch0026: 0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch
Patch0027: 0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
Patch0028: 0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch
Patch0029: 0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch
Patch0030: 0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch
Patch0031: 0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch
Patch0032: 0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch
Patch0033: 0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch
Patch0034: 0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch
BuildRequires: gcc, gcc-c++
@ -194,6 +199,19 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/*
%changelog
* Mon Oct 24 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-26
- Fix various CVEs
- Resolves: CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953
* Tue Sep 06 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-25
- Fix CVE-2022-2867 (#2118857)
- Fix CVE-2022-2868 (#2118882)
- Fix CVE-2022-2869 (#2118878)
* Mon Jul 18 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-24
- Fix CVE-2022-2056 CVE-2022-2057 CVE-2022-2058
- Resolves: #2103222
* Thu May 12 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-23
- Fix various CVEs
- Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865