rpms
/
libtiff
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS libtiff-4.4.0-10.el9

This commit is contained in:
eabdullin 2023-09-21 19:20:00 +00:00
parent 66c029d6fc
commit bf4177b4c7
10 changed files with 770 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
SOURCES/0010-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch Normal file
View File

@ -0,0 +1,28 @@
From cadce9836463df5653b573eff47fddadc23431c5 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 21 Jan 2023 15:58:10 +0000
Subject: [PATCH] (CVE-2022-48281) tiffcrop: Correct simple copy paste error.
Fix #488.
Closes #488
See merge request libtiff/libtiff!459
(cherry picked from commit d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5)
---
tools/tiffcrop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 70d56e55..57940697 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7741,7 +7741,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
{
- prev_cropsize = seg_buffs[0].size;
+ prev_cropsize = seg_buffs[i].size;
if (prev_cropsize < cropsize)
{
next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);

128
SOURCES/0011-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch Normal file
View File

@ -0,0 +1,128 @@
From 22b164b8734f9d1ea91760d87e9531e3b3cc7017 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 5 Feb 2023 15:53:16 +0000
Subject: [PATCH] (CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803
CVE-2023-0804) tiffcrop: added check for assumption on composite images
(fixes #496)
Closes #501, #500, #498, #497 et #496
See merge request libtiff/libtiff!466
(cherry picked from commit 33aee1275d9d1384791d2206776eb8152d397f00)
---
tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 66 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 57940697..2c0ebf4b 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5364,18 +5364,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
crop->regionlist[i].buffsize = buffsize;
crop->bufftotal += buffsize;
+
+ /* For composite images with more than one region, the
+ * combined_length or combined_width always needs to be equal,
+ * respectively.
+ * Otherwise, even the first section/region copy
+ * action might cause buffer overrun. */
if (crop->img_mode == COMPOSITE_IMAGES)
{
switch (crop->edge_ref)
{
case EDGE_LEFT:
case EDGE_RIGHT:
+ if (i > 0 && zlength != crop->combined_length)
+ {
+ TIFFError(
+ "computeInputPixelOffsets",
+ "Only equal length regions can be combined for "
+ "-E left or right");
+ return (-1);
+ }
crop->combined_length = zlength;
crop->combined_width += zwidth;
break;
case EDGE_BOTTOM:
case EDGE_TOP: /* width from left, length from top */
default:
+ if (i > 0 && zwidth != crop->combined_width)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Only equal width regions can be "
+ "combined for -E "
+ "top or bottom");
+ return (-1);
+ }
crop->combined_width = zwidth;
crop->combined_length += zlength;
break;
@@ -6589,6 +6611,46 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
crop->combined_width = 0;
crop->combined_length = 0;
+ /* If there is more than one region, check beforehand whether all the width
+ * and length values of the regions are the same, respectively. */
+ switch (crop->edge_ref)
+ {
+ default:
+ case EDGE_TOP:
+ case EDGE_BOTTOM:
+ for (i = 1; i < crop->selections; i++)
+ {
+ uint32_t crop_width0 =
+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
+ uint32_t crop_width1 =
+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ if (crop_width0 != crop_width1)
+ {
+ TIFFError("extractCompositeRegions",
+ "Only equal width regions can be combined for -E "
+ "top or bottom");
+ return (1);
+ }
+ }
+ break;
+ case EDGE_LEFT:
+ case EDGE_RIGHT:
+ for (i = 1; i < crop->selections; i++)
+ {
+ uint32_t crop_length0 =
+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
+ uint32_t crop_length1 =
+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (crop_length0 != crop_length1)
+ {
+ TIFFError("extractCompositeRegions",
+ "Only equal length regions can be combined for "
+ "-E left or right");
+ return (1);
+ }
+ }
+ }
+
for (i = 0; i < crop->selections; i++)
{
/* rows, columns, width, length are expressed in pixels */
@@ -6613,7 +6675,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
default:
case EDGE_TOP:
case EDGE_BOTTOM:
- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
+ if ((crop->selections > i + 1) &&
+ (crop_width != crop->regionlist[i + 1].width))
{
TIFFError ("extractCompositeRegions",
"Only equal width regions can be combined for -E top or bottom");
@@ -6694,7 +6757,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
break;
case EDGE_LEFT: /* splice the pieces of each row together, side by side */
case EDGE_RIGHT:
- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
+ if ((crop->selections > i + 1) &&
+ (crop_length != crop->regionlist[i + 1].length))
{
TIFFError ("extractCompositeRegions",
"Only equal length regions can be combined for -E left or right");

174
SOURCES/0012-Merge-branch-tiffcrop_correctly_update_buffersize_af.patch Normal file
View File

@ -0,0 +1,174 @@
From 7160a3d1a81ba2feaee3a8c0aea10eb9efb74ab9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 14 Mar 2023 18:40:04 +0100
Subject: [PATCH] Merge branch
'tiffcrop_correctly_update_buffersize_after_rotate_fix#520' into 'master'
tiffcrop correctly update buffersize after rotateImage() fix#520
Closes #520
See merge request libtiff/libtiff!467
(cherry picked from commit 6366e8f776a0fa0dd476d37b108eecdf42b950f3)
---
tools/tiffcrop.c | 66 +++++++++++++++++++++++++++++++++++++-----------
1 file changed, 51 insertions(+), 15 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 2c0ebf4b..e183e849 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -526,7 +526,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
uint32_t, uint32_t, uint8_t *, uint8_t *);
static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
- unsigned char **);
+ unsigned char **, size_t *);
static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
unsigned char *);
static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
@@ -6557,7 +6557,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
return (-1);
}
- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
+ if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL))
{
TIFFError ("correct_orientation", "Unable to rotate image");
return (-1);
@@ -7781,16 +7781,19 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
+ /* rotateImage() set up a new buffer and calculates its size
+ * individually. Therefore, seg_buffs size needs to be updated
+ * accordingly. */
+ size_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff))
+ &crop->combined_length, &crop_buff, &rot_buf_size))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
return (-1);
}
seg_buffs[0].buffer = crop_buff;
- seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
- * image->spp) * crop->combined_length;
+ seg_buffs[0].size = rot_buf_size;
}
}
else /* Separated Images */
@@ -7890,9 +7893,12 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
{
/* rotateImage() changes image->width, ->length, ->xres and ->yres, what it schouldn't do here, when more than one section is processed.
* ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !!
- */
- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff))
+ * Furthermore, rotateImage() set up a new buffer and calculates
+ * its size individually. Therefore, seg_buffs size needs to be
+ * updated accordingly. */
+ size_t rot_buf_size = 0;
+ if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
@@ -7903,8 +7909,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
crop->combined_width = total_width;
crop->combined_length = total_length;
seg_buffs[i].buffer = crop_buff;
- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
- * image->spp) * crop->regionlist[i].length;
+ seg_buffs[i].size = rot_buf_size;
}
} /* for crop->selections loop */
} /* Separated Images (else case) */
@@ -8024,7 +8029,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr))
+ &crop->combined_length, crop_buff_ptr, NULL))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
@@ -8687,13 +8692,14 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
/* Rotate an image by a multiple of 90 degrees clockwise */
static int
rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
- uint32_t *img_length, unsigned char **ibuff_ptr)
+ uint32_t * img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size)
{
int shift_width;
uint32_t bytes_per_pixel, bytes_per_sample;
uint32_t row, rowsize, src_offset, dst_offset;
uint32_t i, col, width, length;
- uint32_t colsize, buffsize, col_offset, pix_offset;
+ uint32_t colsize, col_offset, pix_offset;
+ tmsize_t buffsize;
unsigned char *ibuff;
unsigned char *src;
unsigned char *dst;
@@ -8706,12 +8712,40 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
spp = image->spp;
bps = image->bps;
+ if ((spp != 0 && bps != 0 &&
+ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
+ (spp != 0 && bps != 0 &&
+ length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
+ {
+ TIFFError("rotateImage", "Integer overflow detected.");
+ return (-1);
+ }
rowsize = ((bps * spp * width) + 7) / 8;
colsize = ((bps * spp * length) + 7) / 8;
if ((colsize * width) > (rowsize * length))
- buffsize = (colsize + 1) * width;
+ {
+ if (((tmsize_t)colsize + 1) != 0 &&
+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+ ((tmsize_t)colsize + 1)))
+ {
+ TIFFError("rotateImage",
+ "Integer overflow when calculating buffer size.");
+ return (-1);
+ }
+ buffsize = ((tmsize_t)colsize + 1) * width;
+ }
else
+ {
+ if (((tmsize_t)rowsize + 1) != 0 &&
+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+ ((tmsize_t)rowsize + 1)))
+ {
+ TIFFError("rotateImage",
+ "Integer overflow when calculating buffer size.");
+ return (-1);
+ }
buffsize = (rowsize + 1) * length;
+ }
bytes_per_sample = (bps + 7) / 8;
bytes_per_pixel = ((bps * spp) + 7) / 8;
@@ -8734,7 +8768,7 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
/* Add 3 padding bytes for extractContigSamplesShifted32bits */
if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
{
- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT " bytes ", buffsize + NUM_BUFF_OVERSIZE_BYTES);
return (-1);
}
_TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
@@ -8764,6 +8798,8 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
for (row = 0; row < length; row++)
{
src_offset = row * rowsize;
+ if (rot_buf_size != NULL)
+ *rot_buf_size = buffsize;
dst_offset = (length - row - 1) * rowsize;
src = ibuff + src_offset;
dst = rbuff + dst_offset;

154
SOURCES/0013-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0.patch Normal file
View File

@ -0,0 +1,154 @@
From 9debf535618baef5a906de9f07d937e361ea0bc0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 14 Mar 2023 19:37:18 +0100
Subject: [PATCH] (CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798
CVE-2023-0799) Merge branch 'tiffcrop_R270_fix#492' into 'master'
tiffcrop: Amend rotateImage() not to toggle the input (main) image width and...
Closes #519, #518, #499, #495, #494, #493 et #492
See merge request libtiff/libtiff!465
(cherry picked from commit afaabc3e50d4e5d80a94143f7e3c997e7e410f68)
---
tools/tiffcrop.c | 49 +++++++++++++++++++++++++++---------------------
1 file changed, 28 insertions(+), 21 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index e183e849..c2688883 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -271,7 +271,6 @@ struct region {
uint32_t width; /* width in pixels */
uint32_t length; /* length in pixels */
uint32_t buffsize; /* size of buffer needed to hold the cropped region */
- unsigned char *buffptr; /* address of start of the region */
};
/* Cropping parameters from command line and image data
@@ -526,7 +525,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
uint32_t, uint32_t, uint8_t *, uint8_t *);
static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
- unsigned char **, size_t *);
+ unsigned char **, size_t *, int);
static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
unsigned char *);
static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
@@ -5224,7 +5223,6 @@ initCropMasks (struct crop_mask *cps)
cps->regionlist[i].width = 0;
cps->regionlist[i].length = 0;
cps->regionlist[i].buffsize = 0;
- cps->regionlist[i].buffptr = NULL;
cps->zonelist[i].position = 0;
cps->zonelist[i].total = 0;
}
@@ -6556,8 +6554,12 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
(uint16_t) (image->adjustments & ROTATE_ANY));
return (-1);
}
-
- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL))
+ /* Dummy variable in order not to switch two times the
+ * image->width,->length within rotateImage(),
+ * but switch xres, yres there. */
+ uint32_t width = image->width;
+ uint32_t length = image->length;
+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL, TRUE))
{
TIFFError ("correct_orientation", "Unable to rotate image");
return (-1);
@@ -6665,7 +6667,6 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
/* These should not be needed for composite images */
crop->regionlist[i].width = crop_width;
crop->regionlist[i].length = crop_length;
- crop->regionlist[i].buffptr = crop_buff;
src_rowsize = ((img_width * bps * spp) + 7) / 8;
dst_rowsize = (((crop_width * bps * count) + 7) / 8);
@@ -6904,7 +6905,6 @@ extractSeparateRegion(struct image_data *image, struct crop_mask *crop,
crop->regionlist[region].width = crop_width;
crop->regionlist[region].length = crop_length;
- crop->regionlist[region].buffptr = crop_buff;
src = read_buff;
dst = crop_buff;
@@ -7786,7 +7786,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
* accordingly. */
size_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff, &rot_buf_size))
+ &crop->combined_length, &crop_buff, &rot_buf_size, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
@@ -7898,7 +7898,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
* updated accordingly. */
size_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
@@ -8029,7 +8029,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr, NULL))
+ &crop->combined_length, crop_buff_ptr, NULL, TRUE))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
@@ -8692,7 +8692,8 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
/* Rotate an image by a multiple of 90 degrees clockwise */
static int
rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
- uint32_t * img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size)
+ uint32_t * img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size,
+ int rot_image_params)
{
int shift_width;
uint32_t bytes_per_pixel, bytes_per_sample;
@@ -8914,11 +8915,14 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params) {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
case 270: if ((bps % 8) == 0) /* byte aligned data */
@@ -8991,11 +8995,14 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params) {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
default:
break;

36
SOURCES/0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch Normal file
View File

@ -0,0 +1,36 @@
From af4ee2276bfb9cfdd1809326604ead5a405735be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 8 Jun 2023 14:10:59 +0200
Subject: [PATCH] (CVE-2023-2731) LZWDecode(): avoid crash when trying to read
again from a strip whith a missing end-of-information marker (fixes #548)
(cherry picked from commit 9be22b639ea69e102d3847dca4c53ef025e9527b)
---
libtiff/tif_lzw.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index 096824d2..2ba6237e 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -404,7 +404,11 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
assert(sp->dec_codetab != NULL);
if (sp->read_error) {
- return 0;
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
+ "previous error",
+ tif->tif_row);
+ return 0;
}
/*
@@ -705,6 +709,7 @@ after_loop:
return (1);
no_eoi:
+ sp->read_error = 1;
TIFFErrorExt(tif->tif_clientdata, module,
"LZWDecode: Strip %"PRIu32" not terminated with EOI code",
tif->tif_curstrip);

95
SOURCES/0015-CVE-2023-26965-tiffcrop-Do-not-reuse-input-buffer-fo.patch Normal file
View File

@ -0,0 +1,95 @@
From c7c1a0e3537b692196c15ea764b789f601b15850 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Wed, 28 Jun 2023 14:05:50 +0200
Subject: [PATCH] (CVE-2023-26965) tiffcrop: Do not reuse input buffer for
subsequent images. Fix issue 527
Reuse of read_buff within loadImage() from previous image is quite unsafe,
because other functions (like rotateImage() etc.) reallocate that buffer with
different size without updating the local prev_readsize value.
Closes #527
(cherry picked from commit ec8ef90c1f573c9eb1f17d6a056aa0015f184acf)
---
tools/tiffcrop.c | 45 ++++++++++++++-------------------------------
1 file changed, 14 insertions(+), 31 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index c2688883..d9b91e4e 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6103,9 +6103,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
uint32_t tw = 0, tl = 0; /* Tile width and length */
tmsize_t tile_rowsize = 0;
unsigned char *read_buff = NULL;
- unsigned char *new_buff = NULL;
int readunit = 0;
- static tmsize_t prev_readsize = 0;
TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -6404,41 +6402,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
}
}
}
-
+
read_buff = *read_ptr;
- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
- /* outside buffer */
- if (!read_buff)
+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+ * outside buffer */
+ /* Reuse of read_buff from previous image is quite unsafe, because other
+ * functions (like rotateImage() etc.) reallocate that buffer with different
+ * size without updating the local prev_readsize value. */
+ if (read_buff)
{
- if( buffsize > 0xFFFFFFFFU - 3 )
- {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ _TIFFfree(read_buff);
}
- else
+ if( buffsize > 0xFFFFFFFFU - 3 )
{
- if (prev_readsize < buffsize)
- {
- if( buffsize > 0xFFFFFFFFU - 3 )
- {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
- if (!new_buff)
- {
- free (read_buff);
- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
- }
- else
- read_buff = new_buff;
- }
+ TIFFError("loadImage", "Required read buffer size too large" );
+ return (-1);
}
+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+
if (!read_buff)
{
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ TIFFError("loadImage", "Unable to allocate read buffer" );
return (-1);
}
@@ -6446,7 +6430,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
read_buff[buffsize+1] = 0;
read_buff[buffsize+2] = 0;
- prev_readsize = buffsize;
*read_ptr = read_buff;
/* N.B. The read functions used copy separate plane data into a buffer as interleaved

55
SOURCES/0016-CVE-2023-3316-TIFFClose-avoid-NULL-pointer-dereferen.patch Normal file
View File

@ -0,0 +1,55 @@
From 9a0ec729ad38af873eac5d896cb38219cb50d49c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 1 Aug 2023 16:04:17 +0200
Subject: [PATCH] (CVE-2023-3316) TIFFClose() avoid NULL pointer dereferencing.
fix#515
Closes #515
(cherry picked from commit f171d7a2cd50e34975036748a395c156d32d9235)
---
libtiff/tif_close.c | 6 ++++--
tools/tiffcrop.c | 7 +++++--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
index 04977bc7..6c9f7349 100644
--- a/libtiff/tif_close.c
+++ b/libtiff/tif_close.c
@@ -125,13 +125,15 @@ TIFFCleanup(TIFF* tif)
void
TIFFClose(TIFF* tif)
{
- TIFFCloseProc closeproc = tif->tif_closeproc;
+ if (tif != NULL)
+ {
+ TIFFCloseProc closeproc = tif->tif_closeproc;
thandle_t fd = tif->tif_clientdata;
TIFFCleanup(tif);
(void) (*closeproc)(fd);
}
-
+}
/* vim: set ts=8 sts=8 sw=8 noet: */
/*
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index d9b91e4e..07fc7ea3 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -2553,9 +2553,12 @@ main(int argc, char* argv[])
}
}
- TIFFClose(out);
+ if (out != NULL)
+ {
+ TIFFClose(out);
+ }
- return (0);
+ return (0);
} /* end main */

35
SOURCES/0017-CVE-2023-26966-tif_luv-Check-and-correct-for-NaN-dat.patch Normal file
View File

@ -0,0 +1,35 @@
From 7d0a920d34e9960b2dd2e3583172826b3a4db570 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 8 Aug 2023 15:32:42 +0200
Subject: [PATCH] (CVE-2023-26966) tif_luv: Check and correct for NaN data in
uv_encode().
Closes #530
See merge request libtiff/libtiff!473
(cherry picked from commit d1f658afa5ab5ed21a9e32e0f790f41b01506cd9)
---
libtiff/tif_luv.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 72ab3668..93c76115 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -908,7 +908,14 @@ uv_encode(double u, double v, int em) /* encode (u',v') coordinates */
{
register int vi, ui;
- if (v < UV_VSTART)
+ /* check for NaN */
+ if (u != u || v != v)
+ {
+ u = U_NEU;
+ v = V_NEU;
+ }
+
+ if (v < UV_VSTART)
return oog_encode(u, v);
vi = tiff_itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em);
if (vi >= UV_NVS)

34
SOURCES/0018-CVE-2023-3576-Fix-memory-leak-in-tiffcrop.c.patch Normal file
View File

@ -0,0 +1,34 @@
From 186a46ebfe483703e3120e825fc5f3eb26a1c0f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 8 Aug 2023 15:42:54 +0200
Subject: [PATCH] (CVE-2023-3576) Fix memory leak in tiffcrop.c
See merge request libtiff/libtiff!475
(cherry picked from commit 1d5b1181c980090a6518f11e61a18b0e268bf31a)
---
tools/tiffcrop.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 07fc7ea3..be72ec52 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7922,9 +7922,14 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
read_buff = *read_buff_ptr;
- /* process full image, no crop buffer needed */
- crop_buff = read_buff;
- *crop_buff_ptr = read_buff;
+ /* Memory is freed before crop_buff_ptr is overwritten */
+ if (*crop_buff_ptr != NULL )
+ {
+ _TIFFfree(*crop_buff_ptr);
+ }
+
+ /* process full image, no crop buffer needed */
+ *crop_buff_ptr = read_buff;
crop->combined_width = image->width;
crop->combined_length = image->length;

32
SPECS/libtiff.spec
View File

@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 4.4.0
Release: 7%{?dist}
Release: 10%{?dist}
License: libtiff
URL: http://www.simplesystems.org/libtiff/
@ -18,6 +18,20 @@ Patch0006: 0006-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch
Patch0007: 0007-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch
Patch0008: 0008-CVE-2022-3570-CVE-2022-3598-tiffcrop-subroutines-req.patch
Patch0009: 0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
Patch0010: 0010-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch
# CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
Patch0011: 0011-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
# Related to Patch0013
Patch0012: 0012-Merge-branch-tiffcrop_correctly_update_buffersize_af.patch
# CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
Patch0013: 0013-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0.patch
Patch0014: 0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch
Patch0015: 0015-CVE-2023-26965-tiffcrop-Do-not-reuse-input-buffer-fo.patch
Patch0016: 0016-CVE-2023-3316-TIFFClose-avoid-NULL-pointer-dereferen.patch
Patch0017: 0017-CVE-2023-26966-tif_luv-Check-and-correct-for-NaN-dat.patch
Patch0018: 0018-CVE-2023-3576-Fix-memory-leak-in-tiffcrop.c.patch
BuildRequires: gcc, gcc-c++
@ -171,6 +185,22 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/*
%changelog
* Tue Aug 08 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-10
- Fix CVE-2023-26965 CVE-2023-3316 CVE-2023-26966 CVE-2023-3576
- Resolves: CVE-2023-26965 CVE-2023-3316 CVE-2023-26966 CVE-2023-3576
* Thu Jun 08 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-9
- Fix CVE-2023-2731
- Resolves: CVE-2023-2731
* Tue Mar 21 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-8
- Fix CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
CVE-2022-48281
- Resolves: CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803
CVE-2023-0804 CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798
CVE-2023-0799 CVE-2022-48281
* Tue Dec 06 2022 Matej Mužila <mmuzila@redhat.com> - 4.4.0-7
- Fix CVE-2022-3970
- Resolves: CVE-2022-3970