Compare commits

...

No commits in common. "c8" and "imports/c8s/libtiff-4.0.9-23.el8" have entirely different histories.

45 changed files with 89 additions and 1566 deletions

View File

@ -38,3 +38,6 @@ index 2052487c..227f228f 100644
LIBTIFF = $(top_builddir)/libtiff/libtiff.la LIBTIFF = $(top_builddir)/libtiff/libtiff.la
--
2.34.1

View File

@ -19,3 +19,6 @@ index 3ed00d44..8a64925a 100644
tiffinfo.1.html \ tiffinfo.1.html \
tiffmedian.1.html \ tiffmedian.1.html \
tiffset.1.html \ tiffset.1.html \
--
2.34.1

View File

@ -125,3 +125,6 @@ index c69177e0..c60cb389 100644
if (image_count == 0) if (image_count == 0)
{ {
dirnum = 0; dirnum = 0;
--
2.34.1

View File

@ -168,3 +168,6 @@ index 24d4b98a..10a588ea 100644
fprintf(fd, " %5u", fprintf(fd, " %5u",
td->td_transferfunction[i][l]); td->td_transferfunction[i][l]);
fputc('\n', fd); fputc('\n', fd);
--
2.34.1

View File

@ -150,3 +150,6 @@ index bdb91262..ef5d6a01 100644
t2p->tiff_transferfunctioncount=3; t2p->tiff_transferfunctioncount=3;
} else { } else {
t2p->tiff_transferfunctioncount=1; t2p->tiff_transferfunctioncount=1;
--
2.34.1

View File

@ -56,3 +56,6 @@ index ef5d6a01..bd23c9e5 100644
) { ) {
t2p->tiff_transferfunctioncount=3; t2p->tiff_transferfunctioncount=3;
} else { } else {
--
2.34.1

View File

@ -32,3 +32,6 @@ index 10a588ea..b9b53a0f 100644
#endif #endif
} }
} }
--
2.34.1

View File

@ -50,3 +50,6 @@ index bc8f9c84..186ea3ca 100644
} else { } else {
*op++ = (char)code; *op++ = (char)code;
occ--; occ--;
--
2.34.1

View File

@ -27,3 +27,6 @@ index c68d6d21..5d0a6699 100644
} }
} }
} }
--
2.34.1

View File

@ -36,3 +36,6 @@ index 91415e96..81ffa3db 100644
} }
int int
--
2.34.1

View File

@ -105,3 +105,6 @@ index 2ba985a7..04100f4d 100644
#else #else
whole_strip = 1; whole_strip = 1;
#endif #endif
--
2.34.1

View File

@ -117,3 +117,6 @@ index c60cb389..3862b1ca 100644
#define TRUE 1 #define TRUE 1
#define FALSE 0 #define FALSE 0
--
2.34.1

View File

@ -38,3 +38,6 @@ index bd23c9e5..ff7b9c22 100644
t2p->t2p_error = T2P_ERR_ERROR; t2p->t2p_error = T2P_ERR_ERROR;
return(0); return(0);
} }
--
2.34.1

View File

@ -45,3 +45,6 @@ index 489459a7..96f14728 100644
tilebuf = _TIFFmalloc(tilesize); tilebuf = _TIFFmalloc(tilesize);
if (tilebuf == 0) if (tilebuf == 0)
return 0; return 0;
--
2.34.1

View File

@ -421,3 +421,6 @@ index 08e5dc44..d4b86314 100644
extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*); extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*); extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
--
2.34.1

View File

@ -100,3 +100,6 @@ index ec09feaf..c6edd27c 100644
&& img->stoponerr) && img->stoponerr)
{ {
ret = 0; ret = 0;
--
2.34.1

View File

@ -84,3 +84,6 @@ index 4de96aec..e6de2209 100644
NULL NULL
}; };
--
2.34.1

View File

@ -48,3 +48,6 @@ index c6edd27c..b1f7cc95 100644
} }
/* /*
--
2.34.1

View File

@ -36,3 +36,6 @@ index ff7b9c22..a5db1f64 100644
} }
if (k == 0) { if (k == 0) {
/* Assume we had overflow inside TIFFScanlineSize */ /* Assume we had overflow inside TIFFScanlineSize */
--
2.34.1

View File

@ -87,3 +87,6 @@ index 3862b1ca..a6129148 100644
{ {
*src = ~(*src); *src = ~(*src);
src++; src++;
--
2.34.1

View File

@ -25,3 +25,6 @@ index 80aaf8d1..1e6f1c2f 100644
_TIFFfree(data); _TIFFfree(data);
data=resizeddata; data=resizeddata;
} }
--
2.34.1

View File

@ -23,3 +23,6 @@ index 1e6f1c2f..d68aecc5 100644
_TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
_TIFFfree(new_sampleinfo); _TIFFfree(new_sampleinfo);
} }
--
2.34.1

View File

@ -34,3 +34,6 @@ index 894c9f1f..e4b0d49f 100644
} else if (TIFFFieldWriteCount(fip) > 0 } else if (TIFFFieldWriteCount(fip) > 0
|| TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
int ret = 1; int ret = 1;
--
2.34.1

View File

@ -31,3 +31,6 @@ index 8136c77b..698428f0 100644
/* Setup the function pointers for encode, decode, and cleanup. */ /* Setup the function pointers for encode, decode, and cleanup. */
tif->tif_setupdecode = JBIGSetupDecode; tif->tif_setupdecode = JBIGSetupDecode;
--
2.34.1

View File

@ -196,3 +196,6 @@ index a6129148..83cf80ad 100644
/* allocate a buffer if we don't have one already */ /* allocate a buffer if we don't have one already */
if (createImageSection(sectsize, sect_buff_ptr)) if (createImageSection(sectsize, sect_buff_ptr))
{ {
--
2.34.1

View File

@ -49,3 +49,6 @@ index 96f14728..d5f1d248 100644
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
TIFFError(TIFFFileName(out), TIFFError(TIFFFileName(out),
"Error, can't write strip %u", "Error, can't write strip %u",
--
2.34.1

View File

@ -28,3 +28,6 @@ index c36a5f3f..f126f2aa 100644
goto badvaluedouble; goto badvaluedouble;
td->td_yresolution = TIFFClampDoubleToFloat( dblval ); td->td_yresolution = TIFFClampDoubleToFloat( dblval );
break; break;
--
2.34.1

View File

@ -25,3 +25,6 @@ index d68aecc5..b72e6a3b 100644
o[(uint32)dp->tdir_count]=0; o[(uint32)dp->tdir_count]=0;
if (data!=0) if (data!=0)
_TIFFfree(data); _TIFFfree(data);
--
2.34.1

View File

@ -53,3 +53,6 @@ index d5f1d248..fb98bd57 100644
break; break;
case 'x': case 'x':
pageInSeq = 1; pageInSeq = 1;
--
2.34.1

View File

@ -1,161 +0,0 @@
From 9ed8c91366c9f6a3c9068aee6c5a7a0fe1c5c9c8 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Tue, 12 Feb 2019 16:04:28 +0100
Subject: [PATCH] move _TIFFClampDoubleToFloat() to tif_aux.c
the same function was declared in tif_dir.c and tif_dirwrite.c
see http://bugzilla.maptools.org/show_bug.cgi?id=2842
(cherry picked from commit 8420a31e8ca5181ca36580cfeeca28661b348262)
---
libtiff/tif_aux.c | 10 ++++++++++
libtiff/tif_dir.c | 20 +++++---------------
libtiff/tif_dirwrite.c | 12 +-----------
libtiff/tiffiop.h | 2 ++
4 files changed, 18 insertions(+), 26 deletions(-)
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
index 38a98b67..2071d19c 100644
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -32,6 +32,7 @@
#include "tiffiop.h"
#include "tif_predict.h"
#include <math.h>
+#include <float.h>
uint32
_TIFFMultiply32(TIFF* tif, uint32 first, uint32 second, const char* where)
@@ -398,6 +399,15 @@ _TIFFUInt64ToDouble(uint64 ui64)
}
}
+float _TIFFClampDoubleToFloat( double val )
+{
+ if( val > FLT_MAX )
+ return FLT_MAX;
+ if( val < -FLT_MAX )
+ return -FLT_MAX;
+ return (float)val;
+}
+
int _TIFFSeekOK(TIFF* tif, toff_t off)
{
/* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index f126f2aa..ad550c65 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -31,7 +31,6 @@
* (and also some miscellaneous stuff)
*/
#include "tiffiop.h"
-#include <float.h>
/*
* These are used in the backwards compatibility code...
@@ -155,15 +154,6 @@ bad:
return (0);
}
-static float TIFFClampDoubleToFloat( double val )
-{
- if( val > FLT_MAX )
- return FLT_MAX;
- if( val < -FLT_MAX )
- return -FLT_MAX;
- return (float)val;
-}
-
static int
_TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
{
@@ -322,13 +312,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
dblval = va_arg(ap, double);
if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
- td->td_xresolution = TIFFClampDoubleToFloat( dblval );
+ td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
break;
case TIFFTAG_YRESOLUTION:
dblval = va_arg(ap, double);
if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
- td->td_yresolution = TIFFClampDoubleToFloat( dblval );
+ td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
break;
case TIFFTAG_PLANARCONFIG:
v = (uint16) va_arg(ap, uint16_vap);
@@ -337,10 +327,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
td->td_planarconfig = (uint16) v;
break;
case TIFFTAG_XPOSITION:
- td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ td->td_xposition = _TIFFClampDoubleToFloat( va_arg(ap, double) );
break;
case TIFFTAG_YPOSITION:
- td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
+ td->td_yposition = _TIFFClampDoubleToFloat( va_arg(ap, double) );
break;
case TIFFTAG_RESOLUTIONUNIT:
v = (uint16) va_arg(ap, uint16_vap);
@@ -686,7 +676,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
case TIFF_SRATIONAL:
case TIFF_FLOAT:
{
- float v2 = TIFFClampDoubleToFloat(va_arg(ap, double));
+ float v2 = _TIFFClampDoubleToFloat(va_arg(ap, double));
_TIFFmemcpy(val, &v2, tv_size);
}
break;
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 5d0a6699..03a9f296 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -30,7 +30,6 @@
* Directory Write Support Routines.
*/
#include "tiffiop.h"
-#include <float.h>
#ifdef HAVE_IEEEFP
#define TIFFCvtNativeToIEEEFloat(tif, n, fp)
@@ -948,15 +947,6 @@ bad:
return(0);
}
-static float TIFFClampDoubleToFloat( double val )
-{
- if( val > FLT_MAX )
- return FLT_MAX;
- if( val < -FLT_MAX )
- return -FLT_MAX;
- return (float)val;
-}
-
static int8 TIFFClampDoubleToInt8( double val )
{
if( val > 127 )
@@ -1031,7 +1021,7 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di
if (tif->tif_dir.td_bitspersample<=32)
{
for (i = 0; i < count; ++i)
- ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
+ ((float*)conv)[i] = _TIFFClampDoubleToFloat(value[i]);
ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
}
else
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index d4b86314..05ba735b 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -377,6 +377,8 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
extern double _TIFFUInt64ToDouble(uint64);
extern float _TIFFUInt64ToFloat(uint64);
+extern float _TIFFClampDoubleToFloat(double);
+
extern tmsize_t
_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
void **buf, tmsize_t bufsizetoalloc,

View File

@ -1,179 +0,0 @@
From fddff26550de7a5ea9735649a74aa3829e461ae5 Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Sat, 11 Jun 2022 09:31:43 +0000
Subject: [PATCH] (CVE-2022-2056 CVE-2022-2057 CVE-2022-2058) fix the FPE in
tiffcrop (#415, #427, and #428)
(cherry picked from commit dd1bcc7abb26094e93636e85520f0d8f81ab0fab)
---
libtiff/tif_aux.c | 9 +++++++
libtiff/tiffiop.h | 1 +
tools/tiffcrop.c | 62 ++++++++++++++++++++++++++---------------------
3 files changed, 44 insertions(+), 28 deletions(-)
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
index 2071d19c..4d1869b4 100644
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -408,6 +408,15 @@ float _TIFFClampDoubleToFloat( double val )
return (float)val;
}
+uint32 _TIFFClampDoubleToUInt32(double val)
+{
+ if( val < 0 )
+ return 0;
+ if( val > 0xFFFFFFFFU || val != val )
+ return 0xFFFFFFFFU;
+ return (uint32)val;
+}
+
int _TIFFSeekOK(TIFF* tif, toff_t off)
{
/* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index 05ba735b..5b106e03 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -378,6 +378,7 @@ extern double _TIFFUInt64ToDouble(uint64);
extern float _TIFFUInt64ToFloat(uint64);
extern float _TIFFClampDoubleToFloat(double);
+extern uint32 _TIFFClampDoubleToUInt32(double);
extern tmsize_t
_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 83cf80ad..ea0b98be 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5140,17 +5140,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
{
- x1 = (uint32) (crop->corners[i].X1 * scale * xres);
- x2 = (uint32) (crop->corners[i].X2 * scale * xres);
- y1 = (uint32) (crop->corners[i].Y1 * scale * yres);
- y2 = (uint32) (crop->corners[i].Y2 * scale * yres);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
}
else
{
- x1 = (uint32) (crop->corners[i].X1);
- x2 = (uint32) (crop->corners[i].X2);
- y1 = (uint32) (crop->corners[i].Y1);
- y2 = (uint32) (crop->corners[i].Y2);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
}
if (x1 < 1)
crop->regionlist[i].x1 = 0;
@@ -5213,17 +5213,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{ /* User has specified pixels as reference unit */
- tmargin = (uint32)(crop->margins[0]);
- lmargin = (uint32)(crop->margins[1]);
- bmargin = (uint32)(crop->margins[2]);
- rmargin = (uint32)(crop->margins[3]);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
}
else
{ /* inches or centimeters specified */
- tmargin = (uint32)(crop->margins[0] * scale * yres);
- lmargin = (uint32)(crop->margins[1] * scale * xres);
- bmargin = (uint32)(crop->margins[2] * scale * yres);
- rmargin = (uint32)(crop->margins[3] * scale * xres);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
}
if ((lmargin + rmargin) > image->width)
@@ -5253,24 +5253,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32)crop->width;
+ width = _TIFFClampDoubleToUInt32(crop->width);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32)crop->length;
+ length = _TIFFClampDoubleToUInt32(crop->length);
else
length = image->length - tmargin - bmargin;
}
else
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32)(crop->width * scale * image->xres);
+ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32)(crop->length * scale * image->yres);
+ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
else
length = image->length - tmargin - bmargin;
}
@@ -5669,13 +5669,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
{ /* inches or centimeters specified */
- hmargin = (uint32)(page->hmargin * scale * page->hres * ((image->bps + 7)/ 8));
- vmargin = (uint32)(page->vmargin * scale * page->vres * ((image->bps + 7)/ 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
}
else
{ /* Otherwise user has specified pixels as reference unit */
- hmargin = (uint32)(page->hmargin * scale * ((image->bps + 7)/ 8));
- vmargin = (uint32)(page->vmargin * scale * ((image->bps + 7)/ 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
}
if ((hmargin * 2.0) > (pwidth * page->hres))
@@ -5713,13 +5713,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->mode & PAGE_MODE_PAPERSIZE )
{
- owidth = (uint32)((pwidth * page->hres) - (hmargin * 2));
- olength = (uint32)((plength * page->vres) - (vmargin * 2));
+ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
+ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
}
else
{
- owidth = (uint32)(iwidth - (hmargin * 2 * page->hres));
- olength = (uint32)(ilength - (vmargin * 2 * page->vres));
+ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
+ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
}
}
@@ -5728,6 +5728,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
if (olength > ilength)
olength = ilength;
+ if (owidth == 0 || olength == 0)
+ {
+ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
+ exit(EXIT_FAILURE);
+ }
+
/* Compute the number of pages required for Portrait or Landscape */
switch (page->orient)
{

View File

@ -1,161 +0,0 @@
From 5d214a07db3bb8dcea8354d8f1e52f9c46264acb Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Wed, 9 Feb 2022 21:31:29 +0000
Subject: [PATCH] (CVE-2022-2867 CVE-2022-2868) tiffcrop.c: Fix issue #352
heap-buffer-overflow by correcting uint32_t underflow.
(cherry picked from commit 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c)
---
tools/tiffcrop.c | 81 +++++++++++++++++++++++++++++++-----------------
1 file changed, 53 insertions(+), 28 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index ea0b98be..5801b8f6 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5152,29 +5152,45 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
}
- if (x1 < 1)
- crop->regionlist[i].x1 = 0;
- else
- crop->regionlist[i].x1 = (uint32) (x1 - 1);
+ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
+ * b) Corners are expected to be submitted as top-left to bottom-right.
+ * Therefore, check that and reorder input.
+ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
+ */
+ uint32 aux;
+ if (x1 > x2) {
+ aux = x1;
+ x1 = x2;
+ x2 = aux;
+ }
+ if (y1 > y2) {
+ aux = y1;
+ y1 = y2;
+ y2 = aux;
+ }
+ if (x1 > image->width - 1)
+ crop->regionlist[i].x1 = image->width - 1;
+ else if (x1 > 0)
+ crop->regionlist[i].x1 = (uint32)(x1 - 1);
if (x2 > image->width - 1)
crop->regionlist[i].x2 = image->width - 1;
- else
- crop->regionlist[i].x2 = (uint32) (x2 - 1);
- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ else if (x2 > 0)
+ crop->regionlist[i].x2 = (uint32)(x2 - 1);
- if (y1 < 1)
- crop->regionlist[i].y1 = 0;
- else
- crop->regionlist[i].y1 = (uint32) (y1 - 1);
+ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+
+ if (y1 > image->length - 1)
+ crop->regionlist[i].y1 = image->length - 1;
+ else if (y1 > 0)
+ crop->regionlist[i].y1 = (uint32)(y1 - 1);
if (y2 > image->length - 1)
crop->regionlist[i].y2 = image->length - 1;
- else
- crop->regionlist[i].y2 = (uint32) (y2 - 1);
-
- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ else if (y2 > 0)
+ crop->regionlist[i].y2 = (uint32)(y2 - 1);
+ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
if (zwidth > max_width)
max_width = zwidth;
if (zlength > max_length)
@@ -5204,7 +5220,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
}
}
return (0);
- }
+ } /* crop_mode == CROP_REGIONS */
/* Convert crop margins into offsets into image
* Margins are expressed as pixel rows and columns, not bytes
@@ -5240,7 +5256,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
bmargin = (uint32) 0;
return (-1);
}
- }
+ } /* crop_mode == CROP_MARGINS */
else
{ /* no margins requested */
tmargin = (uint32) 0;
@@ -5331,24 +5347,23 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
off->endx = endx;
off->endy = endy;
- crop_width = endx - startx + 1;
- crop_length = endy - starty + 1;
-
- if (crop_width <= 0)
+ if (endx + 1 <= startx)
{
TIFFError("computeInputPixelOffsets",
"Invalid left/right margins and /or image crop width requested");
return (-1);
}
+ crop_width = endx - startx + 1;
if (crop_width > image->width)
crop_width = image->width;
- if (crop_length <= 0)
+ if (endy + 1 <= starty)
{
TIFFError("computeInputPixelOffsets",
"Invalid top/bottom margins and /or image crop length requested");
return (-1);
}
+ crop_length = endy - starty + 1;
if (crop_length > image->length)
crop_length = image->length;
@@ -5448,10 +5463,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
else
crop->selections = crop->zones;
- for (i = 0; i < crop->zones; i++)
+ /* Initialize regions iterator i */
+ i = 0;
+ for (int j = 0; j < crop->zones; j++)
{
- seg = crop->zonelist[i].position;
- total = crop->zonelist[i].total;
+ seg = crop->zonelist[j].position;
+ total = crop->zonelist[j].total;
+
+ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
+ if (seg == 0 || total == 0 || seg > total) {
+ continue;
+ }
switch (crop->edge_ref)
{
@@ -5578,10 +5600,13 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
if (dump->outfile != NULL)
dump_info (dump->outfile, dump->format, "", "Zone %d, width: %4d, length: %4d, x1: %4d x2: %4d y1: %4d y2: %4d",
i + 1, (uint32)zwidth, (uint32)zlength,
- crop->regionlist[i].x1, crop->regionlist[i].x2,
- crop->regionlist[i].y1, crop->regionlist[i].y2);
+ crop->regionlist[i].x1, crop->regionlist[i].x2,
+ crop->regionlist[i].y1, crop->regionlist[i].y2);
+ /* increment regions iterator */
+ i++;
}
-
+ /* set number of generated regions out of given zones */
+ crop->selections = i;
return (0);
} /* end getCropOffsets */

View File

@ -1,92 +0,0 @@
From d26748dd8fb90b0af8c9344615f65d273dc66f93 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Mon, 15 Aug 2022 22:11:03 +0200
Subject: [PATCH] =?UTF-8?q?(CVE-2022-2519=20CVE-2022-2520=20CVE-2022-2521?=
=?UTF-8?q?=20CVE-2022-2953)=20According=20to=20Richard=20Nolde=20https://?=
=?UTF-8?q?gitlab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the?=
=?UTF-8?q?=20tiffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutua?=
=?UTF-8?q?lly=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),?=
=?UTF-8?q?=20-Z=20and=20-z.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is now checked and ends tiffcrop if those arguments are not mutually exclusive.
This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
(cherry picked from commit 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf)
---
tools/tiffcrop.c | 31 +++++++++++++++++++++++--------
1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 5801b8f6..27e6f81c 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -104,7 +104,10 @@
* includes annotations for image parameters and scanline info. Level
* selects which functions dump data, with higher numbers selecting
* lower level, scanline level routines. Debug reports a limited set
- * of messages to monitor progess without enabling dump logs.
+ * of messages to monitor progress without enabling dump logs.
+ *
+ * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
+ * In no case should the options be applied to a given selection successively.
*/
static char tiffcrop_version_id[] = "2.4";
@@ -177,12 +180,12 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
#define ROTATECW_270 32
#define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
-#define CROP_NONE 0
-#define CROP_MARGINS 1
-#define CROP_WIDTH 2
-#define CROP_LENGTH 4
-#define CROP_ZONES 8
-#define CROP_REGIONS 16
+#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
+#define CROP_MARGINS 1 /* "-m" */
+#define CROP_WIDTH 2 /* "-X" */
+#define CROP_LENGTH 4 /* "-Y" */
+#define CROP_ZONES 8 /* "-Z" */
+#define CROP_REGIONS 16 /* "-z" */
#define CROP_ROTATE 32
#define CROP_MIRROR 64
#define CROP_INVERT 128
@@ -320,7 +323,7 @@ struct crop_mask {
#define PAGE_MODE_RESOLUTION 1
#define PAGE_MODE_PAPERSIZE 2
#define PAGE_MODE_MARGINS 4
-#define PAGE_MODE_ROWSCOLS 8
+#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
#define INVERT_DATA_ONLY 10
#define INVERT_DATA_AND_TAG 11
@@ -751,6 +754,8 @@ static char* usage_info[] = {
" The four debug/dump options are independent, though it makes little sense to",
" specify a dump file without specifying a detail level.",
" ",
+"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive."
+" ",
NULL
};
@@ -2099,6 +2104,16 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
/*NOTREACHED*/
}
}
+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
+ char XY, Z, R, S;
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
+ Z = (crop_data->crop_mode & CROP_ZONES);
+ R = (crop_data->crop_mode & CROP_REGIONS);
+ S = (page->mode & PAGE_MODE_ROWSCOLS);
+ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
+ exit(EXIT_FAILURE);
+ }
} /* end process_command_opts */
/* Start a new output file if one has not been previously opened or

View File

@ -1,32 +0,0 @@
From 3635844b59578eb572372e7546548ea84c967ba1 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sat, 20 Aug 2022 23:35:26 +0200
Subject: [PATCH] (CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953)
tiffcrop -S option: Make decision simpler.
(cherry picked from commit bad48e90b410df32172006c7876da449ba62cdba)
---
tools/tiffcrop.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 27e6f81c..ff118496 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -2106,11 +2106,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
}
/*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
char XY, Z, R, S;
- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
- Z = (crop_data->crop_mode & CROP_ZONES);
- R = (crop_data->crop_mode & CROP_REGIONS);
- S = (page->mode & PAGE_MODE_ROWSCOLS);
- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
+ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
+ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
+ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
+ if (XY + Z + R + S > 1) {
TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
exit(EXIT_FAILURE);
}

View File

@ -1,97 +0,0 @@
From 84f9ede8075774dd9a10080a9eea9016229adbaa Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Thu, 25 Aug 2022 16:11:41 +0200
Subject: [PATCH] (CVE-2022-3597 CVE-2022-3626 CVE-2022-3627) tiffcrop: disable
incompatibility of -Z, -X, -Y, -z options with any PAGE_MODE_x option (fixes
#411 and #413)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
tiffcrop does not support Z, -z, -X and Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or S.
Code analysis:
With the options Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[].
In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) .
Execution of the else-clause often leads to buffer-overflows.
Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows.
The MR solves issues #411 and #413.
(cherry picked from commit 4746f16253b784287bc8a5003990c1c3b9a03a62)
---
tools/tiffcrop.c | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index ff118496..848b2b49 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -106,9 +106,11 @@
* lower level, scanline level routines. Debug reports a limited set
* of messages to monitor progress without enabling dump logs.
*
- * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
+ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
* In no case should the options be applied to a given selection successively.
- */
+ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
+ */
static char tiffcrop_version_id[] = "2.4";
static char tiffcrop_rev_date[] = "12-13-2010";
@@ -754,7 +756,11 @@ static char* usage_info[] = {
" The four debug/dump options are independent, though it makes little sense to",
" specify a dump file without specifying a detail level.",
" ",
-"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive."
+"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.",
+" In no case should the options be applied to a given selection successively.",
+" ",
+"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options",
+" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.",
" ",
NULL
};
@@ -2111,9 +2117,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
if (XY + Z + R + S > 1) {
- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
exit(EXIT_FAILURE);
}
+
+ /* Check for not allowed combination:
+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
+. */
+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
+ TIFFError("tiffcrop input error",
+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
+ exit(EXIT_FAILURE);
+ }
+
} /* end process_command_opts */
/* Start a new output file if one has not been previously opened or
@@ -2381,6 +2398,7 @@ main(int argc, char* argv[])
exit (-1);
}
+ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */
if (crop.selections > 0)
{
if (processCropSelections(&image, &crop, &read_buff, seg_buffs))
@@ -2397,6 +2415,7 @@ main(int argc, char* argv[])
exit (-1);
}
}
+ /* Format and write selected image parts to output file(s). */
if (page.mode == PAGE_MODE_NONE)
{ /* Whole image or sections not based on output page size */
if (crop.selections > 0)

View File

@ -1,37 +0,0 @@
From a28b2e1b23fc936989dc4bbc857e9a8a851c5ff0 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 8 Nov 2022 15:16:58 +0100
Subject: [PATCH] (CVE-2022-3970) TIFFReadRGBATileExt(): fix (unsigned) integer
overflow on strips/tiles > 2 GB
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
(cherry picked from commit 227500897dfb07fb7d27f7aa570050e62617e3be)
---
libtiff/tif_getimage.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index b1f7cc95..00cd5510 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -3044,15 +3044,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
return( ok );
for( i_row = 0; i_row < read_ysize; i_row++ ) {
- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
- raster + (read_ysize - i_row - 1) * read_xsize,
+ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
read_xsize * sizeof(uint32) );
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
0, sizeof(uint32) * (tile_xsize - read_xsize) );
}
for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
0, sizeof(uint32) * tile_xsize );
}

View File

@ -1,24 +0,0 @@
From 72bbfc1ecd58f7732946719a0aeb2070f056bb6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Tue, 16 May 2023 13:04:55 +0200
Subject: [PATCH] (CVE-2022-48281) tiffcrop: Correct simple copy paste error.
Fix #488.
(cherry picked from commit d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5)
---
tools/tiffcrop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 848b2b49..7f738d91 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7537,7 +7537,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
else
{
- prev_cropsize = seg_buffs[0].size;
+ prev_cropsize = seg_buffs[i].size;
if (prev_cropsize < cropsize)
{
next_buff = _TIFFrealloc(crop_buff, cropsize);

View File

@ -1,128 +0,0 @@
From 73b3f582caa08a976d647537346790b182bbcc10 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 5 Feb 2023 15:53:16 +0000
Subject: [PATCH] (CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803
CVE-2023-0804) tiffcrop: added check for assumption on composite images
(fixes #496)
Closes #501, #500, #498, #497 et #496
See merge request libtiff/libtiff!466
(cherry picked from commit 33aee1275d9d1384791d2206776eb8152d397f00)
---
tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 66 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 7f738d91..77923cf3 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5235,18 +5235,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
crop->regionlist[i].buffsize = buffsize;
crop->bufftotal += buffsize;
+
+ /* For composite images with more than one region, the
+ * combined_length or combined_width always needs to be equal,
+ * respectively.
+ * Otherwise, even the first section/region copy
+ * action might cause buffer overrun. */
if (crop->img_mode == COMPOSITE_IMAGES)
{
switch (crop->edge_ref)
{
case EDGE_LEFT:
case EDGE_RIGHT:
+ if (i > 0 && zlength != crop->combined_length)
+ {
+ TIFFError(
+ "computeInputPixelOffsets",
+ "Only equal length regions can be combined for "
+ "-E left or right");
+ return (-1);
+ }
crop->combined_length = zlength;
crop->combined_width += zwidth;
break;
case EDGE_BOTTOM:
case EDGE_TOP: /* width from left, length from top */
default:
+ if (i > 0 && zwidth != crop->combined_width)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Only equal width regions can be "
+ "combined for -E "
+ "top or bottom");
+ return (-1);
+ }
crop->combined_width = zwidth;
crop->combined_length += zlength;
break;
@@ -6390,6 +6412,46 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
crop->combined_width = 0;
crop->combined_length = 0;
+ /* If there is more than one region, check beforehand whether all the width
+ * and length values of the regions are the same, respectively. */
+ switch (crop->edge_ref)
+ {
+ default:
+ case EDGE_TOP:
+ case EDGE_BOTTOM:
+ for (i = 1; i < crop->selections; i++)
+ {
+ uint32_t crop_width0 =
+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
+ uint32_t crop_width1 =
+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ if (crop_width0 != crop_width1)
+ {
+ TIFFError("extractCompositeRegions",
+ "Only equal width regions can be combined for -E "
+ "top or bottom");
+ return (1);
+ }
+ }
+ break;
+ case EDGE_LEFT:
+ case EDGE_RIGHT:
+ for (i = 1; i < crop->selections; i++)
+ {
+ uint32_t crop_length0 =
+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
+ uint32_t crop_length1 =
+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (crop_length0 != crop_length1)
+ {
+ TIFFError("extractCompositeRegions",
+ "Only equal length regions can be combined for "
+ "-E left or right");
+ return (1);
+ }
+ }
+ }
+
for (i = 0; i < crop->selections; i++)
{
/* rows, columns, width, length are expressed in pixels */
@@ -6414,7 +6476,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
default:
case EDGE_TOP:
case EDGE_BOTTOM:
- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
+ if ((crop->selections > i + 1) &&
+ (crop_width != crop->regionlist[i + 1].width))
{
TIFFError ("extractCompositeRegions",
"Only equal width regions can be combined for -E top or bottom");
@@ -6495,7 +6558,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
break;
case EDGE_LEFT: /* splice the pieces of each row together, side by side */
case EDGE_RIGHT:
- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
+ if ((crop->selections > i + 1) &&
+ (crop_length != crop->regionlist[i + 1].length))
{
TIFFError ("extractCompositeRegions",
"Only equal length regions can be combined for -E left or right");

View File

@ -1,260 +0,0 @@
From 01de2299ed1cf3137235ef8a6657905ef04fc65c Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Tue, 30 Aug 2022 16:56:48 +0200
Subject: [PATCH] (CVE-2022-3599) Revised handling of TIFFTAG_INKNAMES and
related TIFFTAG_NUMBEROFINKS value
In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
Behaviour for writing:
`NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
`NumberOfInks` is automatically set when `InkNames` is set.
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
Behaviour for reading:
When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
(cherry picked from commit f00484b9519df933723deb38fff943dc291a793d)
---
libtiff/tif_dir.c | 118 ++++++++++++++++++++++++-----------------
libtiff/tif_dir.h | 2 +
libtiff/tif_dirinfo.c | 2 +-
libtiff/tif_dirwrite.c | 5 ++
libtiff/tif_print.c | 4 ++
5 files changed, 82 insertions(+), 49 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index ad550c65..cb329fd8 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -125,32 +125,30 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
}
/*
- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
+ * Count ink names separated by \0. Returns
* zero if the ink names are not as expected.
*/
-static uint32
-checkInkNamesString(TIFF* tif, uint32 slen, const char* s)
+static uint16
+countInkNamesString(TIFF *tif, uint32 slen, const char *s)
{
- TIFFDirectory* td = &tif->tif_dir;
- uint16 i = td->td_samplesperpixel;
+ uint16 i = 0;
+ const char *ep = s + slen;
+ const char *cp = s;
if (slen > 0) {
- const char* ep = s+slen;
- const char* cp = s;
- for (; i > 0; i--) {
+ do {
for (; cp < ep && *cp != '\0'; cp++) {}
if (cp >= ep)
goto bad;
cp++; /* skip \0 */
- }
- return ((uint32)(cp-s));
+ i++;
+ } while (cp < ep);
+ return (i);
}
bad:
TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
- "%s: Invalid InkNames value; expecting %d names, found %d",
- tif->tif_name,
- td->td_samplesperpixel,
- td->td_samplesperpixel-i);
+ "%s: Invalid InkNames value; no NUL at given buffer end location %d, after %d ink",
+ tif->tif_name, slen, i);
return (0);
}
@@ -452,13 +450,61 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
_TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
break;
case TIFFTAG_INKNAMES:
- v = (uint16) va_arg(ap, uint16_vap);
- s = va_arg(ap, char*);
- v = checkInkNamesString(tif, v, s);
- status = v > 0;
- if( v > 0 ) {
- _TIFFsetNString(&td->td_inknames, s, v);
- td->td_inknameslen = v;
+ {
+ v = (uint16) va_arg(ap, uint16_vap);
+ s = va_arg(ap, char*);
+ uint16 ninksinstring;
+ ninksinstring = countInkNamesString(tif, v, s);
+ status = ninksinstring > 0;
+ if(ninksinstring > 0 ) {
+ _TIFFsetNString(&td->td_inknames, s, v);
+ td->td_inknameslen = v;
+ /* Set NumberOfInks to the value ninksinstring */
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
+ {
+ if (td->td_numberofinks != ninksinstring) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the number of inks %d.\n -> NumberOfInks value adapted to %d",
+ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
+ td->td_numberofinks = ninksinstring;
+ }
+ } else {
+ td->td_numberofinks = ninksinstring;
+ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
+ }
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
+ {
+ if (td->td_numberofinks != td->td_samplesperpixel) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the SamplesPerPixel value %d",
+ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
+ }
+ }
+ }
+ }
+ break;
+ case TIFFTAG_NUMBEROFINKS:
+ v = (uint16)va_arg(ap, uint16_vap);
+ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
+ if (TIFFFieldSet(tif, FIELD_INKNAMES))
+ {
+ if (v != td->td_numberofinks) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Error %s; Tag %s:\n It is not possible to set the value %d for NumberOfInks\n which is different from the number of inks in the InkNames tag (%d)",
+ tif->tif_name, fip->field_name, v, td->td_numberofinks);
+ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
+ status = 0;
+ }
+ } else {
+ td->td_numberofinks = (uint16)v;
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
+ {
+ if (td->td_numberofinks != td->td_samplesperpixel) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the SamplesPerPixel value %d",
+ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
+ }
+ }
}
break;
case TIFFTAG_PERSAMPLE:
@@ -854,33 +900,6 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
return 0;
- if( tag == TIFFTAG_NUMBEROFINKS )
- {
- int i;
- for (i = 0; i < td->td_customValueCount; i++) {
- uint16 val;
- TIFFTagValue *tv = td->td_customValues + i;
- if (tv->info->field_tag != tag)
- continue;
- if( tv->value == NULL )
- return 0;
- val = *(uint16 *)tv->value;
- /* Truncate to SamplesPerPixel, since the */
- /* setting code for INKNAMES assume that there are SamplesPerPixel */
- /* inknames. */
- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
- if( val > td->td_samplesperpixel )
- {
- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
- "Truncating NumberOfInks from %u to %u",
- val, td->td_samplesperpixel);
- val = td->td_samplesperpixel;
- }
- *va_arg(ap, uint16*) = val;
- return 1;
- }
- return 0;
- }
/*
* We want to force the custom code to be used for custom
@@ -1068,6 +1087,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
case TIFFTAG_INKNAMES:
*va_arg(ap, char**) = td->td_inknames;
break;
+ case TIFFTAG_NUMBEROFINKS:
+ *va_arg(ap, uint16 *) = td->td_numberofinks;
+ break;
default:
{
int i;
diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
index 5a380767..b5881b02 100644
--- a/libtiff/tif_dir.h
+++ b/libtiff/tif_dir.h
@@ -113,6 +113,7 @@ typedef struct {
/* CMYK parameters */
int td_inknameslen;
char* td_inknames;
+ uint16 td_numberofinks; /* number of inks in InkNames string */
int td_customValueCount;
TIFFTagValue *td_customValues;
@@ -168,6 +169,7 @@ typedef struct {
#define FIELD_TRANSFERFUNCTION 44
#define FIELD_INKNAMES 46
#define FIELD_SUBIFD 49
+#define FIELD_NUMBEROFINKS 50
/* FIELD_CUSTOM (see tiffio.h) 65 */
/* end of support for well-known tags; codec-private tags follow */
#define FIELD_CODEC 66 /* base of codec-private tags */
diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
index 4904f540..8bbc8323 100644
--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
@@ -106,7 +106,7 @@ tiffFields[] = {
{ TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
{ TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
{ TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
+ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
{ TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
{ TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
{ TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 03a9f296..994fa57a 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -634,6 +634,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
goto bad;
}
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
+ {
+ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
+ goto bad;
+ }
if (TIFFFieldSet(tif,FIELD_SUBIFD))
{
if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index b9b53a0f..9caba038 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -404,6 +404,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
}
fputs("\n", fd);
}
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
+ fprintf(fd, " NumberOfInks: %d\n",
+ td->td_numberofinks);
+ }
if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
fprintf(fd, " Thresholding: ");
switch (td->td_threshholding) {

View File

@ -1,37 +0,0 @@
From b7bc0d684cee380f7497cb095a115361dbabef71 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@mines-paris.org>
Date: Tue, 13 Mar 2018 14:39:30 +0000
Subject: [PATCH] (CVE-2018-15209) Merge branch
'avoid_memory_exhaustion_in_ChopUpSingleUncompressedStrip' into 'master'
ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)
See merge request libtiff/libtiff!26
(cherry picked from commit 0a2e5e98b353a987ea69985d2283bba569a7e063)
---
libtiff/tif_dirread.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index b72e6a3b..bc1ab083 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5765,6 +5765,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
if( nstrips == 0 )
return;
+ /* If we are going to allocate a lot of memory, make sure that the */
+ /* file is as big as needed */
+ if( tif->tif_mode == O_RDONLY &&
+ nstrips > 1000000 &&
+ (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) ||
+ tif->tif_dir.td_stripbytecount[0] >
+ TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )
+ {
+ return;
+ }
+
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array");
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),

View File

@ -1,172 +0,0 @@
From 83f6ae4cce52cd4feaebf2bc4fc2d5077a10677c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 16 May 2024 14:43:44 +0200
Subject: [PATCH] (CVE-2023-25433) Merge branch
'tiffcrop_correctly_update_buffersize_after_rotate_fix#520' into 'master'
tiffcrop correctly update buffersize after rotateImage() fix#520
Closes #520
See merge request libtiff/libtiff!467
(cherry picked from commit 6366e8f776a0fa0dd476d37b108eecdf42b950f3)
---
tools/tiffcrop.c | 72 ++++++++++++++++++++++++++++++++++++++----------
1 file changed, 58 insertions(+), 14 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 77923cf3..8b761874 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -529,7 +529,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
uint32, uint32, uint8 *, uint8 *);
static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
- unsigned char **);
+ unsigned char **, tsize_t *);
static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
unsigned char *);
static int invertImage(uint16, uint16, uint16, uint32, uint32,
@@ -6358,7 +6358,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
return (-1);
}
- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
+ if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL))
{
TIFFError ("correct_orientation", "Unable to rotate image");
return (-1);
@@ -7578,16 +7578,20 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
+ /* rotateImage() set up a new buffer and calculates its size
+ * individually. Therefore, seg_buffs size needs to be updated
+ * accordingly. */
+
+ tsize_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff))
+ &crop->combined_length, &crop_buff, &rot_buf_size))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %d degrees", crop->rotation);
return (-1);
}
seg_buffs[0].buffer = crop_buff;
- seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
- * image->spp) * crop->combined_length;
+ seg_buffs[0].size = rot_buf_size;
}
}
else /* Separated Images */
@@ -7684,8 +7688,18 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff))
+ /* rotateImage() changes image->width, ->length, ->xres and
+ * ->yres, what it schouldn't do here, when more than one
+ * section is processed. ToDo: Therefore rotateImage() and its
+ * usage has to be reworked (e.g. like mirrorImage()) !!
+ * Furthermore, rotateImage() set up a new buffer and calculates
+ * its size individually. Therefore, seg_buffs size needs to be
+ * updated accordingly. */
+ tsize_t rot_buf_size = 0;
+ if (rotateImage(
+ crop->rotation, image, &crop->regionlist[i].width,
+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %d degrees", crop->rotation);
@@ -7696,8 +7710,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
crop->combined_width = total_width;
crop->combined_length = total_length;
seg_buffs[i].buffer = crop_buff;
- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
- * image->spp) * crop->regionlist[i].length;
+ seg_buffs[i].size = rot_buf_size;
}
}
}
@@ -7813,7 +7826,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr))
+ &crop->combined_length, crop_buff_ptr, NULL))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %d degrees", crop->rotation);
@@ -8476,13 +8489,14 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
/* Rotate an image by a multiple of 90 degrees clockwise */
static int
rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
- uint32 *img_length, unsigned char **ibuff_ptr)
+ uint32 *img_length, unsigned char **ibuff_ptr, tsize_t *rot_buf_size)
{
int shift_width;
uint32 bytes_per_pixel, bytes_per_sample;
uint32 row, rowsize, src_offset, dst_offset;
uint32 i, col, width, length;
- uint32 colsize, buffsize, col_offset, pix_offset;
+ uint32 colsize, col_offset, pix_offset;
+ tmsize_t buffsize;
unsigned char *ibuff;
unsigned char *src;
unsigned char *dst;
@@ -8495,12 +8509,40 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
spp = image->spp;
bps = image->bps;
+ if ((spp != 0 && bps != 0 &&
+ width > (uint32)((UINT32_MAX - 7) / spp / bps)) ||
+ (spp != 0 && bps != 0 &&
+ length > (uint32)((UINT32_MAX - 7) / spp / bps)))
+ {
+ TIFFError("rotateImage", "Integer overflow detected.");
+ return (-1);
+ }
rowsize = ((bps * spp * width) + 7) / 8;
colsize = ((bps * spp * length) + 7) / 8;
if ((colsize * width) > (rowsize * length))
- buffsize = (colsize + 1) * width;
+ {
+ if (((tmsize_t)colsize + 1) != 0 &&
+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - 3) /
+ ((tmsize_t)colsize + 1)))
+ {
+ TIFFError("rotateImage",
+ "Integer overflow when calculating buffer size.");
+ return (-1);
+ }
+ buffsize = ((tmsize_t)colsize + 1) * width;
+ }
else
- buffsize = (rowsize + 1) * length;
+ {
+ if (((tmsize_t)rowsize + 1) != 0 &&
+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - 3) /
+ ((tmsize_t)rowsize + 1)))
+ {
+ TIFFError("rotateImage",
+ "Integer overflow when calculating buffer size.");
+ return (-1);
+ }
+ buffsize = (rowsize + 1) * length;
+ }
bytes_per_sample = (bps + 7) / 8;
bytes_per_pixel = ((bps * spp) + 7) / 8;
@@ -8526,6 +8568,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
return (-1);
}
_TIFFmemset(rbuff, '\0', buffsize);
+ if (rot_buf_size != NULL)
+ *rot_buf_size = buffsize;
ibuff = *ibuff_ptr;
switch (rotation)

View File

@ -1,50 +0,0 @@
From df8410cee20798b1d63c291c1bf106e3a52d59b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
Date: Thu, 16 May 2024 14:54:52 +0200
Subject: [PATCH] (CVE-2023-52356) Merge branch 'fix_622' into 'master'
TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of col/row (fixes #622)
Closes #622
See merge request libtiff/libtiff!546
(cherry picked from commit dfacff5a84d153d7febdfcbcb341b38c1f03b34e)
---
libtiff/tif_getimage.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 00cd5510..4f32b3a4 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -2929,6 +2929,14 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 row, uint32 * raster, int stop_on_error)
if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
+ if (row >= img.height)
+ {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+ "Invalid row passed to TIFFReadRGBAStrip().");
+ TIFFRGBAImageEnd(&img);
+ return (0);
+ }
+
img.row_offset = row;
img.col_offset = 0;
@@ -3004,6 +3012,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
return( 0 );
}
+ if (col >= img.width || row >= img.height)
+ {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+ "Invalid row/col passed to TIFFReadRGBATile().");
+ TIFFRGBAImageEnd(&img);
+ return (0);
+ }
+
/*
* The TIFFRGBAImageGet() function doesn't allow us to get off the
* edge of the image, even to fill an otherwise valid tile. So we

View File

@ -1,30 +0,0 @@
From 32346d49db890969d7de19e8eebff00400280926 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 9 Sep 2023 15:11:42 +0000
Subject: [PATCH] (CVE-2023-6228) Merge branch
'fix_606_tiffcp_check_also_input_compression_codec' into 'master'
tiffcp: Fixes #606. Check also codec of input image, not only from output image.
Closes #606
See merge request libtiff/libtiff!533
(cherry picked from commit 668d2c1a52fa48658bbf69615924b42b5a059f9e)
---
tools/tiffcp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index fb98bd57..81ec6bbd 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -622,6 +622,8 @@ tiffcp(TIFF* in, TIFF* out)
else
CopyField(TIFFTAG_COMPRESSION, compression);
TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
+ if (!TIFFIsCODECConfigured(input_compression))
+ return FALSE;
TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
if (input_compression == COMPRESSION_JPEG) {
/* Force conversion to RGB */

View File

@ -1,46 +0,0 @@
diff -up tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 tiff-4.4.0/libtiff/tif_dirinfo.c
--- tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 2024-08-16 00:35:35.339965778 +0200
+++ tiff-4.4.0/libtiff/tif_dirinfo.c 2024-08-16 00:54:58.255221954 +0200
@@ -824,7 +824,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint
fld = TIFFFindField(tif, tag, dt);
if (fld == NULL) {
fld = _TIFFCreateAnonField(tif, tag, dt);
- if (!_TIFFMergeFields(tif, fld, 1))
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
return NULL;
}
diff -up tiff-4.0.9/libtiff/tif_dirread.c~ tiff-4.0.9/libtiff/tif_dirread.c
--- tiff-4.0.9/libtiff/tif_dirread.c~ 2024-08-29 23:31:19.884308223 +0200
+++ tiff-4.0.9/libtiff/tif_dirread.c 2024-08-29 23:31:19.909308479 +0200
@@ -3667,11 +3667,10 @@ TIFFReadDirectory(TIFF* tif)
dp->tdir_tag,dp->tdir_tag);
/* the following knowingly leaks the
anonymous field structure */
- if (!_TIFFMergeFields(tif,
- _TIFFCreateAnonField(tif,
- dp->tdir_tag,
- (TIFFDataType) dp->tdir_type),
- 1)) {
+ const TIFFField *fld = _TIFFCreateAnonField(
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
TIFFWarningExt(tif->tif_clientdata,
module,
"Registering anonymous field with tag %d (0x%x) failed",
@@ -4392,10 +4391,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_
TIFFWarningExt(tif->tif_clientdata, module,
"Unknown field with tag %d (0x%x) encountered",
dp->tdir_tag, dp->tdir_tag);
- if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
- dp->tdir_tag,
- (TIFFDataType) dp->tdir_type),
- 1)) {
+ const TIFFField *fld = _TIFFCreateAnonField(
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
TIFFWarningExt(tif->tif_clientdata, module,
"Registering anonymous field with tag %d (0x%x) failed",
dp->tdir_tag, dp->tdir_tag);

View File

@ -1,7 +1,7 @@
Summary: Library of functions for manipulating TIFF format image files Summary: Library of functions for manipulating TIFF format image files
Name: libtiff Name: libtiff
Version: 4.0.9 Version: 4.0.9
Release: 33%{?dist} Release: 23%{?dist}
License: libtiff License: libtiff
Group: System Environment/Libraries Group: System Environment/Libraries
URL: http://www.simplesystems.org/libtiff/ URL: http://www.simplesystems.org/libtiff/
@ -10,7 +10,7 @@ Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/rhel-8.7.0 # Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/rhel-8.7.0
# Patches were generated by: git format-patch -N --no-signature ... # Patches were generated by: git format-patch -N ...
Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch
Patch0002: 0002-Fix-Makefile.patch Patch0002: 0002-Fix-Makefile.patch
Patch0003: 0003-CVE-2018-5784-Fix-for-bug-2772.patch Patch0003: 0003-CVE-2018-5784-Fix-for-bug-2772.patch
@ -40,24 +40,7 @@ Patch0026: 0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch
Patch0027: 0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch Patch0027: 0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
Patch0028: 0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch Patch0028: 0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch
Patch0029: 0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch Patch0029: 0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch
Patch0030: 0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch
Patch0031: 0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch
Patch0032: 0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch
Patch0033: 0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch
Patch0034: 0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch
Patch0035: 0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch
Patch0036: 0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
Patch0037: 0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch
Patch0038: 0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
Patch0039: 0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch
Patch0040: 0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch
Patch0041: 0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch
Patch0042: 0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch
Patch0043: 0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
# from upstream, for <=4.6.0, RHEL-52927
# https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779
Patch44: libtiff-4.6.0-CVE-2024-7006.patch
BuildRequires: gcc, gcc-c++ BuildRequires: gcc, gcc-c++
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
@ -211,47 +194,6 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Thu Aug 29 2024 Michal Hlavinka <mhlavink@redhat.com> - 4.0.9-33
- fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52927)
* Thu May 16 2024 Matej Mužila <mmuzila@redhat.com> - 4.0.9-32
- Fix CVE-2023-6228 CVE-2023-52356 CVE-2023-25433 CVE-2018-15209
- Resolves: RHEL-30682 RHEL-30520 RHEL-30474 RHEL-5406
* Fri Jan 05 2024 Matej Mužila <mmuzila@redhat.com> - 4.0.9-31
- Fix CVE-2022-3599 CVE-2022-4645
- Resolves: RHEL-5399
* Thu Sep 21 2023 Ondrej Sloup <osloup@redhat.com> - 4.0.9-30
- Bump specfile to retrigger gating
- Add tests folder for standard beakerlib
- Related: RHEL-4683 RHEL-4685 RHEL-4686 RHEL-4687 RHEL-4688
* Tue Aug 08 2023 Matej Mužila <mmuzila@redhat.com> - 4.0.9-29
- Fix CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
- Resolves: RHEL-4683 RHEL-4685 RHEL-4686 RHEL-4687 RHEL-4688
* Tue May 16 2023 Matej Mužila <mmuzila@redhat.com> - 4.0.9-28
- Fix CVE-2022-48281
- Resolves: CVE-2022-48281
* Mon Jan 16 2023 Matej Mužila <mmuzila@redhat.com> - 4.0.9-27
- Fix various CVEs
- Resolves: CVE-2022-3627 CVE-2022-3970
* Mon Oct 24 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-26
- Fix various CVEs
- Resolves: CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953
* Tue Sep 06 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-25
- Fix CVE-2022-2867 (#2118857)
- Fix CVE-2022-2868 (#2118882)
- Fix CVE-2022-2869 (#2118878)
* Mon Jul 18 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-24
- Fix CVE-2022-2056 CVE-2022-2057 CVE-2022-2058
- Resolves: #2103222
* Thu May 12 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-23 * Thu May 12 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-23
- Fix various CVEs - Fix various CVEs
- Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865 - Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865