From c1ae4857a317c1b42dfaabdd39a4137a729a2265 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?=
Date: Fri, 18 Mar 2022 16:23:34 +0100
Subject: [PATCH] Fix CVE-2022-0907 (#2064147), CVE-2022-0908 (#2064153) and CVE-2022-0909 (#2064152)

---
 libtiff-CVE-2022-0907.patch | 89 +++++++++++++++++++++++++++++++++++++
 libtiff-CVE-2022-0908.patch | 29 ++++++++++++
 libtiff-CVE-2022-0909.patch | 32 +++++++++++++
 libtiff.spec | 14 +++++-
 4 files changed, 163 insertions(+), 1 deletion(-)
 create mode 100644 libtiff-CVE-2022-0907.patch
 create mode 100644 libtiff-CVE-2022-0908.patch
 create mode 100644 libtiff-CVE-2022-0909.patch

diff --git a/libtiff-CVE-2022-0907.patch b/libtiff-CVE-2022-0907.patch
new file mode 100644
index 0000000..ce1af73
--- /dev/null
+++ b/libtiff-CVE-2022-0907.patch
@@ -0,0 +1,89 @@
+From 10b4736669928673cc9a5c5f2a88ffdc92f1b560 Mon Sep 17 00:00:00 2001
+From: Augustus
+Date: Mon, 7 Mar 2022 18:21:49 +0800
+Subject: [PATCH 1/3] add checks for return value of limitMalloc (#392)
+
+---
+ tools/tiffcrop.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 302a7e9..e407bf5 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+ if (!sect_buff)
+ {
+ sect_buff = (unsigned char *)limitMalloc(sectsize);
+- *sect_buff_ptr = sect_buff;
++ if (!sect_buff)
++ {
++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
++ return (-1);
++ }
+ _TIFFmemset(sect_buff, 0, sectsize);
+ }
+ else
+@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+ else
+ sect_buff = new_buff;
+
++ if (!sect_buff)
++ {
++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
++ return (-1);
++ }
+ _TIFFmemset(sect_buff, 0, sectsize);
+ }
+ }
+
+- if (!sect_buff)
+- {
+- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+- return (-1);
+- }
+ prev_sectsize = sectsize;
+ *sect_buff_ptr = sect_buff;
+
+@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ if (!crop_buff)
+ {
+ crop_buff = (unsigned char *)limitMalloc(cropsize);
+- *crop_buff_ptr = crop_buff;
++ if (!crop_buff)
++ {
++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
++ return (-1);
++ }
+ _TIFFmemset(crop_buff, 0, cropsize);
+ prev_cropsize = cropsize;
+ }
+@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ }
+ else
+ crop_buff = new_buff;
++ if (!crop_buff)
++ {
++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
++ return (-1);
++ }
+ _TIFFmemset(crop_buff, 0, cropsize);
+ }
+ }
+
+- if (!crop_buff)
+- {
+- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+- return (-1);
+- }
+ *crop_buff_ptr = crop_buff;
+
+ if (crop->crop_mode & CROP_INVERT)
+@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
+ * fill-column: 78
+ * End:
+ */
++
+-- 
+2.35.1
+
diff --git a/libtiff-CVE-2022-0908.patch b/libtiff-CVE-2022-0908.patch
new file mode 100644
index 0000000..17f7e36
--- /dev/null
+++ b/libtiff-CVE-2022-0908.patch
@@ -0,0 +1,29 @@
+From 2fac3f6f3178bd2fee777bced88cccef71873b2b Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Thu, 17 Feb 2022 15:28:43 +0100
+Subject: [PATCH 2/3] TIFFFetchNormalTag(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #383)
+
+---
+ libtiff/tif_dirread.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index d654a1c..a31109a 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -5080,7 +5080,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+ _TIFFfree(data);
+ return(0);
+ }
+- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
++ if (dp->tdir_count > 0 )
++ {
++ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
++ }
+ o[(uint32_t)dp->tdir_count]=0;
+ if (data!=0)
+ _TIFFfree(data);
+-- 
+2.35.1
+
diff --git a/libtiff-CVE-2022-0909.patch b/libtiff-CVE-2022-0909.patch
new file mode 100644
index 0000000..2bd803e
--- /dev/null
+++ b/libtiff-CVE-2022-0909.patch
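Review bot: On the new early `return (-1);` paths in createImageSection (hunks at 7357 and 7377) the caller's out-parameter is never refreshed, because the only store to `*sect_buff_ptr` is now the one at the end of the function, after `prev_sectsize = sectsize;`. In the reallocation branch that matters: if the code just above the second hunk releases the old buffer before retrying `limitMalloc` (that code is outside the hunk, so this is inferred), a failed retry returns -1 while `*sect_buff_ptr` still points at the released buffer and `prev_sectsize` still describes it, and a caller that later frees or reuses its buffer acts on stale state. Writing `*sect_buff_ptr = sect_buff;` (NULL at that point) before each new return would keep the caller's view consistent with what the function did to the buffer; the same applies to createCroppedImage's hunks at 7652 and 7672 and `*crop_buff_ptr`. Both functions begin and end outside the hunk.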
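Review bot: The new guard at 5083 has no comment saying why a zero-length copy must be skipped, and the reason (the commit message's null source pointer with size zero) is not visible from the code, so a one-line comment such as `/* data may be NULL when tdir_count == 0; memcpy() with a null source is undefined even for size 0 */` would keep the next maintainer from folding the check back in. Minor: `if (dp->tdir_count > 0 )` carries a stray space before the closing parenthesis, unlike the neighbouring `if (data!=0)`. Note also that the guard tests the untruncated `dp->tdir_count` while the copy and the terminating store both use `(uint32_t)dp->tdir_count`; presumably earlier checks bound the count, but a single local holding the truncated value would make the three uses agree. TIFFFetchNormalTag begins and ends outside the hunk.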
@@ -0,0 +1,32 @@
+From 802070f1c2e2064a4df3d7e0aa63316677845ec0 Mon Sep 17 00:00:00 2001
+From: 4ugustus
+Date: Tue, 8 Mar 2022 16:22:04 +0000
+Subject: [PATCH 3/3] fix the FPE in tiffcrop (#393)
+
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index a6c254f..77da6ea 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
+ break;
+ case TIFFTAG_XRESOLUTION:
+ dblval = va_arg(ap, double);
+- if( dblval < 0 )
++ if( dblval != dblval || dblval < 0 )
+ goto badvaluedouble;
+ td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_YRESOLUTION:
+ dblval = va_arg(ap, double);
+- if( dblval < 0 )
++ if( dblval != dblval || dblval < 0 )
+ goto badvaluedouble;
+ td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
+ break;
+-- 
+2.35.1
+
diff --git a/libtiff.spec b/libtiff.spec
index 481e79a..f732923 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.3.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: libtiff
 URL: http://www.simplesystems.org/libtiff/
 
@@ -20,6 +20,12 @@ Patch5: libtiff-CVE-2022-0865.patch
 Patch6: libtiff-CVE-2022-0891.patch
 # https://gitlab.com/libtiff/libtiff/-/commit/408976c44ef0aad975e0d1b6c6dc80d60f9dc665
 Patch7: libtiff-CVE-2022-0924.patch
+# https://gitlab.com/libtiff/libtiff/-/commit/f2b656e2e64adde07a6cffd5c8e96bd81a850fea
+Patch8: libtiff-CVE-2022-0907.patch
+# https://gitlab.com/libtiff/libtiff/-/commit/a95b799f65064e4ba2e2dfc206808f86faf93e85
+Patch9: libtiff-CVE-2022-0908.patch
+# https://gitlab.com/libtiff/libtiff/-/commit/f8d0f9aa1ba04c9ae3bfe869a18141a8b8117ad7
+Patch10: libtiff-CVE-2022-0909.patch
 
 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel
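Review bot: `dblval != dblval` on the two changed lines in _TIFFVSetField is the self-comparison idiom for NaN, and nothing in the hunk says so; a reader who does not know the idiom will take it for a tautology that an optimizer could drop. Either a comment, `/* reject NaN (compares unequal to itself) as well as negative values */`, or `isnan(dblval)` if tif_dir.c already includes <math.h> (not visible here) would state the intent. The same bare `< 0` pattern may exist for other double-valued tags in this switch; only XRESOLUTION and YRESOLUTION are covered by the hunk. _TIFFVSetField begins and ends outside the hunk.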
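Review bot: The upstream commit URLs added above Patch8, Patch9 and Patch10 (f2b656e2…, a95b799f… and f8d0f9aa…) do not match the `From` hashes at the head of the three patch files this commit adds (10b47366…, 2fac3f6f… and 802070f1…). That is plausible if the patches were exported from a different branch or cherry-picked, but as written the comments cannot be used to check the backport against the commit they cite. Either point each comment at the commit the patch was actually exported from, or record where it came from, e.g. `# https://gitlab.com/libtiff/libtiff/-/commit/<upstream hash> (patch exported from <branch>)`.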
@@ -77,6 +83,9 @@ image files using the libtiff library.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
 
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@@ -181,6 +190,9 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*
 
 %changelog
+* Fri Mar 18 2022 Nikola Forró - 4.3.0-6
+- Fix CVE-2022-0907 (#2064147), CVE-2022-0908 (#2064153) and CVE-2022-0909 (#2064152)
+
 * Fri Mar 18 2022 Nikola Forró - 4.3.0-5
 - Fix CVE-2022-0865 (#2065359), CVE-2022-0891 (#2065389) and CVE-2022-0924 (#2064154)