rpms
/
libtiff
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9-beta
rpms:c8-beta
rpms:c9s
rpms:c9
rpms:c8s
rpms:imports/c9/libtiff-4.4.0-10.el9
rpms:imports/c8/libtiff-4.0.9-29.el8_8
rpms:imports/c9-beta/libtiff-4.4.0-10.el9
rpms:imports/c8/libtiff-4.0.9-28.el8_8
rpms:imports/c9/libtiff-4.4.0-8.el9_2
rpms:imports/c8/libtiff-4.0.9-27.el8
rpms:imports/c9/libtiff-4.4.0-7.el9
rpms:imports/c9-beta/libtiff-4.4.0-7.el9
rpms:imports/c8-beta/libtiff-4.0.9-27.el8
rpms:imports/c8s/libtiff-4.0.9-27.el8
rpms:imports/c9/libtiff-4.4.0-5.el9_1
rpms:imports/c8/libtiff-4.0.9-26.el8_7
rpms:imports/c9/libtiff-4.4.0-2.el9
rpms:imports/c8s/libtiff-4.0.9-26.el8_7
rpms:imports/c8/libtiff-4.0.9-23.el8
rpms:imports/c9-beta/libtiff-4.4.0-2.el9
rpms:imports/c8-beta/libtiff-4.0.9-23.el8
rpms:imports/c8s/libtiff-4.0.9-23.el8
rpms:imports/c9/libtiff-4.2.0-3.el9
rpms:imports/c8/libtiff-4.0.9-21.el8
rpms:imports/c8-beta/libtiff-4.0.9-21.el8
rpms:imports/c9-beta/libtiff-4.2.0-3.el9
rpms:imports/c8/libtiff-4.0.9-20.el8
rpms:imports/c8s/libtiff-4.0.9-21.el8
rpms:imports/c8-beta/libtiff-4.0.9-20.el8
rpms:imports/c8-beta/libtiff-4.0.9-18.el8
rpms:imports/c8-beta/libtiff-4.0.9-17.el8
rpms:imports/c8-beta/libtiff-4.0.9-15.el8
rpms:imports/c8s/libtiff-4.0.9-20.el8
rpms:imports/c8s/libtiff-4.0.9-18.el8
rpms:imports/c8s/libtiff-4.0.9-17.el8
rpms:imports/c8/libtiff-4.0.9-18.el8
rpms:imports/c8/libtiff-4.0.9-17.el8
rpms:imports/c8/libtiff-4.0.9-15.el8
rpms:imports/c8/libtiff-4.0.9-13.el8
...
pull from: rpms:c9-beta
Branches Tags
rpms:c9-beta
rpms:c8-beta
rpms:c9s
rpms:c9
rpms:c8
rpms:c8s
rpms:imports/c9/libtiff-4.4.0-10.el9
rpms:imports/c8/libtiff-4.0.9-29.el8_8
rpms:imports/c9-beta/libtiff-4.4.0-10.el9
rpms:imports/c8/libtiff-4.0.9-28.el8_8
rpms:imports/c9/libtiff-4.4.0-8.el9_2
rpms:imports/c8/libtiff-4.0.9-27.el8
rpms:imports/c9/libtiff-4.4.0-7.el9
rpms:imports/c9-beta/libtiff-4.4.0-7.el9
rpms:imports/c8-beta/libtiff-4.0.9-27.el8
rpms:imports/c8s/libtiff-4.0.9-27.el8
rpms:imports/c9/libtiff-4.4.0-5.el9_1
rpms:imports/c8/libtiff-4.0.9-26.el8_7
rpms:imports/c9/libtiff-4.4.0-2.el9
rpms:imports/c8s/libtiff-4.0.9-26.el8_7
rpms:imports/c8/libtiff-4.0.9-23.el8
rpms:imports/c9-beta/libtiff-4.4.0-2.el9
rpms:imports/c8-beta/libtiff-4.0.9-23.el8
rpms:imports/c8s/libtiff-4.0.9-23.el8
rpms:imports/c9/libtiff-4.2.0-3.el9
rpms:imports/c8/libtiff-4.0.9-21.el8
rpms:imports/c8-beta/libtiff-4.0.9-21.el8
rpms:imports/c9-beta/libtiff-4.2.0-3.el9
rpms:imports/c8/libtiff-4.0.9-20.el8
rpms:imports/c8s/libtiff-4.0.9-21.el8
rpms:imports/c8-beta/libtiff-4.0.9-20.el8
rpms:imports/c8-beta/libtiff-4.0.9-18.el8
rpms:imports/c8-beta/libtiff-4.0.9-17.el8
rpms:imports/c8-beta/libtiff-4.0.9-15.el8
rpms:imports/c8s/libtiff-4.0.9-20.el8
rpms:imports/c8s/libtiff-4.0.9-18.el8
rpms:imports/c8s/libtiff-4.0.9-17.el8
rpms:imports/c8/libtiff-4.0.9-18.el8
rpms:imports/c8/libtiff-4.0.9-17.el8
rpms:imports/c8/libtiff-4.0.9-15.el8
rpms:imports/c8/libtiff-4.0.9-13.el8

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

54 changed files with 2451 additions and 2811 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/tiff-4.0.9.tar.gz
SOURCES/tiff-4.4.0.tar.gz

2
.libtiff.metadata
View File

@ -1 +1 @@
87d4543579176cc568668617c22baceccd568296 SOURCES/tiff-4.0.9.tar.gz
e11d05db71d243a62800b4bf4479eb4859714405 SOURCES/tiff-4.4.0.tar.gz

18
SOURCES/0001-Back-off-the-minimum-required-automake-version-to-1..patch
View File

@ -1,19 +1,19 @@
From 686002d8cd9d41f0a4b7915be9866979c25bd5d7 Mon Sep 17 00:00:00 2001
From b2e3171e935be3c4b79657aebf4175ef3be403b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 5 May 2022 14:38:04 +0200
Subject: [PATCH] Back off the minimum required automake version to 1.11.
Date: Mon, 18 Jul 2022 13:40:10 +0200
Subject: [PATCH] Back off the minimum required automake version to 1.11.
There isn't anything in libtiff currently that actually requires 1.12, and
changing this allows the package to be built on pre-F18 machines for easier
testing.
There isn't anything in libtiff currently that actually requires 1.12,
and changing this allows the package to be built on pre-F18 machines for
easier testing. This patch can go away once we no longer care about
testing on pre-F18.
This patch can go away once we no longer care about testing on pre-F18.
---
Makefile.am | 2 +-
test/Makefile.am | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 418a3b93..fa8bf4c0 100644
index aaabf4d1..66e13dd8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -25,7 +25,7 @@
@ -26,7 +26,7 @@ index 418a3b93..fa8bf4c0 100644
docfiles = \
diff --git a/test/Makefile.am b/test/Makefile.am
index 2052487c..227f228f 100644
index b5823198..949667ee 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -23,7 +23,7 @@

2
SOURCES/0002-Fix-Makefile.patch
View File

@ -1,4 +1,4 @@
From 42425abcf2204e46544aff5cd95a129944e15894 Mon Sep 17 00:00:00 2001
From ab8a25b78922ba0e93fc4264d15c3e796a6f4c34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 5 May 2022 14:42:52 +0200
Subject: [PATCH] Fix Makefile

127
SOURCES/0003-CVE-2018-5784-Fix-for-bug-2772.patch
View File

@ -1,127 +0,0 @@
From e5d227c83f487e8a87d336f6cebf39042520d5cd Mon Sep 17 00:00:00 2001
From: Nathan Baker <nathanb@lenovo-chrome.com>
Date: Tue, 6 Feb 2018 10:13:57 -0500
Subject: [PATCH] (CVE-2018-5784) Fix for bug 2772
It is possible to craft a TIFF document where the IFD list is circular,
leading to an infinite loop while traversing the chain. The libtiff
directory reader has a failsafe that will break out of this loop after
reading 65535 directory entries, but it will continue processing,
consuming time and resources to process what is essentially a bogus TIFF
document.
This change fixes the above behavior by breaking out of processing when
a TIFF document has >= 65535 directories and terminating with an error.
(cherry picked from commit 473851d211cf8805a161820337ca74cc9615d6ef)
---
contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
tools/tiff2pdf.c | 10 ++++++++++
tools/tiffcrop.c | 13 +++++++++++--
3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
index c61ffbb8..03b35733 100644
--- a/contrib/addtiffo/tif_overview.c
+++ b/contrib/addtiffo/tif_overview.c
@@ -65,6 +65,8 @@
# define MAX(a,b) ((a>b) ? a : b)
#endif
+#define TIFF_DIR_MAX 65534
+
void TIFFBuildOverviews( TIFF *, int, int *, int, const char *,
int (*)(double,void*), void * );
@@ -91,6 +93,7 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
{
toff_t nBaseDirOffset;
toff_t nOffset;
+ tdir_t iNumDir;
(void) bUseSubIFDs;
@@ -147,7 +150,16 @@ uint32 TIFF_WriteOverview( TIFF *hTIFF, uint32 nXSize, uint32 nYSize,
return 0;
TIFFWriteDirectory( hTIFF );
- TIFFSetDirectory( hTIFF, (tdir_t) (TIFFNumberOfDirectories(hTIFF)-1) );
+ iNumDir = TIFFNumberOfDirectories(hTIFF);
+ if( iNumDir > TIFF_DIR_MAX )
+ {
+ TIFFErrorExt( TIFFClientdata(hTIFF),
+ "TIFF_WriteOverview",
+ "File `%s' has too many directories.\n",
+ TIFFFileName(hTIFF) );
+ exit(-1);
+ }
+ TIFFSetDirectory( hTIFF, (tdir_t) (iNumDir - 1) );
nOffset = TIFFCurrentDirOffset( hTIFF );
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 454befbd..bdb91262 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
#define PS_UNIT_SIZE 72.0F
+#define TIFF_DIR_MAX 65534
+
/* This type is of PDF color spaces. */
typedef enum {
T2P_CS_BILEVEL = 0x01, /* Bilevel, black and white */
@@ -1049,6 +1051,14 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
uint16 xuint16=0;
directorycount=TIFFNumberOfDirectories(input);
+ if(directorycount > TIFF_DIR_MAX) {
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "TIFF contains too many directories, %s",
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE)));
if(t2p->tiff_pages==NULL){
TIFFError(
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index c69177e0..c60cb389 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
#define DUMP_TEXT 1
#define DUMP_RAW 2
+#define TIFF_DIR_MAX 65534
+
/* Offsets into buffer for margins and fixed width and length segments */
struct offset {
uint32 tmargin;
@@ -2233,7 +2235,7 @@ main(int argc, char* argv[])
pageNum = -1;
else
total_images = 0;
- /* read multiple input files and write to output file(s) */
+ /* Read multiple input files and write to output file(s) */
while (optind < argc - 1)
{
in = TIFFOpen (argv[optind], "r");
@@ -2241,7 +2243,14 @@ main(int argc, char* argv[])
return (-3);
/* If only one input file is specified, we can use directory count */
- total_images = TIFFNumberOfDirectories(in);
+ total_images = TIFFNumberOfDirectories(in);
+ if (total_images > TIFF_DIR_MAX)
+ {
+ TIFFError (TIFFFileName(in), "File contains too many directories");
+ if (out != NULL)
+ (void) TIFFClose(out);
+ return (1);
+ }
if (image_count == 0)
{
dirnum = 0;

94
SOURCES/0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch → SOURCES/0003-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch
View File

@ -1,4 +1,4 @@
From fddff26550de7a5ea9735649a74aa3829e461ae5 Mon Sep 17 00:00:00 2001
From eda0ab31e15edbb6ddee96f5c87d52888d68872c Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Sat, 11 Jun 2022 09:31:43 +0000
Subject: [PATCH] (CVE-2022-2056 CVE-2022-2057 CVE-2022-2058) fix the FPE in
@ -12,49 +12,49 @@ Subject: [PATCH] (CVE-2022-2056 CVE-2022-2057 CVE-2022-2058) fix the FPE in
3 files changed, 44 insertions(+), 28 deletions(-)
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
index 2071d19c..4d1869b4 100644
index 140f26c7..5b88c8d0 100644
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -408,6 +408,15 @@ float _TIFFClampDoubleToFloat( double val )
@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val )
return (float)val;
}
+uint32 _TIFFClampDoubleToUInt32(double val)
+uint32_t _TIFFClampDoubleToUInt32(double val)
+{
+ if( val < 0 )
+ return 0;
+ if( val > 0xFFFFFFFFU || val != val )
+ return 0xFFFFFFFFU;
+ return (uint32)val;
+ return (uint32_t)val;
+}
+
int _TIFFSeekOK(TIFF* tif, toff_t off)
{
/* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index 05ba735b..5b106e03 100644
index e3af461d..4e8bdac2 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -378,6 +378,7 @@ extern double _TIFFUInt64ToDouble(uint64);
extern float _TIFFUInt64ToFloat(uint64);
@@ -365,6 +365,7 @@ extern double _TIFFUInt64ToDouble(uint64_t);
extern float _TIFFUInt64ToFloat(uint64_t);
extern float _TIFFClampDoubleToFloat(double);
+extern uint32 _TIFFClampDoubleToUInt32(double);
+extern uint32_t _TIFFClampDoubleToUInt32(double);
extern tmsize_t
_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip,
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 83cf80ad..ea0b98be 100644
index 1f827b2b..90286a5e 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5140,17 +5140,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
@@ -5268,17 +5268,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
{
- x1 = (uint32) (crop->corners[i].X1 * scale * xres);
- x2 = (uint32) (crop->corners[i].X2 * scale * xres);
- y1 = (uint32) (crop->corners[i].Y1 * scale * yres);
- y2 = (uint32) (crop->corners[i].Y2 * scale * yres);
- x1 = (uint32_t) (crop->corners[i].X1 * scale * xres);
- x2 = (uint32_t) (crop->corners[i].X2 * scale * xres);
- y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres);
- y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
@ -62,25 +62,25 @@ index 83cf80ad..ea0b98be 100644
}
else
{
- x1 = (uint32) (crop->corners[i].X1);
- x2 = (uint32) (crop->corners[i].X2);
- y1 = (uint32) (crop->corners[i].Y1);
- y2 = (uint32) (crop->corners[i].Y2);
- x1 = (uint32_t) (crop->corners[i].X1);
- x2 = (uint32_t) (crop->corners[i].X2);
- y1 = (uint32_t) (crop->corners[i].Y1);
- y2 = (uint32_t) (crop->corners[i].Y2);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
}
if (x1 < 1)
crop->regionlist[i].x1 = 0;
@@ -5213,17 +5213,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
/* a) Region needs to be within image sizes 0.. width-1; 0..length-1
* b) Corners are expected to be submitted as top-left to bottom-right.
@@ -5357,17 +5357,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{ /* User has specified pixels as reference unit */
- tmargin = (uint32)(crop->margins[0]);
- lmargin = (uint32)(crop->margins[1]);
- bmargin = (uint32)(crop->margins[2]);
- rmargin = (uint32)(crop->margins[3]);
- tmargin = (uint32_t)(crop->margins[0]);
- lmargin = (uint32_t)(crop->margins[1]);
- bmargin = (uint32_t)(crop->margins[2]);
- rmargin = (uint32_t)(crop->margins[3]);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
@ -88,10 +88,10 @@ index 83cf80ad..ea0b98be 100644
}
else
{ /* inches or centimeters specified */
- tmargin = (uint32)(crop->margins[0] * scale * yres);
- lmargin = (uint32)(crop->margins[1] * scale * xres);
- bmargin = (uint32)(crop->margins[2] * scale * yres);
- rmargin = (uint32)(crop->margins[3] * scale * xres);
- tmargin = (uint32_t)(crop->margins[0] * scale * yres);
- lmargin = (uint32_t)(crop->margins[1] * scale * xres);
- bmargin = (uint32_t)(crop->margins[2] * scale * yres);
- rmargin = (uint32_t)(crop->margins[3] * scale * xres);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
@ -99,17 +99,17 @@ index 83cf80ad..ea0b98be 100644
}
if ((lmargin + rmargin) > image->width)
@@ -5253,24 +5253,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
@@ -5397,24 +5397,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32)crop->width;
- width = (uint32_t)crop->width;
+ width = _TIFFClampDoubleToUInt32(crop->width);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32)crop->length;
- length = (uint32_t)crop->length;
+ length = _TIFFClampDoubleToUInt32(crop->length);
else
length = image->length - tmargin - bmargin;
@ -117,54 +117,54 @@ index 83cf80ad..ea0b98be 100644
else
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32)(crop->width * scale * image->xres);
- width = (uint32_t)(crop->width * scale * image->xres);
+ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32)(crop->length * scale * image->yres);
- length = (uint32_t)(crop->length * scale * image->yres);
+ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
else
length = image->length - tmargin - bmargin;
}
@@ -5669,13 +5669,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
@@ -5868,13 +5868,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
{ /* inches or centimeters specified */
- hmargin = (uint32)(page->hmargin * scale * page->hres * ((image->bps + 7)/ 8));
- vmargin = (uint32)(page->vmargin * scale * page->vres * ((image->bps + 7)/ 8));
- hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
- vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
}
else
{ /* Otherwise user has specified pixels as reference unit */
- hmargin = (uint32)(page->hmargin * scale * ((image->bps + 7)/ 8));
- vmargin = (uint32)(page->vmargin * scale * ((image->bps + 7)/ 8));
- hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8));
- vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
}
if ((hmargin * 2.0) > (pwidth * page->hres))
@@ -5713,13 +5713,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
@@ -5912,13 +5912,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->mode & PAGE_MODE_PAPERSIZE )
{
- owidth = (uint32)((pwidth * page->hres) - (hmargin * 2));
- olength = (uint32)((plength * page->vres) - (vmargin * 2));
- owidth = (uint32_t)((pwidth * page->hres) - (hmargin * 2));
- olength = (uint32_t)((plength * page->vres) - (vmargin * 2));
+ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
+ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
}
else
{
- owidth = (uint32)(iwidth - (hmargin * 2 * page->hres));
- olength = (uint32)(ilength - (vmargin * 2 * page->vres));
- owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres));
- olength = (uint32_t)(ilength - (vmargin * 2 * page->vres));
+ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
+ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
}
}
@@ -5728,6 +5728,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
@@ -5927,6 +5927,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
if (olength > ilength)
olength = ilength;

170
SOURCES/0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch
View File

@ -1,170 +0,0 @@
From 688dc47dfcbbc4e54dc617c9701cf46a03f8e069 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Sun, 8 Apr 2018 14:07:08 -0400
Subject: [PATCH] (CVE-2018-7456) Fix NULL pointer dereference in
TIFFPrintDirectory
The TIFFPrintDirectory function relies on the following assumptions,
supposed to be guaranteed by the specification:
(a) A Transfer Function field is only present if the TIFF file has
photometric type < 3.
(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
has count SamplesPerPixel - (Color Channels) and contains
information about supplementary channels.
While respect of (a) and (b) are essential for the well functioning of
TIFFPrintDirectory, no checks are realized neither by the callee nor
by TIFFPrintDirectory itself. Hence, following scenarios might happen
and trigger the NULL pointer dereference:
(1) TIFF File of photometric type 4 or more has illegal Transfer
Function field.
(2) TIFF File has photometric type 3 or less and defines a
SamplesPerPixel field such that SamplesPerPixel > Color Channels
without defining all extra samples in the ExtraSamples fields.
In this patch, we address both issues with respect of the following
principles:
(A) In the case of (1), the defined transfer table should be printed
safely even if it isn't 'legal'. This allows us to avoid expensive
checks in TIFFPrintDirectory. Also, it is quite possible that
an alternative photometric type would be developed (not part of the
standard) and would allow definition of Transfer Table. We want
libtiff to be able to handle this scenario out of the box.
(B) In the case of (2), the transfer table should be printed at its
right size, that is if TIFF file has photometric type Palette
then the transfer table should have one row and not three, even
if two extra samples are declared.
In order to fulfill (A) we simply add a new 'i < 3' end condition to
the broken TIFFPrintDirectory loop. This makes sure that in any case
where (b) would be respected but not (a), everything stays fine.
(B) is fulfilled by the loop condition
'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
long as (b) is respected.
Naturally, we also make sure (b) is respected. This is done in the
TIFFReadDirectory function by making sure any non-color channel is
counted in ExtraSamples.
This commit addresses CVE-2018-7456.
(cherry picked from commit be4c85b16e8801a16eec25e80eb9f3dd6a96731b)
---
libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++
libtiff/tif_print.c | 2 +-
2 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 5e62e813..80aaf8d1 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
static void ChopUpSingleUncompressedStrip(TIFF*);
static uint64 TIFFReadUInt64(const uint8 *value);
+static int _TIFFGetMaxColorChannels(uint16 photometric);
static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
@@ -3506,6 +3507,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
}
}
+/*
+ * Return the maximum number of color channels specified for a given photometric
+ * type. 0 is returned if photometric type isn't supported or no default value
+ * is defined by the specification.
+ */
+static int _TIFFGetMaxColorChannels( uint16 photometric )
+{
+ switch (photometric) {
+ case PHOTOMETRIC_PALETTE:
+ case PHOTOMETRIC_MINISWHITE:
+ case PHOTOMETRIC_MINISBLACK:
+ return 1;
+ case PHOTOMETRIC_YCBCR:
+ case PHOTOMETRIC_RGB:
+ case PHOTOMETRIC_CIELAB:
+ return 3;
+ case PHOTOMETRIC_SEPARATED:
+ case PHOTOMETRIC_MASK:
+ return 4;
+ case PHOTOMETRIC_LOGL:
+ case PHOTOMETRIC_LOGLUV:
+ case PHOTOMETRIC_CFA:
+ case PHOTOMETRIC_ITULAB:
+ case PHOTOMETRIC_ICCLAB:
+ default:
+ return 0;
+ }
+}
+
/*
* Read the next TIFF directory from a file and convert it to the internal
* format. We read directories sequentially.
@@ -3522,6 +3552,7 @@ TIFFReadDirectory(TIFF* tif)
uint32 fii=FAILED_FII;
toff_t nextdiroff;
int bitspersample_read = FALSE;
+ int color_channels;
tif->tif_diroff=tif->tif_nextdiroff;
if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
@@ -4026,6 +4057,37 @@ TIFFReadDirectory(TIFF* tif)
}
}
}
+
+ /*
+ * Make sure all non-color channels are extrasamples.
+ * If it's not the case, define them as such.
+ */
+ color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
+ if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
+ uint16 old_extrasamples;
+ uint16 *new_sampleinfo;
+
+ TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
+ "color channels and ExtraSamples doesn't match SamplesPerPixel. "
+ "Defining non-color channels as ExtraSamples.");
+
+ old_extrasamples = tif->tif_dir.td_extrasamples;
+ tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
+
+ // sampleinfo should contain information relative to these new extra samples
+ new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
+ if (!new_sampleinfo) {
+ TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
+ "temporary new sampleinfo array (%d 16 bit elements)",
+ tif->tif_dir.td_extrasamples);
+ goto bad;
+ }
+
+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+ _TIFFfree(new_sampleinfo);
+ }
+
/*
* Verify Palette image has a Colormap.
*/
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index 24d4b98a..10a588ea 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
uint16 i;
fprintf(fd, " %2ld: %5u",
l, td->td_transferfunction[0][l]);
- for (i = 1; i < td->td_samplesperpixel; i++)
+ for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
fprintf(fd, " %5u",
td->td_transferfunction[i][l]);
fputc('\n', fd);

72
SOURCES/0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch → SOURCES/0004-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-According-.patch
View File

@ -1,12 +1,11 @@
From d26748dd8fb90b0af8c9344615f65d273dc66f93 Mon Sep 17 00:00:00 2001
From ecd9216e574039b8fba893314bdfc6edbdd6bf20 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Mon, 15 Aug 2022 22:11:03 +0200
Subject: [PATCH] =?UTF-8?q?(CVE-2022-2519=20CVE-2022-2520=20CVE-2022-2521?=
=?UTF-8?q?=20CVE-2022-2953)=20According=20to=20Richard=20Nolde=20https://?=
=?UTF-8?q?gitlab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the?=
=?UTF-8?q?=20tiffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutua?=
=?UTF-8?q?lly=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),?=
=?UTF-8?q?=20-Z=20and=20-z.?=
Subject: [PATCH] =?UTF-8?q?(CVE-2022-2519=20CVE-2022-2520=20CVE-2022-2521)?=
=?UTF-8?q?=20According=20to=20Richard=20Nolde=20https://gitlab.com/libtif?=
=?UTF-8?q?f/libtiff/-/issues/401#note=5F877637400=20the=20tiffcrop=20opti?=
=?UTF-8?q?on=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutually=20exclusive=20?=
=?UTF-8?q?to=20the=20other=20crop=20options=20(-X|-Y),=20-Z=20and=20-z.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -17,26 +16,23 @@ This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
(cherry picked from commit 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf)
---
tools/tiffcrop.c | 31 +++++++++++++++++++++++--------
1 file changed, 23 insertions(+), 8 deletions(-)
tools/tiffcrop.c | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 5801b8f6..27e6f81c 100644
index 90286a5e..d9213ecb 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -104,7 +104,10 @@
* includes annotations for image parameters and scanline info. Level
* selects which functions dump data, with higher numbers selecting
@@ -108,7 +108,7 @@
* lower level, scanline level routines. Debug reports a limited set
- * of messages to monitor progess without enabling dump logs.
+ * of messages to monitor progress without enabling dump logs.
+ *
* of messages to monitor progress without enabling dump logs.
*
- * Note: The (-X|-Y), -Z and -z options are mutually exclusive.
+ * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
+ * In no case should the options be applied to a given selection successively.
* In no case should the options be applied to a given selection successively.
*/
static char tiffcrop_version_id[] = "2.4";
@@ -177,12 +180,12 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
#define ROTATECW_270 32
#define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
@ -55,7 +51,7 @@ index 5801b8f6..27e6f81c 100644
#define CROP_ROTATE 32
#define CROP_MIRROR 64
#define CROP_INVERT 128
@@ -320,7 +323,7 @@ struct crop_mask {
@@ -316,7 +316,7 @@ struct crop_mask {
#define PAGE_MODE_RESOLUTION 1
#define PAGE_MODE_PAPERSIZE 2
#define PAGE_MODE_MARGINS 4
@ -64,29 +60,31 @@ index 5801b8f6..27e6f81c 100644
#define INVERT_DATA_ONLY 10
#define INVERT_DATA_AND_TAG 11
@@ -751,6 +754,8 @@ static char* usage_info[] = {
" The four debug/dump options are independent, though it makes little sense to",
" specify a dump file without specifying a detail level.",
" ",
+"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive."
+" ",
NULL
};
@@ -2099,6 +2104,16 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
@@ -781,7 +781,7 @@ static const char usage_info[] =
" The four debug/dump options are independent, though it makes little sense to\n"
" specify a dump file without specifying a detail level.\n"
"\n"
-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
+"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
" In no case should the options be applied to a given selection successively.\n"
"\n"
;
@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
/*NOTREACHED*/
}
}
- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/
- char XY, Z, R;
+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
+ char XY, Z, R, S;
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
+ Z = (crop_data->crop_mode & CROP_ZONES);
+ R = (crop_data->crop_mode & CROP_REGIONS);
XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
Z = (crop_data->crop_mode & CROP_ZONES);
R = (crop_data->crop_mode & CROP_REGIONS);
- if ((XY && Z) || (XY && R) || (Z && R)) {
- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit");
+ S = (page->mode & PAGE_MODE_ROWSCOLS);
+ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
+ exit(EXIT_FAILURE);
+ }
exit(EXIT_FAILURE);
}
} /* end process_command_opts */
/* Start a new output file if one has not been previously opened or

152
SOURCES/0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch
View File

@ -1,152 +0,0 @@
From 5b984e1b9296c4a3b80c5650f17cb4db575250e4 Mon Sep 17 00:00:00 2001
From: Brian May <brian@linuxpenguins.xyz>
Date: Thu, 7 Dec 2017 07:46:47 +1100
Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix CVE-2017-9935
Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
This vulnerability - at least for the supplied test case - is because we
assume that a tiff will only have one transfer function that is the same
for all pages. This is not required by the TIFF standards.
We than read the transfer function for every page. Depending on the
transfer function, we allocate either 2 or 4 bytes to the XREF buffer.
We allocate this memory after we read in the transfer function for the
page.
For the first exploit - POC1, this file has 3 pages. For the first page
we allocate 2 extra extra XREF entries. Then for the next page 2 more
entries. Then for the last page the transfer function changes and we
allocate 4 more entries.
When we read the file into memory, we assume we have 4 bytes extra for
each and every page (as per the last transfer function we read). Which
is not correct, we only have 2 bytes extra for the first 2 pages. As a
result, we end up writing past the end of the buffer.
There are also some related issues that this also fixes. For example,
TIFFGetField can return uninitalized pointer values, and the logic to
detect a N=3 vs N=1 transfer function seemed rather strange.
It is also strange that we declare the transfer functions to be of type
float, when the standard says they are unsigned 16 bit values. This is
fixed in another patch.
This patch will check to ensure that the N value for every transfer
function is the same for every page. If this changes, we abort with an
error. In theory, we should perhaps check that the transfer function
itself is identical for every page, however we don't do that due to the
confusion of the type of the data in the transfer function.
(cherry picked from commit 3dd8f6a357981a4090f126ab9025056c938b6940)
---
libtiff/tif_dir.c | 3 +++
tools/tiff2pdf.c | 65 ++++++++++++++++++++++++++++++++---------------
2 files changed, 47 insertions(+), 21 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index f00f8080..c36a5f3f 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
if (td->td_samplesperpixel - td->td_extrasamples > 1) {
*va_arg(ap, uint16**) = td->td_transferfunction[1];
*va_arg(ap, uint16**) = td->td_transferfunction[2];
+ } else {
+ *va_arg(ap, uint16**) = NULL;
+ *va_arg(ap, uint16**) = NULL;
}
break;
case TIFFTAG_REFERENCEBLACKWHITE:
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index bdb91262..ef5d6a01 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
uint16 pagen=0;
uint16 paged=0;
uint16 xuint16=0;
+ uint16 tiff_transferfunctioncount=0;
+ float* tiff_transferfunction[3];
directorycount=TIFFNumberOfDirectories(input);
if(directorycount > TIFF_DIR_MAX) {
@@ -1157,26 +1159,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
}
#endif
if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION,
- &(t2p->tiff_transferfunction[0]),
- &(t2p->tiff_transferfunction[1]),
- &(t2p->tiff_transferfunction[2]))) {
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
- (t2p->tiff_transferfunction[1] !=
- t2p->tiff_transferfunction[0])) {
- t2p->tiff_transferfunctioncount = 3;
- t2p->tiff_pages[i].page_extra += 4;
- t2p->pdf_xrefcount += 4;
- } else {
- t2p->tiff_transferfunctioncount = 1;
- t2p->tiff_pages[i].page_extra += 2;
- t2p->pdf_xrefcount += 2;
- }
- if(t2p->pdf_minorversion < 2)
- t2p->pdf_minorversion = 2;
+ &(tiff_transferfunction[0]),
+ &(tiff_transferfunction[1]),
+ &(tiff_transferfunction[2]))) {
+
+ if((tiff_transferfunction[1] != (float*) NULL) &&
+ (tiff_transferfunction[2] != (float*) NULL)
+ ) {
+ tiff_transferfunctioncount=3;
+ } else {
+ tiff_transferfunctioncount=1;
+ }
} else {
- t2p->tiff_transferfunctioncount=0;
+ tiff_transferfunctioncount=0;
}
+
+ if (i > 0){
+ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){
+ TIFFError(
+ TIFF2PDF_MODULE,
+ "Different transfer function on page %d",
+ i);
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
+ }
+
+ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount;
+ t2p->tiff_transferfunction[0] = tiff_transferfunction[0];
+ t2p->tiff_transferfunction[1] = tiff_transferfunction[1];
+ t2p->tiff_transferfunction[2] = tiff_transferfunction[2];
+ if(tiff_transferfunctioncount == 3){
+ t2p->tiff_pages[i].page_extra += 4;
+ t2p->pdf_xrefcount += 4;
+ if(t2p->pdf_minorversion < 2)
+ t2p->pdf_minorversion = 2;
+ } else if (tiff_transferfunctioncount == 1){
+ t2p->tiff_pages[i].page_extra += 2;
+ t2p->pdf_xrefcount += 2;
+ if(t2p->pdf_minorversion < 2)
+ t2p->pdf_minorversion = 2;
+ }
+
if( TIFFGetField(
input,
TIFFTAG_ICCPROFILE,
@@ -1838,9 +1862,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
&(t2p->tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) {
if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
- (t2p->tiff_transferfunction[1] !=
- t2p->tiff_transferfunction[0])) {
+ (t2p->tiff_transferfunction[2] != (float*) NULL)
+ ) {
t2p->tiff_transferfunctioncount=3;
} else {
t2p->tiff_transferfunctioncount=1;

10
SOURCES/0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch → SOURCES/0005-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-tiffcrop-S.patch
View File

@ -1,8 +1,8 @@
From 3635844b59578eb572372e7546548ea84c967ba1 Mon Sep 17 00:00:00 2001
From 670117c3a76bc0f995bfdb6c293ab2ce9af18273 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sat, 20 Aug 2022 23:35:26 +0200
Subject: [PATCH] (CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953)
tiffcrop -S option: Make decision simpler.
Subject: [PATCH] (CVE-2022-2519 CVE-2022-2520 CVE-2022-2521) tiffcrop -S
option: Make decision simpler.
(cherry picked from commit bad48e90b410df32172006c7876da449ba62cdba)
---
@ -10,10 +10,10 @@ Subject: [PATCH] (CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953)
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 27e6f81c..ff118496 100644
index d9213ecb..0551a01c 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -2106,11 +2106,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
@@ -2133,11 +2133,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
}
/*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
char XY, Z, R, S;

58
SOURCES/0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch
View File

@ -1,58 +0,0 @@
From 8e3772f232bf8f8c1959f229b5d922dd33a1e558 Mon Sep 17 00:00:00 2001
From: Brian May <brian@linuxpenguins.xyz>
Date: Thu, 7 Dec 2017 07:49:20 +1100
Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix apparent incorrect type for
transfer table
The standard says the transfer table contains unsigned 16 bit values,
I have no idea why we refer to them as floats.
(cherry picked from commit d4f213636b6f950498a1386083199bd7f65676b9)
---
tools/tiff2pdf.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index ef5d6a01..bd23c9e5 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -239,7 +239,7 @@ typedef struct {
float tiff_whitechromaticities[2];
float tiff_primarychromaticities[6];
float tiff_referenceblackwhite[2];
- float* tiff_transferfunction[3];
+ uint16* tiff_transferfunction[3];
int pdf_image_interpolate; /* 0 (default) : do not interpolate,
1 : interpolate */
uint16 tiff_transferfunctioncount;
@@ -1050,7 +1050,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
uint16 paged=0;
uint16 xuint16=0;
uint16 tiff_transferfunctioncount=0;
- float* tiff_transferfunction[3];
+ uint16* tiff_transferfunction[3];
directorycount=TIFFNumberOfDirectories(input);
if(directorycount > TIFF_DIR_MAX) {
@@ -1163,8 +1163,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
&(tiff_transferfunction[1]),
&(tiff_transferfunction[2]))) {
- if((tiff_transferfunction[1] != (float*) NULL) &&
- (tiff_transferfunction[2] != (float*) NULL)
+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
+ (tiff_transferfunction[2] != (uint16*) NULL)
) {
tiff_transferfunctioncount=3;
} else {
@@ -1861,8 +1861,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
&(t2p->tiff_transferfunction[0]),
&(t2p->tiff_transferfunction[1]),
&(t2p->tiff_transferfunction[2]))) {
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
- (t2p->tiff_transferfunction[2] != (float*) NULL)
+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
) {
t2p->tiff_transferfunctioncount=3;
} else {

55
SOURCES/0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch → SOURCES/0006-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch
View File

@ -1,4 +1,4 @@
From 84f9ede8075774dd9a10080a9eea9016229adbaa Mon Sep 17 00:00:00 2001
From c382116391639603e06aeceb80accf7af4418892 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Thu, 25 Aug 2022 16:11:41 +0200
Subject: [PATCH] (CVE-2022-3597 CVE-2022-3626 CVE-2022-3627) tiffcrop: disable
@ -23,18 +23,20 @@ The MR solves issues #411 and #413.
(cherry picked from commit 4746f16253b784287bc8a5003990c1c3b9a03a62)
---
tools/tiffcrop.c | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
tools/tiffcrop.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index ff118496..848b2b49 100644
index 0551a01c..613ce7f8 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -106,9 +106,11 @@
@@ -107,10 +107,12 @@
* selects which functions dump data, with higher numbers selecting
* lower level, scanline level routines. Debug reports a limited set
* of messages to monitor progress without enabling dump logs.
*
- *
- * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
+ *
+ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
* In no case should the options be applied to a given selection successively.
- */
@ -42,22 +44,23 @@ index ff118496..848b2b49 100644
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
+ */
static char tiffcrop_version_id[] = "2.4";
static char tiffcrop_rev_date[] = "12-13-2010";
@@ -754,7 +756,11 @@ static char* usage_info[] = {
" The four debug/dump options are independent, though it makes little sense to",
" specify a dump file without specifying a detail level.",
" ",
-"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive."
+"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.",
+" In no case should the options be applied to a given selection successively.",
+" ",
+"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options",
+" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.",
" ",
NULL
};
@@ -2111,9 +2117,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
static char tiffcrop_version_id[] = "2.5";
static char tiffcrop_rev_date[] = "02-09-2022";
@@ -781,9 +783,12 @@ static const char usage_info[] =
" The four debug/dump options are independent, though it makes little sense to\n"
" specify a dump file without specifying a detail level.\n"
"\n"
-"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
+"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
" In no case should the options be applied to a given selection successively.\n"
"\n"
+"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options\n"
+" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.\n"
+"\n"
;
/* This function could be modified to pass starting sample offset
@@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
if (XY + Z + R + S > 1) {
@ -79,16 +82,16 @@ index ff118496..848b2b49 100644
} /* end process_command_opts */
/* Start a new output file if one has not been previously opened or
@@ -2381,6 +2398,7 @@ main(int argc, char* argv[])
exit (-1);
@@ -2411,6 +2427,7 @@ main(int argc, char* argv[])
exit (EXIT_FAILURE);
}
+ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */
if (crop.selections > 0)
{
if (processCropSelections(&image, &crop, &read_buff, seg_buffs))
@@ -2397,6 +2415,7 @@ main(int argc, char* argv[])
exit (-1);
@@ -2427,6 +2444,7 @@ main(int argc, char* argv[])
exit (EXIT_FAILURE);
}
}
+ /* Format and write selected image parts to output file(s). */

34
SOURCES/0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch
View File

@ -1,34 +0,0 @@
From 4d6c37328f38636d5002a6f1b584ad8e6031c61c Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 31 Dec 2017 15:09:41 +0100
Subject: [PATCH] (CVE-2017-18013) libtiff/tif_print.c: TIFFPrintDirectory():
fix null pointer dereference on corrupted file. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2770
(cherry picked from commit c6f41df7b581402dfba3c19a1e3df4454c551a01)
---
libtiff/tif_print.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index 10a588ea..b9b53a0f 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
fprintf(fd, " %3lu: [%8I64u, %8I64u]\n",
(unsigned long) s,
- (unsigned __int64) td->td_stripoffset[s],
- (unsigned __int64) td->td_stripbytecount[s]);
+ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0,
+ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0);
#else
fprintf(fd, " %3lu: [%8llu, %8llu]\n",
(unsigned long) s,
- (unsigned long long) td->td_stripoffset[s],
- (unsigned long long) td->td_stripbytecount[s]);
+ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0,
+ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0);
#endif
}
}

261
SOURCES/0007-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch Normal file
View File

@ -0,0 +1,261 @@
From 80d781f24346e2ba76e9eedfc943f6013abb2771 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Tue, 30 Aug 2022 16:56:48 +0200
Subject: [PATCH] (CVE-2022-3599) Revised handling of TIFFTAG_INKNAMES and
related TIFFTAG_NUMBEROFINKS value
In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
Behaviour for writing:
`NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
`NumberOfInks` is automatically set when `InkNames` is set.
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
Behaviour for reading:
When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
(cherry picked from commit f00484b9519df933723deb38fff943dc291a793d)
---
libtiff/tif_dir.c | 119 ++++++++++++++++++++++++-----------------
libtiff/tif_dir.h | 2 +
libtiff/tif_dirinfo.c | 2 +-
libtiff/tif_dirwrite.c | 5 ++
libtiff/tif_print.c | 4 ++
5 files changed, 82 insertions(+), 50 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index e90f14a0..a4295dc9 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -136,32 +136,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32_t* v)
}
/*
- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
+ * Count ink names separated by \0. Returns
* zero if the ink names are not as expected.
*/
-static uint32_t
-checkInkNamesString(TIFF* tif, uint32_t slen, const char* s)
+static uint16_t
+countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
{
- TIFFDirectory* td = &tif->tif_dir;
- uint16_t i = td->td_samplesperpixel;
+ uint16_t i = 0;
+ const char *ep = s + slen;
+ const char *cp = s;
if (slen > 0) {
- const char* ep = s+slen;
- const char* cp = s;
- for (; i > 0; i--) {
+ do {
for (; cp < ep && *cp != '\0'; cp++) {}
if (cp >= ep)
goto bad;
cp++; /* skip \0 */
- }
- return ((uint32_t)(cp - s));
+ i++;
+ } while (cp < ep);
+ return (i);
}
bad:
TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
- "%s: Invalid InkNames value; expecting %"PRIu16" names, found %"PRIu16,
- tif->tif_name,
- td->td_samplesperpixel,
- (uint16_t)(td->td_samplesperpixel-i));
+ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink",
+ tif->tif_name, slen, i);
return (0);
}
@@ -475,13 +473,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
_TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
break;
case TIFFTAG_INKNAMES:
- v = (uint16_t) va_arg(ap, uint16_vap);
- s = va_arg(ap, char*);
- v = checkInkNamesString(tif, v, s);
- status = v > 0;
- if( v > 0 ) {
- _TIFFsetNString(&td->td_inknames, s, v);
- td->td_inknameslen = v;
+ {
+ v = (uint16_t) va_arg(ap, uint16_vap);
+ s = va_arg(ap, char*);
+ uint16_t ninksinstring;
+ ninksinstring = countInkNamesString(tif, v, s);
+ status = ninksinstring > 0;
+ if(ninksinstring > 0 ) {
+ _TIFFsetNString(&td->td_inknames, s, v);
+ td->td_inknameslen = v;
+ /* Set NumberOfInks to the value ninksinstring */
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
+ {
+ if (td->td_numberofinks != ninksinstring) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"",
+ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
+ td->td_numberofinks = ninksinstring;
+ }
+ } else {
+ td->td_numberofinks = ninksinstring;
+ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
+ }
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
+ {
+ if (td->td_numberofinks != td->td_samplesperpixel) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
+ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
+ }
+ }
+ }
+ }
+ break;
+ case TIFFTAG_NUMBEROFINKS:
+ v = (uint16_t)va_arg(ap, uint16_vap);
+ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
+ if (TIFFFieldSet(tif, FIELD_INKNAMES))
+ {
+ if (v != td->td_numberofinks) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")",
+ tif->tif_name, fip->field_name, v, td->td_numberofinks);
+ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
+ status = 0;
+ }
+ } else {
+ td->td_numberofinks = (uint16_t)v;
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
+ {
+ if (td->td_numberofinks != td->td_samplesperpixel) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
+ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
+ }
+ }
}
break;
case TIFFTAG_PERSAMPLE:
@@ -915,34 +961,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
if (fip->field_bit == FIELD_CUSTOM) {
standard_tag = 0;
}
-
- if( standard_tag == TIFFTAG_NUMBEROFINKS )
- {
- int i;
- for (i = 0; i < td->td_customValueCount; i++) {
- uint16_t val;
- TIFFTagValue *tv = td->td_customValues + i;
- if (tv->info->field_tag != standard_tag)
- continue;
- if( tv->value == NULL )
- return 0;
- val = *(uint16_t *)tv->value;
- /* Truncate to SamplesPerPixel, since the */
- /* setting code for INKNAMES assume that there are SamplesPerPixel */
- /* inknames. */
- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
- if( val > td->td_samplesperpixel )
- {
- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
- "Truncating NumberOfInks from %u to %"PRIu16,
- val, td->td_samplesperpixel);
- val = td->td_samplesperpixel;
- }
- *va_arg(ap, uint16_t*) = val;
- return 1;
- }
- return 0;
- }
switch (standard_tag) {
case TIFFTAG_SUBFILETYPE:
@@ -1124,6 +1142,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
case TIFFTAG_INKNAMES:
*va_arg(ap, const char**) = td->td_inknames;
break;
+ case TIFFTAG_NUMBEROFINKS:
+ *va_arg(ap, uint16_t *) = td->td_numberofinks;
+ break;
default:
{
int i;
diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
index 09065648..0c251c9e 100644
--- a/libtiff/tif_dir.h
+++ b/libtiff/tif_dir.h
@@ -117,6 +117,7 @@ typedef struct {
/* CMYK parameters */
int td_inknameslen;
char* td_inknames;
+ uint16_t td_numberofinks; /* number of inks in InkNames string */
int td_customValueCount;
TIFFTagValue *td_customValues;
@@ -174,6 +175,7 @@ typedef struct {
#define FIELD_TRANSFERFUNCTION 44
#define FIELD_INKNAMES 46
#define FIELD_SUBIFD 49
+#define FIELD_NUMBEROFINKS 50
/* FIELD_CUSTOM (see tiffio.h) 65 */
/* end of support for well-known tags; codec-private tags follow */
#define FIELD_CODEC 66 /* base of codec-private tags */
diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
index c30f569b..a7e78aae 100644
--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
@@ -114,7 +114,7 @@ tiffFields[] = {
{ TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
{ TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
{ TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
+ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
{ TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
{ TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
{ TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 2fef6d82..1a00edbf 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -708,6 +708,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64_t* pdiroff)
if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
goto bad;
}
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
+ {
+ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
+ goto bad;
+ }
if (TIFFFieldSet(tif,FIELD_SUBIFD))
{
if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index 80a9d90f..1ed90e28 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -401,6 +401,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
}
fputs("\n", fd);
}
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
+ fprintf(fd, " NumberOfInks: %d\n",
+ td->td_numberofinks);
+ }
if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
fprintf(fd, " Thresholding: ");
switch (td->td_threshholding) {

52
SOURCES/0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch
View File

@ -1,52 +0,0 @@
From 54972f69399628fd2105753cbcddb36ede510507 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 12 May 2018 15:32:31 +0200
Subject: [PATCH] (CVE-2018-8905) LZWDecodeCompat(): fix potential
index-out-of-bounds write. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
The fix consists in using the similar code LZWDecode() to validate we
don't write outside of the output buffer.
(cherry picked from commit 58a898cb4459055bb488ca815c23b880c242a27d)
---
libtiff/tif_lzw.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index bc8f9c84..186ea3ca 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
char *tp;
unsigned char *bp;
int code, nbits;
+ int len;
long nextbits, nextdata, nbitsmask;
code_t *codep, *free_entp, *maxcodep, *oldcodep;
@@ -755,13 +756,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
} while (--occ);
break;
}
- assert(occ >= codep->length);
- op += codep->length;
- occ -= codep->length;
- tp = op;
+ len = codep->length;
+ tp = op + len;
do {
- *--tp = codep->value;
- } while( (codep = codep->next) != NULL );
+ int t;
+ --tp;
+ t = codep->value;
+ codep = codep->next;
+ *tp = (char)t;
+ } while (codep && tp > op);
+ assert(occ >= len);
+ op += len;
+ occ -= len;
} else {
*op++ = (char)code;
occ--;

647
SOURCES/0008-CVE-2022-3570-CVE-2022-3598-tiffcrop-subroutines-req.patch Normal file
View File

@ -0,0 +1,647 @@
From aacb1f89c5aa85d513dea8bdb1fd6818519bae2d Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Thu, 13 Oct 2022 14:33:27 +0000
Subject: [PATCH] (CVE-2022-3570 CVE-2022-3598) tiffcrop subroutines require a
larger buffer (fixes #271, #381, #386, #388, #389, #435)
(cherry picked from commit afd7086090dafd3949afd172822cbcec4ed17d56)
---
tools/tiffcrop.c | 205 +++++++++++++++++++++++++++--------------------
1 file changed, 116 insertions(+), 89 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 613ce7f8..70d56e55 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -212,6 +212,10 @@ static char tiffcrop_rev_date[] = "02-09-2022";
#define TIFF_DIR_MAX 65534
+/* Some conversion subroutines require image buffers, which are at least 3 bytes
+ * larger than the necessary size for the image itself. */
+#define NUM_BUFF_OVERSIZE_BYTES 3
+
/* Offsets into buffer for margins and fixed width and length segments */
struct offset {
uint32_t tmargin;
@@ -233,7 +237,7 @@ struct offset {
*/
struct buffinfo {
- uint32_t size; /* size of this buffer */
+ size_t size; /* size of this buffer */
unsigned char *buffer; /* address of the allocated buffer */
};
@@ -810,8 +814,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
uint32_t dst_rowsize, shift_width;
uint32_t bytes_per_sample, bytes_per_pixel;
uint32_t trailing_bits, prev_trailing_bits;
- uint32_t tile_rowsize = TIFFTileRowSize(in);
- uint32_t src_offset, dst_offset;
+ tmsize_t tile_rowsize = TIFFTileRowSize(in);
+ tmsize_t src_offset, dst_offset;
uint32_t row_offset, col_offset;
uint8_t *bufp = (uint8_t*) buf;
unsigned char *src = NULL;
@@ -861,7 +865,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
exit(EXIT_FAILURE);
}
- tilebuf = limitMalloc(tile_buffsize + 3);
+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (tilebuf == 0)
return 0;
tilebuf[tile_buffsize] = 0;
@@ -1024,7 +1028,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf,
for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++)
{
srcbuffs[sample] = NULL;
- tbuff = (unsigned char *)limitMalloc(tilesize + 8);
+ tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES);
if (!tbuff)
{
TIFFError ("readSeparateTilesIntoBuffer",
@@ -1217,7 +1221,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
}
rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
- obuf = limitMalloc (rowstripsize);
+ /* Add 3 padding bytes for extractContigSamples32bits */
+ obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
if (obuf == NULL)
return 1;
@@ -1229,7 +1234,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
stripsize = TIFFVStripSize(out, nrows);
src = buf + (row * rowsize);
- memset (obuf, '\0', rowstripsize);
+ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump))
{
_TIFFfree(obuf);
@@ -1237,10 +1242,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
}
if ((dump->outfile != NULL) && (dump->level == 1))
{
- dump_info(dump->outfile, dump->format,"",
+ if (scanlinesize > 0x0ffffffffULL) {
+ dump_info(dump->infile, dump->format, "loadImage",
+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
+ scanlinesize);
+ }
+ dump_info(dump->outfile, dump->format,"",
"Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d",
- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf);
- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf);
+ s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf);
+ dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf);
}
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0)
@@ -1267,7 +1277,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
uint32_t tl, tw;
uint32_t row, col, nrow, ncol;
uint32_t src_rowsize, col_offset;
- uint32_t tile_rowsize = TIFFTileRowSize(out);
+ tmsize_t tile_rowsize = TIFFTileRowSize(out);
uint8_t* bufp = (uint8_t*) buf;
tsize_t tile_buffsize = 0;
tsize_t tilesize = TIFFTileSize(out);
@@ -1310,9 +1320,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
}
src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
- tilebuf = limitMalloc(tile_buffsize);
+ /* Add 3 padding bytes for extractContigSamples32bits */
+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (tilebuf == 0)
return 1;
+ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
for (row = 0; row < imagelength; row += tl)
{
nrow = (row + tl > imagelength) ? imagelength - row : tl;
@@ -1358,7 +1370,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
uint32_t imagewidth, tsample_t spp,
struct dump_opts * dump)
{
- tdata_t obuf = limitMalloc(TIFFTileSize(out));
+ /* Add 3 padding bytes for extractContigSamples32bits */
+ tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
uint32_t tl, tw;
uint32_t row, col, nrow, ncol;
uint32_t src_rowsize, col_offset;
@@ -1368,6 +1381,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
if (obuf == NULL)
return 1;
+ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
!TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
@@ -1793,14 +1807,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
*opt_offset = '\0';
/* convert option to lowercase */
- end = strlen (opt_ptr);
+ end = (unsigned int)strlen (opt_ptr);
for (i = 0; i < end; i++)
*(opt_ptr + i) = tolower((int) *(opt_ptr + i));
/* Look for dump format specification */
if (strncmp(opt_ptr, "for", 3) == 0)
{
/* convert value to lowercase */
- end = strlen (opt_offset + 1);
+ end = (unsigned int)strlen (opt_offset + 1);
for (i = 1; i <= end; i++)
*(opt_offset + i) = tolower((int) *(opt_offset + i));
/* check dump format value */
@@ -2273,6 +2287,8 @@ main(int argc, char* argv[])
size_t length;
char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */
+ assert(NUM_BUFF_OVERSIZE_BYTES >= 3);
+
little_endian = *((unsigned char *)&little_endian) & '1';
initImageData(&image);
@@ -3227,13 +3243,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
/* If we have a full buffer's worth, write it out */
if (ready_bits >= 32)
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -3642,13 +3658,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
}
else /* If we have a full buffer's worth, write it out */
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -3825,10 +3841,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3
static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
{
uint8_t* bufp = buf;
- int32_t bytes_read = 0;
+ tmsize_t bytes_read = 0;
uint32_t strip, nstrips = TIFFNumberOfStrips(in);
- uint32_t stripsize = TIFFStripSize(in);
- uint32_t rows = 0;
+ tmsize_t stripsize = TIFFStripSize(in);
+ tmsize_t rows = 0;
uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
tsize_t scanline_size = TIFFScanlineSize(in);
@@ -3841,11 +3857,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1);
rows = bytes_read / scanline_size;
if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize))
- TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32,
+ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64,
strip + 1, bytes_read, stripsize);
if (bytes_read < 0 && !ignore) {
- TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows",
+ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows",
strip, rows);
return 0;
}
@@ -4310,13 +4326,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
/* If we have a full buffer's worth, write it out */
if (ready_bits >= 32)
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -4359,10 +4375,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
"Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
row + 1, col + 1, src_byte, src_bit, dst - out);
- dump_long (dumpfile, format, "Match bits ", matchbits);
+ dump_wide (dumpfile, format, "Match bits ", matchbits);
dump_data (dumpfile, format, "Src bits ", src, 4);
- dump_long (dumpfile, format, "Buff1 bits ", buff1);
- dump_long (dumpfile, format, "Buff2 bits ", buff2);
+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
dump_byte (dumpfile, format, "Write bits1", bytebuff1);
dump_byte (dumpfile, format, "Write bits2", bytebuff2);
dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
@@ -4835,13 +4851,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
/* If we have a full buffer's worth, write it out */
if (ready_bits >= 32)
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -4884,10 +4900,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
"Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
row + 1, col + 1, src_byte, src_bit, dst - out);
- dump_long (dumpfile, format, "Match bits ", matchbits);
+ dump_wide (dumpfile, format, "Match bits ", matchbits);
dump_data (dumpfile, format, "Src bits ", src, 4);
- dump_long (dumpfile, format, "Buff1 bits ", buff1);
- dump_long (dumpfile, format, "Buff2 bits ", buff2);
+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
dump_byte (dumpfile, format, "Write bits1", bytebuff1);
dump_byte (dumpfile, format, "Write bits2", bytebuff2);
dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
@@ -4910,7 +4926,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
{
int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
uint32_t j;
- int32_t bytes_read = 0;
+ tmsize_t bytes_read = 0;
uint16_t bps = 0, planar;
uint32_t nstrips;
uint32_t strips_per_sample;
@@ -4976,7 +4992,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
{
srcbuffs[s] = NULL;
- buff = limitMalloc(stripsize + 3);
+ buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES);
if (!buff)
{
TIFFError ("readSeparateStripsIntoBuffer",
@@ -4999,7 +5015,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
buff = srcbuffs[s];
strip = (s * strips_per_sample) + j;
bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
- rows_this_strip = bytes_read / src_rowsize;
+ rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
if (bytes_read < 0 && !ignore)
{
TIFFError(TIFFFileName(in),
@@ -6062,13 +6078,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
uint16_t input_compression = 0, input_photometric = 0;
uint16_t subsampling_horiz, subsampling_vert;
uint32_t width = 0, length = 0;
- uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0;
+ tmsize_t stsize = 0, tlsize = 0, buffsize = 0;
+ tmsize_t scanlinesize = 0;
uint32_t tw = 0, tl = 0; /* Tile width and length */
- uint32_t tile_rowsize = 0;
+ tmsize_t tile_rowsize = 0;
unsigned char *read_buff = NULL;
unsigned char *new_buff = NULL;
int readunit = 0;
- static uint32_t prev_readsize = 0;
+ static tmsize_t prev_readsize = 0;
TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -6325,6 +6342,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
/* The buffsize_check and the possible adaptation of buffsize
* has to account also for padding of each line to a byte boundary.
* This is assumed by mirrorImage() and rotateImage().
+ * Furthermore, functions like extractContigSamplesShifted32bits()
+ * need a buffer, which is at least 3 bytes larger than the actual image.
* Otherwise buffer-overflow might occur there.
*/
buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8);
@@ -6376,7 +6395,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
return (-1);
}
- read_buff = (unsigned char *)limitMalloc(buffsize+3);
+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
{
@@ -6387,11 +6406,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
return (-1);
}
- new_buff = _TIFFrealloc(read_buff, buffsize+3);
+ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (!new_buff)
{
free (read_buff);
- read_buff = (unsigned char *)limitMalloc(buffsize+3);
+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
read_buff = new_buff;
@@ -6464,8 +6483,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
dump_info (dump->infile, dump->format, "",
"Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp);
+ if (scanlinesize > 0x0ffffffffULL) {
+ dump_info(dump->infile, dump->format, "loadImage",
+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
+ scanlinesize);
+ }
for (i = 0; i < length; i++)
- dump_buffer(dump->infile, dump->format, 1, scanlinesize,
+ dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize,
i, read_buff + (i * scanlinesize));
}
return (0);
@@ -7485,13 +7509,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image,
if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
- int inknameslen = strlen(inknames) + 1;
+ int inknameslen = (int)strlen(inknames) + 1;
const char* cp = inknames;
while (ninks > 1) {
cp = strchr(cp, '\0');
if (cp) {
cp++;
- inknameslen += (strlen(cp) + 1);
+ inknameslen += ((int)strlen(cp) + 1);
}
ninks--;
}
@@ -7554,23 +7578,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
if (!sect_buff)
{
- sect_buff = (unsigned char *)limitMalloc(sectsize);
+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
if (!sect_buff)
{
TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
return (-1);
}
- _TIFFmemset(sect_buff, 0, sectsize);
+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
{
if (prev_sectsize < sectsize)
{
- new_buff = _TIFFrealloc(sect_buff, sectsize);
+ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES);
if (!new_buff)
{
_TIFFfree (sect_buff);
- sect_buff = (unsigned char *)limitMalloc(sectsize);
+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
sect_buff = new_buff;
@@ -7580,7 +7604,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
return (-1);
}
- _TIFFmemset(sect_buff, 0, sectsize);
+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
}
}
@@ -7611,17 +7635,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
cropsize = crop->bufftotal;
crop_buff = seg_buffs[0].buffer;
if (!crop_buff)
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
{
prev_cropsize = seg_buffs[0].size;
if (prev_cropsize < cropsize)
{
- next_buff = _TIFFrealloc(crop_buff, cropsize);
+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (! next_buff)
{
_TIFFfree (crop_buff);
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
crop_buff = next_buff;
@@ -7634,7 +7658,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
seg_buffs[0].buffer = crop_buff;
seg_buffs[0].size = cropsize;
@@ -7714,17 +7738,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
cropsize = crop->bufftotal;
crop_buff = seg_buffs[i].buffer;
if (!crop_buff)
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
{
prev_cropsize = seg_buffs[0].size;
if (prev_cropsize < cropsize)
{
- next_buff = _TIFFrealloc(crop_buff, cropsize);
+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (! next_buff)
{
_TIFFfree (crop_buff);
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
crop_buff = next_buff;
@@ -7737,7 +7761,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
seg_buffs[i].buffer = crop_buff;
seg_buffs[i].size = cropsize;
@@ -7853,24 +7877,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
crop_buff = *crop_buff_ptr;
if (!crop_buff)
{
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (!crop_buff)
{
TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
prev_cropsize = cropsize;
}
else
{
if (prev_cropsize < cropsize)
{
- new_buff = _TIFFrealloc(crop_buff, cropsize);
+ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (!new_buff)
{
free (crop_buff);
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
crop_buff = new_buff;
@@ -7879,7 +7903,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
}
@@ -8177,13 +8201,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
- int inknameslen = strlen(inknames) + 1;
+ int inknameslen = (int)strlen(inknames) + 1;
const char* cp = inknames;
while (ninks > 1) {
cp = strchr(cp, '\0');
if (cp) {
cp++;
- inknameslen += (strlen(cp) + 1);
+ inknameslen += ((int)strlen(cp) + 1);
}
ninks--;
}
@@ -8568,13 +8592,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
}
else /* If we have a full buffer's worth, write it out */
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -8643,12 +8667,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
return (-1);
}
- if (!(rbuff = (unsigned char *)limitMalloc(buffsize)))
+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
+ if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
{
- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize);
+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
return (-1);
}
- _TIFFmemset(rbuff, '\0', buffsize);
+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
ibuff = *ibuff_ptr;
switch (rotation)
@@ -9176,13 +9201,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width,
}
else /* If we have a full buffer's worth, write it out */
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -9273,12 +9298,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
{
case MIRROR_BOTH:
case MIRROR_VERT:
- line_buff = (unsigned char *)limitMalloc(rowsize);
+ line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES);
if (line_buff == NULL)
{
- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize);
+ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES);
return (-1);
}
+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
dst = ibuff + (rowsize * (length - 1));
for (row = 0; row < length / 2; row++)
@@ -9310,11 +9336,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
}
else
{ /* non 8 bit per sample data */
- if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1)))
+ if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES)))
{
TIFFError("mirrorImage", "Unable to allocate mirror line buffer");
return (-1);
}
+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
bytes_per_sample = (bps + 7) / 8;
bytes_per_pixel = ((bps * spp) + 7) / 8;
if (bytes_per_pixel < (bytes_per_sample + 1))
@@ -9326,7 +9353,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
{
row_offset = row * rowsize;
src = ibuff + row_offset;
- _TIFFmemset (line_buff, '\0', rowsize);
+ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
switch (shift_width)
{
case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff))

29
SOURCES/0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch
View File

@ -1,29 +0,0 @@
From 142912f9f5bce169d9d0b16a687c00f9edec5825 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 12 May 2018 14:24:15 +0200
Subject: [PATCH] (CVE-2018-10963) TIFFWriteDirectorySec: avoid assertion.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
(cherry picked from commit de144fd228e4be8aa484c3caf3d814b6fa88c6d9)
---
libtiff/tif_dirwrite.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index c68d6d21..5d0a6699 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
}
break;
default:
- assert(0); /* we should never get here */
- break;
+ TIFFErrorExt(tif->tif_clientdata,module,
+ "Cannot write tag %d (%s)",
+ TIFFFieldTag(o),
+ o->field_name ? o->field_name : "unknown");
+ goto bad;
}
}
}

14
SOURCES/0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch → SOURCES/0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
View File

@ -1,4 +1,4 @@
From a28b2e1b23fc936989dc4bbc857e9a8a851c5ff0 Mon Sep 17 00:00:00 2001
From b6204fada53418fdf140e039e87052f987770de1 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 8 Nov 2022 15:16:58 +0100
Subject: [PATCH] (CVE-2022-3970) TIFFReadRGBATileExt(): fix (unsigned) integer
@ -6,16 +6,16 @@ Subject: [PATCH] (CVE-2022-3970) TIFFReadRGBATileExt(): fix (unsigned) integer
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
(cherry picked from commit 227500897dfb07fb7d27f7aa570050e62617e3be)
(cherry picked from commit 227500897dfb07fb7d27f7aa570050e62617e3be)
---
libtiff/tif_getimage.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index b1f7cc95..00cd5510 100644
index a1b6570b..9a2e0c59 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -3044,15 +3044,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
@@ -3058,15 +3058,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
return( ok );
for( i_row = 0; i_row < read_ysize; i_row++ ) {
@ -23,15 +23,15 @@ index b1f7cc95..00cd5510 100644
- raster + (read_ysize - i_row - 1) * read_xsize,
+ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
read_xsize * sizeof(uint32) );
read_xsize * sizeof(uint32_t) );
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
0, sizeof(uint32) * (tile_xsize - read_xsize) );
0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
}
for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
0, sizeof(uint32) * tile_xsize );
0, sizeof(uint32_t) * tile_xsize );
}

38
SOURCES/0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch
View File

@ -1,38 +0,0 @@
From a04b4c4aec3bbfbbde9602ddb4e00809a1a4f92c Mon Sep 17 00:00:00 2001
From: Young_X <YangX92@hotmail.com>
Date: Sat, 8 Sep 2018 14:46:27 +0800
Subject: [PATCH] (CVE-2018-17100) avoid potential int32 overflows in
multiply_ms()
(cherry picked from commit 6da1fb3f64d43be37e640efbec60400d1f1ac39e)
---
tools/ppm2tiff.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
index 91415e96..81ffa3db 100644
--- a/tools/ppm2tiff.c
+++ b/tools/ppm2tiff.c
@@ -72,15 +72,16 @@ BadPPM(char* file)
exit(-2);
}
+
+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+
static tmsize_t
multiply_ms(tmsize_t m1, tmsize_t m2)
{
- tmsize_t bytes = m1 * m2;
-
- if (m1 && bytes / m1 != m2)
- bytes = 0;
-
- return bytes;
+ if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+ return 0;
+ return m1 * m2;
}
int

18
SOURCES/0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch → SOURCES/0010-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch
View File

@ -1,24 +1,28 @@
From 72bbfc1ecd58f7732946719a0aeb2070f056bb6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 16 May 2023 13:04:55 +0200
From cadce9836463df5653b573eff47fddadc23431c5 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 21 Jan 2023 15:58:10 +0000
Subject: [PATCH] (CVE-2022-48281) tiffcrop: Correct simple copy paste error.
Fix #488.
Closes #488
See merge request libtiff/libtiff!459
(cherry picked from commit d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5)
---
tools/tiffcrop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 848b2b49..7f738d91 100644
index 70d56e55..57940697 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7537,7 +7537,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
@@ -7741,7 +7741,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
{
- prev_cropsize = seg_buffs[0].size;
+ prev_cropsize = seg_buffs[i].size;
if (prev_cropsize < cropsize)
{
next_buff = _TIFFrealloc(crop_buff, cropsize);
next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);

107
SOURCES/0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch
View File

@ -1,107 +0,0 @@
From dfd5030637f8643990161311eb6b47f3292ab076 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 14 Oct 2018 16:38:29 +0200
Subject: [PATCH] (CVE-2018-18557) JBIG: fix potential out-of-bounds write in
JBIGDecode()
JBIGDecode doesn't check if the user provided buffer is large enough
to store the JBIG decoded image, which can potentially cause out-of-bounds
write in the buffer.
This issue was reported and analyzed by Thomas Dullien.
Also fixes a (harmless) potential use of uninitialized memory when
tif->tif_rawsize > tif->tif_rawcc
And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
that whole strip data is provided to JBIGDecode()
(cherry picked from commit 681748ec2f5ce88da5f9fa6831e1653e46af8a66)
---
libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------
libtiff/tif_read.c | 6 ++++++
2 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
index 7a14dd9a..8136c77b 100644
--- a/libtiff/tif_jbig.c
+++ b/libtiff/tif_jbig.c
@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
struct jbg_dec_state decoder;
int decodeStatus = 0;
unsigned char* pImage = NULL;
- (void) size, (void) s;
+ unsigned long decodedSize;
+ (void) s;
if (isFillOrder(tif, tif->tif_dir.td_fillorder))
{
- TIFFReverseBits(tif->tif_rawdata, tif->tif_rawdatasize);
+ TIFFReverseBits(tif->tif_rawcp, tif->tif_rawcc);
}
jbg_dec_init(&decoder);
#if defined(HAVE_JBG_NEWLEN)
- jbg_newlen(tif->tif_rawdata, (size_t)tif->tif_rawdatasize);
+ jbg_newlen(tif->tif_rawcp, (size_t)tif->tif_rawcc);
/*
* I do not check the return status of jbg_newlen because even if this
* function fails it does not necessarily mean that decoding the image
@@ -76,8 +77,8 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
*/
#endif /* HAVE_JBG_NEWLEN */
- decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawdata,
- (size_t)tif->tif_rawdatasize, NULL);
+ decodeStatus = jbg_dec_in(&decoder, (unsigned char*)tif->tif_rawcp,
+ (size_t)tif->tif_rawcc, NULL);
if (JBG_EOK != decodeStatus)
{
/*
@@ -98,9 +99,28 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
return 0;
}
+ decodedSize = jbg_dec_getsize(&decoder);
+ if( (tmsize_t)decodedSize < size )
+ {
+ TIFFWarningExt(tif->tif_clientdata, "JBIG",
+ "Only decoded %lu bytes, whereas %lu requested",
+ decodedSize, (unsigned long)size);
+ }
+ else if( (tmsize_t)decodedSize > size )
+ {
+ TIFFErrorExt(tif->tif_clientdata, "JBIG",
+ "Decoded %lu bytes, whereas %lu were requested",
+ decodedSize, (unsigned long)size);
+ jbg_dec_free(&decoder);
+ return 0;
+ }
pImage = jbg_dec_getimage(&decoder, 0);
- _TIFFmemcpy(buffer, pImage, jbg_dec_getsize(&decoder));
+ _TIFFmemcpy(buffer, pImage, decodedSize);
jbg_dec_free(&decoder);
+
+ tif->tif_rawcp += tif->tif_rawcc;
+ tif->tif_rawcc = 0;
+
return 1;
}
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 2ba985a7..04100f4d 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
return 0;
whole_strip = tif->tif_dir.td_stripbytecount[strip] < 10
|| isMapped(tif);
+ if( td->td_compression == COMPRESSION_JBIG )
+ {
+ /* Ideally plugins should have a way to declare they don't support
+ * chunk strip */
+ whole_strip = 1;
+ }
#else
whole_strip = 1;
#endif

12
SOURCES/0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch → SOURCES/0011-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
View File

@ -1,4 +1,4 @@
From 73b3f582caa08a976d647537346790b182bbcc10 Mon Sep 17 00:00:00 2001
From 22b164b8734f9d1ea91760d87e9531e3b3cc7017 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 5 Feb 2023 15:53:16 +0000
Subject: [PATCH] (CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803
@ -15,10 +15,10 @@ See merge request libtiff/libtiff!466
1 file changed, 66 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 7f738d91..77923cf3 100644
index 57940697..2c0ebf4b 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5235,18 +5235,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
@@ -5364,18 +5364,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
crop->regionlist[i].buffsize = buffsize;
crop->bufftotal += buffsize;
@ -59,7 +59,7 @@ index 7f738d91..77923cf3 100644
crop->combined_width = zwidth;
crop->combined_length += zlength;
break;
@@ -6390,6 +6412,46 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
@@ -6589,6 +6611,46 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
crop->combined_width = 0;
crop->combined_length = 0;
@ -106,7 +106,7 @@ index 7f738d91..77923cf3 100644
for (i = 0; i < crop->selections; i++)
{
/* rows, columns, width, length are expressed in pixels */
@@ -6414,7 +6476,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
@@ -6613,7 +6675,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
default:
case EDGE_TOP:
case EDGE_BOTTOM:
@ -116,7 +116,7 @@ index 7f738d91..77923cf3 100644
{
TIFFError ("extractCompositeRegions",
"Only equal width regions can be combined for -E top or bottom");
@@ -6495,7 +6558,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
@@ -6694,7 +6757,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
break;
case EDGE_LEFT: /* splice the pieces of each row together, side by side */
case EDGE_RIGHT:

119
SOURCES/0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch
View File

@ -1,119 +0,0 @@
From 44ef4d3a8e92171f7470620649e8911a8056297c Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 30 Oct 2018 18:50:27 +0100
Subject: [PATCH] (CVE-2018-18661) tiff2bw: avoid null pointer dereference in
case of out of memory situation. Fixes
http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661
(cherry picked from commit 99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f)
---
libtiff/tiffiop.h | 1 +
tools/tiff2bw.c | 30 ++++++++++++++++++++++++++----
tools/tiffcrop.c | 5 -----
3 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index daa291c0..08e5dc44 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
#endif
#define streq(a,b) (strcmp(a,b) == 0)
+#define strneq(a,b,n) (strncmp(a,b,n) == 0)
#ifndef TRUE
#define TRUE 1
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
index dad54afa..1f3bb2cd 100644
--- a/tools/tiff2bw.c
+++ b/tools/tiff2bw.c
@@ -40,9 +40,7 @@
#endif
#include "tiffio.h"
-
-#define streq(a,b) (strcmp((a),(b)) == 0)
-#define strneq(a,b,n) (strncmp(a,b,n) == 0)
+#include "tiffiop.h"
/* x% weighting -> fraction of full color */
#define PCT(x) (((x)*256+50)/100)
@@ -223,6 +221,11 @@ main(int argc, char* argv[])
TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, thing);
TIFFSetField(out, TIFFTAG_SOFTWARE, "tiff2bw");
outbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(out));
+ if( !outbuf )
+ {
+ fprintf(stderr, "Out of memory\n");
+ goto tiff2bw_error;
+ }
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP,
TIFFDefaultStripSize(out, rowsperstrip));
@@ -246,6 +249,11 @@ main(int argc, char* argv[])
#undef CVT
}
inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
+ if( !inbuf )
+ {
+ fprintf(stderr, "Out of memory\n");
+ goto tiff2bw_error;
+ }
for (row = 0; row < h; row++) {
if (TIFFReadScanline(in, inbuf, row, 0) < 0)
break;
@@ -256,6 +264,11 @@ main(int argc, char* argv[])
break;
case pack(PHOTOMETRIC_RGB, PLANARCONFIG_CONTIG):
inbuf = (unsigned char *)_TIFFmalloc(TIFFScanlineSize(in));
+ if( !inbuf )
+ {
+ fprintf(stderr, "Out of memory\n");
+ goto tiff2bw_error;
+ }
for (row = 0; row < h; row++) {
if (TIFFReadScanline(in, inbuf, row, 0) < 0)
break;
@@ -265,8 +278,16 @@ main(int argc, char* argv[])
}
break;
case pack(PHOTOMETRIC_RGB, PLANARCONFIG_SEPARATE):
+ {
+ tmsize_t inbufsize;
rowsize = TIFFScanlineSize(in);
- inbuf = (unsigned char *)_TIFFmalloc(3*rowsize);
+ inbufsize = TIFFSafeMultiply(tmsize_t, 3, rowsize);
+ inbuf = (unsigned char *)_TIFFmalloc(inbufsize);
+ if( !inbuf )
+ {
+ fprintf(stderr, "Out of memory\n");
+ goto tiff2bw_error;
+ }
for (row = 0; row < h; row++) {
for (s = 0; s < 3; s++)
if (TIFFReadScanline(in,
@@ -278,6 +299,7 @@ main(int argc, char* argv[])
break;
}
break;
+ }
}
#undef pack
if (inbuf)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index c60cb389..3862b1ca 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
#define TIFF_UINT32_MAX 0xFFFFFFFFU
-#ifndef streq
-#define streq(a,b) (strcmp((a),(b)) == 0)
-#endif
-#define strneq(a,b,n) (strncmp((a),(b),(n)) == 0)
-
#define TRUE 1
#define FALSE 0

174
SOURCES/0012-Merge-branch-tiffcrop_correctly_update_buffersize_af.patch Normal file
View File

@ -0,0 +1,174 @@
From 7160a3d1a81ba2feaee3a8c0aea10eb9efb74ab9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 14 Mar 2023 18:40:04 +0100
Subject: [PATCH] Merge branch
'tiffcrop_correctly_update_buffersize_after_rotate_fix#520' into 'master'
tiffcrop correctly update buffersize after rotateImage() fix#520
Closes #520
See merge request libtiff/libtiff!467
(cherry picked from commit 6366e8f776a0fa0dd476d37b108eecdf42b950f3)
---
tools/tiffcrop.c | 66 +++++++++++++++++++++++++++++++++++++-----------
1 file changed, 51 insertions(+), 15 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 2c0ebf4b..e183e849 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -526,7 +526,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
uint32_t, uint32_t, uint8_t *, uint8_t *);
static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
- unsigned char **);
+ unsigned char **, size_t *);
static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
unsigned char *);
static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
@@ -6557,7 +6557,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
return (-1);
}
- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
+ if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL))
{
TIFFError ("correct_orientation", "Unable to rotate image");
return (-1);
@@ -7781,16 +7781,19 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
+ /* rotateImage() set up a new buffer and calculates its size
+ * individually. Therefore, seg_buffs size needs to be updated
+ * accordingly. */
+ size_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff))
+ &crop->combined_length, &crop_buff, &rot_buf_size))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
return (-1);
}
seg_buffs[0].buffer = crop_buff;
- seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
- * image->spp) * crop->combined_length;
+ seg_buffs[0].size = rot_buf_size;
}
}
else /* Separated Images */
@@ -7890,9 +7893,12 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
{
/* rotateImage() changes image->width, ->length, ->xres and ->yres, what it schouldn't do here, when more than one section is processed.
* ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !!
- */
- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff))
+ * Furthermore, rotateImage() set up a new buffer and calculates
+ * its size individually. Therefore, seg_buffs size needs to be
+ * updated accordingly. */
+ size_t rot_buf_size = 0;
+ if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
@@ -7903,8 +7909,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
crop->combined_width = total_width;
crop->combined_length = total_length;
seg_buffs[i].buffer = crop_buff;
- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
- * image->spp) * crop->regionlist[i].length;
+ seg_buffs[i].size = rot_buf_size;
}
} /* for crop->selections loop */
} /* Separated Images (else case) */
@@ -8024,7 +8029,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr))
+ &crop->combined_length, crop_buff_ptr, NULL))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
@@ -8687,13 +8692,14 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
/* Rotate an image by a multiple of 90 degrees clockwise */
static int
rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
- uint32_t *img_length, unsigned char **ibuff_ptr)
+ uint32_t * img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size)
{
int shift_width;
uint32_t bytes_per_pixel, bytes_per_sample;
uint32_t row, rowsize, src_offset, dst_offset;
uint32_t i, col, width, length;
- uint32_t colsize, buffsize, col_offset, pix_offset;
+ uint32_t colsize, col_offset, pix_offset;
+ tmsize_t buffsize;
unsigned char *ibuff;
unsigned char *src;
unsigned char *dst;
@@ -8706,12 +8712,40 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
spp = image->spp;
bps = image->bps;
+ if ((spp != 0 && bps != 0 &&
+ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
+ (spp != 0 && bps != 0 &&
+ length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
+ {
+ TIFFError("rotateImage", "Integer overflow detected.");
+ return (-1);
+ }
rowsize = ((bps * spp * width) + 7) / 8;
colsize = ((bps * spp * length) + 7) / 8;
if ((colsize * width) > (rowsize * length))
- buffsize = (colsize + 1) * width;
+ {
+ if (((tmsize_t)colsize + 1) != 0 &&
+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+ ((tmsize_t)colsize + 1)))
+ {
+ TIFFError("rotateImage",
+ "Integer overflow when calculating buffer size.");
+ return (-1);
+ }
+ buffsize = ((tmsize_t)colsize + 1) * width;
+ }
else
+ {
+ if (((tmsize_t)rowsize + 1) != 0 &&
+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+ ((tmsize_t)rowsize + 1)))
+ {
+ TIFFError("rotateImage",
+ "Integer overflow when calculating buffer size.");
+ return (-1);
+ }
buffsize = (rowsize + 1) * length;
+ }
bytes_per_sample = (bps + 7) / 8;
bytes_per_pixel = ((bps * spp) + 7) / 8;
@@ -8734,7 +8768,7 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
/* Add 3 padding bytes for extractContigSamplesShifted32bits */
if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
{
- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT " bytes ", buffsize + NUM_BUFF_OVERSIZE_BYTES);
return (-1);
}
_TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
@@ -8764,6 +8798,8 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
for (row = 0; row < length; row++)
{
src_offset = row * rowsize;
+ if (rot_buf_size != NULL)
+ *rot_buf_size = buffsize;
dst_offset = (length - row - 1) * rowsize;
src = ibuff + src_offset;
dst = rbuff + dst_offset;

154
SOURCES/0013-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0.patch Normal file
View File

@ -0,0 +1,154 @@
From 9debf535618baef5a906de9f07d937e361ea0bc0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 14 Mar 2023 19:37:18 +0100
Subject: [PATCH] (CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798
CVE-2023-0799) Merge branch 'tiffcrop_R270_fix#492' into 'master'
tiffcrop: Amend rotateImage() not to toggle the input (main) image width and...
Closes #519, #518, #499, #495, #494, #493 et #492
See merge request libtiff/libtiff!465
(cherry picked from commit afaabc3e50d4e5d80a94143f7e3c997e7e410f68)
---
tools/tiffcrop.c | 49 +++++++++++++++++++++++++++---------------------
1 file changed, 28 insertions(+), 21 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index e183e849..c2688883 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -271,7 +271,6 @@ struct region {
uint32_t width; /* width in pixels */
uint32_t length; /* length in pixels */
uint32_t buffsize; /* size of buffer needed to hold the cropped region */
- unsigned char *buffptr; /* address of start of the region */
};
/* Cropping parameters from command line and image data
@@ -526,7 +525,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
uint32_t, uint32_t, uint8_t *, uint8_t *);
static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
- unsigned char **, size_t *);
+ unsigned char **, size_t *, int);
static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
unsigned char *);
static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
@@ -5224,7 +5223,6 @@ initCropMasks (struct crop_mask *cps)
cps->regionlist[i].width = 0;
cps->regionlist[i].length = 0;
cps->regionlist[i].buffsize = 0;
- cps->regionlist[i].buffptr = NULL;
cps->zonelist[i].position = 0;
cps->zonelist[i].total = 0;
}
@@ -6556,8 +6554,12 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
(uint16_t) (image->adjustments & ROTATE_ANY));
return (-1);
}
-
- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL))
+ /* Dummy variable in order not to switch two times the
+ * image->width,->length within rotateImage(),
+ * but switch xres, yres there. */
+ uint32_t width = image->width;
+ uint32_t length = image->length;
+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL, TRUE))
{
TIFFError ("correct_orientation", "Unable to rotate image");
return (-1);
@@ -6665,7 +6667,6 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
/* These should not be needed for composite images */
crop->regionlist[i].width = crop_width;
crop->regionlist[i].length = crop_length;
- crop->regionlist[i].buffptr = crop_buff;
src_rowsize = ((img_width * bps * spp) + 7) / 8;
dst_rowsize = (((crop_width * bps * count) + 7) / 8);
@@ -6904,7 +6905,6 @@ extractSeparateRegion(struct image_data *image, struct crop_mask *crop,
crop->regionlist[region].width = crop_width;
crop->regionlist[region].length = crop_length;
- crop->regionlist[region].buffptr = crop_buff;
src = read_buff;
dst = crop_buff;
@@ -7786,7 +7786,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
* accordingly. */
size_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff, &rot_buf_size))
+ &crop->combined_length, &crop_buff, &rot_buf_size, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
@@ -7898,7 +7898,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
* updated accordingly. */
size_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
@@ -8029,7 +8029,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr, NULL))
+ &crop->combined_length, crop_buff_ptr, NULL, TRUE))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
@@ -8692,7 +8692,8 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
/* Rotate an image by a multiple of 90 degrees clockwise */
static int
rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
- uint32_t * img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size)
+ uint32_t * img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size,
+ int rot_image_params)
{
int shift_width;
uint32_t bytes_per_pixel, bytes_per_sample;
@@ -8914,11 +8915,14 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params) {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
case 270: if ((bps % 8) == 0) /* byte aligned data */
@@ -8991,11 +8995,14 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params) {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
default:
break;

40
SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch
View File

@ -1,40 +0,0 @@
From 14212e5d19b47d02a4989aa31b9a326c1b131460 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Wed, 31 Oct 2018 11:50:48 +0100
Subject: [PATCH] (bz1602597) Fix two resource leaks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Nikola Forró <nforro@redhat.com>
(cherry picked from commit 2f694198f1931e144e0a07a7fb50546b5b70e3ef)
---
tools/ppm2tiff.c | 2 ++
tools/tiff2pdf.c | 1 +
2 files changed, 3 insertions(+)
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
index 81ffa3db..a02e865a 100644
--- a/tools/ppm2tiff.c
+++ b/tools/ppm2tiff.c
@@ -285,6 +285,8 @@ main(int argc, char* argv[])
if (TIFFWriteScanline(out, buf, row, 0) < 0)
break;
}
+ if (in != stdin)
+ fclose(in);
(void) TIFFClose(out);
if (buf)
_TIFFfree(buf);
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index bd23c9e5..ff7b9c22 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
"for t2p_readwrite_pdf_image_tile, %s",
(unsigned long) t2p->tiff_datasize,
TIFFFileName(input));
+ _TIFFfree(buffer);
t2p->t2p_error = T2P_ERR_ERROR;
return(0);
}

47
SOURCES/0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch
View File

@ -1,47 +0,0 @@
From 98e37a5c822bdfed2343e6ab9d03680e85783aef Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Mon, 11 Feb 2019 10:05:33 +0100
Subject: [PATCH] (CVE-2018-12900) check that (Tile Width)*(Samples/Pixel) do
no overflow
fixes bug 2833
(cherry picked from commit 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d)
---
tools/tiffcp.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 489459a7..96f14728 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -43,6 +43,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include <ctype.h>
@@ -1391,7 +1392,7 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
int status = 1;
uint32 imagew = TIFFRasterScanlineSize(in);
uint32 tilew = TIFFTileRowSize(in);
- int iskew = imagew - tilew*spp;
+ int iskew;
tsize_t tilesize = TIFFTileSize(in);
tdata_t tilebuf;
uint8* bufp = (uint8*) buf;
@@ -1399,6 +1400,12 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
uint32 row;
uint16 bps = 0, bytes_per_sample;
+ if (tilew && spp > (INT_MAX / tilew))
+ {
+ TIFFError(TIFFFileName(in), "Error, cannot handle that much samples per tile row (Tile Width * Samples/Pixel)");
+ return 0;
+ }
+ iskew = imagew - tilew*spp;
tilebuf = _TIFFmalloc(tilesize);
if (tilebuf == 0)
return 0;

36
SOURCES/0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch Normal file
View File

@ -0,0 +1,36 @@
From af4ee2276bfb9cfdd1809326604ead5a405735be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 8 Jun 2023 14:10:59 +0200
Subject: [PATCH] (CVE-2023-2731) LZWDecode(): avoid crash when trying to read
again from a strip whith a missing end-of-information marker (fixes #548)
(cherry picked from commit 9be22b639ea69e102d3847dca4c53ef025e9527b)
---
libtiff/tif_lzw.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index 096824d2..2ba6237e 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -404,7 +404,11 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
assert(sp->dec_codetab != NULL);
if (sp->read_error) {
- return 0;
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
+ "previous error",
+ tif->tif_row);
+ return 0;
}
/*
@@ -705,6 +709,7 @@ after_loop:
return (1);
no_eoi:
+ sp->read_error = 1;
TIFFErrorExt(tif->tif_clientdata, module,
"LZWDecode: Strip %"PRIu32" not terminated with EOI code",
tif->tif_curstrip);

423
SOURCES/0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch
View File

@ -1,423 +0,0 @@
From 00aeede6bdba3cb74943932b24accc7ba61d2cb0 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 10 Aug 2019 18:25:03 +0200
Subject: [PATCH] (CVE-2019-14973) Fix integer overflow in _TIFFCheckMalloc()
and other implementation-defined behaviour (CVE-2019-14973)
_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
signed), which was especially easily triggered on 32-bit builds (with recent
enough compilers that assume that signed multiplication cannot overflow, since
this is undefined behaviour by the C standard). The original issue which lead to
this fix was trigged from tif_fax3.c
There were also unsafe (implementation defied), and broken in practice on 64bit
builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
at that time exploits, but are better to fix in a more bullet-proof way.
Or similarly use of (int64)uint64_var <= 0.
(cherry picked from commit 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773)
---
libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++-----
libtiff/tif_getimage.c | 6 ++----
libtiff/tif_luv.c | 8 +------
libtiff/tif_pixarlog.c | 7 +-----
libtiff/tif_read.c | 38 +++++++++-----------------------
libtiff/tif_strip.c | 35 ++++--------------------------
libtiff/tif_tile.c | 27 +++--------------------
libtiff/tiffiop.h | 7 +++++-
8 files changed, 71 insertions(+), 106 deletions(-)
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
index 10b8d00c..38a98b67 100644
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -59,18 +59,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
return bytes;
}
+tmsize_t
+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
+{
+ if( first <= 0 || second <= 0 )
+ {
+ if( tif != NULL && where != NULL )
+ {
+ TIFFErrorExt(tif->tif_clientdata, where,
+ "Invalid argument to _TIFFMultiplySSize() in %s", where);
+ }
+ return 0;
+ }
+
+ if( first > TIFF_TMSIZE_T_MAX / second )
+ {
+ if( tif != NULL && where != NULL )
+ {
+ TIFFErrorExt(tif->tif_clientdata, where,
+ "Integer overflow in %s", where);
+ }
+ return 0;
+ }
+ return first * second;
+}
+
+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
+{
+ if( val > (uint64)TIFF_TMSIZE_T_MAX )
+ {
+ if( tif != NULL && module != NULL )
+ {
+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+ }
+ return 0;
+ }
+ return (tmsize_t)val;
+}
+
void*
_TIFFCheckRealloc(TIFF* tif, void* buffer,
tmsize_t nmemb, tmsize_t elem_size, const char* what)
{
void* cp = NULL;
- tmsize_t bytes = nmemb * elem_size;
-
+ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
/*
- * XXX: Check for integer overflow.
+ * Check for integer overflow.
*/
- if (nmemb && elem_size && bytes / elem_size == nmemb)
- cp = _TIFFrealloc(buffer, bytes);
+ if (count != 0)
+ {
+ cp = _TIFFrealloc(buffer, count);
+ }
if (cp == NULL) {
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index fc554cca..ec09feaf 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -757,9 +757,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
uint32 leftmost_tw;
tilesize = TIFFTileSize(tif);
- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
+ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
if (bufsize == 0) {
- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
return (0);
}
@@ -1021,9 +1020,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
uint16 colorchannels;
stripsize = TIFFStripSize(tif);
- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
+ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
if (bufsize == 0) {
- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
return (0);
}
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 4b25244b..c4cb73a3 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
return (SGILOGDATAFMT_UNKNOWN);
}
-
-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
-
static tmsize_t
multiply_ms(tmsize_t m1, tmsize_t m2)
{
- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
- return 0;
- return m1 * m2;
+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
}
static int
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index 979858da..8e9eaa1d 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -636,15 +636,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
return guess;
}
-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
-
static tmsize_t
multiply_ms(tmsize_t m1, tmsize_t m2)
{
- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
- return 0;
- return m1 * m2;
+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
}
static tmsize_t
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 04100f4d..9a0e6e95 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -31,9 +31,6 @@
#include "tiffiop.h"
#include <stdio.h>
-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
-
int TIFFFillStrip(TIFF* tif, uint32 strip);
int TIFFFillTile(TIFF* tif, uint32 tile);
static int TIFFStartStrip(TIFF* tif, uint32 strip);
@@ -51,6 +48,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
#define THRESHOLD_MULTIPLIER 10
#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
+#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
+
/* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
* Returns 1 in case of success, 0 otherwise. */
static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
@@ -735,23 +734,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
return ((tmsize_t)(-1));
}
bytecount = td->td_stripbytecount[strip];
- if ((int64)bytecount <= 0) {
-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
- "%I64u: Invalid strip byte count, strip %lu",
- (unsigned __int64) bytecount,
- (unsigned long) strip);
-#else
- TIFFErrorExt(tif->tif_clientdata, module,
- "%llu: Invalid strip byte count, strip %lu",
- (unsigned long long) bytecount,
- (unsigned long) strip);
-#endif
- return ((tmsize_t)(-1));
- }
- bytecountm = (tmsize_t)bytecount;
- if ((uint64)bytecountm!=bytecount) {
- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
+ if (bytecountm == 0) {
return ((tmsize_t)(-1));
}
if (size != (tmsize_t)(-1) && size < bytecountm)
@@ -775,7 +759,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
if ((tif->tif_flags&TIFF_NOREADRAW)==0)
{
uint64 bytecount = td->td_stripbytecount[strip];
- if ((int64)bytecount <= 0) {
+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
"Invalid strip byte count %I64u, strip %lu",
@@ -802,7 +786,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
(bytecount - 4096) / 10 > (uint64)stripsize )
{
uint64 newbytecount = (uint64)stripsize * 10 + 4096;
- if( (int64)newbytecount >= 0 )
+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
{
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFWarningExt(tif->tif_clientdata, module,
@@ -1197,10 +1181,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
bytecount64 = td->td_stripbytecount[tile];
if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
bytecount64 = (uint64)size;
- bytecountm = (tmsize_t)bytecount64;
- if ((uint64)bytecountm!=bytecount64)
- {
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
+ if( bytecountm == 0 ) {
return ((tmsize_t)(-1));
}
return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
@@ -1222,7 +1204,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
if ((tif->tif_flags&TIFF_NOREADRAW)==0)
{
uint64 bytecount = td->td_stripbytecount[tile];
- if ((int64)bytecount <= 0) {
+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
"%I64u: Invalid tile byte count, tile %lu",
@@ -1249,7 +1231,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
(bytecount - 4096) / 10 > (uint64)stripsize )
{
uint64 newbytecount = (uint64)stripsize * 10 + 4096;
- if( (int64)newbytecount >= 0 )
+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
{
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFWarningExt(tif->tif_clientdata, module,
diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
index 6e9f2ef6..321ad6b9 100644
--- a/libtiff/tif_strip.c
+++ b/libtiff/tif_strip.c
@@ -131,15 +131,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
{
static const char module[] = "TIFFVStripSize";
uint64 m;
- tmsize_t n;
m=TIFFVStripSize64(tif,nrows);
- n=(tmsize_t)m;
- if ((uint64)n!=m)
- {
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
- n=0;
- }
- return(n);
+ return _TIFFCastUInt64ToSSize(tif, m, module);
}
/*
@@ -213,15 +206,8 @@ TIFFStripSize(TIFF* tif)
{
static const char module[] = "TIFFStripSize";
uint64 m;
- tmsize_t n;
m=TIFFStripSize64(tif);
- n=(tmsize_t)m;
- if ((uint64)n!=m)
- {
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
- n=0;
- }
- return(n);
+ return _TIFFCastUInt64ToSSize(tif, m, module);
}
/*
@@ -332,14 +318,8 @@ TIFFScanlineSize(TIFF* tif)
{
static const char module[] = "TIFFScanlineSize";
uint64 m;
- tmsize_t n;
m=TIFFScanlineSize64(tif);
- n=(tmsize_t)m;
- if ((uint64)n!=m) {
- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
- n=0;
- }
- return(n);
+ return _TIFFCastUInt64ToSSize(tif, m, module);
}
/*
@@ -368,15 +348,8 @@ TIFFRasterScanlineSize(TIFF* tif)
{
static const char module[] = "TIFFRasterScanlineSize";
uint64 m;
- tmsize_t n;
m=TIFFRasterScanlineSize64(tif);
- n=(tmsize_t)m;
- if ((uint64)n!=m)
- {
- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
- n=0;
- }
- return(n);
+ return _TIFFCastUInt64ToSSize(tif, m, module);
}
/* vim: set ts=8 sts=8 sw=8 noet: */
diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
index 388e168a..7d057509 100644
--- a/libtiff/tif_tile.c
+++ b/libtiff/tif_tile.c
@@ -183,15 +183,8 @@ TIFFTileRowSize(TIFF* tif)
{
static const char module[] = "TIFFTileRowSize";
uint64 m;
- tmsize_t n;
m=TIFFTileRowSize64(tif);
- n=(tmsize_t)m;
- if ((uint64)n!=m)
- {
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
- n=0;
- }
- return(n);
+ return _TIFFCastUInt64ToSSize(tif, m, module);
}
/*
@@ -250,15 +243,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
{
static const char module[] = "TIFFVTileSize";
uint64 m;
- tmsize_t n;
m=TIFFVTileSize64(tif,nrows);
- n=(tmsize_t)m;
- if ((uint64)n!=m)
- {
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
- n=0;
- }
- return(n);
+ return _TIFFCastUInt64ToSSize(tif, m, module);
}
/*
@@ -274,15 +260,8 @@ TIFFTileSize(TIFF* tif)
{
static const char module[] = "TIFFTileSize";
uint64 m;
- tmsize_t n;
m=TIFFTileSize64(tif);
- n=(tmsize_t)m;
- if ((uint64)n!=m)
- {
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
- n=0;
- }
- return(n);
+ return _TIFFCastUInt64ToSSize(tif, m, module);
}
/*
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index 08e5dc44..d4b86314 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -79,6 +79,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
#define FALSE 0
#endif
+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+
typedef struct client_info {
struct client_info *next;
void *data;
@@ -260,7 +263,7 @@ struct tiff {
#define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
#define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
-/* Safe multiply which returns zero if there is an integer overflow */
+/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */
#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
#define TIFFmax(A,B) ((A)>(B)?(A):(B))
@@ -366,6 +369,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*);
extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*);
+extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*);
+extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*);
extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);

95
SOURCES/0015-CVE-2023-26965-tiffcrop-Do-not-reuse-input-buffer-fo.patch Normal file
View File

@ -0,0 +1,95 @@
From c7c1a0e3537b692196c15ea764b789f601b15850 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Wed, 28 Jun 2023 14:05:50 +0200
Subject: [PATCH] (CVE-2023-26965) tiffcrop: Do not reuse input buffer for
subsequent images. Fix issue 527
Reuse of read_buff within loadImage() from previous image is quite unsafe,
because other functions (like rotateImage() etc.) reallocate that buffer with
different size without updating the local prev_readsize value.
Closes #527
(cherry picked from commit ec8ef90c1f573c9eb1f17d6a056aa0015f184acf)
---
tools/tiffcrop.c | 45 ++++++++++++++-------------------------------
1 file changed, 14 insertions(+), 31 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index c2688883..d9b91e4e 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6103,9 +6103,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
uint32_t tw = 0, tl = 0; /* Tile width and length */
tmsize_t tile_rowsize = 0;
unsigned char *read_buff = NULL;
- unsigned char *new_buff = NULL;
int readunit = 0;
- static tmsize_t prev_readsize = 0;
TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -6404,41 +6402,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
}
}
}
-
+
read_buff = *read_ptr;
- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
- /* outside buffer */
- if (!read_buff)
+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+ * outside buffer */
+ /* Reuse of read_buff from previous image is quite unsafe, because other
+ * functions (like rotateImage() etc.) reallocate that buffer with different
+ * size without updating the local prev_readsize value. */
+ if (read_buff)
{
- if( buffsize > 0xFFFFFFFFU - 3 )
- {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ _TIFFfree(read_buff);
}
- else
+ if( buffsize > 0xFFFFFFFFU - 3 )
{
- if (prev_readsize < buffsize)
- {
- if( buffsize > 0xFFFFFFFFU - 3 )
- {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
- if (!new_buff)
- {
- free (read_buff);
- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
- }
- else
- read_buff = new_buff;
- }
+ TIFFError("loadImage", "Required read buffer size too large" );
+ return (-1);
}
+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+
if (!read_buff)
{
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ TIFFError("loadImage", "Unable to allocate read buffer" );
return (-1);
}
@@ -6446,7 +6430,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
read_buff[buffsize+1] = 0;
read_buff[buffsize+2] = 0;
- prev_readsize = buffsize;
*read_ptr = read_buff;
/* N.B. The read functions used copy separate plane data into a buffer as interleaved

102
SOURCES/0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch
View File

@ -1,102 +0,0 @@
From a1c493aa4f22f9d1a4757c05a60addc877519cea Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 15 Aug 2019 15:05:28 +0200
Subject: [PATCH] (CVE-2019-17546) RGBA interface: fix integer overflow
potentially causing write heap buffer overflow, especially on 32 bit builds.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to
OSS Fuzz
(cherry picked from commit 4bb584a35f87af42d6cf09d15e9ce8909a839145)
---
libtiff/tif_getimage.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index ec09feaf..c6edd27c 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -951,16 +951,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
fromskew = (w < imagewidth ? imagewidth - w : 0);
for (row = 0; row < h; row += nrow)
{
+ uint32 temp;
rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
nrow = (row + rowstoread > h ? h - row : rowstoread);
nrowsub = nrow;
if ((nrowsub%subsamplingver)!=0)
nrowsub+=subsamplingver-nrowsub%subsamplingver;
+ temp = (row + img->row_offset)%rowsperstrip + nrowsub;
+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
+ {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
+ return 0;
+ }
if (_TIFFReadEncodedStripAndAllocBuffer(tif,
TIFFComputeStrip(tif,row+img->row_offset, 0),
(void**)(&buf),
maxstripsize,
- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
+ temp * scanline)==(tmsize_t)(-1)
&& (buf == NULL || img->stoponerr))
{
ret = 0;
@@ -1053,15 +1060,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
fromskew = (w < imagewidth ? imagewidth - w : 0);
for (row = 0; row < h; row += nrow)
{
+ uint32 temp;
rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
nrow = (row + rowstoread > h ? h - row : rowstoread);
offset_row = row + img->row_offset;
+ temp = (row + img->row_offset)%rowsperstrip + nrow;
+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
+ {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
+ return 0;
+ }
if( buf == NULL )
{
if (_TIFFReadEncodedStripAndAllocBuffer(
tif, TIFFComputeStrip(tif, offset_row, 0),
(void**) &buf, bufsize,
- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
+ temp * scanline)==(tmsize_t)(-1)
&& (buf == NULL || img->stoponerr))
{
ret = 0;
@@ -1081,7 +1095,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
}
}
else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
+ p0, temp * scanline)==(tmsize_t)(-1)
&& img->stoponerr)
{
ret = 0;
@@ -1089,7 +1103,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
}
if (colorchannels > 1
&& TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
+ p1, temp * scanline) == (tmsize_t)(-1)
&& img->stoponerr)
{
ret = 0;
@@ -1097,7 +1111,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
}
if (colorchannels > 1
&& TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
+ p2, temp * scanline) == (tmsize_t)(-1)
&& img->stoponerr)
{
ret = 0;
@@ -1106,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
if (alpha)
{
if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
+ pa, temp * scanline)==(tmsize_t)(-1)
&& img->stoponerr)
{
ret = 0;

55
SOURCES/0016-CVE-2023-3316-TIFFClose-avoid-NULL-pointer-dereferen.patch Normal file
View File

@ -0,0 +1,55 @@
From 9a0ec729ad38af873eac5d896cb38219cb50d49c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 1 Aug 2023 16:04:17 +0200
Subject: [PATCH] (CVE-2023-3316) TIFFClose() avoid NULL pointer dereferencing.
fix#515
Closes #515
(cherry picked from commit f171d7a2cd50e34975036748a395c156d32d9235)
---
libtiff/tif_close.c | 6 ++++--
tools/tiffcrop.c | 7 +++++--
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
index 04977bc7..6c9f7349 100644
--- a/libtiff/tif_close.c
+++ b/libtiff/tif_close.c
@@ -125,13 +125,15 @@ TIFFCleanup(TIFF* tif)
void
TIFFClose(TIFF* tif)
{
- TIFFCloseProc closeproc = tif->tif_closeproc;
+ if (tif != NULL)
+ {
+ TIFFCloseProc closeproc = tif->tif_closeproc;
thandle_t fd = tif->tif_clientdata;
TIFFCleanup(tif);
(void) (*closeproc)(fd);
}
-
+}
/* vim: set ts=8 sts=8 sw=8 noet: */
/*
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index d9b91e4e..07fc7ea3 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -2553,9 +2553,12 @@ main(int argc, char* argv[])
}
}
- TIFFClose(out);
+ if (out != NULL)
+ {
+ TIFFClose(out);
+ }
- return (0);
+ return (0);
} /* end main */

86
SOURCES/0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch
View File

@ -1,86 +0,0 @@
From 8f70b086e6553b4d41aaff2c5fb4266859436626 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Sun, 15 Nov 2020 17:02:51 +0100
Subject: [PATCH] (CVE-2020-35521 CVE-2020-35522) enforce (configurable) memory
limit in tiff2rgba
fixes #207
fixes #209
(cherry picked from commit 98a254f5b92cea22f5436555ff7fceb12afee84d)
---
tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
index 4de96aec..e6de2209 100644
--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
int process_by_block = 0; /* default is whole image at once */
int no_alpha = 0;
int bigtiff_output = 0;
+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
+/* malloc size limit (in bytes)
+ * disabled when set to 0 */
+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
static int tiffcvt(TIFF* in, TIFF* out);
@@ -70,8 +74,11 @@ main(int argc, char* argv[])
extern char *optarg;
#endif
- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
+ while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1)
switch (c) {
+ case 'M':
+ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
+ break;
case 'b':
process_by_block = 1;
break;
@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
(unsigned long)width, (unsigned long)height);
return 0;
}
+ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
+ TIFFError(TIFFFileName(in),
+ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
+ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
+ return 0;
+ }
rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out)
TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
+ {
+ TIFFError(TIFFFileName(in),
+ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
+ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
+ return 0;
+ }
if( process_by_block && TIFFIsTiled( in ) )
return( cvt_by_tile( in, out ) );
else if( process_by_block )
@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out)
}
static char* stuff[] = {
- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
"where comp is one of the following compression algorithms:",
" jpeg\t\tJPEG encoding",
" zip\t\tZip/Deflate encoding",
@@ -543,6 +563,7 @@ static char* stuff[] = {
" -b (progress by block rather than as a whole image)",
" -n don't emit alpha component.",
" -8 write BigTIFF file instead of ClassicTIFF",
+ " -M set the memory allocation limit in MiB. 0 to disable limit",
NULL
};

35
SOURCES/0017-CVE-2023-26966-tif_luv-Check-and-correct-for-NaN-dat.patch Normal file
View File

@ -0,0 +1,35 @@
From 7d0a920d34e9960b2dd2e3583172826b3a4db570 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 8 Aug 2023 15:32:42 +0200
Subject: [PATCH] (CVE-2023-26966) tif_luv: Check and correct for NaN data in
uv_encode().
Closes #530
See merge request libtiff/libtiff!473
(cherry picked from commit d1f658afa5ab5ed21a9e32e0f790f41b01506cd9)
---
libtiff/tif_luv.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 72ab3668..93c76115 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -908,7 +908,14 @@ uv_encode(double u, double v, int em) /* encode (u',v') coordinates */
{
register int vi, ui;
- if (v < UV_VSTART)
+ /* check for NaN */
+ if (u != u || v != v)
+ {
+ u = U_NEU;
+ v = V_NEU;
+ }
+
+ if (v < UV_VSTART)
return oog_encode(u, v);
vi = tiff_itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em);
if (vi >= UV_NVS)

50
SOURCES/0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch
View File

@ -1,50 +0,0 @@
From a7786e10d1bab22f34322e6e711b93b377d6155e Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Tue, 10 Nov 2020 01:54:30 +0100
Subject: [PATCH] (CVE-2020-35523) gtTileContig(): check Tile width for
overflow
fixes #211
(cherry picked from commit c8d613ef497058fe653c467fc84c70a62a4a71b2)
---
libtiff/tif_getimage.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index c6edd27c..b1f7cc95 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -31,6 +31,7 @@
*/
#include "tiffiop.h"
#include <stdio.h>
+#include <limits.h>
static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
flip = setorientation(img);
if (flip & FLIP_VERTICALLY) {
- y = h - 1;
- toskew = -(int32)(tw + w);
+ if ((tw + w) > INT_MAX) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+ return (0);
+ }
+ y = h - 1;
+ toskew = -(int32)(tw + w);
}
else {
- y = 0;
- toskew = -(int32)(tw - w);
+ if (tw > (INT_MAX + w)) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+ return (0);
+ }
+ y = 0;
+ toskew = -(int32)(tw - w);
}
/*

34
SOURCES/0018-CVE-2023-3576-Fix-memory-leak-in-tiffcrop.c.patch Normal file
View File

@ -0,0 +1,34 @@
From 186a46ebfe483703e3120e825fc5f3eb26a1c0f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 8 Aug 2023 15:42:54 +0200
Subject: [PATCH] (CVE-2023-3576) Fix memory leak in tiffcrop.c
See merge request libtiff/libtiff!475
(cherry picked from commit 1d5b1181c980090a6518f11e61a18b0e268bf31a)
---
tools/tiffcrop.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 07fc7ea3..be72ec52 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7922,9 +7922,14 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
read_buff = *read_buff_ptr;
- /* process full image, no crop buffer needed */
- crop_buff = read_buff;
- *crop_buff_ptr = read_buff;
+ /* Memory is freed before crop_buff_ptr is overwritten */
+ if (*crop_buff_ptr != NULL )
+ {
+ _TIFFfree(*crop_buff_ptr);
+ }
+
+ /* process full image, no crop buffer needed */
+ *crop_buff_ptr = read_buff;
crop->combined_width = image->width;
crop->combined_length = image->length;

38
SOURCES/0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch
View File

@ -1,38 +0,0 @@
From 55cd158269c43c83c23636dc9197816b3b359aa4 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Sat, 14 Nov 2020 12:53:01 +0000
Subject: [PATCH] (CVE-2020-35524) tiff2pdf.c: properly calculate datasize when
saving to JPEG YCbCr
fixes #220
(cherry picked from commit 7be2e452ddcf6d7abca88f41d3761e6edab72b22)
---
tools/tiff2pdf.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index ff7b9c22..a5db1f64 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
#endif
(void) 0;
}
- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+#ifdef JPEG_SUPPORT
+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
+ } else
+#endif
+ {
+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+ }
}
if (k == 0) {
/* Assume we had overflow inside TIFFScanlineSize */

548
SOURCES/0019-CVE-2023-40090-Improved-IFD-Loop-Handling-fixes-455.patch Normal file
View File

@ -0,0 +1,548 @@
From 98648d3b62d4f123915410b8cae47954f9223000 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 6 Oct 2022 10:11:06 +0000
Subject: [PATCH] (CVE-2023-40090) Improved IFD-Loop Handling (fixes #455)
Closes #455
See merge request libtiff/libtiff!386
(cherry picked from commit d093eb5d961e21ba51420bc22382c514683a4d91)
---
libtiff/tif_close.c | 6 +-
libtiff/tif_dir.c | 129 +++++++++++++++++++++++++-----------
libtiff/tif_dir.h | 2 +
libtiff/tif_dirread.c | 147 +++++++++++++++++++++++++++++++++---------
libtiff/tif_open.c | 3 +-
libtiff/tiffiop.h | 3 +-
6 files changed, 219 insertions(+), 71 deletions(-)
diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
index 6c9f7349..b5fa9603 100644
--- a/libtiff/tif_close.c
+++ b/libtiff/tif_close.c
@@ -52,8 +52,10 @@ TIFFCleanup(TIFF* tif)
(*tif->tif_cleanup)(tif);
TIFFFreeDirectory(tif);
- if (tif->tif_dirlist)
- _TIFFfree(tif->tif_dirlist);
+ if (tif->tif_dirlistoff)
+ _TIFFfree(tif->tif_dirlistoff);
+ if (tif->tif_dirlistdirn)
+ _TIFFfree(tif->tif_dirlistdirn);
/*
* Clean up client info links.
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index a4295dc9..d9022f5b 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -1521,12 +1521,22 @@ TIFFDefaultDirectory(TIFF* tif)
}
static int
-TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off)
+TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdiroff, uint64_t* off, uint16_t* nextdirnum)
{
static const char module[] = "TIFFAdvanceDirectory";
+
+ /* Add this directory to the directory list, if not already in. */
+ if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) {
+ TIFFErrorExt(tif->tif_clientdata, module, "Starting directory %"PRIu16" at offset 0x%"PRIx64" (%"PRIu64") might cause an IFD loop",
+ *nextdirnum, *nextdiroff, *nextdiroff);
+ *nextdiroff = 0;
+ *nextdirnum = 0;
+ return(0);
+ }
+
if (isMapped(tif))
{
- uint64_t poff=*nextdir;
+ uint64_t poff=*nextdiroff;
if (!(tif->tif_flags&TIFF_BIGTIFF))
{
tmsize_t poffa,poffb,poffc,poffd;
@@ -1537,7 +1547,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off)
if (((uint64_t)poffa != poff) || (poffb < poffa) || (poffb < (tmsize_t)sizeof(uint16_t)) || (poffb > tif->tif_size))
{
TIFFErrorExt(tif->tif_clientdata,module,"Error fetching directory count");
- *nextdir=0;
+ *nextdiroff=0;
return(0);
}
_TIFFmemcpy(&dircount,tif->tif_base+poffa,sizeof(uint16_t));
@@ -1555,7 +1565,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off)
_TIFFmemcpy(&nextdir32,tif->tif_base+poffc,sizeof(uint32_t));
if (tif->tif_flags&TIFF_SWAB)
TIFFSwabLong(&nextdir32);
- *nextdir=nextdir32;
+ *nextdiroff=nextdir32;
}
else
{
@@ -1587,11 +1597,10 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off)
}
if (off!=NULL)
*off=(uint64_t)poffc;
- _TIFFmemcpy(nextdir,tif->tif_base+poffc,sizeof(uint64_t));
+ _TIFFmemcpy(nextdiroff,tif->tif_base+poffc,sizeof(uint64_t));
if (tif->tif_flags&TIFF_SWAB)
- TIFFSwabLong8(nextdir);
+ TIFFSwabLong8(nextdiroff);
}
- return(1);
}
else
{
@@ -1599,7 +1608,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off)
{
uint16_t dircount;
uint32_t nextdir32;
- if (!SeekOK(tif, *nextdir) ||
+ if (!SeekOK(tif, *nextdiroff) ||
!ReadOK(tif, &dircount, sizeof (uint16_t))) {
TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory count",
tif->tif_name);
@@ -1620,13 +1629,13 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off)
}
if (tif->tif_flags & TIFF_SWAB)
TIFFSwabLong(&nextdir32);
- *nextdir=nextdir32;
+ *nextdiroff=nextdir32;
}
else
{
uint64_t dircount64;
uint16_t dircount16;
- if (!SeekOK(tif, *nextdir) ||
+ if (!SeekOK(tif, *nextdiroff) ||
!ReadOK(tif, &dircount64, sizeof (uint64_t))) {
TIFFErrorExt(tif->tif_clientdata, module, "%s: Error fetching directory count",
tif->tif_name);
@@ -1646,17 +1655,27 @@ TIFFAdvanceDirectory(TIFF* tif, uint64_t* nextdir, uint64_t* off)
else
(void) TIFFSeekFile(tif,
dircount16*20, SEEK_CUR);
- if (!ReadOK(tif, nextdir, sizeof (uint64_t))) {
+ if (!ReadOK(tif, nextdiroff, sizeof (uint64_t))) {
TIFFErrorExt(tif->tif_clientdata, module,
"%s: Error fetching directory link",
tif->tif_name);
return (0);
}
if (tif->tif_flags & TIFF_SWAB)
- TIFFSwabLong8(nextdir);
+ TIFFSwabLong8(nextdiroff);
}
- return (1);
}
+ if (*nextdiroff != 0) {
+ (*nextdirnum)++;
+ /* Check next directory for IFD looping and if so, set it as last directory. */
+ if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) {
+ TIFFWarningExt(tif->tif_clientdata, module, "the next directory %"PRIu16" at offset 0x%"PRIx64" (%"PRIu64") might be an IFD loop. Treating directory %"PRIu16" as last directory",
+ *nextdirnum, *nextdiroff, *nextdiroff, *nextdirnum-1);
+ *nextdiroff = 0;
+ (*nextdirnum)--;
+ }
+ }
+ return (1);
}
/*
@@ -1666,14 +1685,16 @@ uint16_t
TIFFNumberOfDirectories(TIFF* tif)
{
static const char module[] = "TIFFNumberOfDirectories";
- uint64_t nextdir;
+ uint64_t nextdiroff;
+ uint16_t nextdirnum;
uint16_t n;
if (!(tif->tif_flags&TIFF_BIGTIFF))
- nextdir = tif->tif_header.classic.tiff_diroff;
+ nextdiroff = tif->tif_header.classic.tiff_diroff;
else
- nextdir = tif->tif_header.big.tiff_diroff;
+ nextdiroff = tif->tif_header.big.tiff_diroff;
+ nextdirnum = 0;
n = 0;
- while (nextdir != 0 && TIFFAdvanceDirectory(tif, &nextdir, NULL))
+ while (nextdiroff != 0 && TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum))
{
if (n != 65535) {
++n;
@@ -1696,28 +1717,30 @@ TIFFNumberOfDirectories(TIFF* tif)
int
TIFFSetDirectory(TIFF* tif, uint16_t dirn)
{
- uint64_t nextdir;
+ uint64_t nextdiroff;
+ uint16_t nextdirnum;
uint16_t n;
if (!(tif->tif_flags&TIFF_BIGTIFF))
- nextdir = tif->tif_header.classic.tiff_diroff;
+ nextdiroff = tif->tif_header.classic.tiff_diroff;
else
- nextdir = tif->tif_header.big.tiff_diroff;
- for (n = dirn; n > 0 && nextdir != 0; n--)
- if (!TIFFAdvanceDirectory(tif, &nextdir, NULL))
+ nextdiroff = tif->tif_header.big.tiff_diroff;
+ nextdirnum = 0;
+ for (n = dirn; n > 0 && nextdiroff != 0; n--)
+ if (!TIFFAdvanceDirectory(tif, &nextdiroff, NULL, &nextdirnum))
return (0);
- tif->tif_nextdiroff = nextdir;
+ /* If the n-th directory could not be reached (does not exist),
+ * return here without touching anything further. */
+ if (nextdiroff == 0 || n > 0)
+ return (0);
+
+ tif->tif_nextdiroff = nextdiroff;
/*
* Set curdir to the actual directory index. The
* -1 is because TIFFReadDirectory will increment
* tif_curdir after successfully reading the directory.
*/
tif->tif_curdir = (dirn - n) - 1;
- /*
- * Reset tif_dirnumber counter and start new list of seen directories.
- * We need this to prevent IFD loops.
- */
- tif->tif_dirnumber = 0;
return (TIFFReadDirectory(tif));
}
@@ -1730,13 +1753,42 @@ TIFFSetDirectory(TIFF* tif, uint16_t dirn)
int
TIFFSetSubDirectory(TIFF* tif, uint64_t diroff)
{
- tif->tif_nextdiroff = diroff;
- /*
- * Reset tif_dirnumber counter and start new list of seen directories.
- * We need this to prevent IFD loops.
+ /* Match nextdiroff and curdir for consistent IFD-loop checking.
+ * Only with TIFFSetSubDirectory() the IFD list can be corrupted with invalid offsets
+ * within the main IFD tree.
+ * In the case of several subIFDs of a main image,
+ * there are two possibilities that are not even mutually exclusive.
+ * a.) The subIFD tag contains an array with all offsets of the subIFDs.
+ * b.) The SubIFDs are concatenated with their NextIFD parameters.
+ * (refer to https://www.awaresystems.be/imaging/tiff/specification/TIFFPM6.pdf.)
*/
- tif->tif_dirnumber = 0;
- return (TIFFReadDirectory(tif));
+ int retval;
+ uint16_t curdir = 0;
+ int8_t probablySubIFD = 0;
+ if (diroff == 0) {
+ /* Special case to invalidate the tif_lastdiroff member. */
+ tif->tif_curdir = 65535;
+ } else {
+ if (!_TIFFGetDirNumberFromOffset(tif, diroff, &curdir)) {
+ /* Non-existing offsets might point to a SubIFD or invalid IFD.*/
+ probablySubIFD = 1;
+ }
+ /* -1 because TIFFReadDirectory() will increment tif_curdir. */
+ tif->tif_curdir = curdir - 1;
+ }
+
+ tif->tif_nextdiroff = diroff;
+ retval = TIFFReadDirectory(tif);
+ /* If failed, curdir was not incremented in TIFFReadDirectory(), so set it back. */
+ if (!retval )tif->tif_curdir++;
+ if (retval && probablySubIFD) {
+ /* Reset IFD list to start new one for SubIFD chain and also start SubIFD chain with tif_curdir=0. */
+ tif->tif_dirnumber = 0;
+ tif->tif_curdir = 0; /* first directory of new chain */
+ /* add this offset to new IFD list */
+ _TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir, diroff);
+ }
+ return (retval);
}
/*
@@ -1760,12 +1812,15 @@ TIFFLastDirectory(TIFF* tif)
/*
* Unlink the specified directory from the directory chain.
+ * Note: First directory starts with number dirn=1.
+ * This is different to TIFFSetDirectory() where the first directory starts with zero.
*/
int
TIFFUnlinkDirectory(TIFF* tif, uint16_t dirn)
{
static const char module[] = "TIFFUnlinkDirectory";
uint64_t nextdir;
+ uint16_t nextdirnum;
uint64_t off;
uint16_t n;
@@ -1789,19 +1844,21 @@ TIFFUnlinkDirectory(TIFF* tif, uint16_t dirn)
nextdir = tif->tif_header.big.tiff_diroff;
off = 8;
}
+ nextdirnum = 0; /* First directory is dirn=0 */
+
for (n = dirn-1; n > 0; n--) {
if (nextdir == 0) {
TIFFErrorExt(tif->tif_clientdata, module, "Directory %"PRIu16" does not exist", dirn);
return (0);
}
- if (!TIFFAdvanceDirectory(tif, &nextdir, &off))
+ if (!TIFFAdvanceDirectory(tif, &nextdir, &off, &nextdirnum))
return (0);
}
/*
* Advance to the directory to be unlinked and fetch
* the offset of the directory that follows.
*/
- if (!TIFFAdvanceDirectory(tif, &nextdir, NULL))
+ if (!TIFFAdvanceDirectory(tif, &nextdir, NULL, &nextdirnum))
return (0);
/*
* Go back and patch the link field of the preceding
diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
index 0c251c9e..deaa4594 100644
--- a/libtiff/tif_dir.h
+++ b/libtiff/tif_dir.h
@@ -302,6 +302,8 @@ extern int _TIFFMergeFields(TIFF*, const TIFFField[], uint32_t);
extern const TIFFField* _TIFFFindOrRegisterField(TIFF *, uint32_t, TIFFDataType);
extern TIFFField* _TIFFCreateAnonField(TIFF *, uint32_t, TIFFDataType);
extern int _TIFFCheckFieldIsValidForCodec(TIFF *tif, ttag_t tag);
+extern int _TIFFCheckDirNumberAndOffset(TIFF *tif, uint16_t dirn, uint64_t diroff);
+extern int _TIFFGetDirNumberFromOffset(TIFF *tif, uint64_t diroff, uint16_t *dirn);
#if defined(__cplusplus)
}
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 32653f04..f4c1b08d 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -159,7 +159,6 @@ static void TIFFReadDirectoryFindFieldInfo(TIFF* tif, uint16_t tagid, uint32_t*
static int EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount);
static void MissingRequired(TIFF*, const char*);
-static int TIFFCheckDirOffset(TIFF* tif, uint64_t diroff);
static int CheckDirCount(TIFF*, TIFFDirEntry*, uint32_t);
static uint16_t TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir, uint64_t* nextdiroff);
static int TIFFFetchNormalTag(TIFF*, TIFFDirEntry*, int recover);
@@ -3922,12 +3921,19 @@ TIFFReadDirectory(TIFF* tif)
int bitspersample_read = FALSE;
int color_channels;
- tif->tif_diroff=tif->tif_nextdiroff;
- if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
- return 0; /* last offset or bad offset (IFD looping) */
- (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
- tif->tif_curdir++;
- nextdiroff = tif->tif_nextdiroff;
+ if (tif->tif_nextdiroff == 0) {
+ /* In this special case, tif_diroff needs also to be set to 0. */
+ tif->tif_diroff = tif->tif_nextdiroff;
+ return 0; /* last offset, thus no checking necessary */
+ }
+
+ nextdiroff = tif->tif_nextdiroff;
+ /* tif_curdir++ and tif_nextdiroff should only be updated after SUCCESSFUL reading of the directory. Otherwise, invalid IFD offsets could corrupt the IFD list. */
+ if (!_TIFFCheckDirNumberAndOffset(tif, tif->tif_curdir + 1, nextdiroff)) {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Didn't read next directory due to IFD looping at offset 0x%"PRIx64" (%"PRIu64") to offset 0x%"PRIx64" (%"PRIu64")", tif->tif_diroff, tif->tif_diroff, nextdiroff, nextdiroff);
+ return 0; /* bad offset (IFD looping) */
+ }
dircount=TIFFFetchDirectory(tif,nextdiroff,&dir,&tif->tif_nextdiroff);
if (!dircount)
{
@@ -3935,6 +3941,11 @@ TIFFReadDirectory(TIFF* tif)
"Failed to read directory at offset %" PRIu64, nextdiroff);
return 0;
}
+ /* Set global values after a valid directory has been fetched.
+ * tif_diroff is already set to nextdiroff in TIFFFetchDirectory() in the beginning. */
+ tif->tif_curdir++;
+ (*tif->tif_cleanup)(tif); /* cleanup any previous compression state */
+
TIFFReadDirectoryCheckOrder(tif,dir,dircount);
/*
@@ -5026,53 +5037,127 @@ MissingRequired(TIFF* tif, const char* tagname)
}
/*
- * Check the directory offset against the list of already seen directory
- * offsets. This is a trick to prevent IFD looping. The one can create TIFF
- * file with looped directory pointers. We will maintain a list of already
- * seen directories and check every IFD offset against that list.
+ * Check the directory number and offset against the list of already seen
+ * directory numbers and offsets. This is a trick to prevent IFD looping.
+ * The one can create TIFF file with looped directory pointers. We will
+ * maintain a list of already seen directories and check every IFD offset
+ * and its IFD number against that list. However, the offset of an IFD number
+ * can change - e.g. when writing updates to file.
+ * Returns 1 if all is ok; 0 if last directory or IFD loop is encountered,
+ * or an error has occured.
*/
-static int
-TIFFCheckDirOffset(TIFF* tif, uint64_t diroff)
+int
+_TIFFCheckDirNumberAndOffset(TIFF *tif, uint16_t dirn, uint64_t diroff)
{
uint16_t n;
if (diroff == 0) /* no more directories */
return 0;
if (tif->tif_dirnumber == 65535) {
- TIFFErrorExt(tif->tif_clientdata, "TIFFCheckDirOffset",
- "Cannot handle more than 65535 TIFF directories");
- return 0;
+ TIFFErrorExt(tif->tif_clientdata, "_TIFFCheckDirNumberAndOffset",
+ "Cannot handle more than 65535 TIFF directories");
+ return 0;
}
- for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlist; n++) {
- if (tif->tif_dirlist[n] == diroff)
- return 0;
+ /* Check if offset is already in the list:
+ * - yes: check, if offset is at the same IFD number - if not, it is an IFD loop
+ * - no: add to list or update offset at that IFD number
+ */
+ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistdirn && tif->tif_dirlistoff; n++) {
+ if (tif->tif_dirlistoff[n] == diroff) {
+ if (tif->tif_dirlistdirn[n] == dirn) {
+ return 1;
+ } else {
+ TIFFWarningExt(tif->tif_clientdata, "_TIFFCheckDirNumberAndOffset",
+ "TIFF directory %"PRIu16" has IFD looping to directory %"PRIu16" at offset 0x%"PRIx64" (%"PRIu64")",
+ dirn-1, tif->tif_dirlistdirn[n], diroff, diroff);
+ return 0;
+ }
+ }
+ }
+ /* Check if offset of an IFD has been changed and update offset of that IFD number. */
+ if (dirn < tif->tif_dirnumber && tif->tif_dirlistdirn && tif->tif_dirlistoff) {
+ /* tif_dirlistdirn can have IFD numbers dirn in random order */
+ for (n = 0; n < tif->tif_dirnumber; n++) {
+ if (tif->tif_dirlistdirn[n] == dirn) {
+ tif->tif_dirlistoff[n] = diroff;
+ return 1;
+ }
+ }
}
+ /* Add IFD offset and dirn to IFD directory list */
tif->tif_dirnumber++;
- if (tif->tif_dirlist == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) {
- uint64_t* new_dirlist;
-
+ if (tif->tif_dirlistoff == NULL || tif->tif_dirlistdirn == NULL || tif->tif_dirnumber > tif->tif_dirlistsize) {
+ uint64_t *new_dirlist;
/*
* XXX: Reduce memory allocation granularity of the dirlist
* array.
*/
- new_dirlist = (uint64_t*)_TIFFCheckRealloc(tif, tif->tif_dirlist,
- tif->tif_dirnumber, 2 * sizeof(uint64_t), "for IFD list");
+ if (tif->tif_dirnumber >= 32768)
+ tif->tif_dirlistsize = 65535;
+ else
+ tif->tif_dirlistsize = 2 * tif->tif_dirnumber;
+
+ new_dirlist = (uint64_t *)_TIFFCheckRealloc(tif, tif->tif_dirlistoff,
+ tif->tif_dirlistsize, sizeof(uint64_t), "for IFD offset list");
if (!new_dirlist)
return 0;
- if( tif->tif_dirnumber >= 32768 )
- tif->tif_dirlistsize = 65535;
- else
- tif->tif_dirlistsize = 2 * tif->tif_dirnumber;
- tif->tif_dirlist = new_dirlist;
+ tif->tif_dirlistoff = new_dirlist;
+ new_dirlist = (uint64_t *)_TIFFCheckRealloc(tif, tif->tif_dirlistdirn,
+ tif->tif_dirlistsize, sizeof(uint16_t), "for IFD dirnumber list");
+ if (!new_dirlist)
+ return 0;
+ tif->tif_dirlistdirn = (uint16_t *)new_dirlist;
}
- tif->tif_dirlist[tif->tif_dirnumber - 1] = diroff;
+ tif->tif_dirlistoff[tif->tif_dirnumber - 1] = diroff;
+ tif->tif_dirlistdirn[tif->tif_dirnumber - 1] = dirn;
return 1;
-}
+} /* --- _TIFFCheckDirNumberAndOffset() ---*/
+
+/*
+ * Retrieve the matching IFD directory number of a given IFD offset
+ * from the list of directories already seen.
+ * Returns 1 if the offset was in the list and the directory number
+ * can be returned.
+ * Otherwise returns 0 or if an error occured.
+ */
+int
+_TIFFGetDirNumberFromOffset(TIFF *tif, uint64_t diroff, uint16_t* dirn)
+{
+ uint16_t n;
+
+ if (diroff == 0) /* no more directories */
+ return 0;
+ if (tif->tif_dirnumber == 65535) {
+ TIFFErrorExt(tif->tif_clientdata, "_TIFFGetDirNumberFromOffset",
+ "Cannot handle more than 65535 TIFF directories");
+ return 0;
+ }
+
+ /* Check if offset is already in the list and return matching directory number.
+ * Otherwise update IFD list using TIFFNumberOfDirectories()
+ * and search again in IFD list.
+ */
+ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistoff && tif->tif_dirlistdirn; n++) {
+ if (tif->tif_dirlistoff[n] == diroff) {
+ *dirn = tif->tif_dirlistdirn[n];
+ return 1;
+ }
+ }
+ TIFFNumberOfDirectories(tif);
+ for (n = 0; n < tif->tif_dirnumber && tif->tif_dirlistoff && tif->tif_dirlistdirn; n++) {
+ if (tif->tif_dirlistoff[n] == diroff) {
+ *dirn = tif->tif_dirlistdirn[n];
+ return 1;
+ }
+ }
+ return 0;
+} /*--- _TIFFGetDirNumberFromOffset() ---*/
+
/*
* Check the count field of a directory entry against a known value. The
diff --git a/libtiff/tif_open.c b/libtiff/tif_open.c
index 549f56ce..85c2af47 100644
--- a/libtiff/tif_open.c
+++ b/libtiff/tif_open.c
@@ -354,7 +354,8 @@ TIFFClientOpen(
goto bad;
tif->tif_diroff = 0;
tif->tif_lastdiroff = 0;
- tif->tif_dirlist = NULL;
+ tif->tif_dirlistoff = NULL;
+ tif->tif_dirlistdirn = NULL;
tif->tif_dirlistsize = 0;
tif->tif_dirnumber = 0;
return (tif);
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index 4e8bdac2..8e0e2454 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -118,7 +118,8 @@ struct tiff {
uint64_t tif_diroff; /* file offset of current directory */
uint64_t tif_nextdiroff; /* file offset of following directory */
uint64_t tif_lastdiroff; /* file offset of last directory written so far */
- uint64_t* tif_dirlist; /* list of offsets to already seen directories to prevent IFD looping */
+ uint64_t* tif_dirlistoff; /* list of offsets to already seen directories to prevent IFD looping */
+ uint16_t* tif_dirlistdirn; /* list of directory numbers to already seen directories to prevent IFD looping */
uint16_t tif_dirlistsize; /* number of entries in offset list */
uint16_t tif_dirnumber; /* number of already seen directories */
TIFFDirectory tif_dir; /* internal rep of current directory */

89
SOURCES/0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch
View File

@ -1,89 +0,0 @@
From 25f99f92536fe2c7bf8e1a7fe12f0145c67a0383 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Mon, 11 Feb 2019 23:08:25 +0100
Subject: [PATCH] (CVE-2020-19131) tiffcrop.c: fix invertImage() for bps 2 and
4
too much bytes were processed, causing a heap buffer overrun
http://bugzilla.maptools.org/show_bug.cgi?id=2831
the loop counter must be
for (col = 0; col < width; col += 8 / bps)
Also the values were not properly calculated. It should be
255-x, 15-x, 3-x for bps 8, 4, 2.
But anyway it is easyer to invert all bits as 255-x = ~x, etc.
(substracting from a binary number composed of all 1 is like inverting
the bits)
(cherry picked from commit 9cfa5c469109c207bf3b916c52e618d4400ba2c0)
---
tools/tiffcrop.c | 37 ++++++-------------------------------
1 file changed, 6 insertions(+), 31 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 3862b1ca..a6129148 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -9142,7 +9142,6 @@ static int
invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 length, unsigned char *work_buff)
{
uint32 row, col;
- unsigned char bytebuff1, bytebuff2, bytebuff3, bytebuff4;
unsigned char *src;
uint16 *src_uint16;
uint32 *src_uint32;
@@ -9172,7 +9171,7 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
for (row = 0; row < length; row++)
for (col = 0; col < width; col++)
{
- *src_uint32 = (uint32)0xFFFFFFFF - *src_uint32;
+ *src_uint32 = ~(*src_uint32);
src_uint32++;
}
break;
@@ -9180,39 +9179,15 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
for (row = 0; row < length; row++)
for (col = 0; col < width; col++)
{
- *src_uint16 = (uint16)0xFFFF - *src_uint16;
+ *src_uint16 = ~(*src_uint16);
src_uint16++;
}
break;
- case 8: for (row = 0; row < length; row++)
- for (col = 0; col < width; col++)
- {
- *src = (uint8)255 - *src;
- src++;
- }
- break;
- case 4: for (row = 0; row < length; row++)
- for (col = 0; col < width; col++)
- {
- bytebuff1 = 16 - (uint8)(*src & 240 >> 4);
- bytebuff2 = 16 - (*src & 15);
- *src = bytebuff1 << 4 & bytebuff2;
- src++;
- }
- break;
- case 2: for (row = 0; row < length; row++)
- for (col = 0; col < width; col++)
- {
- bytebuff1 = 4 - (uint8)(*src & 192 >> 6);
- bytebuff2 = 4 - (uint8)(*src & 48 >> 4);
- bytebuff3 = 4 - (uint8)(*src & 12 >> 2);
- bytebuff4 = 4 - (uint8)(*src & 3);
- *src = (bytebuff1 << 6) || (bytebuff2 << 4) || (bytebuff3 << 2) || bytebuff4;
- src++;
- }
- break;
+ case 8:
+ case 4:
+ case 2:
case 1: for (row = 0; row < length; row++)
- for (col = 0; col < width; col += 8 /(spp * bps))
+ for (col = 0; col < width; col += 8 / bps)
{
*src = ~(*src);
src++;

36
SOURCES/0020-CVE-2023-3618-tiffcrop-fix-553-by-considering-error-.patch Normal file
View File

@ -0,0 +1,36 @@
From 979173fc37955d27c9550beb6c7ed1f2466c6ff4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Wed, 4 Oct 2023 13:13:08 +0200
Subject: [PATCH] (CVE-2023-3618) tiffcrop: fix 553 by considering error return
of writeSelections()
Closes #553
See merge request libtiff/libtiff!485
(cherry picked from commit 7ead6c42c70636c0ffec2e9ff3f16d614e37fb7b)
---
tools/tiffcrop.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index be72ec52..edb33e25 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -2464,8 +2464,14 @@ main(int argc, char* argv[])
{ /* Whole image or sections not based on output page size */
if (crop.selections > 0)
{
- writeSelections(in, &out, &crop, &image, &dump, seg_buffs,
- mp, argv[argc - 1], &next_page, total_pages);
+ if (writeSelections(in, &out, &crop, &image, &dump,
+ seg_buffs, mp, argv[argc - 1],
+ &next_page, total_pages))
+ {
+ TIFFError("main",
+ "Unable to write new image selections");
+ exit(EXIT_FAILURE);
+ }
}
else /* One file all images and sections */
{

27
SOURCES/0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch
View File

@ -1,27 +0,0 @@
From b94f6754796d32e204b874b3660a125973815933 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 6 Feb 2022 13:08:38 +0100
Subject: [PATCH] (CVE-2022-0561) TIFFFetchStripThing(): avoid calling memcpy()
with a null source pointer and size of zero (fixes #362)
(cherry picked from commit eecb0712f4c3a5b449f70c57988260a667ddbdef)
---
libtiff/tif_dirread.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 80aaf8d1..1e6f1c2f 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5633,8 +5633,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
_TIFFfree(data);
return(0);
}
- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
+ if( dir->tdir_count )
+ _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
+ _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
_TIFFfree(data);
data=resizeddata;
}

67
SOURCES/0021-CVE-2023-40745-CVE-2023-41175-raw2tiff-fix-integer-o.patch Normal file
View File

@ -0,0 +1,67 @@
From fffa3dc40d30155a17487ba3edacb320cb29b873 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Wed, 4 Oct 2023 13:20:28 +0200
Subject: [PATCH] (CVE-2023-40745 CVE-2023-41175) raw2tiff: fix integer
overflow and bypass of the check (fixes #592)
See merge request libtiff/libtiff!516
(cherry picked from commit 6ac40fefa1763ad08c6e9654d10910e462426f82)
---
tools/raw2tiff.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
index 0c6001f7..747ede7f 100644
--- a/tools/raw2tiff.c
+++ b/tools/raw2tiff.c
@@ -36,6 +36,7 @@
#include <sys/types.h>
#include <math.h>
#include <ctype.h>
+#include <limits.h>
#ifdef HAVE_UNISTD_H
# include <unistd.h>
@@ -101,6 +102,7 @@ main(int argc, char* argv[])
int fd;
char *outfilename = NULL;
TIFF *out;
+ uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/
uint32_t row, col, band;
int c;
@@ -217,6 +219,33 @@ main(int argc, char* argv[])
if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
return EXIT_FAILURE;
+ /* check for integer overflow in */
+ /* hdr_size + (*width) * (*length) * nbands * depth */
+
+ if ((width == 0) || (length == 0) ){
+ fprintf(stderr, "Too large nbands value specified.\n");
+ return (EXIT_FAILURE);
+ }
+
+ temp_limit_check = nbands * depth;
+
+ if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) {
+ fprintf(stderr, "Too large length size specified.\n");
+ return (EXIT_FAILURE);
+ }
+ temp_limit_check = temp_limit_check * length;
+
+ if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) {
+ fprintf(stderr, "Too large width size specified.\n");
+ return (EXIT_FAILURE);
+ }
+ temp_limit_check = temp_limit_check * width;
+
+ if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) {
+ fprintf(stderr, "Too large header size specified.\n");
+ return (EXIT_FAILURE);
+ }
+
if (outfilename == NULL)
outfilename = argv[optind+1];
out = TIFFOpen(outfilename, "w");

25
SOURCES/0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch
View File

@ -1,25 +0,0 @@
From b7426cc131d837de8d139b8007f66f9db59c4f6a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 5 Feb 2022 20:36:41 +0100
Subject: [PATCH] (CVE-2022-0562) TIFFReadDirectory(): avoid calling memcpy()
with a null source pointer and size of zero (fixes #362)
(cherry picked from commit 561599c99f987dc32ae110370cfdd7df7975586b)
---
libtiff/tif_dirread.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 1e6f1c2f..d68aecc5 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4083,7 +4083,8 @@ TIFFReadDirectory(TIFF* tif)
goto bad;
}
- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+ if (old_extrasamples > 0)
+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
_TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
_TIFFfree(new_sampleinfo);
}

30
SOURCES/0022-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch Normal file
View File

@ -0,0 +1,30 @@
From b57347d203cf577a3abb02cb62aee84b82903fcf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 23 Nov 2023 11:05:35 +0100
Subject: [PATCH] (CVE-2023-6228) Merge branch
'fix_606_tiffcp_check_also_input_compression_codec' into 'master'
tiffcp: Fixes #606. Check also codec of input image, not only from output image.
Closes #606
See merge request libtiff/libtiff!533
(cherry picked from commit 668d2c1a52fa48658bbf69615924b42b5a059f9e)
---
tools/tiffcp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 07ed0ebc..9973dd4e 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -732,6 +732,8 @@ tiffcp(TIFF* in, TIFF* out)
if( !TIFFIsCODECConfigured(compression) )
return FALSE;
TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
+ if (!TIFFIsCODECConfigured(input_compression))
+ return FALSE;
TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
if (input_compression == COMPRESSION_JPEG) {
/* Force conversion to RGB */

36
SOURCES/0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch
View File

@ -1,36 +0,0 @@
From 377a37d06f8ea753cba404cd6954b988ca861ad3 Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Tue, 25 Jan 2022 16:25:28 +0000
Subject: [PATCH] (CVE-2022-22844) tiffset: fix global-buffer-overflow for
ASCII tags where count is required (fixes #355)
(cherry picked from commit 03047a26952a82daaa0792957ce211e0aa51bc64)
---
tools/tiffset.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tools/tiffset.c b/tools/tiffset.c
index 894c9f1f..e4b0d49f 100644
--- a/tools/tiffset.c
+++ b/tools/tiffset.c
@@ -134,9 +134,19 @@ main(int argc, char* argv[])
arg_index++;
if (TIFFFieldDataType(fip) == TIFF_ASCII) {
- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
+ if(TIFFFieldPassCount( fip )) {
+ size_t len;
+ len = strlen(argv[arg_index]) + 1;
+ if (len > ((uint16)(~0)) || TIFFSetField(tiff, TIFFFieldTag(fip),
+ (uint16)len, argv[arg_index]) != 1)
fprintf( stderr, "Failed to set %s=%s\n",
TIFFFieldName(fip), argv[arg_index] );
+ } else {
+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
+ argv[arg_index]) != 1)
+ fprintf( stderr, "Failed to set %s=%s\n",
+ TIFFFieldName(fip), argv[arg_index] );
+ }
} else if (TIFFFieldWriteCount(fip) > 0
|| TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
int ret = 1;

33
SOURCES/0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch
View File

@ -1,33 +0,0 @@
From 2d598cd7523cba7ee8441fac96bfe422ec277efc Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 24 Feb 2022 22:26:02 +0100
Subject: [PATCH] (CVE-2022-0865) tif_jbig.c: fix crash when reading a file
with multiple IFD in memory-mapped mode and when bit reversal is needed
(fixes #385)
(cherry picked from commit a1c933dabd0e1c54a412f3f84ae0aa58115c6067)
---
libtiff/tif_jbig.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
index 8136c77b..698428f0 100644
--- a/libtiff/tif_jbig.c
+++ b/libtiff/tif_jbig.c
@@ -210,6 +210,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
*/
tif->tif_flags |= TIFF_NOBITREV;
tif->tif_flags &= ~TIFF_MAPPED;
+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
+ * value to be consistent with the state of a non-memory mapped file.
+ */
+ if (tif->tif_flags&TIFF_BUFFERMMAP) {
+ tif->tif_rawdata = NULL;
+ tif->tif_rawdatasize = 0;
+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
+ tif->tif_flags |= TIFF_MYBUFFER;
+ }
/* Setup the function pointers for encode, decode, and cleanup. */
tif->tif_setupdecode = JBIGSetupDecode;

198
SOURCES/0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch
View File

@ -1,198 +0,0 @@
From 465c2d93e2a2d20ac4844ad0d98b35f00e8063fb Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 8 Mar 2022 17:02:44 +0000
Subject: [PATCH] (CVE-2022-0891) tiffcrop: fix issue #380 and #382 heap buffer
overflow in extractImageSection
(cherry picked from commit 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c)
---
tools/tiffcrop.c | 84 ++++++++++++++++++------------------------------
1 file changed, 32 insertions(+), 52 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index a6129148..83cf80ad 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6668,10 +6668,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
uint32 img_length;
#endif
- uint32 j, shift1, shift2, trailing_bits;
+ uint32 j, shift1, trailing_bits;
uint32 row, first_row, last_row, first_col, last_col;
uint32 src_offset, dst_offset, row_offset, col_offset;
- uint32 offset1, offset2, full_bytes;
+ uint32 offset1, full_bytes;
uint32 sect_width;
#ifdef DEVELMODE
uint32 sect_length;
@@ -6681,7 +6681,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
int k;
unsigned char bitset;
- static char *bitarray = NULL;
#endif
img_width = image->width;
@@ -6699,17 +6698,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
dst_offset = 0;
#ifdef DEVELMODE
- if (bitarray == NULL)
- {
- if ((bitarray = (char *)malloc(img_width)) == NULL)
- {
- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
- return (-1);
- }
- }
+ char bitarray[39];
#endif
- /* rows, columns, width, length are expressed in pixels */
+ /* rows, columns, width, length are expressed in pixels
+ * first_row, last_row, .. are index into image array starting at 0 to width-1,
+ * last_col shall be also extracted. */
first_row = section->y1;
last_row = section->y2;
first_col = section->x1;
@@ -6719,9 +6713,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
sect_length = last_row - first_row + 1;
#endif
- img_rowsize = ((img_width * bps + 7) / 8) * spp;
+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
+ * samples rather than separate planes so the same logic works to extract regions
+ * regardless of the way the data are organized in the input file.
+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
+ */
+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
- trailing_bits = (sect_width * bps) % 8;
+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
#ifdef DEVELMODE
TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",
@@ -6734,10 +6733,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if ((bps % 8) == 0)
{
- col_offset = first_col * spp * bps / 8;
+ col_offset = (first_col * spp * bps) / 8;
for (row = first_row; row <= last_row; row++)
{
- /* row_offset = row * img_width * spp * bps / 8; */
row_offset = row * img_rowsize;
src_offset = row_offset + col_offset;
@@ -6750,14 +6748,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
}
else
{ /* bps != 8 */
- shift1 = spp * ((first_col * bps) % 8);
- shift2 = spp * ((last_col * bps) % 8);
+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
for (row = first_row; row <= last_row; row++)
{
/* pull out the first byte */
row_offset = row * img_rowsize;
- offset1 = row_offset + (first_col * bps / 8);
- offset2 = row_offset + (last_col * bps / 8);
+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
#ifdef DEVELMODE
for (j = 0, k = 7; j < 8; j++, k--)
@@ -6769,12 +6765,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
sprintf(&bitarray[9], " ");
for (j = 10, k = 7; j < 18; j++, k--)
{
- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
sprintf(&bitarray[j], (bitset) ? "1" : "0");
}
bitarray[18] = '\0';
- TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Shift2: %d\n",
- row, offset1, shift1, offset2, shift2);
+ TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Trailing_bits: %d\n",
+ row, offset1, shift1, offset1+full_bytes, trailing_bits);
#endif
bytebuff1 = bytebuff2 = 0;
@@ -6798,11 +6794,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if (trailing_bits != 0)
{
- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
sect_buff[dst_offset] = bytebuff2;
#ifdef DEVELMODE
TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n",
- offset2, dst_offset);
+ offset1 + full_bytes, dst_offset);
for (j = 30, k = 7; j < 38; j++, k--)
{
bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
@@ -6821,8 +6818,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#endif
for (j = 0; j <= full_bytes; j++)
{
+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
}
#ifdef DEVELMODE
@@ -6838,35 +6837,16 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#endif
dst_offset += full_bytes;
+ /* Copy the trailing_bits for the last byte in the destination buffer.
+ Could come from one ore two bytes of the source buffer. */
if (trailing_bits != 0)
{
#ifdef DEVELMODE
- TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", offset1 + full_bytes, dst_offset);
-#endif
- if (shift2 > shift1)
- {
- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
- sect_buff[dst_offset] = bytebuff2;
-#ifdef DEVELMODE
- TIFFError ("", " Shift2 > Shift1\n");
+ TIFFError("", " Trailing bits %4d src offset: %8d, Dst offset: %8d\n", trailing_bits, offset1 + full_bytes, dst_offset);
#endif
- }
- else
- {
- if (shift2 < shift1)
- {
- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
- sect_buff[dst_offset] &= bytebuff2;
-#ifdef DEVELMODE
- TIFFError ("", " Shift2 < Shift1\n");
-#endif
- }
-#ifdef DEVELMODE
- else
- TIFFError ("", " Shift2 == Shift1\n");
-#endif
- }
+ /* More than necessary bits are already copied into last destination buffer,
+ * only masking of last byte in destination buffer is necessary.*/
+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
}
#ifdef DEVELMODE
sprintf(&bitarray[28], " ");
@@ -7020,7 +7000,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
width = sections[i].x2 - sections[i].x1 + 1;
length = sections[i].y2 - sections[i].y1 + 1;
sectsize = (uint32)
- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
+ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
/* allocate a buffer if we don't have one already */
if (createImageSection(sectsize, sect_buff_ptr))
{

51
SOURCES/0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch
View File

@ -1,51 +0,0 @@
From 0bbe164e12be733a1b7e0fe9939ea3461ed7fff2 Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Thu, 10 Mar 2022 08:48:00 +0000
Subject: [PATCH] (CVE-2022-0924) fix heap buffer overflow in tiffcp (#278)
(cherry picked from commit 88d79a45a31c74cba98c697892fed5f7db8b963a)
---
tools/tiffcp.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 96f14728..d5f1d248 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1506,12 +1506,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
tdata_t obuf;
tstrip_t strip = 0;
tsample_t s;
+ uint16 bps = 0, bytes_per_sample;
obuf = _TIFFmalloc(stripsize);
if (obuf == NULL)
return (0);
_TIFFmemset(obuf, 0, stripsize);
(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( bps == 0 )
+ {
+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
+ _TIFFfree(obuf);
+ return 0;
+ }
+ if( (bps % 8) != 0 )
+ {
+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
+ _TIFFfree(obuf);
+ return 0;
+ }
+ bytes_per_sample = bps/8;
for (s = 0; s < spp; s++) {
uint32 row;
for (row = 0; row < imagelength; row += rowsperstrip) {
@@ -1521,7 +1536,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
cpContigBufToSeparateBuf(
obuf, (uint8*) buf + row*rowsize + s,
- nrows, imagewidth, 0, 0, spp, 1);
+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
TIFFError(TIFFFileName(out),
"Error, can't write strip %u",

30
SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
View File

@ -1,30 +0,0 @@
From fb2bd72a49496d10c4860102b7c26b9bc8adff70 Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Tue, 8 Mar 2022 16:22:04 +0000
Subject: [PATCH] (CVE-2022-0909) fix the FPE in tiffcrop (#393)
(cherry picked from commit 32ea0722ee68f503b7a3f9b2d557acb293fc8cde)
---
libtiff/tif_dir.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index c36a5f3f..f126f2aa 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -320,13 +320,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
break;
case TIFFTAG_XRESOLUTION:
dblval = va_arg(ap, double);
- if( dblval < 0 )
+ if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
td->td_xresolution = TIFFClampDoubleToFloat( dblval );
break;
case TIFFTAG_YRESOLUTION:
dblval = va_arg(ap, double);
- if( dblval < 0 )
+ if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
td->td_yresolution = TIFFClampDoubleToFloat( dblval );
break;

27
SOURCES/0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch
View File

@ -1,27 +0,0 @@
From e1ee7d9aa1936d5d2f8c7e1a453ad669ed6b38dd Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 17 Feb 2022 15:28:43 +0100
Subject: [PATCH] (CVE-2022-0908) TIFFFetchNormalTag(): avoid calling memcpy()
with a null source pointer and size of zero (fixes #383)
(cherry picked from commit a95b799f65064e4ba2e2dfc206808f86faf93e85)
---
libtiff/tif_dirread.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index d68aecc5..b72e6a3b 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4972,7 +4972,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
_TIFFfree(data);
return(0);
}
- _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
+ if (dp->tdir_count > 0 )
+ {
+ _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
+ }
o[(uint32)dp->tdir_count]=0;
if (data!=0)
_TIFFfree(data);

55
SOURCES/0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch
View File

@ -1,55 +0,0 @@
From b43def1519d18fecb6f23778e045838e30e027cc Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sat, 2 Apr 2022 22:33:31 +0200
Subject: [PATCH] (CVE-2022-1355) tiffcp: avoid buffer overflow in "mode"
string (fixes #400)
(cherry picked from commit fb1db384959698edd6caeea84e28253d272a0f96)
---
tools/tiffcp.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index d5f1d248..fb98bd57 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -249,19 +249,34 @@ main(int argc, char* argv[])
deftilewidth = atoi(optarg);
break;
case 'B':
- *mp++ = 'b'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'b'; *mp = '\0';
+ }
break;
case 'L':
- *mp++ = 'l'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'l'; *mp = '\0';
+ }
break;
case 'M':
- *mp++ = 'm'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'm'; *mp = '\0';
+ }
break;
case 'C':
- *mp++ = 'c'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'c'; *mp = '\0';
+ }
break;
case '8':
- *mp++ = '8'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode)-1))
+ {
+ *mp++ = '8'; *mp = '\0';
+ }
break;
case 'x':
pageInSeq = 1;

161
SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch
View File

@ -1,161 +0,0 @@
From 9ed8c91366c9f6a3c9068aee6c5a7a0fe1c5c9c8 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Tue, 12 Feb 2019 16:04:28 +0100
Subject: [PATCH] move _TIFFClampDoubleToFloat() to tif_aux.c
the same function was declared in tif_dir.c and tif_dirwrite.c
see http://bugzilla.maptools.org/show_bug.cgi?id=2842
(cherry picked from commit 8420a31e8ca5181ca36580cfeeca28661b348262)
---
libtiff/tif_aux.c | 10 ++++++++++
libtiff/tif_dir.c | 20 +++++---------------
libtiff/tif_dirwrite.c | 12 +-----------
libtiff/tiffiop.h | 2 ++
4 files changed, 18 insertions(+), 26 deletions(-)
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
index 38a98b67..2071d19c 100644
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -32,6 +32,7 @@
#include "tiffiop.h"
#include "tif_predict.h"
#include <math.h>
+#include <float.h>
uint32
_TIFFMultiply32(TIFF* tif, uint32 first, uint32 second, const char* where)
@@ -398,6 +399,15 @@ _TIFFUInt64ToDouble(uint64 ui64)
}
}
+float _TIFFClampDoubleToFloat( double val )
+{
+ if( val > FLT_MAX )
+ return FLT_MAX;
+ if( val < -FLT_MAX )
+ return -FLT_MAX;
+ return (float)val;
+}
+
int _TIFFSeekOK(TIFF* tif, toff_t off)
{
/* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index f126f2aa..ad550c65 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -31,7 +31,6 @@
* (and also some miscellaneous stuff)
*/
#include "tiffiop.h"
-#include <float.h>
/*
* These are used in the backwards compatibility code...
@@ -155,15 +154,6 @@ bad:
return (0);
}
-static float TIFFClampDoubleToFloat( double val )
-{
- if( val > FLT_MAX )
- return FLT_MAX;
- if( val < -FLT_MAX )
- return -FLT_MAX;
- return (float)val;
-}
-
static int
_TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
{
@@ -322,13 +312,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
dblval = va_arg(ap, double);
if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
- td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+ td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
break;
case TIFFTAG_YRESOLUTION:
dblval = va_arg(ap, double);
if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
- td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+ td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
break;
case TIFFTAG_PLANARCONFIG:
v = (uint16) va_arg(ap, uint16_vap);
@@ -337,10 +327,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
td->td_planarconfig = (uint16) v;
break;
case TIFFTAG_XPOSITION:
- td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ td->td_xposition = _TIFFClampDoubleToFloat( va_arg(ap, double) );
break;
case TIFFTAG_YPOSITION:
- td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ td->td_yposition = _TIFFClampDoubleToFloat( va_arg(ap, double) );
break;
case TIFFTAG_RESOLUTIONUNIT:
v = (uint16) va_arg(ap, uint16_vap);
@@ -686,7 +676,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
case TIFF_SRATIONAL:
case TIFF_FLOAT:
{
- float v2 = TIFFClampDoubleToFloat(va_arg(ap, double));
+ float v2 = _TIFFClampDoubleToFloat(va_arg(ap, double));
_TIFFmemcpy(val, &v2, tv_size);
}
break;
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 5d0a6699..03a9f296 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -30,7 +30,6 @@
* Directory Write Support Routines.
*/
#include "tiffiop.h"
-#include <float.h>
#ifdef HAVE_IEEEFP
#define TIFFCvtNativeToIEEEFloat(tif, n, fp)
@@ -948,15 +947,6 @@ bad:
return(0);
}
-static float TIFFClampDoubleToFloat( double val )
-{
- if( val > FLT_MAX )
- return FLT_MAX;
- if( val < -FLT_MAX )
- return -FLT_MAX;
- return (float)val;
-}
-
static int8 TIFFClampDoubleToInt8( double val )
{
if( val > 127 )
@@ -1031,7 +1021,7 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di
if (tif->tif_dir.td_bitspersample<=32)
{
for (i = 0; i < count; ++i)
- ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
+ ((float*)conv)[i] = _TIFFClampDoubleToFloat(value[i]);
ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
}
else
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index d4b86314..05ba735b 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -377,6 +377,8 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
extern double _TIFFUInt64ToDouble(uint64);
extern float _TIFFUInt64ToFloat(uint64);
+extern float _TIFFClampDoubleToFloat(double);
+
extern tmsize_t
_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
void **buf, tmsize_t bufsizetoalloc,

161
SOURCES/0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch
View File

@ -1,161 +0,0 @@
From 5d214a07db3bb8dcea8354d8f1e52f9c46264acb Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Wed, 9 Feb 2022 21:31:29 +0000
Subject: [PATCH] (CVE-2022-2867 CVE-2022-2868) tiffcrop.c: Fix issue #352
heap-buffer-overflow by correcting uint32_t underflow.
(cherry picked from commit 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c)
---
tools/tiffcrop.c | 81 +++++++++++++++++++++++++++++++-----------------
1 file changed, 53 insertions(+), 28 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index ea0b98be..5801b8f6 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5152,29 +5152,45 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
}
- if (x1 < 1)
- crop->regionlist[i].x1 = 0;
- else
- crop->regionlist[i].x1 = (uint32) (x1 - 1);
+ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
+ * b) Corners are expected to be submitted as top-left to bottom-right.
+ * Therefore, check that and reorder input.
+ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
+ */
+ uint32 aux;
+ if (x1 > x2) {
+ aux = x1;
+ x1 = x2;
+ x2 = aux;
+ }
+ if (y1 > y2) {
+ aux = y1;
+ y1 = y2;
+ y2 = aux;
+ }
+ if (x1 > image->width - 1)
+ crop->regionlist[i].x1 = image->width - 1;
+ else if (x1 > 0)
+ crop->regionlist[i].x1 = (uint32)(x1 - 1);
if (x2 > image->width - 1)
crop->regionlist[i].x2 = image->width - 1;
- else
- crop->regionlist[i].x2 = (uint32) (x2 - 1);
- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ else if (x2 > 0)
+ crop->regionlist[i].x2 = (uint32)(x2 - 1);
- if (y1 < 1)
- crop->regionlist[i].y1 = 0;
- else
- crop->regionlist[i].y1 = (uint32) (y1 - 1);
+ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+
+ if (y1 > image->length - 1)
+ crop->regionlist[i].y1 = image->length - 1;
+ else if (y1 > 0)
+ crop->regionlist[i].y1 = (uint32)(y1 - 1);
if (y2 > image->length - 1)
crop->regionlist[i].y2 = image->length - 1;
- else
- crop->regionlist[i].y2 = (uint32) (y2 - 1);
-
- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ else if (y2 > 0)
+ crop->regionlist[i].y2 = (uint32)(y2 - 1);
+ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
if (zwidth > max_width)
max_width = zwidth;
if (zlength > max_length)
@@ -5204,7 +5220,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
}
}
return (0);
- }
+ } /* crop_mode == CROP_REGIONS */
/* Convert crop margins into offsets into image
* Margins are expressed as pixel rows and columns, not bytes
@@ -5240,7 +5256,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
bmargin = (uint32) 0;
return (-1);
}
- }
+ } /* crop_mode == CROP_MARGINS */
else
{ /* no margins requested */
tmargin = (uint32) 0;
@@ -5331,24 +5347,23 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
off->endx = endx;
off->endy = endy;
- crop_width = endx - startx + 1;
- crop_length = endy - starty + 1;
-
- if (crop_width <= 0)
+ if (endx + 1 <= startx)
{
TIFFError("computeInputPixelOffsets",
"Invalid left/right margins and /or image crop width requested");
return (-1);
}
+ crop_width = endx - startx + 1;
if (crop_width > image->width)
crop_width = image->width;
- if (crop_length <= 0)
+ if (endy + 1 <= starty)
{
TIFFError("computeInputPixelOffsets",
"Invalid top/bottom margins and /or image crop length requested");
return (-1);
}
+ crop_length = endy - starty + 1;
if (crop_length > image->length)
crop_length = image->length;
@@ -5448,10 +5463,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
else
crop->selections = crop->zones;
- for (i = 0; i < crop->zones; i++)
+ /* Initialize regions iterator i */
+ i = 0;
+ for (int j = 0; j < crop->zones; j++)
{
- seg = crop->zonelist[i].position;
- total = crop->zonelist[i].total;
+ seg = crop->zonelist[j].position;
+ total = crop->zonelist[j].total;
+
+ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
+ if (seg == 0 || total == 0 || seg > total) {
+ continue;
+ }
switch (crop->edge_ref)
{
@@ -5578,10 +5600,13 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
if (dump->outfile != NULL)
dump_info (dump->outfile, dump->format, "", "Zone %d, width: %4d, length: %4d, x1: %4d x2: %4d y1: %4d y2: %4d",
i + 1, (uint32)zwidth, (uint32)zlength,
- crop->regionlist[i].x1, crop->regionlist[i].x2,
- crop->regionlist[i].y1, crop->regionlist[i].y2);
+ crop->regionlist[i].x1, crop->regionlist[i].x2,
+ crop->regionlist[i].y1, crop->regionlist[i].y2);
+ /* increment regions iterator */
+ i++;
}
-
+ /* set number of generated regions out of given zones */
+ crop->selections = i;
return (0);
} /* end getCropOffsets */

226
SPECS/libtiff.spec
View File

@ -1,59 +1,45 @@
Summary: Library of functions for manipulating TIFF format image files
Name: libtiff
Version: 4.0.9
Release: 29%{?dist}
Version: 4.4.0
Release: 12%{?dist}
License: libtiff
Group: System Environment/Libraries
URL: http://www.simplesystems.org/libtiff/
Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/rhel-8.7.0
# Patches were generated by: git format-patch -N --no-signature ...
# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/c9s
# Patches were generated by: git format-patch --no-signature -N ...
Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch
Patch0002: 0002-Fix-Makefile.patch
Patch0003: 0003-CVE-2018-5784-Fix-for-bug-2772.patch
Patch0004: 0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch
Patch0005: 0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch
Patch0006: 0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch
Patch0007: 0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch
Patch0008: 0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch
Patch0009: 0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch
Patch0010: 0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch
Patch0011: 0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch
Patch0012: 0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch
Patch0013: 0013-bz1602597-Fix-two-resource-leaks.patch
Patch0014: 0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch
Patch0015: 0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch
Patch0016: 0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch
Patch0017: 0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch
Patch0018: 0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch
Patch0019: 0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch
Patch0020: 0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch
Patch0021: 0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch
Patch0022: 0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch
Patch0023: 0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch
Patch0024: 0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch
Patch0025: 0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch
Patch0026: 0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch
Patch0027: 0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
Patch0028: 0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch
Patch0029: 0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch
Patch0030: 0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch
Patch0031: 0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch
Patch0032: 0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch
Patch0033: 0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch
Patch0034: 0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch
Patch0035: 0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch
Patch0036: 0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
Patch0037: 0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch
Patch0038: 0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
Patch0003: 0003-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch
Patch0004: 0004-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-According-.patch
Patch0005: 0005-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-tiffcrop-S.patch
Patch0006: 0006-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch
Patch0007: 0007-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch
Patch0008: 0008-CVE-2022-3570-CVE-2022-3598-tiffcrop-subroutines-req.patch
Patch0009: 0009-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
Patch0010: 0010-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch
# CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
Patch0011: 0011-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
# Related to Patch0013
Patch0012: 0012-Merge-branch-tiffcrop_correctly_update_buffersize_af.patch
# CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
Patch0013: 0013-CVE-2023-0795-CVE-2023-0796-CVE-2023-0797-CVE-2023-0.patch
Patch0014: 0014-CVE-2023-2731-LZWDecode-avoid-crash-when-trying-to-r.patch
Patch0015: 0015-CVE-2023-26965-tiffcrop-Do-not-reuse-input-buffer-fo.patch
Patch0016: 0016-CVE-2023-3316-TIFFClose-avoid-NULL-pointer-dereferen.patch
Patch0017: 0017-CVE-2023-26966-tif_luv-Check-and-correct-for-NaN-dat.patch
Patch0018: 0018-CVE-2023-3576-Fix-memory-leak-in-tiffcrop.c.patch
Patch0019: 0019-CVE-2023-40090-Improved-IFD-Loop-Handling-fixes-455.patch
Patch0020: 0020-CVE-2023-3618-tiffcrop-fix-553-by-considering-error-.patch
Patch0021: 0021-CVE-2023-40745-CVE-2023-41175-raw2tiff-fix-integer-o.patch
Patch0022: 0022-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel
BuildRequires: libtool automake autoconf pkgconfig
BuildRequires: make
%description
The libtiff package contains a library of functions for manipulating
@ -66,9 +52,8 @@ format image files.
%package devel
Summary: Development tools for programs which will use the libtiff library
Group: Development/Libraries
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: pkgconfig%{?_isa}
Requires: pkgconfig
%description devel
This package contains the header files and documentation necessary for
@ -81,7 +66,6 @@ install the libtiff package.
%package static
Summary: Static TIFF image format file library
Group: Development/Libraries
Requires: %{name}-devel%{?_isa} = %{version}-%{release}
%description static
@ -91,7 +75,6 @@ necessary for some boot packages.
%package tools
Summary: Command-line utility programs for manipulating TIFF files
Group: Development/Libraries
Requires: %{name}%{?_isa} = %{version}-%{release}
%description tools
@ -113,10 +96,10 @@ autoheader
%build
export CFLAGS="%{optflags} -fno-strict-aliasing"
%configure --enable-ld-version-script
make %{?_smp_mflags}
%make_build
%install
make DESTDIR=$RPM_BUILD_ROOT install
%make_install
# remove what we didn't want installed
rm $RPM_BUILD_ROOT%{_libdir}/*.la
@ -183,7 +166,8 @@ LD_LIBRARY_PATH=$PWD:$LD_LIBRARY_PATH make check
find html -name 'Makefile*' | xargs rm
%files
%doc COPYRIGHT README RELEASE-DATE VERSION
%license COPYRIGHT
%doc README.md RELEASE-DATE VERSION
%{_libdir}/libtiff.so.*
%{_libdir}/libtiffxx.so.*
@ -203,78 +187,122 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/*
%changelog
* Tue Aug 08 2023 Matej Mužila <mmuzila@redhat.com> - 4.0.9-29
* Thu Nov 23 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-12
- Fix CVE-2023-6228
- Resolves: RHEL-10084
* Wed Oct 04 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-11
- Fix CVE-2023-40090 CVE-2023-3618 CVE-2023-40745 CVE-2023-41175
- Resolves: RHEL-5458 RHEL-5455 RHEL-5405 RHEL-5450
* Tue Aug 08 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-10
- Fix CVE-2023-26965 CVE-2023-3316 CVE-2023-26966 CVE-2023-3576
- Resolves: CVE-2023-26965 CVE-2023-3316 CVE-2023-26966 CVE-2023-3576
* Thu Jun 08 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-9
- Fix CVE-2023-2731
- Resolves: CVE-2023-2731
* Tue Mar 21 2023 Matej Mužila <mmuzila@redhat.com> - 4.4.0-8
- Fix CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
- Resolves: RHEL-5075 RHEL-5078 RHEL-5079 RHEL-5080 RHEL-5081
CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
CVE-2022-48281
- Resolves: CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803
CVE-2023-0804 CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798
CVE-2023-0799 CVE-2022-48281
* Tue May 16 2023 Matej Mužila <mmuzila@redhat.com> - 4.0.9-28
- Fix CVE-2022-48281
- Resolves: CVE-2022-48281
* Tue Dec 06 2022 Matej Mužila <mmuzila@redhat.com> - 4.4.0-7
- Fix CVE-2022-3970
- Resolves: CVE-2022-3970
* Mon Jan 16 2023 Matej Mužila <mmuzila@redhat.com> - 4.0.9-27
- Fix various CVEs
- Resolves: CVE-2022-3627 CVE-2022-3970
* Mon Dec 05 2022 Matej Mužila <mmuzila@redhat.com> - 4.4.0-6
- Fix CVE-2022-3597 CVE-2022-3626 CVE-2022-3599 CVE-2022-3570 CVE-2022-3598
CVE-2022-3627
- Resolves: CVE-2022-3597 CVE-2022-3626 CVE-2022-3599 CVE-2022-3570
CVE-2022-3598 CVE-2022-3627
* Mon Oct 24 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-26
- Fix various CVEs
- Resolves: CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953
* Mon Oct 24 2022 Matej Mužila <mmuzila@redhat.com> - 4.4.0-5
- Bump release
- Resolves: CVE-2022-2953
* Tue Sep 06 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-25
- Fix CVE-2022-2867 (#2118857)
- Fix CVE-2022-2868 (#2118882)
- Fix CVE-2022-2869 (#2118878)
* Tue Oct 11 2022 Matej Mužila <mmuzila@redhat.com> - 4.4.0-4
- Resolves: CVE-2022-2519 CVE-2022-2520 CVE-2022-2521
* Mon Jul 18 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-24
* Mon Jul 18 2022 Matej Mužila <mmuzila@redhat.com> 4.4.0-3
- Fix CVE-2022-2056 CVE-2022-2057 CVE-2022-2058
- Resolves: #2103222
- Resolves: #2106768
* Thu May 12 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-23
- Fix various CVEs
* Wed Jun 15 2022 Matej Mužila <mmuzila@redhat.com> 4.4.0-2
- Update to version 4.4.0
- Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865
CVE-2022-0891 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-1355
CVE-2022-0891 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-1354
CVE-2022-1355
* Wed Sep 29 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-21
- Fix CVE-2020-19131 (#2006535)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 4.2.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Apr 29 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-20
- Rebuild for fixed binutils (#1954437)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 4.2.0-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Apr 09 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-19
- Fix CVE-2020-35521 (#1945539)
- Fix CVE-2020-35522 (#1945555)
- Fix CVE-2020-35523 (#1945542)
- Fix CVE-2020-35524 (#1945546)
* Tue Feb 02 2021 Nikola Forró <nforro@redhat.com> - 4.2.0-1
- New upstream release 4.2.0 (#1909412)
* Thu Feb 20 2020 Nikola Forró <nforro@redhat.com> - 4.0.9-18
- Fix CVE-2019-17546 (#1771372)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Nov 28 2019 Nikola Forró <nforro@redhat.com> - 4.0.9-17
- Add upstream test suite and enable it in gating
* Mon Jan 04 2021 Nikola Forró <nforro@redhat.com> - 4.1.0-6
- Build with ZSTD and WEBP support (#1911969)
* Wed Nov 27 2019 Nikola Forró <nforro@redhat.com> - 4.0.9-16
- Fix CVE-2019-14973 (#1755705)
* Mon Nov 02 2020 Nikola Forró <nforro@redhat.com> - 4.1.0-5
- Remove libtiff-devel dependency on arch-specific pkgconfig
* Wed Jun 12 2019 Nikola Forró <nforro@redhat.com> - 4.0.9-15
- Fix DIVIDE_BY_ZERO in patch for CVE-2018-12900 (#1595579)
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Jun 06 2019 Nikola Forró <nforro@redhat.com> - 4.0.9-14
- Fix CVE-2018-12900 (#1595579)
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 4.1.0-3
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Thu Dec 13 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-13
- Fix compiler warning introduced by patch for CVE-2018-18661
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.1.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Nov 14 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-12
- Fix CVE-2018-18557 (#1647738) and CVE-2018-18661 (#1644452)
* Tue Nov 05 2019 Nikola Forró <nforro@redhat.com> - 4.1.0-1
- New upstream version libtiff-4.1.0 (#1768276)
* Mon Oct 15 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-11
- Fix important Covscan defects (#1602597)
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.10-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Oct 15 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-10
- Fix CVE-2018-17100 (#1631073)
* Wed Jun 12 2019 Nikola Forró <nforro@redhat.com> - 4.0.10-5
- Fix CVE-2018-19210 (#1649387)
* Fri Feb 15 2019 Nikola Forró <nforro@redhat.com> - 4.0.10-4
- Fix CVE-2019-7663 (#1677529)
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Jan 30 2019 Nikola Forró <nforro@redhat.com> - 4.0.10-2
- Fix CVE-2019-6128 (#1667124)
* Wed Nov 14 2018 Nikola Forró <nforro@redhat.com> - 4.0.10-1
- New upstream version libtiff-4.0.10
* Thu Oct 11 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-13
- Fix CVE-2018-17100 (#1631070) and CVE-2018-17101 (#1631079)
* Thu Oct 11 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-12
- Fix CVE-2018-10779 (#1577316)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.9-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jun 06 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-10
- Fix CVE-2017-11613 (#1475531)
* Wed May 30 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-9
- Fix CVE-2017-9935, CVE-2017-18013, CVE-2018-8905 (#1559708)
and CVE-2018-10963 (#1579060)
- Fix CVE-2017-9935, CVE-2017-18013 (#1530441),
CVE-2018-8905 (#1559705) and CVE-2018-10963 (#1579061)
* Tue Apr 17 2018 Nikola Forró <nforro@redhat.com> - 4.0.9-8
- Fix CVE-2018-7456 (#1556709)