Compare commits
No commits in common. "c8" and "c8-beta" have entirely different histories.
@ -1,37 +0,0 @@
|
||||
From b7bc0d684cee380f7497cb095a115361dbabef71 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@mines-paris.org>
|
||||
Date: Tue, 13 Mar 2018 14:39:30 +0000
|
||||
Subject: [PATCH] (CVE-2018-15209) Merge branch
|
||||
'avoid_memory_exhaustion_in_ChopUpSingleUncompressedStrip' into 'master'
|
||||
|
||||
ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)
|
||||
|
||||
See merge request libtiff/libtiff!26
|
||||
|
||||
(cherry picked from commit 0a2e5e98b353a987ea69985d2283bba569a7e063)
|
||||
---
|
||||
libtiff/tif_dirread.c | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||||
index b72e6a3b..bc1ab083 100644
|
||||
--- a/libtiff/tif_dirread.c
|
||||
+++ b/libtiff/tif_dirread.c
|
||||
@@ -5765,6 +5765,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
|
||||
if( nstrips == 0 )
|
||||
return;
|
||||
|
||||
+ /* If we are going to allocate a lot of memory, make sure that the */
|
||||
+ /* file is as big as needed */
|
||||
+ if( tif->tif_mode == O_RDONLY &&
|
||||
+ nstrips > 1000000 &&
|
||||
+ (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) ||
|
||||
+ tif->tif_dir.td_stripbytecount[0] >
|
||||
+ TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )
|
||||
+ {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
|
||||
"for chopped \"StripByteCounts\" array");
|
||||
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
|
||||
@ -1,172 +0,0 @@
|
||||
From 83f6ae4cce52cd4feaebf2bc4fc2d5077a10677c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
||||
Date: Thu, 16 May 2024 14:43:44 +0200
|
||||
Subject: [PATCH] (CVE-2023-25433) Merge branch
|
||||
'tiffcrop_correctly_update_buffersize_after_rotate_fix#520' into 'master'
|
||||
|
||||
tiffcrop correctly update buffersize after rotateImage() fix#520
|
||||
|
||||
Closes #520
|
||||
|
||||
See merge request libtiff/libtiff!467
|
||||
|
||||
(cherry picked from commit 6366e8f776a0fa0dd476d37b108eecdf42b950f3)
|
||||
---
|
||||
tools/tiffcrop.c | 72 ++++++++++++++++++++++++++++++++++++++----------
|
||||
1 file changed, 58 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||
index 77923cf3..8b761874 100644
|
||||
--- a/tools/tiffcrop.c
|
||||
+++ b/tools/tiffcrop.c
|
||||
@@ -529,7 +529,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
|
||||
static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
|
||||
uint32, uint32, uint8 *, uint8 *);
|
||||
static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
|
||||
- unsigned char **);
|
||||
+ unsigned char **, tsize_t *);
|
||||
static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
|
||||
unsigned char *);
|
||||
static int invertImage(uint16, uint16, uint16, uint32, uint32,
|
||||
@@ -6358,7 +6358,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
|
||||
return (-1);
|
||||
}
|
||||
|
||||
- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
|
||||
+ if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL))
|
||||
{
|
||||
TIFFError ("correct_orientation", "Unable to rotate image");
|
||||
return (-1);
|
||||
@@ -7578,16 +7578,20 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
|
||||
|
||||
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
|
||||
{
|
||||
+ /* rotateImage() set up a new buffer and calculates its size
|
||||
+ * individually. Therefore, seg_buffs size needs to be updated
|
||||
+ * accordingly. */
|
||||
+
|
||||
+ tsize_t rot_buf_size = 0;
|
||||
if (rotateImage(crop->rotation, image, &crop->combined_width,
|
||||
- &crop->combined_length, &crop_buff))
|
||||
+ &crop->combined_length, &crop_buff, &rot_buf_size))
|
||||
{
|
||||
TIFFError("processCropSelections",
|
||||
"Failed to rotate composite regions by %d degrees", crop->rotation);
|
||||
return (-1);
|
||||
}
|
||||
seg_buffs[0].buffer = crop_buff;
|
||||
- seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
|
||||
- * image->spp) * crop->combined_length;
|
||||
+ seg_buffs[0].size = rot_buf_size;
|
||||
}
|
||||
}
|
||||
else /* Separated Images */
|
||||
@@ -7684,8 +7688,18 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
|
||||
|
||||
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
|
||||
{
|
||||
- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
|
||||
- &crop->regionlist[i].length, &crop_buff))
|
||||
+ /* rotateImage() changes image->width, ->length, ->xres and
|
||||
+ * ->yres, what it schouldn't do here, when more than one
|
||||
+ * section is processed. ToDo: Therefore rotateImage() and its
|
||||
+ * usage has to be reworked (e.g. like mirrorImage()) !!
|
||||
+ * Furthermore, rotateImage() set up a new buffer and calculates
|
||||
+ * its size individually. Therefore, seg_buffs size needs to be
|
||||
+ * updated accordingly. */
|
||||
+ tsize_t rot_buf_size = 0;
|
||||
+ if (rotateImage(
|
||||
+ crop->rotation, image, &crop->regionlist[i].width,
|
||||
+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
|
||||
+
|
||||
{
|
||||
TIFFError("processCropSelections",
|
||||
"Failed to rotate crop region by %d degrees", crop->rotation);
|
||||
@@ -7696,8 +7710,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
|
||||
crop->combined_width = total_width;
|
||||
crop->combined_length = total_length;
|
||||
seg_buffs[i].buffer = crop_buff;
|
||||
- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
|
||||
- * image->spp) * crop->regionlist[i].length;
|
||||
+ seg_buffs[i].size = rot_buf_size;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -7813,7 +7826,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
|
||||
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
|
||||
{
|
||||
if (rotateImage(crop->rotation, image, &crop->combined_width,
|
||||
- &crop->combined_length, crop_buff_ptr))
|
||||
+ &crop->combined_length, crop_buff_ptr, NULL))
|
||||
{
|
||||
TIFFError("createCroppedImage",
|
||||
"Failed to rotate image or cropped selection by %d degrees", crop->rotation);
|
||||
@@ -8476,13 +8489,14 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
|
||||
/* Rotate an image by a multiple of 90 degrees clockwise */
|
||||
static int
|
||||
rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
|
||||
- uint32 *img_length, unsigned char **ibuff_ptr)
|
||||
+ uint32 *img_length, unsigned char **ibuff_ptr, tsize_t *rot_buf_size)
|
||||
{
|
||||
int shift_width;
|
||||
uint32 bytes_per_pixel, bytes_per_sample;
|
||||
uint32 row, rowsize, src_offset, dst_offset;
|
||||
uint32 i, col, width, length;
|
||||
- uint32 colsize, buffsize, col_offset, pix_offset;
|
||||
+ uint32 colsize, col_offset, pix_offset;
|
||||
+ tmsize_t buffsize;
|
||||
unsigned char *ibuff;
|
||||
unsigned char *src;
|
||||
unsigned char *dst;
|
||||
@@ -8495,12 +8509,40 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
|
||||
spp = image->spp;
|
||||
bps = image->bps;
|
||||
|
||||
+ if ((spp != 0 && bps != 0 &&
|
||||
+ width > (uint32)((UINT32_MAX - 7) / spp / bps)) ||
|
||||
+ (spp != 0 && bps != 0 &&
|
||||
+ length > (uint32)((UINT32_MAX - 7) / spp / bps)))
|
||||
+ {
|
||||
+ TIFFError("rotateImage", "Integer overflow detected.");
|
||||
+ return (-1);
|
||||
+ }
|
||||
rowsize = ((bps * spp * width) + 7) / 8;
|
||||
colsize = ((bps * spp * length) + 7) / 8;
|
||||
if ((colsize * width) > (rowsize * length))
|
||||
- buffsize = (colsize + 1) * width;
|
||||
+ {
|
||||
+ if (((tmsize_t)colsize + 1) != 0 &&
|
||||
+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - 3) /
|
||||
+ ((tmsize_t)colsize + 1)))
|
||||
+ {
|
||||
+ TIFFError("rotateImage",
|
||||
+ "Integer overflow when calculating buffer size.");
|
||||
+ return (-1);
|
||||
+ }
|
||||
+ buffsize = ((tmsize_t)colsize + 1) * width;
|
||||
+ }
|
||||
else
|
||||
- buffsize = (rowsize + 1) * length;
|
||||
+ {
|
||||
+ if (((tmsize_t)rowsize + 1) != 0 &&
|
||||
+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - 3) /
|
||||
+ ((tmsize_t)rowsize + 1)))
|
||||
+ {
|
||||
+ TIFFError("rotateImage",
|
||||
+ "Integer overflow when calculating buffer size.");
|
||||
+ return (-1);
|
||||
+ }
|
||||
+ buffsize = (rowsize + 1) * length;
|
||||
+ }
|
||||
|
||||
bytes_per_sample = (bps + 7) / 8;
|
||||
bytes_per_pixel = ((bps * spp) + 7) / 8;
|
||||
@@ -8526,6 +8568,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
|
||||
return (-1);
|
||||
}
|
||||
_TIFFmemset(rbuff, '\0', buffsize);
|
||||
+ if (rot_buf_size != NULL)
|
||||
+ *rot_buf_size = buffsize;
|
||||
|
||||
ibuff = *ibuff_ptr;
|
||||
switch (rotation)
|
||||
@ -1,50 +0,0 @@
|
||||
From df8410cee20798b1d63c291c1bf106e3a52d59b1 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
||||
Date: Thu, 16 May 2024 14:54:52 +0200
|
||||
Subject: [PATCH] (CVE-2023-52356) Merge branch 'fix_622' into 'master'
|
||||
|
||||
TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of col/row (fixes #622)
|
||||
|
||||
Closes #622
|
||||
|
||||
See merge request libtiff/libtiff!546
|
||||
|
||||
(cherry picked from commit dfacff5a84d153d7febdfcbcb341b38c1f03b34e)
|
||||
---
|
||||
libtiff/tif_getimage.c | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index 00cd5510..4f32b3a4 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -2929,6 +2929,14 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 row, uint32 * raster, int stop_on_error)
|
||||
|
||||
if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
|
||||
|
||||
+ if (row >= img.height)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
|
||||
+ "Invalid row passed to TIFFReadRGBAStrip().");
|
||||
+ TIFFRGBAImageEnd(&img);
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
img.row_offset = row;
|
||||
img.col_offset = 0;
|
||||
|
||||
@@ -3004,6 +3012,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
+ if (col >= img.width || row >= img.height)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
|
||||
+ "Invalid row/col passed to TIFFReadRGBATile().");
|
||||
+ TIFFRGBAImageEnd(&img);
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* The TIFFRGBAImageGet() function doesn't allow us to get off the
|
||||
* edge of the image, even to fill an otherwise valid tile. So we
|
||||
@ -1,30 +0,0 @@
|
||||
From 32346d49db890969d7de19e8eebff00400280926 Mon Sep 17 00:00:00 2001
|
||||
From: Even Rouault <even.rouault@spatialys.com>
|
||||
Date: Sat, 9 Sep 2023 15:11:42 +0000
|
||||
Subject: [PATCH] (CVE-2023-6228) Merge branch
|
||||
'fix_606_tiffcp_check_also_input_compression_codec' into 'master'
|
||||
|
||||
tiffcp: Fixes #606. Check also codec of input image, not only from output image.
|
||||
|
||||
Closes #606
|
||||
|
||||
See merge request libtiff/libtiff!533
|
||||
|
||||
(cherry picked from commit 668d2c1a52fa48658bbf69615924b42b5a059f9e)
|
||||
---
|
||||
tools/tiffcp.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
||||
index fb98bd57..81ec6bbd 100644
|
||||
--- a/tools/tiffcp.c
|
||||
+++ b/tools/tiffcp.c
|
||||
@@ -622,6 +622,8 @@ tiffcp(TIFF* in, TIFF* out)
|
||||
else
|
||||
CopyField(TIFFTAG_COMPRESSION, compression);
|
||||
TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
|
||||
+ if (!TIFFIsCODECConfigured(input_compression))
|
||||
+ return FALSE;
|
||||
TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
|
||||
if (input_compression == COMPRESSION_JPEG) {
|
||||
/* Force conversion to RGB */
|
||||
@ -1,51 +0,0 @@
|
||||
From 3e164d0fa9c48dbdc76620442ffbb02de9e5724e Mon Sep 17 00:00:00 2001
|
||||
From: Su Laus <sulau@freenet.de>
|
||||
Date: Wed, 11 Jun 2025 19:45:19 +0000
|
||||
Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
|
||||
rows at TIFFReadRGBAImageOriented()
|
||||
|
||||
---
|
||||
libtiff/tif_getimage.c | 20 +++++++++++++++++---
|
||||
1 file changed, 17 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||
index 4f32b3a..70a0362 100644
|
||||
--- a/libtiff/tif_getimage.c
|
||||
+++ b/libtiff/tif_getimage.c
|
||||
@@ -511,6 +511,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||
"No \"put\" routine setupl; probably can not handle image format");
|
||||
return (0);
|
||||
}
|
||||
+ /* Verify raster width and height against image width and height. */
|
||||
+ if (h > img->height)
|
||||
+ {
|
||||
+ /* Adapt parameters to read only available lines and put image at
|
||||
+ * the bottom of the raster. */
|
||||
+ raster += (size_t)(h - img->height) * w;
|
||||
+ h = img->height;
|
||||
+ }
|
||||
+ if (w > img->width)
|
||||
+ {
|
||||
+ TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif),
|
||||
+ "Raster width of %d shall not be larger than image "
|
||||
+ "width of %d -> raster width adapted for reading",
|
||||
+ w, img->width);
|
||||
+ w = img->width;
|
||||
+ }
|
||||
return (*img->get)(img, raster, w, h);
|
||||
}
|
||||
|
||||
@@ -529,9 +545,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
|
||||
|
||||
if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
|
||||
img.req_orientation = (uint16)orientation;
|
||||
- /* XXX verify rwidth and rheight against width and height */
|
||||
- ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
|
||||
- rwidth, img.height);
|
||||
+ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
|
||||
TIFFRGBAImageEnd(&img);
|
||||
} else {
|
||||
TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
|
||||
--
|
||||
2.47.3
|
||||
|
||||
@ -1,70 +0,0 @@
|
||||
From 0117a16f9c0b6e3462b8547fa56ea90f3e198b10 Mon Sep 17 00:00:00 2001
|
||||
From: Lee Howard <faxguy@howardsilvan.com>
|
||||
Date: Mon, 19 May 2025 10:53:30 -0700
|
||||
Subject: [PATCH] Don't skip the first line of the input image. Addresses issue
|
||||
#703
|
||||
|
||||
---
|
||||
tools/tiffdither.c | 4 ++--
|
||||
tools/tiffmedian.c | 9 ++++++---
|
||||
2 files changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/tools/tiffdither.c b/tools/tiffdither.c
|
||||
index 247553c..cc41c51 100644
|
||||
--- a/tools/tiffdither.c
|
||||
+++ b/tools/tiffdither.c
|
||||
@@ -93,7 +93,7 @@ fsdither(TIFF* in, TIFF* out)
|
||||
nextptr = nextline;
|
||||
for (j = 0; j < imagewidth; ++j)
|
||||
*nextptr++ = *inptr++;
|
||||
- for (i = 1; i < imagelength; ++i) {
|
||||
+ for (i = 0; i < imagelength; ++i) {
|
||||
tmpptr = thisline;
|
||||
thisline = nextline;
|
||||
nextline = tmpptr;
|
||||
@@ -136,7 +136,7 @@ fsdither(TIFF* in, TIFF* out)
|
||||
nextptr[0] += v / 16;
|
||||
}
|
||||
}
|
||||
- if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
|
||||
+ if (TIFFWriteScanline(out, outline, i, 0) < 0)
|
||||
goto skip_on_error;
|
||||
}
|
||||
goto exit_label;
|
||||
diff --git a/tools/tiffmedian.c b/tools/tiffmedian.c
|
||||
index f0c892e..99fd1f2 100644
|
||||
--- a/tools/tiffmedian.c
|
||||
+++ b/tools/tiffmedian.c
|
||||
@@ -370,7 +370,10 @@ get_histogram(TIFF* in, Colorbox* box)
|
||||
}
|
||||
for (i = 0; i < imagelength; i++) {
|
||||
if (TIFFReadScanline(in, inputline, i, 0) <= 0)
|
||||
- break;
|
||||
+ {
|
||||
+ fprintf(stderr, "Error reading scanline\n");
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
inptr = inputline;
|
||||
for (j = imagewidth; j-- > 0;) {
|
||||
red = (*inptr++) & 0xff >> COLOR_SHIFT;
|
||||
@@ -829,7 +832,7 @@ quant_fsdither(TIFF* in, TIFF* out)
|
||||
outline = (unsigned char *) _TIFFmalloc(TIFFScanlineSize(out));
|
||||
|
||||
GetInputLine(in, 0, goto bad); /* get first line */
|
||||
- for (i = 1; i <= imagelength; ++i) {
|
||||
+ for (i = 0; i < imagelength; ++i) {
|
||||
SWAP(short *, thisline, nextline);
|
||||
lastline = (i >= imax);
|
||||
if (i <= imax)
|
||||
@@ -900,7 +903,7 @@ quant_fsdither(TIFF* in, TIFF* out)
|
||||
nextptr += 3;
|
||||
}
|
||||
}
|
||||
- if (TIFFWriteScanline(out, outline, i-1, 0) < 0)
|
||||
+ if (TIFFWriteScanline(out, outline, i, 0) < 0)
|
||||
break;
|
||||
}
|
||||
bad:
|
||||
--
|
||||
2.47.3
|
||||
|
||||
@ -1,40 +0,0 @@
|
||||
From 9171da596c88e6a2dadcab4a3a89dddd6e1b4655 Mon Sep 17 00:00:00 2001
|
||||
From: Nathan Baker <elitebadger@gmail.com>
|
||||
Date: Thu, 25 Jan 2018 21:28:15 +0000
|
||||
Subject: [PATCH] Add workaround to pal2rgb buffer overflow.
|
||||
|
||||
---
|
||||
tools/pal2rgb.c | 17 +++++++++++++++--
|
||||
1 file changed, 15 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/tools/pal2rgb.c b/tools/pal2rgb.c
|
||||
index 0423598f0..01fcf9411 100644
|
||||
--- a/tools/pal2rgb.c
|
||||
+++ b/tools/pal2rgb.c
|
||||
@@ -182,8 +182,21 @@ main(int argc, char* argv[])
|
||||
{ unsigned char *ibuf, *obuf;
|
||||
register unsigned char* pp;
|
||||
register uint32 x;
|
||||
- ibuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(in));
|
||||
- obuf = (unsigned char*)_TIFFmalloc(TIFFScanlineSize(out));
|
||||
+ tmsize_t tss_in = TIFFScanlineSize(in);
|
||||
+ tmsize_t tss_out = TIFFScanlineSize(out);
|
||||
+ if (tss_out / tss_in < 3) {
|
||||
+ /*
|
||||
+ * BUG 2750: The following code does not know about chroma
|
||||
+ * subsampling of JPEG data. It assumes that the output buffer is 3x
|
||||
+ * the length of the input buffer due to exploding the palette into
|
||||
+ * RGB tuples. If this assumption is incorrect, it could lead to a
|
||||
+ * buffer overflow. Go ahead and fail now to prevent that.
|
||||
+ */
|
||||
+ fprintf(stderr, "Could not determine correct image size for output. Exiting.\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
+ ibuf = (unsigned char*)_TIFFmalloc(tss_in);
|
||||
+ obuf = (unsigned char*)_TIFFmalloc(tss_out);
|
||||
switch (config) {
|
||||
case PLANARCONFIG_CONTIG:
|
||||
for (row = 0; row < imagelength; row++) {
|
||||
--
|
||||
GitLab
|
||||
|
||||
@ -1,46 +0,0 @@
|
||||
diff -up tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 tiff-4.4.0/libtiff/tif_dirinfo.c
|
||||
--- tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 2024-08-16 00:35:35.339965778 +0200
|
||||
+++ tiff-4.4.0/libtiff/tif_dirinfo.c 2024-08-16 00:54:58.255221954 +0200
|
||||
@@ -824,7 +824,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint
|
||||
fld = TIFFFindField(tif, tag, dt);
|
||||
if (fld == NULL) {
|
||||
fld = _TIFFCreateAnonField(tif, tag, dt);
|
||||
- if (!_TIFFMergeFields(tif, fld, 1))
|
||||
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
|
||||
return NULL;
|
||||
}
|
||||
|
||||
diff -up tiff-4.0.9/libtiff/tif_dirread.c~ tiff-4.0.9/libtiff/tif_dirread.c
|
||||
--- tiff-4.0.9/libtiff/tif_dirread.c~ 2024-08-29 23:31:19.884308223 +0200
|
||||
+++ tiff-4.0.9/libtiff/tif_dirread.c 2024-08-29 23:31:19.909308479 +0200
|
||||
@@ -3667,11 +3667,10 @@ TIFFReadDirectory(TIFF* tif)
|
||||
dp->tdir_tag,dp->tdir_tag);
|
||||
/* the following knowingly leaks the
|
||||
anonymous field structure */
|
||||
- if (!_TIFFMergeFields(tif,
|
||||
- _TIFFCreateAnonField(tif,
|
||||
- dp->tdir_tag,
|
||||
- (TIFFDataType) dp->tdir_type),
|
||||
- 1)) {
|
||||
+ const TIFFField *fld = _TIFFCreateAnonField(
|
||||
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
|
||||
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
|
||||
+ {
|
||||
TIFFWarningExt(tif->tif_clientdata,
|
||||
module,
|
||||
"Registering anonymous field with tag %d (0x%x) failed",
|
||||
@@ -4392,10 +4391,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_
|
||||
TIFFWarningExt(tif->tif_clientdata, module,
|
||||
"Unknown field with tag %d (0x%x) encountered",
|
||||
dp->tdir_tag, dp->tdir_tag);
|
||||
- if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
|
||||
- dp->tdir_tag,
|
||||
- (TIFFDataType) dp->tdir_type),
|
||||
- 1)) {
|
||||
+ const TIFFField *fld = _TIFFCreateAnonField(
|
||||
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
|
||||
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
|
||||
+ {
|
||||
TIFFWarningExt(tif->tif_clientdata, module,
|
||||
"Registering anonymous field with tag %d (0x%x) failed",
|
||||
dp->tdir_tag, dp->tdir_tag);
|
||||
@ -1,7 +1,7 @@
|
||||
Summary: Library of functions for manipulating TIFF format image files
|
||||
Name: libtiff
|
||||
Version: 4.0.9
|
||||
Release: 36%{?dist}
|
||||
Release: 31%{?dist}
|
||||
License: libtiff
|
||||
Group: System Environment/Libraries
|
||||
URL: http://www.simplesystems.org/libtiff/
|
||||
@ -50,26 +50,7 @@ Patch0036: 0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
|
||||
Patch0037: 0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch
|
||||
Patch0038: 0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
|
||||
Patch0039: 0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch
|
||||
Patch0040: 0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch
|
||||
Patch0041: 0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch
|
||||
Patch0042: 0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch
|
||||
Patch0043: 0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
|
||||
|
||||
# from upstream, for <=4.6.0, RHEL-52927
|
||||
# https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779
|
||||
Patch44: libtiff-4.6.0-CVE-2024-7006.patch
|
||||
|
||||
# from upstream, for < 4.0.10, RHEL-87363
|
||||
# https://gitlab.com/libtiff/libtiff/-/commit/9171da596c88e6a2dadcab4a3a89dddd6e1b4655
|
||||
Patch45: libtiff-4.0.9-CVE-2017-17095.patch
|
||||
|
||||
# Fix buffer underflow crash for less raster rows at TIFFReadRGBAImageOriented(), RHEL-112533
|
||||
# CVE-2025-9900
|
||||
Patch46: RHEL-112533.patch
|
||||
|
||||
# Fix skipping first line of input image in tiffdither and tiffmedian, RHEL-120230
|
||||
# CVE-2025-8176
|
||||
Patch47: RHEL-120230.patch
|
||||
|
||||
BuildRequires: gcc, gcc-c++
|
||||
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
|
||||
@ -223,24 +204,6 @@ find html -name 'Makefile*' | xargs rm
|
||||
%{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Mon Nov 03 2025 RHEL Packaging Agent <jotnar@redhat.com> - 4.0.9-36
|
||||
- fix CVE-2025-8176: prevent skipping first line in tiffdither and
|
||||
tiffmedian tools (RHEL-120230)
|
||||
|
||||
* Tue Oct 14 2025 RHEL Packaging Agent <jotnar@redhat.com> - 4.0.9-35
|
||||
- fix CVE-2025-9900: buffer underflow crash in TIFFReadRGBAImageOriented()
|
||||
(RHEL-112533)
|
||||
|
||||
* Tue Apr 22 2025 Michal Hlavinka <mhlavink@redhat.com> - 4.0.9-34
|
||||
- fix CVE-2017-17095: heap-based buffer overflow in pal2rgb (RHEL-87363)
|
||||
|
||||
* Thu Aug 29 2024 Michal Hlavinka <mhlavink@redhat.com> - 4.0.9-33
|
||||
- fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52927)
|
||||
|
||||
* Thu May 16 2024 Matej Mužila <mmuzila@redhat.com> - 4.0.9-32
|
||||
- Fix CVE-2023-6228 CVE-2023-52356 CVE-2023-25433 CVE-2018-15209
|
||||
- Resolves: RHEL-30682 RHEL-30520 RHEL-30474 RHEL-5406
|
||||
|
||||
* Fri Jan 05 2024 Matej Mužila <mmuzila@redhat.com> - 4.0.9-31
|
||||
- Fix CVE-2022-3599 CVE-2022-4645
|
||||
- Resolves: RHEL-5399
|
||||
|
||||
Loading…
Reference in New Issue
Block a user