Compare commits
No commits in common. "imports/c8-beta/libtiff-4.0.9-15.el8" and "c8" have entirely different histories.
imports/c8
...
c8
@ -0,0 +1,40 @@
|
|||||||
|
From 686002d8cd9d41f0a4b7915be9866979c25bd5d7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
||||||
|
Date: Thu, 5 May 2022 14:38:04 +0200
|
||||||
|
Subject: [PATCH] Back off the minimum required automake version to 1.11.
|
||||||
|
|
||||||
|
There isn't anything in libtiff currently that actually requires 1.12,
|
||||||
|
and changing this allows the package to be built on pre-F18 machines for
|
||||||
|
easier testing. This patch can go away once we no longer care about
|
||||||
|
testing on pre-F18.
|
||||||
|
---
|
||||||
|
Makefile.am | 2 +-
|
||||||
|
test/Makefile.am | 2 +-
|
||||||
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/Makefile.am b/Makefile.am
|
||||||
|
index 418a3b93..fa8bf4c0 100644
|
||||||
|
--- a/Makefile.am
|
||||||
|
+++ b/Makefile.am
|
||||||
|
@@ -25,7 +25,7 @@
|
||||||
|
|
||||||
|
docdir = $(LIBTIFF_DOCDIR)
|
||||||
|
|
||||||
|
-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
|
||||||
|
+AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
|
||||||
|
ACLOCAL_AMFLAGS = -I m4
|
||||||
|
|
||||||
|
docfiles = \
|
||||||
|
diff --git a/test/Makefile.am b/test/Makefile.am
|
||||||
|
index 2052487c..227f228f 100644
|
||||||
|
--- a/test/Makefile.am
|
||||||
|
+++ b/test/Makefile.am
|
||||||
|
@@ -23,7 +23,7 @@
|
||||||
|
|
||||||
|
# Process this file with automake to produce Makefile.in.
|
||||||
|
|
||||||
|
-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
|
||||||
|
+AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
|
||||||
|
|
||||||
|
LIBTIFF = $(top_builddir)/libtiff/libtiff.la
|
||||||
|
|
21
SOURCES/0002-Fix-Makefile.patch
Normal file
21
SOURCES/0002-Fix-Makefile.patch
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
From 42425abcf2204e46544aff5cd95a129944e15894 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
||||||
|
Date: Thu, 5 May 2022 14:42:52 +0200
|
||||||
|
Subject: [PATCH] Fix Makefile
|
||||||
|
|
||||||
|
---
|
||||||
|
html/man/Makefile.am | 1 -
|
||||||
|
1 file changed, 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/html/man/Makefile.am b/html/man/Makefile.am
|
||||||
|
index 3ed00d44..8a64925a 100644
|
||||||
|
--- a/html/man/Makefile.am
|
||||||
|
+++ b/html/man/Makefile.am
|
||||||
|
@@ -90,7 +90,6 @@ docfiles = \
|
||||||
|
tiffcrop.1.html \
|
||||||
|
tiffdither.1.html \
|
||||||
|
tiffdump.1.html \
|
||||||
|
- tiffgt.1.html \
|
||||||
|
tiffinfo.1.html \
|
||||||
|
tiffmedian.1.html \
|
||||||
|
tiffset.1.html \
|
@ -1,7 +1,7 @@
|
|||||||
From 49723b0eb683cca80142b01a48ba1475fed5188a Mon Sep 17 00:00:00 2001
|
From e5d227c83f487e8a87d336f6cebf39042520d5cd Mon Sep 17 00:00:00 2001
|
||||||
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
|
From: Nathan Baker <nathanb@lenovo-chrome.com>
|
||||||
Date: Fri, 23 Mar 2018 15:35:39 +0100
|
Date: Tue, 6 Feb 2018 10:13:57 -0500
|
||||||
Subject: [PATCH] Fix for bug 2772
|
Subject: [PATCH] (CVE-2018-5784) Fix for bug 2772
|
||||||
|
|
||||||
It is possible to craft a TIFF document where the IFD list is circular,
|
It is possible to craft a TIFF document where the IFD list is circular,
|
||||||
leading to an infinite loop while traversing the chain. The libtiff
|
leading to an infinite loop while traversing the chain. The libtiff
|
||||||
@ -12,6 +12,8 @@ document.
|
|||||||
|
|
||||||
This change fixes the above behavior by breaking out of processing when
|
This change fixes the above behavior by breaking out of processing when
|
||||||
a TIFF document has >= 65535 directories and terminating with an error.
|
a TIFF document has >= 65535 directories and terminating with an error.
|
||||||
|
|
||||||
|
(cherry picked from commit 473851d211cf8805a161820337ca74cc9615d6ef)
|
||||||
---
|
---
|
||||||
contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
|
contrib/addtiffo/tif_overview.c | 14 +++++++++++++-
|
||||||
tools/tiff2pdf.c | 10 ++++++++++
|
tools/tiff2pdf.c | 10 ++++++++++
|
||||||
@ -19,7 +21,7 @@ a TIFF document has >= 65535 directories and terminating with an error.
|
|||||||
3 files changed, 34 insertions(+), 3 deletions(-)
|
3 files changed, 34 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
|
diff --git a/contrib/addtiffo/tif_overview.c b/contrib/addtiffo/tif_overview.c
|
||||||
index c61ffbb..03b3573 100644
|
index c61ffbb8..03b35733 100644
|
||||||
--- a/contrib/addtiffo/tif_overview.c
|
--- a/contrib/addtiffo/tif_overview.c
|
||||||
+++ b/contrib/addtiffo/tif_overview.c
|
+++ b/contrib/addtiffo/tif_overview.c
|
||||||
@@ -65,6 +65,8 @@
|
@@ -65,6 +65,8 @@
|
||||||
@ -58,7 +60,7 @@ index c61ffbb..03b3573 100644
|
|||||||
nOffset = TIFFCurrentDirOffset( hTIFF );
|
nOffset = TIFFCurrentDirOffset( hTIFF );
|
||||||
|
|
||||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||||
index 454befb..bdb9126 100644
|
index 454befbd..bdb91262 100644
|
||||||
--- a/tools/tiff2pdf.c
|
--- a/tools/tiff2pdf.c
|
||||||
+++ b/tools/tiff2pdf.c
|
+++ b/tools/tiff2pdf.c
|
||||||
@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
|
@@ -68,6 +68,8 @@ extern int getopt(int, char**, char*);
|
||||||
@ -86,7 +88,7 @@ index 454befb..bdb9126 100644
|
|||||||
if(t2p->tiff_pages==NULL){
|
if(t2p->tiff_pages==NULL){
|
||||||
TIFFError(
|
TIFFError(
|
||||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||||
index c69177e..c60cb38 100644
|
index c69177e0..c60cb389 100644
|
||||||
--- a/tools/tiffcrop.c
|
--- a/tools/tiffcrop.c
|
||||||
+++ b/tools/tiffcrop.c
|
+++ b/tools/tiffcrop.c
|
||||||
@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
|
@@ -217,6 +217,8 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
|
||||||
@ -123,6 +125,3 @@ index c69177e..c60cb38 100644
|
|||||||
if (image_count == 0)
|
if (image_count == 0)
|
||||||
{
|
{
|
||||||
dirnum = 0;
|
dirnum = 0;
|
||||||
--
|
|
||||||
2.13.6
|
|
||||||
|
|
@ -1,7 +1,8 @@
|
|||||||
From de5385cd882a5ff0970f63f4d93da0cbc87230c2 Mon Sep 17 00:00:00 2001
|
From 688dc47dfcbbc4e54dc617c9701cf46a03f8e069 Mon Sep 17 00:00:00 2001
|
||||||
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
|
From: Hugo Lefeuvre <hle@debian.org>
|
||||||
Date: Tue, 17 Apr 2018 18:42:09 +0200
|
Date: Sun, 8 Apr 2018 14:07:08 -0400
|
||||||
Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
|
Subject: [PATCH] (CVE-2018-7456) Fix NULL pointer dereference in
|
||||||
|
TIFFPrintDirectory
|
||||||
|
|
||||||
The TIFFPrintDirectory function relies on the following assumptions,
|
The TIFFPrintDirectory function relies on the following assumptions,
|
||||||
supposed to be guaranteed by the specification:
|
supposed to be guaranteed by the specification:
|
||||||
@ -53,13 +54,15 @@ TIFFReadDirectory function by making sure any non-color channel is
|
|||||||
counted in ExtraSamples.
|
counted in ExtraSamples.
|
||||||
|
|
||||||
This commit addresses CVE-2018-7456.
|
This commit addresses CVE-2018-7456.
|
||||||
|
|
||||||
|
(cherry picked from commit be4c85b16e8801a16eec25e80eb9f3dd6a96731b)
|
||||||
---
|
---
|
||||||
libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++
|
libtiff/tif_dirread.c | 62 +++++++++++++++++++++++++++++++++++++++++++
|
||||||
libtiff/tif_print.c | 2 +-
|
libtiff/tif_print.c | 2 +-
|
||||||
2 files changed, 63 insertions(+), 1 deletion(-)
|
2 files changed, 63 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||||||
index 5e62e81..80aaf8d 100644
|
index 5e62e813..80aaf8d1 100644
|
||||||
--- a/libtiff/tif_dirread.c
|
--- a/libtiff/tif_dirread.c
|
||||||
+++ b/libtiff/tif_dirread.c
|
+++ b/libtiff/tif_dirread.c
|
||||||
@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
|
@@ -167,6 +167,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
|
||||||
@ -153,7 +156,7 @@ index 5e62e81..80aaf8d 100644
|
|||||||
* Verify Palette image has a Colormap.
|
* Verify Palette image has a Colormap.
|
||||||
*/
|
*/
|
||||||
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
|
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
|
||||||
index 24d4b98..10a588e 100644
|
index 24d4b98a..10a588ea 100644
|
||||||
--- a/libtiff/tif_print.c
|
--- a/libtiff/tif_print.c
|
||||||
+++ b/libtiff/tif_print.c
|
+++ b/libtiff/tif_print.c
|
||||||
@@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
|
@@ -546,7 +546,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
|
||||||
@ -165,6 +168,3 @@ index 24d4b98..10a588e 100644
|
|||||||
fprintf(fd, " %5u",
|
fprintf(fd, " %5u",
|
||||||
td->td_transferfunction[i][l]);
|
td->td_transferfunction[i][l]);
|
||||||
fputc('\n', fd);
|
fputc('\n', fd);
|
||||||
--
|
|
||||||
2.17.0
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
From e1cd2d7ab032e7fe80b4c13e07895194c8bac85e Mon Sep 17 00:00:00 2001
|
From 5b984e1b9296c4a3b80c5650f17cb4db575250e4 Mon Sep 17 00:00:00 2001
|
||||||
From: Brian May <brian@linuxpenguins.xyz>
|
From: Brian May <brian@linuxpenguins.xyz>
|
||||||
Date: Thu, 7 Dec 2017 07:46:47 +1100
|
Date: Thu, 7 Dec 2017 07:46:47 +1100
|
||||||
Subject: [PATCH 1/4] [PATCH] tiff2pdf: Fix CVE-2017-9935
|
Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix CVE-2017-9935
|
||||||
|
|
||||||
Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
|
Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704
|
||||||
|
|
||||||
@ -37,13 +37,15 @@ function is the same for every page. If this changes, we abort with an
|
|||||||
error. In theory, we should perhaps check that the transfer function
|
error. In theory, we should perhaps check that the transfer function
|
||||||
itself is identical for every page, however we don't do that due to the
|
itself is identical for every page, however we don't do that due to the
|
||||||
confusion of the type of the data in the transfer function.
|
confusion of the type of the data in the transfer function.
|
||||||
|
|
||||||
|
(cherry picked from commit 3dd8f6a357981a4090f126ab9025056c938b6940)
|
||||||
---
|
---
|
||||||
libtiff/tif_dir.c | 3 +++
|
libtiff/tif_dir.c | 3 +++
|
||||||
tools/tiff2pdf.c | 69 +++++++++++++++++++++++++++++++----------------
|
tools/tiff2pdf.c | 65 ++++++++++++++++++++++++++++++++---------------
|
||||||
2 files changed, 49 insertions(+), 23 deletions(-)
|
2 files changed, 47 insertions(+), 21 deletions(-)
|
||||||
|
|
||||||
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
|
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
|
||||||
index f00f808..c36a5f3 100644
|
index f00f8080..c36a5f3f 100644
|
||||||
--- a/libtiff/tif_dir.c
|
--- a/libtiff/tif_dir.c
|
||||||
+++ b/libtiff/tif_dir.c
|
+++ b/libtiff/tif_dir.c
|
||||||
@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
|
@@ -1067,6 +1067,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
|
||||||
@ -57,24 +59,15 @@ index f00f808..c36a5f3 100644
|
|||||||
break;
|
break;
|
||||||
case TIFFTAG_REFERENCEBLACKWHITE:
|
case TIFFTAG_REFERENCEBLACKWHITE:
|
||||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||||
index bdb9126..bd23c9e 100644
|
index bdb91262..ef5d6a01 100644
|
||||||
--- a/tools/tiff2pdf.c
|
--- a/tools/tiff2pdf.c
|
||||||
+++ b/tools/tiff2pdf.c
|
+++ b/tools/tiff2pdf.c
|
||||||
@@ -239,7 +239,7 @@ typedef struct {
|
|
||||||
float tiff_whitechromaticities[2];
|
|
||||||
float tiff_primarychromaticities[6];
|
|
||||||
float tiff_referenceblackwhite[2];
|
|
||||||
- float* tiff_transferfunction[3];
|
|
||||||
+ uint16* tiff_transferfunction[3];
|
|
||||||
int pdf_image_interpolate; /* 0 (default) : do not interpolate,
|
|
||||||
1 : interpolate */
|
|
||||||
uint16 tiff_transferfunctioncount;
|
|
||||||
@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
|
@@ -1049,6 +1049,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
|
||||||
uint16 pagen=0;
|
uint16 pagen=0;
|
||||||
uint16 paged=0;
|
uint16 paged=0;
|
||||||
uint16 xuint16=0;
|
uint16 xuint16=0;
|
||||||
+ uint16 tiff_transferfunctioncount=0;
|
+ uint16 tiff_transferfunctioncount=0;
|
||||||
+ uint16* tiff_transferfunction[3];
|
+ float* tiff_transferfunction[3];
|
||||||
|
|
||||||
directorycount=TIFFNumberOfDirectories(input);
|
directorycount=TIFFNumberOfDirectories(input);
|
||||||
if(directorycount > TIFF_DIR_MAX) {
|
if(directorycount > TIFF_DIR_MAX) {
|
||||||
@ -103,8 +96,8 @@ index bdb9126..bd23c9e 100644
|
|||||||
+ &(tiff_transferfunction[1]),
|
+ &(tiff_transferfunction[1]),
|
||||||
+ &(tiff_transferfunction[2]))) {
|
+ &(tiff_transferfunction[2]))) {
|
||||||
+
|
+
|
||||||
+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
|
+ if((tiff_transferfunction[1] != (float*) NULL) &&
|
||||||
+ (tiff_transferfunction[2] != (uint16*) NULL)
|
+ (tiff_transferfunction[2] != (float*) NULL)
|
||||||
+ ) {
|
+ ) {
|
||||||
+ tiff_transferfunctioncount=3;
|
+ tiff_transferfunctioncount=3;
|
||||||
+ } else {
|
+ } else {
|
||||||
@ -145,20 +138,15 @@ index bdb9126..bd23c9e 100644
|
|||||||
if( TIFFGetField(
|
if( TIFFGetField(
|
||||||
input,
|
input,
|
||||||
TIFFTAG_ICCPROFILE,
|
TIFFTAG_ICCPROFILE,
|
||||||
@@ -1837,10 +1861,9 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
|
@@ -1838,9 +1862,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
|
||||||
&(t2p->tiff_transferfunction[0]),
|
|
||||||
&(t2p->tiff_transferfunction[1]),
|
&(t2p->tiff_transferfunction[1]),
|
||||||
&(t2p->tiff_transferfunction[2]))) {
|
&(t2p->tiff_transferfunction[2]))) {
|
||||||
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
|
if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
|
||||||
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
|
- (t2p->tiff_transferfunction[2] != (float*) NULL) &&
|
||||||
- (t2p->tiff_transferfunction[1] !=
|
- (t2p->tiff_transferfunction[1] !=
|
||||||
- t2p->tiff_transferfunction[0])) {
|
- t2p->tiff_transferfunction[0])) {
|
||||||
+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
|
+ (t2p->tiff_transferfunction[2] != (float*) NULL)
|
||||||
+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
|
|
||||||
+ ) {
|
+ ) {
|
||||||
t2p->tiff_transferfunctioncount=3;
|
t2p->tiff_transferfunctioncount=3;
|
||||||
} else {
|
} else {
|
||||||
t2p->tiff_transferfunctioncount=1;
|
t2p->tiff_transferfunctioncount=1;
|
||||||
--
|
|
||||||
2.17.0
|
|
||||||
|
|
@ -0,0 +1,58 @@
|
|||||||
|
From 8e3772f232bf8f8c1959f229b5d922dd33a1e558 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Brian May <brian@linuxpenguins.xyz>
|
||||||
|
Date: Thu, 7 Dec 2017 07:49:20 +1100
|
||||||
|
Subject: [PATCH] (CVE-2017-9935) tiff2pdf: Fix apparent incorrect type for
|
||||||
|
transfer table
|
||||||
|
|
||||||
|
The standard says the transfer table contains unsigned 16 bit values,
|
||||||
|
I have no idea why we refer to them as floats.
|
||||||
|
|
||||||
|
(cherry picked from commit d4f213636b6f950498a1386083199bd7f65676b9)
|
||||||
|
---
|
||||||
|
tools/tiff2pdf.c | 12 ++++++------
|
||||||
|
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||||
|
index ef5d6a01..bd23c9e5 100644
|
||||||
|
--- a/tools/tiff2pdf.c
|
||||||
|
+++ b/tools/tiff2pdf.c
|
||||||
|
@@ -239,7 +239,7 @@ typedef struct {
|
||||||
|
float tiff_whitechromaticities[2];
|
||||||
|
float tiff_primarychromaticities[6];
|
||||||
|
float tiff_referenceblackwhite[2];
|
||||||
|
- float* tiff_transferfunction[3];
|
||||||
|
+ uint16* tiff_transferfunction[3];
|
||||||
|
int pdf_image_interpolate; /* 0 (default) : do not interpolate,
|
||||||
|
1 : interpolate */
|
||||||
|
uint16 tiff_transferfunctioncount;
|
||||||
|
@@ -1050,7 +1050,7 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
|
||||||
|
uint16 paged=0;
|
||||||
|
uint16 xuint16=0;
|
||||||
|
uint16 tiff_transferfunctioncount=0;
|
||||||
|
- float* tiff_transferfunction[3];
|
||||||
|
+ uint16* tiff_transferfunction[3];
|
||||||
|
|
||||||
|
directorycount=TIFFNumberOfDirectories(input);
|
||||||
|
if(directorycount > TIFF_DIR_MAX) {
|
||||||
|
@@ -1163,8 +1163,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
|
||||||
|
&(tiff_transferfunction[1]),
|
||||||
|
&(tiff_transferfunction[2]))) {
|
||||||
|
|
||||||
|
- if((tiff_transferfunction[1] != (float*) NULL) &&
|
||||||
|
- (tiff_transferfunction[2] != (float*) NULL)
|
||||||
|
+ if((tiff_transferfunction[1] != (uint16*) NULL) &&
|
||||||
|
+ (tiff_transferfunction[2] != (uint16*) NULL)
|
||||||
|
) {
|
||||||
|
tiff_transferfunctioncount=3;
|
||||||
|
} else {
|
||||||
|
@@ -1861,8 +1861,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){
|
||||||
|
&(t2p->tiff_transferfunction[0]),
|
||||||
|
&(t2p->tiff_transferfunction[1]),
|
||||||
|
&(t2p->tiff_transferfunction[2]))) {
|
||||||
|
- if((t2p->tiff_transferfunction[1] != (float*) NULL) &&
|
||||||
|
- (t2p->tiff_transferfunction[2] != (float*) NULL)
|
||||||
|
+ if((t2p->tiff_transferfunction[1] != (uint16*) NULL) &&
|
||||||
|
+ (t2p->tiff_transferfunction[2] != (uint16*) NULL)
|
||||||
|
) {
|
||||||
|
t2p->tiff_transferfunctioncount=3;
|
||||||
|
} else {
|
@ -1,16 +1,17 @@
|
|||||||
From b1997b9c3ac0d6bac5effd7558141986487217a9 Mon Sep 17 00:00:00 2001
|
From 4d6c37328f38636d5002a6f1b584ad8e6031c61c Mon Sep 17 00:00:00 2001
|
||||||
From: Even Rouault <even.rouault@spatialys.com>
|
From: Even Rouault <even.rouault@spatialys.com>
|
||||||
Date: Sun, 31 Dec 2017 15:09:41 +0100
|
Date: Sun, 31 Dec 2017 15:09:41 +0100
|
||||||
Subject: [PATCH 2/4] libtiff/tif_print.c: TIFFPrintDirectory(): fix null
|
Subject: [PATCH] (CVE-2017-18013) libtiff/tif_print.c: TIFFPrintDirectory():
|
||||||
pointer dereference on corrupted file. Fixes
|
fix null pointer dereference on corrupted file. Fixes
|
||||||
http://bugzilla.maptools.org/show_bug.cgi?id=2770 / CVE-2017-18013
|
http://bugzilla.maptools.org/show_bug.cgi?id=2770
|
||||||
|
|
||||||
|
(cherry picked from commit c6f41df7b581402dfba3c19a1e3df4454c551a01)
|
||||||
---
|
---
|
||||||
libtiff/tif_print.c | 8 ++++----
|
libtiff/tif_print.c | 8 ++++----
|
||||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
|
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
|
||||||
index 10a588e..b9b53a0 100644
|
index 10a588ea..b9b53a0f 100644
|
||||||
--- a/libtiff/tif_print.c
|
--- a/libtiff/tif_print.c
|
||||||
+++ b/libtiff/tif_print.c
|
+++ b/libtiff/tif_print.c
|
||||||
@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
|
@@ -667,13 +667,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
|
||||||
@ -31,6 +32,3 @@ index 10a588e..b9b53a0 100644
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
--
|
|
||||||
2.17.0
|
|
||||||
|
|
@ -1,18 +1,20 @@
|
|||||||
From 1c127eb3cb7653bd61b61f9c3cfeb36fd10edab1 Mon Sep 17 00:00:00 2001
|
From 54972f69399628fd2105753cbcddb36ede510507 Mon Sep 17 00:00:00 2001
|
||||||
From: Even Rouault <even.rouault@spatialys.com>
|
From: Even Rouault <even.rouault@spatialys.com>
|
||||||
Date: Sat, 12 May 2018 15:32:31 +0200
|
Date: Sat, 12 May 2018 15:32:31 +0200
|
||||||
Subject: [PATCH 3/4] LZWDecodeCompat(): fix potential index-out-of-bounds
|
Subject: [PATCH] (CVE-2018-8905) LZWDecodeCompat(): fix potential
|
||||||
write. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 /
|
index-out-of-bounds write. Fixes
|
||||||
CVE-2018-8905
|
http://bugzilla.maptools.org/show_bug.cgi?id=2780 / CVE-2018-8905
|
||||||
|
|
||||||
The fix consists in using the similar code LZWDecode() to validate we
|
The fix consists in using the similar code LZWDecode() to validate we
|
||||||
don't write outside of the output buffer.
|
don't write outside of the output buffer.
|
||||||
|
|
||||||
|
(cherry picked from commit 58a898cb4459055bb488ca815c23b880c242a27d)
|
||||||
---
|
---
|
||||||
libtiff/tif_lzw.c | 18 ++++++++++++------
|
libtiff/tif_lzw.c | 18 ++++++++++++------
|
||||||
1 file changed, 12 insertions(+), 6 deletions(-)
|
1 file changed, 12 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
|
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
|
||||||
index bc8f9c8..186ea3c 100644
|
index bc8f9c84..186ea3ca 100644
|
||||||
--- a/libtiff/tif_lzw.c
|
--- a/libtiff/tif_lzw.c
|
||||||
+++ b/libtiff/tif_lzw.c
|
+++ b/libtiff/tif_lzw.c
|
||||||
@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
|
@@ -604,6 +604,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
|
||||||
@ -48,6 +50,3 @@ index bc8f9c8..186ea3c 100644
|
|||||||
} else {
|
} else {
|
||||||
*op++ = (char)code;
|
*op++ = (char)code;
|
||||||
occ--;
|
occ--;
|
||||||
--
|
|
||||||
2.17.0
|
|
||||||
|
|
@ -1,15 +1,16 @@
|
|||||||
From 98ed6179dec22db48f6e235d8ca9e2708bf4e71a Mon Sep 17 00:00:00 2001
|
From 142912f9f5bce169d9d0b16a687c00f9edec5825 Mon Sep 17 00:00:00 2001
|
||||||
From: Even Rouault <even.rouault@spatialys.com>
|
From: Even Rouault <even.rouault@spatialys.com>
|
||||||
Date: Sat, 12 May 2018 14:24:15 +0200
|
Date: Sat, 12 May 2018 14:24:15 +0200
|
||||||
Subject: [PATCH 4/4] TIFFWriteDirectorySec: avoid assertion. Fixes
|
Subject: [PATCH] (CVE-2018-10963) TIFFWriteDirectorySec: avoid assertion.
|
||||||
http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
|
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2795. CVE-2018-10963
|
||||||
|
|
||||||
|
(cherry picked from commit de144fd228e4be8aa484c3caf3d814b6fa88c6d9)
|
||||||
---
|
---
|
||||||
libtiff/tif_dirwrite.c | 7 +++++--
|
libtiff/tif_dirwrite.c | 7 +++++--
|
||||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
|
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
|
||||||
index c68d6d2..5d0a669 100644
|
index c68d6d21..5d0a6699 100644
|
||||||
--- a/libtiff/tif_dirwrite.c
|
--- a/libtiff/tif_dirwrite.c
|
||||||
+++ b/libtiff/tif_dirwrite.c
|
+++ b/libtiff/tif_dirwrite.c
|
||||||
@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
|
@@ -697,8 +697,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
|
||||||
@ -26,6 +27,3 @@ index c68d6d2..5d0a669 100644
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
--
|
|
||||||
2.17.0
|
|
||||||
|
|
@ -1,14 +1,16 @@
|
|||||||
From 491e3acc55d7a54e2588de476733e93c4c7ffea0 Mon Sep 17 00:00:00 2001
|
From a04b4c4aec3bbfbbde9602ddb4e00809a1a4f92c Mon Sep 17 00:00:00 2001
|
||||||
From: Young_X <YangX92@hotmail.com>
|
From: Young_X <YangX92@hotmail.com>
|
||||||
Date: Sat, 8 Sep 2018 14:46:27 +0800
|
Date: Sat, 8 Sep 2018 14:46:27 +0800
|
||||||
Subject: [PATCH] avoid potential int32 overflows in multiply_ms()
|
Subject: [PATCH] (CVE-2018-17100) avoid potential int32 overflows in
|
||||||
|
multiply_ms()
|
||||||
|
|
||||||
|
(cherry picked from commit 6da1fb3f64d43be37e640efbec60400d1f1ac39e)
|
||||||
---
|
---
|
||||||
tools/ppm2tiff.c | 13 +++++++------
|
tools/ppm2tiff.c | 13 +++++++------
|
||||||
1 file changed, 7 insertions(+), 6 deletions(-)
|
1 file changed, 7 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
|
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
|
||||||
index 91415e9..81ffa3d 100644
|
index 91415e96..81ffa3db 100644
|
||||||
--- a/tools/ppm2tiff.c
|
--- a/tools/ppm2tiff.c
|
||||||
+++ b/tools/ppm2tiff.c
|
+++ b/tools/ppm2tiff.c
|
||||||
@@ -72,15 +72,16 @@ BadPPM(char* file)
|
@@ -72,15 +72,16 @@ BadPPM(char* file)
|
||||||
@ -34,6 +36,3 @@ index 91415e9..81ffa3d 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
--
|
|
||||||
2.17.2
|
|
||||||
|
|
@ -1,7 +1,8 @@
|
|||||||
From 2683f6c21aefc760d2f7e56dac6b4383841886d6 Mon Sep 17 00:00:00 2001
|
From dfd5030637f8643990161311eb6b47f3292ab076 Mon Sep 17 00:00:00 2001
|
||||||
From: Even Rouault <even.rouault@spatialys.com>
|
From: Even Rouault <even.rouault@spatialys.com>
|
||||||
Date: Sun, 14 Oct 2018 16:38:29 +0200
|
Date: Sun, 14 Oct 2018 16:38:29 +0200
|
||||||
Subject: [PATCH 2/2] JBIG: fix potential out-of-bounds write in JBIGDecode()
|
Subject: [PATCH] (CVE-2018-18557) JBIG: fix potential out-of-bounds write in
|
||||||
|
JBIGDecode()
|
||||||
|
|
||||||
JBIGDecode doesn't check if the user provided buffer is large enough
|
JBIGDecode doesn't check if the user provided buffer is large enough
|
||||||
to store the JBIG decoded image, which can potentially cause out-of-bounds
|
to store the JBIG decoded image, which can potentially cause out-of-bounds
|
||||||
@ -13,13 +14,15 @@ tif->tif_rawsize > tif->tif_rawcc
|
|||||||
|
|
||||||
And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
|
And in case libtiff is compiled with CHUNKY_STRIP_READ_SUPPORT, make sure
|
||||||
that whole strip data is provided to JBIGDecode()
|
that whole strip data is provided to JBIGDecode()
|
||||||
|
|
||||||
|
(cherry picked from commit 681748ec2f5ce88da5f9fa6831e1653e46af8a66)
|
||||||
---
|
---
|
||||||
libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------
|
libtiff/tif_jbig.c | 32 ++++++++++++++++++++++++++------
|
||||||
libtiff/tif_read.c | 6 ++++++
|
libtiff/tif_read.c | 6 ++++++
|
||||||
2 files changed, 32 insertions(+), 6 deletions(-)
|
2 files changed, 32 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
|
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
|
||||||
index 7a14dd9..8136c77 100644
|
index 7a14dd9a..8136c77b 100644
|
||||||
--- a/libtiff/tif_jbig.c
|
--- a/libtiff/tif_jbig.c
|
||||||
+++ b/libtiff/tif_jbig.c
|
+++ b/libtiff/tif_jbig.c
|
||||||
@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
|
@@ -53,17 +53,18 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t size, uint16 s)
|
||||||
@ -86,7 +89,7 @@ index 7a14dd9..8136c77 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
|
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
|
||||||
index 2ba985a..04100f4 100644
|
index 2ba985a7..04100f4d 100644
|
||||||
--- a/libtiff/tif_read.c
|
--- a/libtiff/tif_read.c
|
||||||
+++ b/libtiff/tif_read.c
|
+++ b/libtiff/tif_read.c
|
||||||
@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
|
@@ -348,6 +348,12 @@ TIFFSeek(TIFF* tif, uint32 row, uint16 sample )
|
||||||
@ -102,6 +105,3 @@ index 2ba985a..04100f4 100644
|
|||||||
#else
|
#else
|
||||||
whole_strip = 1;
|
whole_strip = 1;
|
||||||
#endif
|
#endif
|
||||||
--
|
|
||||||
2.17.2
|
|
||||||
|
|
@ -1,10 +1,11 @@
|
|||||||
From 20dbecdf69cf0209ad0246707aaf142bb1fee96e Mon Sep 17 00:00:00 2001
|
From 44ef4d3a8e92171f7470620649e8911a8056297c Mon Sep 17 00:00:00 2001
|
||||||
From: Even Rouault <even.rouault@spatialys.com>
|
From: Even Rouault <even.rouault@spatialys.com>
|
||||||
Date: Tue, 30 Oct 2018 18:50:27 +0100
|
Date: Tue, 30 Oct 2018 18:50:27 +0100
|
||||||
Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of
|
Subject: [PATCH] (CVE-2018-18661) tiff2bw: avoid null pointer dereference in
|
||||||
memory situation. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2819 /
|
case of out of memory situation. Fixes
|
||||||
CVE-2018-18661
|
http://bugzilla.maptools.org/show_bug.cgi?id=2819 / CVE-2018-18661
|
||||||
|
|
||||||
|
(cherry picked from commit 99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f)
|
||||||
---
|
---
|
||||||
libtiff/tiffiop.h | 1 +
|
libtiff/tiffiop.h | 1 +
|
||||||
tools/tiff2bw.c | 30 ++++++++++++++++++++++++++----
|
tools/tiff2bw.c | 30 ++++++++++++++++++++++++++----
|
||||||
@ -12,7 +13,7 @@ Subject: [PATCH] tiff2bw: avoid null pointer dereference in case of out of
|
|||||||
3 files changed, 27 insertions(+), 9 deletions(-)
|
3 files changed, 27 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
|
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
|
||||||
index daa291c..08e5dc4 100644
|
index daa291c0..08e5dc44 100644
|
||||||
--- a/libtiff/tiffiop.h
|
--- a/libtiff/tiffiop.h
|
||||||
+++ b/libtiff/tiffiop.h
|
+++ b/libtiff/tiffiop.h
|
||||||
@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
|
@@ -72,6 +72,7 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
|
||||||
@ -24,7 +25,7 @@ index daa291c..08e5dc4 100644
|
|||||||
#ifndef TRUE
|
#ifndef TRUE
|
||||||
#define TRUE 1
|
#define TRUE 1
|
||||||
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
|
diff --git a/tools/tiff2bw.c b/tools/tiff2bw.c
|
||||||
index dad54af..1f3bb2c 100644
|
index dad54afa..1f3bb2cd 100644
|
||||||
--- a/tools/tiff2bw.c
|
--- a/tools/tiff2bw.c
|
||||||
+++ b/tools/tiff2bw.c
|
+++ b/tools/tiff2bw.c
|
||||||
@@ -40,9 +40,7 @@
|
@@ -40,9 +40,7 @@
|
||||||
@ -101,7 +102,7 @@ index dad54af..1f3bb2c 100644
|
|||||||
#undef pack
|
#undef pack
|
||||||
if (inbuf)
|
if (inbuf)
|
||||||
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||||
index c60cb38..3862b1c 100644
|
index c60cb389..3862b1ca 100644
|
||||||
--- a/tools/tiffcrop.c
|
--- a/tools/tiffcrop.c
|
||||||
+++ b/tools/tiffcrop.c
|
+++ b/tools/tiffcrop.c
|
||||||
@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
|
@@ -150,11 +150,6 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
|
||||||
@ -116,6 +117,3 @@ index c60cb38..3862b1c 100644
|
|||||||
#define TRUE 1
|
#define TRUE 1
|
||||||
#define FALSE 0
|
#define FALSE 0
|
||||||
|
|
||||||
--
|
|
||||||
2.17.2
|
|
||||||
|
|
40
SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch
Normal file
40
SOURCES/0013-bz1602597-Fix-two-resource-leaks.patch
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
From 14212e5d19b47d02a4989aa31b9a326c1b131460 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
|
||||||
|
Date: Wed, 31 Oct 2018 11:50:48 +0100
|
||||||
|
Subject: [PATCH] (bz1602597) Fix two resource leaks
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Signed-off-by: Nikola Forró <nforro@redhat.com>
|
||||||
|
(cherry picked from commit 2f694198f1931e144e0a07a7fb50546b5b70e3ef)
|
||||||
|
---
|
||||||
|
tools/ppm2tiff.c | 2 ++
|
||||||
|
tools/tiff2pdf.c | 1 +
|
||||||
|
2 files changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
|
||||||
|
index 81ffa3db..a02e865a 100644
|
||||||
|
--- a/tools/ppm2tiff.c
|
||||||
|
+++ b/tools/ppm2tiff.c
|
||||||
|
@@ -285,6 +285,8 @@ main(int argc, char* argv[])
|
||||||
|
if (TIFFWriteScanline(out, buf, row, 0) < 0)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+ if (in != stdin)
|
||||||
|
+ fclose(in);
|
||||||
|
(void) TIFFClose(out);
|
||||||
|
if (buf)
|
||||||
|
_TIFFfree(buf);
|
||||||
|
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||||
|
index bd23c9e5..ff7b9c22 100644
|
||||||
|
--- a/tools/tiff2pdf.c
|
||||||
|
+++ b/tools/tiff2pdf.c
|
||||||
|
@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
|
||||||
|
"for t2p_readwrite_pdf_image_tile, %s",
|
||||||
|
(unsigned long) t2p->tiff_datasize,
|
||||||
|
TIFFFileName(input));
|
||||||
|
+ _TIFFfree(buffer);
|
||||||
|
t2p->t2p_error = T2P_ERR_ERROR;
|
||||||
|
return(0);
|
||||||
|
}
|
@ -1,15 +1,18 @@
|
|||||||
From 775b0d85eab499ccf577e72ec202eb4c6fb37197 Mon Sep 17 00:00:00 2001
|
From 98e37a5c822bdfed2343e6ab9d03680e85783aef Mon Sep 17 00:00:00 2001
|
||||||
From: Thomas Bernard <miniupnp@free.fr>
|
From: Thomas Bernard <miniupnp@free.fr>
|
||||||
Date: Mon, 11 Feb 2019 10:05:33 +0100
|
Date: Mon, 11 Feb 2019 10:05:33 +0100
|
||||||
Subject: [PATCH] check that (Tile Width)*(Samples/Pixel) do no overflow
|
Subject: [PATCH] (CVE-2018-12900) check that (Tile Width)*(Samples/Pixel) do
|
||||||
|
no overflow
|
||||||
|
|
||||||
fixes bug 2833
|
fixes bug 2833
|
||||||
|
|
||||||
|
(cherry picked from commit 2b0d0e699730d1f26bbeba8397bfdf0e9e01e59d)
|
||||||
---
|
---
|
||||||
tools/tiffcp.c | 9 ++++++++-
|
tools/tiffcp.c | 9 ++++++++-
|
||||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
||||||
index 489459a..0c66229 100644
|
index 489459a7..96f14728 100644
|
||||||
--- a/tools/tiffcp.c
|
--- a/tools/tiffcp.c
|
||||||
+++ b/tools/tiffcp.c
|
+++ b/tools/tiffcp.c
|
||||||
@@ -43,6 +43,7 @@
|
@@ -43,6 +43,7 @@
|
||||||
@ -42,6 +45,3 @@ index 489459a..0c66229 100644
|
|||||||
tilebuf = _TIFFmalloc(tilesize);
|
tilebuf = _TIFFmalloc(tilesize);
|
||||||
if (tilebuf == 0)
|
if (tilebuf == 0)
|
||||||
return 0;
|
return 0;
|
||||||
--
|
|
||||||
2.21.0
|
|
||||||
|
|
@ -0,0 +1,423 @@
|
|||||||
|
From 00aeede6bdba3cb74943932b24accc7ba61d2cb0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Even Rouault <even.rouault@spatialys.com>
|
||||||
|
Date: Sat, 10 Aug 2019 18:25:03 +0200
|
||||||
|
Subject: [PATCH] (CVE-2019-14973) Fix integer overflow in _TIFFCheckMalloc()
|
||||||
|
and other implementation-defined behaviour (CVE-2019-14973)
|
||||||
|
|
||||||
|
_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
|
||||||
|
in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
|
||||||
|
signed), which was especially easily triggered on 32-bit builds (with recent
|
||||||
|
enough compilers that assume that signed multiplication cannot overflow, since
|
||||||
|
this is undefined behaviour by the C standard). The original issue which lead to
|
||||||
|
this fix was trigged from tif_fax3.c
|
||||||
|
|
||||||
|
There were also unsafe (implementation defied), and broken in practice on 64bit
|
||||||
|
builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
|
||||||
|
(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
|
||||||
|
at that time exploits, but are better to fix in a more bullet-proof way.
|
||||||
|
Or similarly use of (int64)uint64_var <= 0.
|
||||||
|
|
||||||
|
(cherry picked from commit 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773)
|
||||||
|
---
|
||||||
|
libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++-----
|
||||||
|
libtiff/tif_getimage.c | 6 ++----
|
||||||
|
libtiff/tif_luv.c | 8 +------
|
||||||
|
libtiff/tif_pixarlog.c | 7 +-----
|
||||||
|
libtiff/tif_read.c | 38 +++++++++-----------------------
|
||||||
|
libtiff/tif_strip.c | 35 ++++--------------------------
|
||||||
|
libtiff/tif_tile.c | 27 +++--------------------
|
||||||
|
libtiff/tiffiop.h | 7 +++++-
|
||||||
|
8 files changed, 71 insertions(+), 106 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
|
||||||
|
index 10b8d00c..38a98b67 100644
|
||||||
|
--- a/libtiff/tif_aux.c
|
||||||
|
+++ b/libtiff/tif_aux.c
|
||||||
|
@@ -59,18 +59,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
|
||||||
|
return bytes;
|
||||||
|
}
|
||||||
|
|
||||||
|
+tmsize_t
|
||||||
|
+_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
|
||||||
|
+{
|
||||||
|
+ if( first <= 0 || second <= 0 )
|
||||||
|
+ {
|
||||||
|
+ if( tif != NULL && where != NULL )
|
||||||
|
+ {
|
||||||
|
+ TIFFErrorExt(tif->tif_clientdata, where,
|
||||||
|
+ "Invalid argument to _TIFFMultiplySSize() in %s", where);
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if( first > TIFF_TMSIZE_T_MAX / second )
|
||||||
|
+ {
|
||||||
|
+ if( tif != NULL && where != NULL )
|
||||||
|
+ {
|
||||||
|
+ TIFFErrorExt(tif->tif_clientdata, where,
|
||||||
|
+ "Integer overflow in %s", where);
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ return first * second;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
|
||||||
|
+{
|
||||||
|
+ if( val > (uint64)TIFF_TMSIZE_T_MAX )
|
||||||
|
+ {
|
||||||
|
+ if( tif != NULL && module != NULL )
|
||||||
|
+ {
|
||||||
|
+ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ return (tmsize_t)val;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
void*
|
||||||
|
_TIFFCheckRealloc(TIFF* tif, void* buffer,
|
||||||
|
tmsize_t nmemb, tmsize_t elem_size, const char* what)
|
||||||
|
{
|
||||||
|
void* cp = NULL;
|
||||||
|
- tmsize_t bytes = nmemb * elem_size;
|
||||||
|
-
|
||||||
|
+ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
|
||||||
|
/*
|
||||||
|
- * XXX: Check for integer overflow.
|
||||||
|
+ * Check for integer overflow.
|
||||||
|
*/
|
||||||
|
- if (nmemb && elem_size && bytes / elem_size == nmemb)
|
||||||
|
- cp = _TIFFrealloc(buffer, bytes);
|
||||||
|
+ if (count != 0)
|
||||||
|
+ {
|
||||||
|
+ cp = _TIFFrealloc(buffer, count);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (cp == NULL) {
|
||||||
|
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
|
||||||
|
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||||
|
index fc554cca..ec09feaf 100644
|
||||||
|
--- a/libtiff/tif_getimage.c
|
||||||
|
+++ b/libtiff/tif_getimage.c
|
||||||
|
@@ -757,9 +757,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||||
|
uint32 leftmost_tw;
|
||||||
|
|
||||||
|
tilesize = TIFFTileSize(tif);
|
||||||
|
- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
|
||||||
|
+ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
|
||||||
|
if (bufsize == 0) {
|
||||||
|
- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1021,9 +1020,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||||
|
uint16 colorchannels;
|
||||||
|
|
||||||
|
stripsize = TIFFStripSize(tif);
|
||||||
|
- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
|
||||||
|
+ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
|
||||||
|
if (bufsize == 0) {
|
||||||
|
- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
|
||||||
|
index 4b25244b..c4cb73a3 100644
|
||||||
|
--- a/libtiff/tif_luv.c
|
||||||
|
+++ b/libtiff/tif_luv.c
|
||||||
|
@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
|
||||||
|
return (SGILOGDATAFMT_UNKNOWN);
|
||||||
|
}
|
||||||
|
|
||||||
|
-
|
||||||
|
-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
|
||||||
|
-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
|
||||||
|
-
|
||||||
|
static tmsize_t
|
||||||
|
multiply_ms(tmsize_t m1, tmsize_t m2)
|
||||||
|
{
|
||||||
|
- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
|
||||||
|
- return 0;
|
||||||
|
- return m1 * m2;
|
||||||
|
+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
|
||||||
|
index 979858da..8e9eaa1d 100644
|
||||||
|
--- a/libtiff/tif_pixarlog.c
|
||||||
|
+++ b/libtiff/tif_pixarlog.c
|
||||||
|
@@ -636,15 +636,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
|
||||||
|
return guess;
|
||||||
|
}
|
||||||
|
|
||||||
|
-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
|
||||||
|
-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
|
||||||
|
-
|
||||||
|
static tmsize_t
|
||||||
|
multiply_ms(tmsize_t m1, tmsize_t m2)
|
||||||
|
{
|
||||||
|
- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
|
||||||
|
- return 0;
|
||||||
|
- return m1 * m2;
|
||||||
|
+ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
static tmsize_t
|
||||||
|
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
|
||||||
|
index 04100f4d..9a0e6e95 100644
|
||||||
|
--- a/libtiff/tif_read.c
|
||||||
|
+++ b/libtiff/tif_read.c
|
||||||
|
@@ -31,9 +31,6 @@
|
||||||
|
#include "tiffiop.h"
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
|
||||||
|
-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
|
||||||
|
-
|
||||||
|
int TIFFFillStrip(TIFF* tif, uint32 strip);
|
||||||
|
int TIFFFillTile(TIFF* tif, uint32 tile);
|
||||||
|
static int TIFFStartStrip(TIFF* tif, uint32 strip);
|
||||||
|
@@ -51,6 +48,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
|
||||||
|
#define THRESHOLD_MULTIPLIER 10
|
||||||
|
#define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
|
||||||
|
|
||||||
|
+#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
|
||||||
|
+
|
||||||
|
/* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
|
||||||
|
* Returns 1 in case of success, 0 otherwise. */
|
||||||
|
static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
|
||||||
|
@@ -735,23 +734,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
|
||||||
|
return ((tmsize_t)(-1));
|
||||||
|
}
|
||||||
|
bytecount = td->td_stripbytecount[strip];
|
||||||
|
- if ((int64)bytecount <= 0) {
|
||||||
|
-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||||
|
- TIFFErrorExt(tif->tif_clientdata, module,
|
||||||
|
- "%I64u: Invalid strip byte count, strip %lu",
|
||||||
|
- (unsigned __int64) bytecount,
|
||||||
|
- (unsigned long) strip);
|
||||||
|
-#else
|
||||||
|
- TIFFErrorExt(tif->tif_clientdata, module,
|
||||||
|
- "%llu: Invalid strip byte count, strip %lu",
|
||||||
|
- (unsigned long long) bytecount,
|
||||||
|
- (unsigned long) strip);
|
||||||
|
-#endif
|
||||||
|
- return ((tmsize_t)(-1));
|
||||||
|
- }
|
||||||
|
- bytecountm = (tmsize_t)bytecount;
|
||||||
|
- if ((uint64)bytecountm!=bytecount) {
|
||||||
|
- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
|
||||||
|
+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
|
||||||
|
+ if (bytecountm == 0) {
|
||||||
|
return ((tmsize_t)(-1));
|
||||||
|
}
|
||||||
|
if (size != (tmsize_t)(-1) && size < bytecountm)
|
||||||
|
@@ -775,7 +759,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
|
||||||
|
if ((tif->tif_flags&TIFF_NOREADRAW)==0)
|
||||||
|
{
|
||||||
|
uint64 bytecount = td->td_stripbytecount[strip];
|
||||||
|
- if ((int64)bytecount <= 0) {
|
||||||
|
+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
|
||||||
|
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||||
|
TIFFErrorExt(tif->tif_clientdata, module,
|
||||||
|
"Invalid strip byte count %I64u, strip %lu",
|
||||||
|
@@ -802,7 +786,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
|
||||||
|
(bytecount - 4096) / 10 > (uint64)stripsize )
|
||||||
|
{
|
||||||
|
uint64 newbytecount = (uint64)stripsize * 10 + 4096;
|
||||||
|
- if( (int64)newbytecount >= 0 )
|
||||||
|
+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
|
||||||
|
{
|
||||||
|
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||||
|
TIFFWarningExt(tif->tif_clientdata, module,
|
||||||
|
@@ -1197,10 +1181,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
|
||||||
|
bytecount64 = td->td_stripbytecount[tile];
|
||||||
|
if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
|
||||||
|
bytecount64 = (uint64)size;
|
||||||
|
- bytecountm = (tmsize_t)bytecount64;
|
||||||
|
- if ((uint64)bytecountm!=bytecount64)
|
||||||
|
- {
|
||||||
|
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
|
||||||
|
+ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
|
||||||
|
+ if( bytecountm == 0 ) {
|
||||||
|
return ((tmsize_t)(-1));
|
||||||
|
}
|
||||||
|
return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
|
||||||
|
@@ -1222,7 +1204,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
|
||||||
|
if ((tif->tif_flags&TIFF_NOREADRAW)==0)
|
||||||
|
{
|
||||||
|
uint64 bytecount = td->td_stripbytecount[tile];
|
||||||
|
- if ((int64)bytecount <= 0) {
|
||||||
|
+ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
|
||||||
|
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||||
|
TIFFErrorExt(tif->tif_clientdata, module,
|
||||||
|
"%I64u: Invalid tile byte count, tile %lu",
|
||||||
|
@@ -1249,7 +1231,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
|
||||||
|
(bytecount - 4096) / 10 > (uint64)stripsize )
|
||||||
|
{
|
||||||
|
uint64 newbytecount = (uint64)stripsize * 10 + 4096;
|
||||||
|
- if( (int64)newbytecount >= 0 )
|
||||||
|
+ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
|
||||||
|
{
|
||||||
|
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
|
||||||
|
TIFFWarningExt(tif->tif_clientdata, module,
|
||||||
|
diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
|
||||||
|
index 6e9f2ef6..321ad6b9 100644
|
||||||
|
--- a/libtiff/tif_strip.c
|
||||||
|
+++ b/libtiff/tif_strip.c
|
||||||
|
@@ -131,15 +131,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
|
||||||
|
{
|
||||||
|
static const char module[] = "TIFFVStripSize";
|
||||||
|
uint64 m;
|
||||||
|
- tmsize_t n;
|
||||||
|
m=TIFFVStripSize64(tif,nrows);
|
||||||
|
- n=(tmsize_t)m;
|
||||||
|
- if ((uint64)n!=m)
|
||||||
|
- {
|
||||||
|
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
|
||||||
|
- n=0;
|
||||||
|
- }
|
||||||
|
- return(n);
|
||||||
|
+ return _TIFFCastUInt64ToSSize(tif, m, module);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -213,15 +206,8 @@ TIFFStripSize(TIFF* tif)
|
||||||
|
{
|
||||||
|
static const char module[] = "TIFFStripSize";
|
||||||
|
uint64 m;
|
||||||
|
- tmsize_t n;
|
||||||
|
m=TIFFStripSize64(tif);
|
||||||
|
- n=(tmsize_t)m;
|
||||||
|
- if ((uint64)n!=m)
|
||||||
|
- {
|
||||||
|
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
|
||||||
|
- n=0;
|
||||||
|
- }
|
||||||
|
- return(n);
|
||||||
|
+ return _TIFFCastUInt64ToSSize(tif, m, module);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -332,14 +318,8 @@ TIFFScanlineSize(TIFF* tif)
|
||||||
|
{
|
||||||
|
static const char module[] = "TIFFScanlineSize";
|
||||||
|
uint64 m;
|
||||||
|
- tmsize_t n;
|
||||||
|
m=TIFFScanlineSize64(tif);
|
||||||
|
- n=(tmsize_t)m;
|
||||||
|
- if ((uint64)n!=m) {
|
||||||
|
- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
|
||||||
|
- n=0;
|
||||||
|
- }
|
||||||
|
- return(n);
|
||||||
|
+ return _TIFFCastUInt64ToSSize(tif, m, module);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -368,15 +348,8 @@ TIFFRasterScanlineSize(TIFF* tif)
|
||||||
|
{
|
||||||
|
static const char module[] = "TIFFRasterScanlineSize";
|
||||||
|
uint64 m;
|
||||||
|
- tmsize_t n;
|
||||||
|
m=TIFFRasterScanlineSize64(tif);
|
||||||
|
- n=(tmsize_t)m;
|
||||||
|
- if ((uint64)n!=m)
|
||||||
|
- {
|
||||||
|
- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
|
||||||
|
- n=0;
|
||||||
|
- }
|
||||||
|
- return(n);
|
||||||
|
+ return _TIFFCastUInt64ToSSize(tif, m, module);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* vim: set ts=8 sts=8 sw=8 noet: */
|
||||||
|
diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
|
||||||
|
index 388e168a..7d057509 100644
|
||||||
|
--- a/libtiff/tif_tile.c
|
||||||
|
+++ b/libtiff/tif_tile.c
|
||||||
|
@@ -183,15 +183,8 @@ TIFFTileRowSize(TIFF* tif)
|
||||||
|
{
|
||||||
|
static const char module[] = "TIFFTileRowSize";
|
||||||
|
uint64 m;
|
||||||
|
- tmsize_t n;
|
||||||
|
m=TIFFTileRowSize64(tif);
|
||||||
|
- n=(tmsize_t)m;
|
||||||
|
- if ((uint64)n!=m)
|
||||||
|
- {
|
||||||
|
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
|
||||||
|
- n=0;
|
||||||
|
- }
|
||||||
|
- return(n);
|
||||||
|
+ return _TIFFCastUInt64ToSSize(tif, m, module);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -250,15 +243,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
|
||||||
|
{
|
||||||
|
static const char module[] = "TIFFVTileSize";
|
||||||
|
uint64 m;
|
||||||
|
- tmsize_t n;
|
||||||
|
m=TIFFVTileSize64(tif,nrows);
|
||||||
|
- n=(tmsize_t)m;
|
||||||
|
- if ((uint64)n!=m)
|
||||||
|
- {
|
||||||
|
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
|
||||||
|
- n=0;
|
||||||
|
- }
|
||||||
|
- return(n);
|
||||||
|
+ return _TIFFCastUInt64ToSSize(tif, m, module);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -274,15 +260,8 @@ TIFFTileSize(TIFF* tif)
|
||||||
|
{
|
||||||
|
static const char module[] = "TIFFTileSize";
|
||||||
|
uint64 m;
|
||||||
|
- tmsize_t n;
|
||||||
|
m=TIFFTileSize64(tif);
|
||||||
|
- n=(tmsize_t)m;
|
||||||
|
- if ((uint64)n!=m)
|
||||||
|
- {
|
||||||
|
- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
|
||||||
|
- n=0;
|
||||||
|
- }
|
||||||
|
- return(n);
|
||||||
|
+ return _TIFFCastUInt64ToSSize(tif, m, module);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
|
||||||
|
index 08e5dc44..d4b86314 100644
|
||||||
|
--- a/libtiff/tiffiop.h
|
||||||
|
+++ b/libtiff/tiffiop.h
|
||||||
|
@@ -79,6 +79,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
|
||||||
|
#define FALSE 0
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
|
||||||
|
+#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
|
||||||
|
+
|
||||||
|
typedef struct client_info {
|
||||||
|
struct client_info *next;
|
||||||
|
void *data;
|
||||||
|
@@ -260,7 +263,7 @@ struct tiff {
|
||||||
|
#define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
|
||||||
|
#define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
|
||||||
|
|
||||||
|
-/* Safe multiply which returns zero if there is an integer overflow */
|
||||||
|
+/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */
|
||||||
|
#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
|
||||||
|
|
||||||
|
#define TIFFmax(A,B) ((A)>(B)?(A):(B))
|
||||||
|
@@ -366,6 +369,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
|
||||||
|
|
||||||
|
extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*);
|
||||||
|
extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*);
|
||||||
|
+extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*);
|
||||||
|
+extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*);
|
||||||
|
extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
|
||||||
|
extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
|
||||||
|
|
@ -0,0 +1,102 @@
|
|||||||
|
From a1c493aa4f22f9d1a4757c05a60addc877519cea Mon Sep 17 00:00:00 2001
|
||||||
|
From: Even Rouault <even.rouault@spatialys.com>
|
||||||
|
Date: Thu, 15 Aug 2019 15:05:28 +0200
|
||||||
|
Subject: [PATCH] (CVE-2019-17546) RGBA interface: fix integer overflow
|
||||||
|
potentially causing write heap buffer overflow, especially on 32 bit builds.
|
||||||
|
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to
|
||||||
|
OSS Fuzz
|
||||||
|
|
||||||
|
(cherry picked from commit 4bb584a35f87af42d6cf09d15e9ce8909a839145)
|
||||||
|
---
|
||||||
|
libtiff/tif_getimage.c | 26 ++++++++++++++++++++------
|
||||||
|
1 file changed, 20 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||||
|
index ec09feaf..c6edd27c 100644
|
||||||
|
--- a/libtiff/tif_getimage.c
|
||||||
|
+++ b/libtiff/tif_getimage.c
|
||||||
|
@@ -951,16 +951,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||||
|
fromskew = (w < imagewidth ? imagewidth - w : 0);
|
||||||
|
for (row = 0; row < h; row += nrow)
|
||||||
|
{
|
||||||
|
+ uint32 temp;
|
||||||
|
rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
|
||||||
|
nrow = (row + rowstoread > h ? h - row : rowstoread);
|
||||||
|
nrowsub = nrow;
|
||||||
|
if ((nrowsub%subsamplingver)!=0)
|
||||||
|
nrowsub+=subsamplingver-nrowsub%subsamplingver;
|
||||||
|
+ temp = (row + img->row_offset)%rowsperstrip + nrowsub;
|
||||||
|
+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
|
||||||
|
+ {
|
||||||
|
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
if (_TIFFReadEncodedStripAndAllocBuffer(tif,
|
||||||
|
TIFFComputeStrip(tif,row+img->row_offset, 0),
|
||||||
|
(void**)(&buf),
|
||||||
|
maxstripsize,
|
||||||
|
- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
|
||||||
|
+ temp * scanline)==(tmsize_t)(-1)
|
||||||
|
&& (buf == NULL || img->stoponerr))
|
||||||
|
{
|
||||||
|
ret = 0;
|
||||||
|
@@ -1053,15 +1060,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||||
|
fromskew = (w < imagewidth ? imagewidth - w : 0);
|
||||||
|
for (row = 0; row < h; row += nrow)
|
||||||
|
{
|
||||||
|
+ uint32 temp;
|
||||||
|
rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
|
||||||
|
nrow = (row + rowstoread > h ? h - row : rowstoread);
|
||||||
|
offset_row = row + img->row_offset;
|
||||||
|
+ temp = (row + img->row_offset)%rowsperstrip + nrow;
|
||||||
|
+ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
|
||||||
|
+ {
|
||||||
|
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
if( buf == NULL )
|
||||||
|
{
|
||||||
|
if (_TIFFReadEncodedStripAndAllocBuffer(
|
||||||
|
tif, TIFFComputeStrip(tif, offset_row, 0),
|
||||||
|
(void**) &buf, bufsize,
|
||||||
|
- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
|
||||||
|
+ temp * scanline)==(tmsize_t)(-1)
|
||||||
|
&& (buf == NULL || img->stoponerr))
|
||||||
|
{
|
||||||
|
ret = 0;
|
||||||
|
@@ -1081,7 +1095,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
|
||||||
|
- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
|
||||||
|
+ p0, temp * scanline)==(tmsize_t)(-1)
|
||||||
|
&& img->stoponerr)
|
||||||
|
{
|
||||||
|
ret = 0;
|
||||||
|
@@ -1089,7 +1103,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||||
|
}
|
||||||
|
if (colorchannels > 1
|
||||||
|
&& TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
|
||||||
|
- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
|
||||||
|
+ p1, temp * scanline) == (tmsize_t)(-1)
|
||||||
|
&& img->stoponerr)
|
||||||
|
{
|
||||||
|
ret = 0;
|
||||||
|
@@ -1097,7 +1111,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||||
|
}
|
||||||
|
if (colorchannels > 1
|
||||||
|
&& TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
|
||||||
|
- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
|
||||||
|
+ p2, temp * scanline) == (tmsize_t)(-1)
|
||||||
|
&& img->stoponerr)
|
||||||
|
{
|
||||||
|
ret = 0;
|
||||||
|
@@ -1106,7 +1120,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||||
|
if (alpha)
|
||||||
|
{
|
||||||
|
if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
|
||||||
|
- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
|
||||||
|
+ pa, temp * scanline)==(tmsize_t)(-1)
|
||||||
|
&& img->stoponerr)
|
||||||
|
{
|
||||||
|
ret = 0;
|
@ -0,0 +1,86 @@
|
|||||||
|
From 8f70b086e6553b4d41aaff2c5fb4266859436626 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Bernard <miniupnp@free.fr>
|
||||||
|
Date: Sun, 15 Nov 2020 17:02:51 +0100
|
||||||
|
Subject: [PATCH] (CVE-2020-35521 CVE-2020-35522) enforce (configurable) memory
|
||||||
|
limit in tiff2rgba
|
||||||
|
|
||||||
|
fixes #207
|
||||||
|
fixes #209
|
||||||
|
|
||||||
|
(cherry picked from commit 98a254f5b92cea22f5436555ff7fceb12afee84d)
|
||||||
|
---
|
||||||
|
tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
|
||||||
|
1 file changed, 23 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
|
||||||
|
index 4de96aec..e6de2209 100644
|
||||||
|
--- a/tools/tiff2rgba.c
|
||||||
|
+++ b/tools/tiff2rgba.c
|
||||||
|
@@ -55,6 +55,10 @@ uint32 rowsperstrip = (uint32) -1;
|
||||||
|
int process_by_block = 0; /* default is whole image at once */
|
||||||
|
int no_alpha = 0;
|
||||||
|
int bigtiff_output = 0;
|
||||||
|
+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
|
||||||
|
+/* malloc size limit (in bytes)
|
||||||
|
+ * disabled when set to 0 */
|
||||||
|
+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
|
||||||
|
|
||||||
|
|
||||||
|
static int tiffcvt(TIFF* in, TIFF* out);
|
||||||
|
@@ -70,8 +74,11 @@ main(int argc, char* argv[])
|
||||||
|
extern char *optarg;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
|
||||||
|
+ while ((c = getopt(argc, argv, "c:r:t:bn8M:")) != -1)
|
||||||
|
switch (c) {
|
||||||
|
+ case 'M':
|
||||||
|
+ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
|
||||||
|
+ break;
|
||||||
|
case 'b':
|
||||||
|
process_by_block = 1;
|
||||||
|
break;
|
||||||
|
@@ -397,6 +404,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
|
||||||
|
(unsigned long)width, (unsigned long)height);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
|
||||||
|
+ TIFFError(TIFFFileName(in),
|
||||||
|
+ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
|
||||||
|
+ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip);
|
||||||
|
TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip);
|
||||||
|
@@ -522,6 +535,13 @@ tiffcvt(TIFF* in, TIFF* out)
|
||||||
|
TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
|
||||||
|
CopyField(TIFFTAG_DOCUMENTNAME, stringv);
|
||||||
|
|
||||||
|
+ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
|
||||||
|
+ {
|
||||||
|
+ TIFFError(TIFFFileName(in),
|
||||||
|
+ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
|
||||||
|
+ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
if( process_by_block && TIFFIsTiled( in ) )
|
||||||
|
return( cvt_by_tile( in, out ) );
|
||||||
|
else if( process_by_block )
|
||||||
|
@@ -531,7 +551,7 @@ tiffcvt(TIFF* in, TIFF* out)
|
||||||
|
}
|
||||||
|
|
||||||
|
static char* stuff[] = {
|
||||||
|
- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
|
||||||
|
+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
|
||||||
|
"where comp is one of the following compression algorithms:",
|
||||||
|
" jpeg\t\tJPEG encoding",
|
||||||
|
" zip\t\tZip/Deflate encoding",
|
||||||
|
@@ -543,6 +563,7 @@ static char* stuff[] = {
|
||||||
|
" -b (progress by block rather than as a whole image)",
|
||||||
|
" -n don't emit alpha component.",
|
||||||
|
" -8 write BigTIFF file instead of ClassicTIFF",
|
||||||
|
+ " -M set the memory allocation limit in MiB. 0 to disable limit",
|
||||||
|
NULL
|
||||||
|
};
|
||||||
|
|
@ -0,0 +1,50 @@
|
|||||||
|
From a7786e10d1bab22f34322e6e711b93b377d6155e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Bernard <miniupnp@free.fr>
|
||||||
|
Date: Tue, 10 Nov 2020 01:54:30 +0100
|
||||||
|
Subject: [PATCH] (CVE-2020-35523) gtTileContig(): check Tile width for
|
||||||
|
overflow
|
||||||
|
|
||||||
|
fixes #211
|
||||||
|
|
||||||
|
(cherry picked from commit c8d613ef497058fe653c467fc84c70a62a4a71b2)
|
||||||
|
---
|
||||||
|
libtiff/tif_getimage.c | 17 +++++++++++++----
|
||||||
|
1 file changed, 13 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||||
|
index c6edd27c..b1f7cc95 100644
|
||||||
|
--- a/libtiff/tif_getimage.c
|
||||||
|
+++ b/libtiff/tif_getimage.c
|
||||||
|
@@ -31,6 +31,7 @@
|
||||||
|
*/
|
||||||
|
#include "tiffiop.h"
|
||||||
|
#include <stdio.h>
|
||||||
|
+#include <limits.h>
|
||||||
|
|
||||||
|
static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
|
||||||
|
static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
|
||||||
|
@@ -647,12 +648,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
||||||
|
|
||||||
|
flip = setorientation(img);
|
||||||
|
if (flip & FLIP_VERTICALLY) {
|
||||||
|
- y = h - 1;
|
||||||
|
- toskew = -(int32)(tw + w);
|
||||||
|
+ if ((tw + w) > INT_MAX) {
|
||||||
|
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
|
||||||
|
+ return (0);
|
||||||
|
+ }
|
||||||
|
+ y = h - 1;
|
||||||
|
+ toskew = -(int32)(tw + w);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
- y = 0;
|
||||||
|
- toskew = -(int32)(tw - w);
|
||||||
|
+ if (tw > (INT_MAX + w)) {
|
||||||
|
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
|
||||||
|
+ return (0);
|
||||||
|
+ }
|
||||||
|
+ y = 0;
|
||||||
|
+ toskew = -(int32)(tw - w);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
@ -0,0 +1,38 @@
|
|||||||
|
From 55cd158269c43c83c23636dc9197816b3b359aa4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Bernard <miniupnp@free.fr>
|
||||||
|
Date: Sat, 14 Nov 2020 12:53:01 +0000
|
||||||
|
Subject: [PATCH] (CVE-2020-35524) tiff2pdf.c: properly calculate datasize when
|
||||||
|
saving to JPEG YCbCr
|
||||||
|
|
||||||
|
fixes #220
|
||||||
|
|
||||||
|
(cherry picked from commit 7be2e452ddcf6d7abca88f41d3761e6edab72b22)
|
||||||
|
---
|
||||||
|
tools/tiff2pdf.c | 14 +++++++++++---
|
||||||
|
1 file changed, 11 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
||||||
|
index ff7b9c22..a5db1f64 100644
|
||||||
|
--- a/tools/tiff2pdf.c
|
||||||
|
+++ b/tools/tiff2pdf.c
|
||||||
|
@@ -2049,9 +2049,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* input){
|
||||||
|
#endif
|
||||||
|
(void) 0;
|
||||||
|
}
|
||||||
|
- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
|
||||||
|
- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
|
||||||
|
- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
|
||||||
|
+#ifdef JPEG_SUPPORT
|
||||||
|
+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
|
||||||
|
+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
|
||||||
|
+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
|
||||||
|
+ } else
|
||||||
|
+#endif
|
||||||
|
+ {
|
||||||
|
+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
|
||||||
|
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
|
||||||
|
+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
if (k == 0) {
|
||||||
|
/* Assume we had overflow inside TIFFScanlineSize */
|
@ -0,0 +1,89 @@
|
|||||||
|
From 25f99f92536fe2c7bf8e1a7fe12f0145c67a0383 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Bernard <miniupnp@free.fr>
|
||||||
|
Date: Mon, 11 Feb 2019 23:08:25 +0100
|
||||||
|
Subject: [PATCH] (CVE-2020-19131) tiffcrop.c: fix invertImage() for bps 2 and
|
||||||
|
4
|
||||||
|
|
||||||
|
too much bytes were processed, causing a heap buffer overrun
|
||||||
|
http://bugzilla.maptools.org/show_bug.cgi?id=2831
|
||||||
|
the loop counter must be
|
||||||
|
for (col = 0; col < width; col += 8 / bps)
|
||||||
|
|
||||||
|
Also the values were not properly calculated. It should be
|
||||||
|
255-x, 15-x, 3-x for bps 8, 4, 2.
|
||||||
|
|
||||||
|
But anyway it is easyer to invert all bits as 255-x = ~x, etc.
|
||||||
|
(substracting from a binary number composed of all 1 is like inverting
|
||||||
|
the bits)
|
||||||
|
|
||||||
|
(cherry picked from commit 9cfa5c469109c207bf3b916c52e618d4400ba2c0)
|
||||||
|
---
|
||||||
|
tools/tiffcrop.c | 37 ++++++-------------------------------
|
||||||
|
1 file changed, 6 insertions(+), 31 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||||
|
index 3862b1ca..a6129148 100644
|
||||||
|
--- a/tools/tiffcrop.c
|
||||||
|
+++ b/tools/tiffcrop.c
|
||||||
|
@@ -9142,7 +9142,6 @@ static int
|
||||||
|
invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 length, unsigned char *work_buff)
|
||||||
|
{
|
||||||
|
uint32 row, col;
|
||||||
|
- unsigned char bytebuff1, bytebuff2, bytebuff3, bytebuff4;
|
||||||
|
unsigned char *src;
|
||||||
|
uint16 *src_uint16;
|
||||||
|
uint32 *src_uint32;
|
||||||
|
@@ -9172,7 +9171,7 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
|
||||||
|
for (row = 0; row < length; row++)
|
||||||
|
for (col = 0; col < width; col++)
|
||||||
|
{
|
||||||
|
- *src_uint32 = (uint32)0xFFFFFFFF - *src_uint32;
|
||||||
|
+ *src_uint32 = ~(*src_uint32);
|
||||||
|
src_uint32++;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
@@ -9180,39 +9179,15 @@ invertImage(uint16 photometric, uint16 spp, uint16 bps, uint32 width, uint32 len
|
||||||
|
for (row = 0; row < length; row++)
|
||||||
|
for (col = 0; col < width; col++)
|
||||||
|
{
|
||||||
|
- *src_uint16 = (uint16)0xFFFF - *src_uint16;
|
||||||
|
+ *src_uint16 = ~(*src_uint16);
|
||||||
|
src_uint16++;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
- case 8: for (row = 0; row < length; row++)
|
||||||
|
- for (col = 0; col < width; col++)
|
||||||
|
- {
|
||||||
|
- *src = (uint8)255 - *src;
|
||||||
|
- src++;
|
||||||
|
- }
|
||||||
|
- break;
|
||||||
|
- case 4: for (row = 0; row < length; row++)
|
||||||
|
- for (col = 0; col < width; col++)
|
||||||
|
- {
|
||||||
|
- bytebuff1 = 16 - (uint8)(*src & 240 >> 4);
|
||||||
|
- bytebuff2 = 16 - (*src & 15);
|
||||||
|
- *src = bytebuff1 << 4 & bytebuff2;
|
||||||
|
- src++;
|
||||||
|
- }
|
||||||
|
- break;
|
||||||
|
- case 2: for (row = 0; row < length; row++)
|
||||||
|
- for (col = 0; col < width; col++)
|
||||||
|
- {
|
||||||
|
- bytebuff1 = 4 - (uint8)(*src & 192 >> 6);
|
||||||
|
- bytebuff2 = 4 - (uint8)(*src & 48 >> 4);
|
||||||
|
- bytebuff3 = 4 - (uint8)(*src & 12 >> 2);
|
||||||
|
- bytebuff4 = 4 - (uint8)(*src & 3);
|
||||||
|
- *src = (bytebuff1 << 6) || (bytebuff2 << 4) || (bytebuff3 << 2) || bytebuff4;
|
||||||
|
- src++;
|
||||||
|
- }
|
||||||
|
- break;
|
||||||
|
+ case 8:
|
||||||
|
+ case 4:
|
||||||
|
+ case 2:
|
||||||
|
case 1: for (row = 0; row < length; row++)
|
||||||
|
- for (col = 0; col < width; col += 8 /(spp * bps))
|
||||||
|
+ for (col = 0; col < width; col += 8 / bps)
|
||||||
|
{
|
||||||
|
*src = ~(*src);
|
||||||
|
src++;
|
@ -0,0 +1,27 @@
|
|||||||
|
From b94f6754796d32e204b874b3660a125973815933 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Even Rouault <even.rouault@spatialys.com>
|
||||||
|
Date: Sun, 6 Feb 2022 13:08:38 +0100
|
||||||
|
Subject: [PATCH] (CVE-2022-0561) TIFFFetchStripThing(): avoid calling memcpy()
|
||||||
|
with a null source pointer and size of zero (fixes #362)
|
||||||
|
|
||||||
|
(cherry picked from commit eecb0712f4c3a5b449f70c57988260a667ddbdef)
|
||||||
|
---
|
||||||
|
libtiff/tif_dirread.c | 5 +++--
|
||||||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||||||
|
index 80aaf8d1..1e6f1c2f 100644
|
||||||
|
--- a/libtiff/tif_dirread.c
|
||||||
|
+++ b/libtiff/tif_dirread.c
|
||||||
|
@@ -5633,8 +5633,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
|
||||||
|
_TIFFfree(data);
|
||||||
|
return(0);
|
||||||
|
}
|
||||||
|
- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
|
||||||
|
- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
|
||||||
|
+ if( dir->tdir_count )
|
||||||
|
+ _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
|
||||||
|
+ _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
|
||||||
|
_TIFFfree(data);
|
||||||
|
data=resizeddata;
|
||||||
|
}
|
@ -0,0 +1,25 @@
|
|||||||
|
From b7426cc131d837de8d139b8007f66f9db59c4f6a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Even Rouault <even.rouault@spatialys.com>
|
||||||
|
Date: Sat, 5 Feb 2022 20:36:41 +0100
|
||||||
|
Subject: [PATCH] (CVE-2022-0562) TIFFReadDirectory(): avoid calling memcpy()
|
||||||
|
with a null source pointer and size of zero (fixes #362)
|
||||||
|
|
||||||
|
(cherry picked from commit 561599c99f987dc32ae110370cfdd7df7975586b)
|
||||||
|
---
|
||||||
|
libtiff/tif_dirread.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||||||
|
index 1e6f1c2f..d68aecc5 100644
|
||||||
|
--- a/libtiff/tif_dirread.c
|
||||||
|
+++ b/libtiff/tif_dirread.c
|
||||||
|
@@ -4083,7 +4083,8 @@ TIFFReadDirectory(TIFF* tif)
|
||||||
|
goto bad;
|
||||||
|
}
|
||||||
|
|
||||||
|
- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
|
||||||
|
+ if (old_extrasamples > 0)
|
||||||
|
+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
|
||||||
|
_TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
|
||||||
|
_TIFFfree(new_sampleinfo);
|
||||||
|
}
|
@ -0,0 +1,36 @@
|
|||||||
|
From 377a37d06f8ea753cba404cd6954b988ca861ad3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: 4ugustus <wangdw.augustus@qq.com>
|
||||||
|
Date: Tue, 25 Jan 2022 16:25:28 +0000
|
||||||
|
Subject: [PATCH] (CVE-2022-22844) tiffset: fix global-buffer-overflow for
|
||||||
|
ASCII tags where count is required (fixes #355)
|
||||||
|
|
||||||
|
(cherry picked from commit 03047a26952a82daaa0792957ce211e0aa51bc64)
|
||||||
|
---
|
||||||
|
tools/tiffset.c | 12 +++++++++++-
|
||||||
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiffset.c b/tools/tiffset.c
|
||||||
|
index 894c9f1f..e4b0d49f 100644
|
||||||
|
--- a/tools/tiffset.c
|
||||||
|
+++ b/tools/tiffset.c
|
||||||
|
@@ -134,9 +134,19 @@ main(int argc, char* argv[])
|
||||||
|
|
||||||
|
arg_index++;
|
||||||
|
if (TIFFFieldDataType(fip) == TIFF_ASCII) {
|
||||||
|
- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
|
||||||
|
+ if(TIFFFieldPassCount( fip )) {
|
||||||
|
+ size_t len;
|
||||||
|
+ len = strlen(argv[arg_index]) + 1;
|
||||||
|
+ if (len > ((uint16)(~0)) || TIFFSetField(tiff, TIFFFieldTag(fip),
|
||||||
|
+ (uint16)len, argv[arg_index]) != 1)
|
||||||
|
fprintf( stderr, "Failed to set %s=%s\n",
|
||||||
|
TIFFFieldName(fip), argv[arg_index] );
|
||||||
|
+ } else {
|
||||||
|
+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
|
||||||
|
+ argv[arg_index]) != 1)
|
||||||
|
+ fprintf( stderr, "Failed to set %s=%s\n",
|
||||||
|
+ TIFFFieldName(fip), argv[arg_index] );
|
||||||
|
+ }
|
||||||
|
} else if (TIFFFieldWriteCount(fip) > 0
|
||||||
|
|| TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
|
||||||
|
int ret = 1;
|
@ -0,0 +1,33 @@
|
|||||||
|
From 2d598cd7523cba7ee8441fac96bfe422ec277efc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Even Rouault <even.rouault@spatialys.com>
|
||||||
|
Date: Thu, 24 Feb 2022 22:26:02 +0100
|
||||||
|
Subject: [PATCH] (CVE-2022-0865) tif_jbig.c: fix crash when reading a file
|
||||||
|
with multiple IFD in memory-mapped mode and when bit reversal is needed
|
||||||
|
(fixes #385)
|
||||||
|
|
||||||
|
(cherry picked from commit a1c933dabd0e1c54a412f3f84ae0aa58115c6067)
|
||||||
|
---
|
||||||
|
libtiff/tif_jbig.c | 10 ++++++++++
|
||||||
|
1 file changed, 10 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
|
||||||
|
index 8136c77b..698428f0 100644
|
||||||
|
--- a/libtiff/tif_jbig.c
|
||||||
|
+++ b/libtiff/tif_jbig.c
|
||||||
|
@@ -210,6 +210,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
|
||||||
|
*/
|
||||||
|
tif->tif_flags |= TIFF_NOBITREV;
|
||||||
|
tif->tif_flags &= ~TIFF_MAPPED;
|
||||||
|
+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
|
||||||
|
+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
|
||||||
|
+ * value to be consistent with the state of a non-memory mapped file.
|
||||||
|
+ */
|
||||||
|
+ if (tif->tif_flags&TIFF_BUFFERMMAP) {
|
||||||
|
+ tif->tif_rawdata = NULL;
|
||||||
|
+ tif->tif_rawdatasize = 0;
|
||||||
|
+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
|
||||||
|
+ tif->tif_flags |= TIFF_MYBUFFER;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* Setup the function pointers for encode, decode, and cleanup. */
|
||||||
|
tif->tif_setupdecode = JBIGSetupDecode;
|
@ -0,0 +1,198 @@
|
|||||||
|
From 465c2d93e2a2d20ac4844ad0d98b35f00e8063fb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Su Laus <sulau@freenet.de>
|
||||||
|
Date: Tue, 8 Mar 2022 17:02:44 +0000
|
||||||
|
Subject: [PATCH] (CVE-2022-0891) tiffcrop: fix issue #380 and #382 heap buffer
|
||||||
|
overflow in extractImageSection
|
||||||
|
|
||||||
|
(cherry picked from commit 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c)
|
||||||
|
---
|
||||||
|
tools/tiffcrop.c | 84 ++++++++++++++++++------------------------------
|
||||||
|
1 file changed, 32 insertions(+), 52 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||||
|
index a6129148..83cf80ad 100644
|
||||||
|
--- a/tools/tiffcrop.c
|
||||||
|
+++ b/tools/tiffcrop.c
|
||||||
|
@@ -6668,10 +6668,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||||
|
#ifdef DEVELMODE
|
||||||
|
uint32 img_length;
|
||||||
|
#endif
|
||||||
|
- uint32 j, shift1, shift2, trailing_bits;
|
||||||
|
+ uint32 j, shift1, trailing_bits;
|
||||||
|
uint32 row, first_row, last_row, first_col, last_col;
|
||||||
|
uint32 src_offset, dst_offset, row_offset, col_offset;
|
||||||
|
- uint32 offset1, offset2, full_bytes;
|
||||||
|
+ uint32 offset1, full_bytes;
|
||||||
|
uint32 sect_width;
|
||||||
|
#ifdef DEVELMODE
|
||||||
|
uint32 sect_length;
|
||||||
|
@@ -6681,7 +6681,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||||
|
#ifdef DEVELMODE
|
||||||
|
int k;
|
||||||
|
unsigned char bitset;
|
||||||
|
- static char *bitarray = NULL;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
img_width = image->width;
|
||||||
|
@@ -6699,17 +6698,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||||
|
dst_offset = 0;
|
||||||
|
|
||||||
|
#ifdef DEVELMODE
|
||||||
|
- if (bitarray == NULL)
|
||||||
|
- {
|
||||||
|
- if ((bitarray = (char *)malloc(img_width)) == NULL)
|
||||||
|
- {
|
||||||
|
- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
|
||||||
|
- return (-1);
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
+ char bitarray[39];
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- /* rows, columns, width, length are expressed in pixels */
|
||||||
|
+ /* rows, columns, width, length are expressed in pixels
|
||||||
|
+ * first_row, last_row, .. are index into image array starting at 0 to width-1,
|
||||||
|
+ * last_col shall be also extracted. */
|
||||||
|
first_row = section->y1;
|
||||||
|
last_row = section->y2;
|
||||||
|
first_col = section->x1;
|
||||||
|
@@ -6719,9 +6713,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||||
|
#ifdef DEVELMODE
|
||||||
|
sect_length = last_row - first_row + 1;
|
||||||
|
#endif
|
||||||
|
- img_rowsize = ((img_width * bps + 7) / 8) * spp;
|
||||||
|
+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
|
||||||
|
+ * samples rather than separate planes so the same logic works to extract regions
|
||||||
|
+ * regardless of the way the data are organized in the input file.
|
||||||
|
+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
|
||||||
|
+ */
|
||||||
|
+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
|
||||||
|
full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
|
||||||
|
- trailing_bits = (sect_width * bps) % 8;
|
||||||
|
+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
|
||||||
|
|
||||||
|
#ifdef DEVELMODE
|
||||||
|
TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",
|
||||||
|
@@ -6734,10 +6733,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||||
|
|
||||||
|
if ((bps % 8) == 0)
|
||||||
|
{
|
||||||
|
- col_offset = first_col * spp * bps / 8;
|
||||||
|
+ col_offset = (first_col * spp * bps) / 8;
|
||||||
|
for (row = first_row; row <= last_row; row++)
|
||||||
|
{
|
||||||
|
- /* row_offset = row * img_width * spp * bps / 8; */
|
||||||
|
row_offset = row * img_rowsize;
|
||||||
|
src_offset = row_offset + col_offset;
|
||||||
|
|
||||||
|
@@ -6750,14 +6748,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{ /* bps != 8 */
|
||||||
|
- shift1 = spp * ((first_col * bps) % 8);
|
||||||
|
- shift2 = spp * ((last_col * bps) % 8);
|
||||||
|
+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
|
||||||
|
for (row = first_row; row <= last_row; row++)
|
||||||
|
{
|
||||||
|
/* pull out the first byte */
|
||||||
|
row_offset = row * img_rowsize;
|
||||||
|
- offset1 = row_offset + (first_col * bps / 8);
|
||||||
|
- offset2 = row_offset + (last_col * bps / 8);
|
||||||
|
+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
|
||||||
|
|
||||||
|
#ifdef DEVELMODE
|
||||||
|
for (j = 0, k = 7; j < 8; j++, k--)
|
||||||
|
@@ -6769,12 +6765,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||||
|
sprintf(&bitarray[9], " ");
|
||||||
|
for (j = 10, k = 7; j < 18; j++, k--)
|
||||||
|
{
|
||||||
|
- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
|
||||||
|
+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
|
||||||
|
sprintf(&bitarray[j], (bitset) ? "1" : "0");
|
||||||
|
}
|
||||||
|
bitarray[18] = '\0';
|
||||||
|
- TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Shift2: %d\n",
|
||||||
|
- row, offset1, shift1, offset2, shift2);
|
||||||
|
+ TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Trailing_bits: %d\n",
|
||||||
|
+ row, offset1, shift1, offset1+full_bytes, trailing_bits);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
bytebuff1 = bytebuff2 = 0;
|
||||||
|
@@ -6798,11 +6794,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||||
|
|
||||||
|
if (trailing_bits != 0)
|
||||||
|
{
|
||||||
|
- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
|
||||||
|
+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
|
||||||
|
+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
|
||||||
|
sect_buff[dst_offset] = bytebuff2;
|
||||||
|
#ifdef DEVELMODE
|
||||||
|
TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n",
|
||||||
|
- offset2, dst_offset);
|
||||||
|
+ offset1 + full_bytes, dst_offset);
|
||||||
|
for (j = 30, k = 7; j < 38; j++, k--)
|
||||||
|
{
|
||||||
|
bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
|
||||||
|
@@ -6821,8 +6818,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||||
|
#endif
|
||||||
|
for (j = 0; j <= full_bytes; j++)
|
||||||
|
{
|
||||||
|
+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
|
||||||
|
+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
|
||||||
|
bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
|
||||||
|
- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
|
||||||
|
+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
|
||||||
|
sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
|
||||||
|
}
|
||||||
|
#ifdef DEVELMODE
|
||||||
|
@@ -6838,35 +6837,16 @@ extractImageSection(struct image_data *image, struct pageseg *section,
|
||||||
|
#endif
|
||||||
|
dst_offset += full_bytes;
|
||||||
|
|
||||||
|
+ /* Copy the trailing_bits for the last byte in the destination buffer.
|
||||||
|
+ Could come from one ore two bytes of the source buffer. */
|
||||||
|
if (trailing_bits != 0)
|
||||||
|
{
|
||||||
|
#ifdef DEVELMODE
|
||||||
|
- TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", offset1 + full_bytes, dst_offset);
|
||||||
|
-#endif
|
||||||
|
- if (shift2 > shift1)
|
||||||
|
- {
|
||||||
|
- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
|
||||||
|
- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
|
||||||
|
- sect_buff[dst_offset] = bytebuff2;
|
||||||
|
-#ifdef DEVELMODE
|
||||||
|
- TIFFError ("", " Shift2 > Shift1\n");
|
||||||
|
+ TIFFError("", " Trailing bits %4d src offset: %8d, Dst offset: %8d\n", trailing_bits, offset1 + full_bytes, dst_offset);
|
||||||
|
#endif
|
||||||
|
- }
|
||||||
|
- else
|
||||||
|
- {
|
||||||
|
- if (shift2 < shift1)
|
||||||
|
- {
|
||||||
|
- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
|
||||||
|
- sect_buff[dst_offset] &= bytebuff2;
|
||||||
|
-#ifdef DEVELMODE
|
||||||
|
- TIFFError ("", " Shift2 < Shift1\n");
|
||||||
|
-#endif
|
||||||
|
- }
|
||||||
|
-#ifdef DEVELMODE
|
||||||
|
- else
|
||||||
|
- TIFFError ("", " Shift2 == Shift1\n");
|
||||||
|
-#endif
|
||||||
|
- }
|
||||||
|
+ /* More than necessary bits are already copied into last destination buffer,
|
||||||
|
+ * only masking of last byte in destination buffer is necessary.*/
|
||||||
|
+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
|
||||||
|
}
|
||||||
|
#ifdef DEVELMODE
|
||||||
|
sprintf(&bitarray[28], " ");
|
||||||
|
@@ -7020,7 +7000,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
|
||||||
|
width = sections[i].x2 - sections[i].x1 + 1;
|
||||||
|
length = sections[i].y2 - sections[i].y1 + 1;
|
||||||
|
sectsize = (uint32)
|
||||||
|
- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
|
||||||
|
+ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
|
||||||
|
/* allocate a buffer if we don't have one already */
|
||||||
|
if (createImageSection(sectsize, sect_buff_ptr))
|
||||||
|
{
|
@ -0,0 +1,51 @@
|
|||||||
|
From 0bbe164e12be733a1b7e0fe9939ea3461ed7fff2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: 4ugustus <wangdw.augustus@qq.com>
|
||||||
|
Date: Thu, 10 Mar 2022 08:48:00 +0000
|
||||||
|
Subject: [PATCH] (CVE-2022-0924) fix heap buffer overflow in tiffcp (#278)
|
||||||
|
|
||||||
|
(cherry picked from commit 88d79a45a31c74cba98c697892fed5f7db8b963a)
|
||||||
|
---
|
||||||
|
tools/tiffcp.c | 17 ++++++++++++++++-
|
||||||
|
1 file changed, 16 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
||||||
|
index 96f14728..d5f1d248 100644
|
||||||
|
--- a/tools/tiffcp.c
|
||||||
|
+++ b/tools/tiffcp.c
|
||||||
|
@@ -1506,12 +1506,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
|
||||||
|
tdata_t obuf;
|
||||||
|
tstrip_t strip = 0;
|
||||||
|
tsample_t s;
|
||||||
|
+ uint16 bps = 0, bytes_per_sample;
|
||||||
|
|
||||||
|
obuf = _TIFFmalloc(stripsize);
|
||||||
|
if (obuf == NULL)
|
||||||
|
return (0);
|
||||||
|
_TIFFmemset(obuf, 0, stripsize);
|
||||||
|
(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
|
||||||
|
+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
|
||||||
|
+ if( bps == 0 )
|
||||||
|
+ {
|
||||||
|
+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
|
||||||
|
+ _TIFFfree(obuf);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ if( (bps % 8) != 0 )
|
||||||
|
+ {
|
||||||
|
+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
|
||||||
|
+ _TIFFfree(obuf);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ bytes_per_sample = bps/8;
|
||||||
|
for (s = 0; s < spp; s++) {
|
||||||
|
uint32 row;
|
||||||
|
for (row = 0; row < imagelength; row += rowsperstrip) {
|
||||||
|
@@ -1521,7 +1536,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
|
||||||
|
|
||||||
|
cpContigBufToSeparateBuf(
|
||||||
|
obuf, (uint8*) buf + row*rowsize + s,
|
||||||
|
- nrows, imagewidth, 0, 0, spp, 1);
|
||||||
|
+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
|
||||||
|
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
|
||||||
|
TIFFError(TIFFFileName(out),
|
||||||
|
"Error, can't write strip %u",
|
30
SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
Normal file
30
SOURCES/0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
From fb2bd72a49496d10c4860102b7c26b9bc8adff70 Mon Sep 17 00:00:00 2001
|
||||||
|
From: 4ugustus <wangdw.augustus@qq.com>
|
||||||
|
Date: Tue, 8 Mar 2022 16:22:04 +0000
|
||||||
|
Subject: [PATCH] (CVE-2022-0909) fix the FPE in tiffcrop (#393)
|
||||||
|
|
||||||
|
(cherry picked from commit 32ea0722ee68f503b7a3f9b2d557acb293fc8cde)
|
||||||
|
---
|
||||||
|
libtiff/tif_dir.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
|
||||||
|
index c36a5f3f..f126f2aa 100644
|
||||||
|
--- a/libtiff/tif_dir.c
|
||||||
|
+++ b/libtiff/tif_dir.c
|
||||||
|
@@ -320,13 +320,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
|
||||||
|
break;
|
||||||
|
case TIFFTAG_XRESOLUTION:
|
||||||
|
dblval = va_arg(ap, double);
|
||||||
|
- if( dblval < 0 )
|
||||||
|
+ if( dblval != dblval || dblval < 0 )
|
||||||
|
goto badvaluedouble;
|
||||||
|
td->td_xresolution = TIFFClampDoubleToFloat( dblval );
|
||||||
|
break;
|
||||||
|
case TIFFTAG_YRESOLUTION:
|
||||||
|
dblval = va_arg(ap, double);
|
||||||
|
- if( dblval < 0 )
|
||||||
|
+ if( dblval != dblval || dblval < 0 )
|
||||||
|
goto badvaluedouble;
|
||||||
|
td->td_yresolution = TIFFClampDoubleToFloat( dblval );
|
||||||
|
break;
|
@ -0,0 +1,27 @@
|
|||||||
|
From e1ee7d9aa1936d5d2f8c7e1a453ad669ed6b38dd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Even Rouault <even.rouault@spatialys.com>
|
||||||
|
Date: Thu, 17 Feb 2022 15:28:43 +0100
|
||||||
|
Subject: [PATCH] (CVE-2022-0908) TIFFFetchNormalTag(): avoid calling memcpy()
|
||||||
|
with a null source pointer and size of zero (fixes #383)
|
||||||
|
|
||||||
|
(cherry picked from commit a95b799f65064e4ba2e2dfc206808f86faf93e85)
|
||||||
|
---
|
||||||
|
libtiff/tif_dirread.c | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||||||
|
index d68aecc5..b72e6a3b 100644
|
||||||
|
--- a/libtiff/tif_dirread.c
|
||||||
|
+++ b/libtiff/tif_dirread.c
|
||||||
|
@@ -4972,7 +4972,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
|
||||||
|
_TIFFfree(data);
|
||||||
|
return(0);
|
||||||
|
}
|
||||||
|
- _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
|
||||||
|
+ if (dp->tdir_count > 0 )
|
||||||
|
+ {
|
||||||
|
+ _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
|
||||||
|
+ }
|
||||||
|
o[(uint32)dp->tdir_count]=0;
|
||||||
|
if (data!=0)
|
||||||
|
_TIFFfree(data);
|
@ -0,0 +1,55 @@
|
|||||||
|
From b43def1519d18fecb6f23778e045838e30e027cc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Su_Laus <sulau@freenet.de>
|
||||||
|
Date: Sat, 2 Apr 2022 22:33:31 +0200
|
||||||
|
Subject: [PATCH] (CVE-2022-1355) tiffcp: avoid buffer overflow in "mode"
|
||||||
|
string (fixes #400)
|
||||||
|
|
||||||
|
(cherry picked from commit fb1db384959698edd6caeea84e28253d272a0f96)
|
||||||
|
---
|
||||||
|
tools/tiffcp.c | 25 ++++++++++++++++++++-----
|
||||||
|
1 file changed, 20 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
||||||
|
index d5f1d248..fb98bd57 100644
|
||||||
|
--- a/tools/tiffcp.c
|
||||||
|
+++ b/tools/tiffcp.c
|
||||||
|
@@ -249,19 +249,34 @@ main(int argc, char* argv[])
|
||||||
|
deftilewidth = atoi(optarg);
|
||||||
|
break;
|
||||||
|
case 'B':
|
||||||
|
- *mp++ = 'b'; *mp = '\0';
|
||||||
|
+ if (strlen(mode) < (sizeof(mode) - 1))
|
||||||
|
+ {
|
||||||
|
+ *mp++ = 'b'; *mp = '\0';
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case 'L':
|
||||||
|
- *mp++ = 'l'; *mp = '\0';
|
||||||
|
+ if (strlen(mode) < (sizeof(mode) - 1))
|
||||||
|
+ {
|
||||||
|
+ *mp++ = 'l'; *mp = '\0';
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case 'M':
|
||||||
|
- *mp++ = 'm'; *mp = '\0';
|
||||||
|
+ if (strlen(mode) < (sizeof(mode) - 1))
|
||||||
|
+ {
|
||||||
|
+ *mp++ = 'm'; *mp = '\0';
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case 'C':
|
||||||
|
- *mp++ = 'c'; *mp = '\0';
|
||||||
|
+ if (strlen(mode) < (sizeof(mode) - 1))
|
||||||
|
+ {
|
||||||
|
+ *mp++ = 'c'; *mp = '\0';
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case '8':
|
||||||
|
- *mp++ = '8'; *mp = '\0';
|
||||||
|
+ if (strlen(mode) < (sizeof(mode)-1))
|
||||||
|
+ {
|
||||||
|
+ *mp++ = '8'; *mp = '\0';
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case 'x':
|
||||||
|
pageInSeq = 1;
|
161
SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch
Normal file
161
SOURCES/0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch
Normal file
@ -0,0 +1,161 @@
|
|||||||
|
From 9ed8c91366c9f6a3c9068aee6c5a7a0fe1c5c9c8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Bernard <miniupnp@free.fr>
|
||||||
|
Date: Tue, 12 Feb 2019 16:04:28 +0100
|
||||||
|
Subject: [PATCH] move _TIFFClampDoubleToFloat() to tif_aux.c
|
||||||
|
|
||||||
|
the same function was declared in tif_dir.c and tif_dirwrite.c
|
||||||
|
|
||||||
|
see http://bugzilla.maptools.org/show_bug.cgi?id=2842
|
||||||
|
|
||||||
|
(cherry picked from commit 8420a31e8ca5181ca36580cfeeca28661b348262)
|
||||||
|
---
|
||||||
|
libtiff/tif_aux.c | 10 ++++++++++
|
||||||
|
libtiff/tif_dir.c | 20 +++++---------------
|
||||||
|
libtiff/tif_dirwrite.c | 12 +-----------
|
||||||
|
libtiff/tiffiop.h | 2 ++
|
||||||
|
4 files changed, 18 insertions(+), 26 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
|
||||||
|
index 38a98b67..2071d19c 100644
|
||||||
|
--- a/libtiff/tif_aux.c
|
||||||
|
+++ b/libtiff/tif_aux.c
|
||||||
|
@@ -32,6 +32,7 @@
|
||||||
|
#include "tiffiop.h"
|
||||||
|
#include "tif_predict.h"
|
||||||
|
#include <math.h>
|
||||||
|
+#include <float.h>
|
||||||
|
|
||||||
|
uint32
|
||||||
|
_TIFFMultiply32(TIFF* tif, uint32 first, uint32 second, const char* where)
|
||||||
|
@@ -398,6 +399,15 @@ _TIFFUInt64ToDouble(uint64 ui64)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+float _TIFFClampDoubleToFloat( double val )
|
||||||
|
+{
|
||||||
|
+ if( val > FLT_MAX )
|
||||||
|
+ return FLT_MAX;
|
||||||
|
+ if( val < -FLT_MAX )
|
||||||
|
+ return -FLT_MAX;
|
||||||
|
+ return (float)val;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int _TIFFSeekOK(TIFF* tif, toff_t off)
|
||||||
|
{
|
||||||
|
/* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
|
||||||
|
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
|
||||||
|
index f126f2aa..ad550c65 100644
|
||||||
|
--- a/libtiff/tif_dir.c
|
||||||
|
+++ b/libtiff/tif_dir.c
|
||||||
|
@@ -31,7 +31,6 @@
|
||||||
|
* (and also some miscellaneous stuff)
|
||||||
|
*/
|
||||||
|
#include "tiffiop.h"
|
||||||
|
-#include <float.h>
|
||||||
|
|
||||||
|
/*
|
||||||
|
* These are used in the backwards compatibility code...
|
||||||
|
@@ -155,15 +154,6 @@ bad:
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static float TIFFClampDoubleToFloat( double val )
|
||||||
|
-{
|
||||||
|
- if( val > FLT_MAX )
|
||||||
|
- return FLT_MAX;
|
||||||
|
- if( val < -FLT_MAX )
|
||||||
|
- return -FLT_MAX;
|
||||||
|
- return (float)val;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
static int
|
||||||
|
_TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
|
||||||
|
{
|
||||||
|
@@ -322,13 +312,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
|
||||||
|
dblval = va_arg(ap, double);
|
||||||
|
if( dblval != dblval || dblval < 0 )
|
||||||
|
goto badvaluedouble;
|
||||||
|
- td->td_xresolution = TIFFClampDoubleToFloat( dblval );
|
||||||
|
+ td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
|
||||||
|
break;
|
||||||
|
case TIFFTAG_YRESOLUTION:
|
||||||
|
dblval = va_arg(ap, double);
|
||||||
|
if( dblval != dblval || dblval < 0 )
|
||||||
|
goto badvaluedouble;
|
||||||
|
- td->td_yresolution = TIFFClampDoubleToFloat( dblval );
|
||||||
|
+ td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
|
||||||
|
break;
|
||||||
|
case TIFFTAG_PLANARCONFIG:
|
||||||
|
v = (uint16) va_arg(ap, uint16_vap);
|
||||||
|
@@ -337,10 +327,10 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
|
||||||
|
td->td_planarconfig = (uint16) v;
|
||||||
|
break;
|
||||||
|
case TIFFTAG_XPOSITION:
|
||||||
|
- td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
|
||||||
|
+ td->td_xposition = _TIFFClampDoubleToFloat( va_arg(ap, double) );
|
||||||
|
break;
|
||||||
|
case TIFFTAG_YPOSITION:
|
||||||
|
- td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) );
|
||||||
|
+ td->td_yposition = _TIFFClampDoubleToFloat( va_arg(ap, double) );
|
||||||
|
break;
|
||||||
|
case TIFFTAG_RESOLUTIONUNIT:
|
||||||
|
v = (uint16) va_arg(ap, uint16_vap);
|
||||||
|
@@ -686,7 +676,7 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
|
||||||
|
case TIFF_SRATIONAL:
|
||||||
|
case TIFF_FLOAT:
|
||||||
|
{
|
||||||
|
- float v2 = TIFFClampDoubleToFloat(va_arg(ap, double));
|
||||||
|
+ float v2 = _TIFFClampDoubleToFloat(va_arg(ap, double));
|
||||||
|
_TIFFmemcpy(val, &v2, tv_size);
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
|
||||||
|
index 5d0a6699..03a9f296 100644
|
||||||
|
--- a/libtiff/tif_dirwrite.c
|
||||||
|
+++ b/libtiff/tif_dirwrite.c
|
||||||
|
@@ -30,7 +30,6 @@
|
||||||
|
* Directory Write Support Routines.
|
||||||
|
*/
|
||||||
|
#include "tiffiop.h"
|
||||||
|
-#include <float.h>
|
||||||
|
|
||||||
|
#ifdef HAVE_IEEEFP
|
||||||
|
#define TIFFCvtNativeToIEEEFloat(tif, n, fp)
|
||||||
|
@@ -948,15 +947,6 @@ bad:
|
||||||
|
return(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static float TIFFClampDoubleToFloat( double val )
|
||||||
|
-{
|
||||||
|
- if( val > FLT_MAX )
|
||||||
|
- return FLT_MAX;
|
||||||
|
- if( val < -FLT_MAX )
|
||||||
|
- return -FLT_MAX;
|
||||||
|
- return (float)val;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
static int8 TIFFClampDoubleToInt8( double val )
|
||||||
|
{
|
||||||
|
if( val > 127 )
|
||||||
|
@@ -1031,7 +1021,7 @@ TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* di
|
||||||
|
if (tif->tif_dir.td_bitspersample<=32)
|
||||||
|
{
|
||||||
|
for (i = 0; i < count; ++i)
|
||||||
|
- ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]);
|
||||||
|
+ ((float*)conv)[i] = _TIFFClampDoubleToFloat(value[i]);
|
||||||
|
ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
|
||||||
|
index d4b86314..05ba735b 100644
|
||||||
|
--- a/libtiff/tiffiop.h
|
||||||
|
+++ b/libtiff/tiffiop.h
|
||||||
|
@@ -377,6 +377,8 @@ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
|
||||||
|
extern double _TIFFUInt64ToDouble(uint64);
|
||||||
|
extern float _TIFFUInt64ToFloat(uint64);
|
||||||
|
|
||||||
|
+extern float _TIFFClampDoubleToFloat(double);
|
||||||
|
+
|
||||||
|
extern tmsize_t
|
||||||
|
_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
|
||||||
|
void **buf, tmsize_t bufsizetoalloc,
|
@ -0,0 +1,179 @@
|
|||||||
|
From fddff26550de7a5ea9735649a74aa3829e461ae5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: 4ugustus <wangdw.augustus@qq.com>
|
||||||
|
Date: Sat, 11 Jun 2022 09:31:43 +0000
|
||||||
|
Subject: [PATCH] (CVE-2022-2056 CVE-2022-2057 CVE-2022-2058) fix the FPE in
|
||||||
|
tiffcrop (#415, #427, and #428)
|
||||||
|
|
||||||
|
(cherry picked from commit dd1bcc7abb26094e93636e85520f0d8f81ab0fab)
|
||||||
|
---
|
||||||
|
libtiff/tif_aux.c | 9 +++++++
|
||||||
|
libtiff/tiffiop.h | 1 +
|
||||||
|
tools/tiffcrop.c | 62 ++++++++++++++++++++++++++---------------------
|
||||||
|
3 files changed, 44 insertions(+), 28 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
|
||||||
|
index 2071d19c..4d1869b4 100644
|
||||||
|
--- a/libtiff/tif_aux.c
|
||||||
|
+++ b/libtiff/tif_aux.c
|
||||||
|
@@ -408,6 +408,15 @@ float _TIFFClampDoubleToFloat( double val )
|
||||||
|
return (float)val;
|
||||||
|
}
|
||||||
|
|
||||||
|
+uint32 _TIFFClampDoubleToUInt32(double val)
|
||||||
|
+{
|
||||||
|
+ if( val < 0 )
|
||||||
|
+ return 0;
|
||||||
|
+ if( val > 0xFFFFFFFFU || val != val )
|
||||||
|
+ return 0xFFFFFFFFU;
|
||||||
|
+ return (uint32)val;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int _TIFFSeekOK(TIFF* tif, toff_t off)
|
||||||
|
{
|
||||||
|
/* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
|
||||||
|
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
|
||||||
|
index 05ba735b..5b106e03 100644
|
||||||
|
--- a/libtiff/tiffiop.h
|
||||||
|
+++ b/libtiff/tiffiop.h
|
||||||
|
@@ -378,6 +378,7 @@ extern double _TIFFUInt64ToDouble(uint64);
|
||||||
|
extern float _TIFFUInt64ToFloat(uint64);
|
||||||
|
|
||||||
|
extern float _TIFFClampDoubleToFloat(double);
|
||||||
|
+extern uint32 _TIFFClampDoubleToUInt32(double);
|
||||||
|
|
||||||
|
extern tmsize_t
|
||||||
|
_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
|
||||||
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||||
|
index 83cf80ad..ea0b98be 100644
|
||||||
|
--- a/tools/tiffcrop.c
|
||||||
|
+++ b/tools/tiffcrop.c
|
||||||
|
@@ -5140,17 +5140,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
|
||||||
|
{
|
||||||
|
if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
|
||||||
|
{
|
||||||
|
- x1 = (uint32) (crop->corners[i].X1 * scale * xres);
|
||||||
|
- x2 = (uint32) (crop->corners[i].X2 * scale * xres);
|
||||||
|
- y1 = (uint32) (crop->corners[i].Y1 * scale * yres);
|
||||||
|
- y2 = (uint32) (crop->corners[i].Y2 * scale * yres);
|
||||||
|
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
|
||||||
|
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
|
||||||
|
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
|
||||||
|
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
- x1 = (uint32) (crop->corners[i].X1);
|
||||||
|
- x2 = (uint32) (crop->corners[i].X2);
|
||||||
|
- y1 = (uint32) (crop->corners[i].Y1);
|
||||||
|
- y2 = (uint32) (crop->corners[i].Y2);
|
||||||
|
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
|
||||||
|
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
|
||||||
|
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
|
||||||
|
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
|
||||||
|
}
|
||||||
|
if (x1 < 1)
|
||||||
|
crop->regionlist[i].x1 = 0;
|
||||||
|
@@ -5213,17 +5213,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
|
||||||
|
{
|
||||||
|
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
|
||||||
|
{ /* User has specified pixels as reference unit */
|
||||||
|
- tmargin = (uint32)(crop->margins[0]);
|
||||||
|
- lmargin = (uint32)(crop->margins[1]);
|
||||||
|
- bmargin = (uint32)(crop->margins[2]);
|
||||||
|
- rmargin = (uint32)(crop->margins[3]);
|
||||||
|
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
|
||||||
|
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
|
||||||
|
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
|
||||||
|
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{ /* inches or centimeters specified */
|
||||||
|
- tmargin = (uint32)(crop->margins[0] * scale * yres);
|
||||||
|
- lmargin = (uint32)(crop->margins[1] * scale * xres);
|
||||||
|
- bmargin = (uint32)(crop->margins[2] * scale * yres);
|
||||||
|
- rmargin = (uint32)(crop->margins[3] * scale * xres);
|
||||||
|
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
|
||||||
|
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
|
||||||
|
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
|
||||||
|
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((lmargin + rmargin) > image->width)
|
||||||
|
@@ -5253,24 +5253,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
|
||||||
|
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
|
||||||
|
{
|
||||||
|
if (crop->crop_mode & CROP_WIDTH)
|
||||||
|
- width = (uint32)crop->width;
|
||||||
|
+ width = _TIFFClampDoubleToUInt32(crop->width);
|
||||||
|
else
|
||||||
|
width = image->width - lmargin - rmargin;
|
||||||
|
|
||||||
|
if (crop->crop_mode & CROP_LENGTH)
|
||||||
|
- length = (uint32)crop->length;
|
||||||
|
+ length = _TIFFClampDoubleToUInt32(crop->length);
|
||||||
|
else
|
||||||
|
length = image->length - tmargin - bmargin;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
if (crop->crop_mode & CROP_WIDTH)
|
||||||
|
- width = (uint32)(crop->width * scale * image->xres);
|
||||||
|
+ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
|
||||||
|
else
|
||||||
|
width = image->width - lmargin - rmargin;
|
||||||
|
|
||||||
|
if (crop->crop_mode & CROP_LENGTH)
|
||||||
|
- length = (uint32)(crop->length * scale * image->yres);
|
||||||
|
+ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
|
||||||
|
else
|
||||||
|
length = image->length - tmargin - bmargin;
|
||||||
|
}
|
||||||
|
@@ -5669,13 +5669,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
|
||||||
|
{
|
||||||
|
if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
|
||||||
|
{ /* inches or centimeters specified */
|
||||||
|
- hmargin = (uint32)(page->hmargin * scale * page->hres * ((image->bps + 7)/ 8));
|
||||||
|
- vmargin = (uint32)(page->vmargin * scale * page->vres * ((image->bps + 7)/ 8));
|
||||||
|
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
|
||||||
|
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{ /* Otherwise user has specified pixels as reference unit */
|
||||||
|
- hmargin = (uint32)(page->hmargin * scale * ((image->bps + 7)/ 8));
|
||||||
|
- vmargin = (uint32)(page->vmargin * scale * ((image->bps + 7)/ 8));
|
||||||
|
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
|
||||||
|
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((hmargin * 2.0) > (pwidth * page->hres))
|
||||||
|
@@ -5713,13 +5713,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
|
||||||
|
{
|
||||||
|
if (page->mode & PAGE_MODE_PAPERSIZE )
|
||||||
|
{
|
||||||
|
- owidth = (uint32)((pwidth * page->hres) - (hmargin * 2));
|
||||||
|
- olength = (uint32)((plength * page->vres) - (vmargin * 2));
|
||||||
|
+ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
|
||||||
|
+ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
- owidth = (uint32)(iwidth - (hmargin * 2 * page->hres));
|
||||||
|
- olength = (uint32)(ilength - (vmargin * 2 * page->vres));
|
||||||
|
+ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
|
||||||
|
+ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -5728,6 +5728,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
|
||||||
|
if (olength > ilength)
|
||||||
|
olength = ilength;
|
||||||
|
|
||||||
|
+ if (owidth == 0 || olength == 0)
|
||||||
|
+ {
|
||||||
|
+ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
|
||||||
|
+ exit(EXIT_FAILURE);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Compute the number of pages required for Portrait or Landscape */
|
||||||
|
switch (page->orient)
|
||||||
|
{
|
@ -0,0 +1,161 @@
|
|||||||
|
From 5d214a07db3bb8dcea8354d8f1e52f9c46264acb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Su Laus <sulau@freenet.de>
|
||||||
|
Date: Wed, 9 Feb 2022 21:31:29 +0000
|
||||||
|
Subject: [PATCH] (CVE-2022-2867 CVE-2022-2868) tiffcrop.c: Fix issue #352
|
||||||
|
heap-buffer-overflow by correcting uint32_t underflow.
|
||||||
|
|
||||||
|
(cherry picked from commit 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c)
|
||||||
|
---
|
||||||
|
tools/tiffcrop.c | 81 +++++++++++++++++++++++++++++++-----------------
|
||||||
|
1 file changed, 53 insertions(+), 28 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||||
|
index ea0b98be..5801b8f6 100644
|
||||||
|
--- a/tools/tiffcrop.c
|
||||||
|
+++ b/tools/tiffcrop.c
|
||||||
|
@@ -5152,29 +5152,45 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
|
||||||
|
y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
|
||||||
|
y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
|
||||||
|
}
|
||||||
|
- if (x1 < 1)
|
||||||
|
- crop->regionlist[i].x1 = 0;
|
||||||
|
- else
|
||||||
|
- crop->regionlist[i].x1 = (uint32) (x1 - 1);
|
||||||
|
+ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
|
||||||
|
+ * b) Corners are expected to be submitted as top-left to bottom-right.
|
||||||
|
+ * Therefore, check that and reorder input.
|
||||||
|
+ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
|
||||||
|
+ */
|
||||||
|
+ uint32 aux;
|
||||||
|
+ if (x1 > x2) {
|
||||||
|
+ aux = x1;
|
||||||
|
+ x1 = x2;
|
||||||
|
+ x2 = aux;
|
||||||
|
+ }
|
||||||
|
+ if (y1 > y2) {
|
||||||
|
+ aux = y1;
|
||||||
|
+ y1 = y2;
|
||||||
|
+ y2 = aux;
|
||||||
|
+ }
|
||||||
|
+ if (x1 > image->width - 1)
|
||||||
|
+ crop->regionlist[i].x1 = image->width - 1;
|
||||||
|
+ else if (x1 > 0)
|
||||||
|
+ crop->regionlist[i].x1 = (uint32)(x1 - 1);
|
||||||
|
|
||||||
|
if (x2 > image->width - 1)
|
||||||
|
crop->regionlist[i].x2 = image->width - 1;
|
||||||
|
- else
|
||||||
|
- crop->regionlist[i].x2 = (uint32) (x2 - 1);
|
||||||
|
- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
|
||||||
|
+ else if (x2 > 0)
|
||||||
|
+ crop->regionlist[i].x2 = (uint32)(x2 - 1);
|
||||||
|
|
||||||
|
- if (y1 < 1)
|
||||||
|
- crop->regionlist[i].y1 = 0;
|
||||||
|
- else
|
||||||
|
- crop->regionlist[i].y1 = (uint32) (y1 - 1);
|
||||||
|
+ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
|
||||||
|
+
|
||||||
|
+ if (y1 > image->length - 1)
|
||||||
|
+ crop->regionlist[i].y1 = image->length - 1;
|
||||||
|
+ else if (y1 > 0)
|
||||||
|
+ crop->regionlist[i].y1 = (uint32)(y1 - 1);
|
||||||
|
|
||||||
|
if (y2 > image->length - 1)
|
||||||
|
crop->regionlist[i].y2 = image->length - 1;
|
||||||
|
- else
|
||||||
|
- crop->regionlist[i].y2 = (uint32) (y2 - 1);
|
||||||
|
-
|
||||||
|
- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
|
||||||
|
+ else if (y2 > 0)
|
||||||
|
+ crop->regionlist[i].y2 = (uint32)(y2 - 1);
|
||||||
|
|
||||||
|
+ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
|
||||||
|
if (zwidth > max_width)
|
||||||
|
max_width = zwidth;
|
||||||
|
if (zlength > max_length)
|
||||||
|
@@ -5204,7 +5220,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return (0);
|
||||||
|
- }
|
||||||
|
+ } /* crop_mode == CROP_REGIONS */
|
||||||
|
|
||||||
|
/* Convert crop margins into offsets into image
|
||||||
|
* Margins are expressed as pixel rows and columns, not bytes
|
||||||
|
@@ -5240,7 +5256,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
|
||||||
|
bmargin = (uint32) 0;
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
- }
|
||||||
|
+ } /* crop_mode == CROP_MARGINS */
|
||||||
|
else
|
||||||
|
{ /* no margins requested */
|
||||||
|
tmargin = (uint32) 0;
|
||||||
|
@@ -5331,24 +5347,23 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
|
||||||
|
off->endx = endx;
|
||||||
|
off->endy = endy;
|
||||||
|
|
||||||
|
- crop_width = endx - startx + 1;
|
||||||
|
- crop_length = endy - starty + 1;
|
||||||
|
-
|
||||||
|
- if (crop_width <= 0)
|
||||||
|
+ if (endx + 1 <= startx)
|
||||||
|
{
|
||||||
|
TIFFError("computeInputPixelOffsets",
|
||||||
|
"Invalid left/right margins and /or image crop width requested");
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
+ crop_width = endx - startx + 1;
|
||||||
|
if (crop_width > image->width)
|
||||||
|
crop_width = image->width;
|
||||||
|
|
||||||
|
- if (crop_length <= 0)
|
||||||
|
+ if (endy + 1 <= starty)
|
||||||
|
{
|
||||||
|
TIFFError("computeInputPixelOffsets",
|
||||||
|
"Invalid top/bottom margins and /or image crop length requested");
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
+ crop_length = endy - starty + 1;
|
||||||
|
if (crop_length > image->length)
|
||||||
|
crop_length = image->length;
|
||||||
|
|
||||||
|
@@ -5448,10 +5463,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
|
||||||
|
else
|
||||||
|
crop->selections = crop->zones;
|
||||||
|
|
||||||
|
- for (i = 0; i < crop->zones; i++)
|
||||||
|
+ /* Initialize regions iterator i */
|
||||||
|
+ i = 0;
|
||||||
|
+ for (int j = 0; j < crop->zones; j++)
|
||||||
|
{
|
||||||
|
- seg = crop->zonelist[i].position;
|
||||||
|
- total = crop->zonelist[i].total;
|
||||||
|
+ seg = crop->zonelist[j].position;
|
||||||
|
+ total = crop->zonelist[j].total;
|
||||||
|
+
|
||||||
|
+ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
|
||||||
|
+ if (seg == 0 || total == 0 || seg > total) {
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
switch (crop->edge_ref)
|
||||||
|
{
|
||||||
|
@@ -5578,10 +5600,13 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
|
||||||
|
if (dump->outfile != NULL)
|
||||||
|
dump_info (dump->outfile, dump->format, "", "Zone %d, width: %4d, length: %4d, x1: %4d x2: %4d y1: %4d y2: %4d",
|
||||||
|
i + 1, (uint32)zwidth, (uint32)zlength,
|
||||||
|
- crop->regionlist[i].x1, crop->regionlist[i].x2,
|
||||||
|
- crop->regionlist[i].y1, crop->regionlist[i].y2);
|
||||||
|
+ crop->regionlist[i].x1, crop->regionlist[i].x2,
|
||||||
|
+ crop->regionlist[i].y1, crop->regionlist[i].y2);
|
||||||
|
+ /* increment regions iterator */
|
||||||
|
+ i++;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+ /* set number of generated regions out of given zones */
|
||||||
|
+ crop->selections = i;
|
||||||
|
return (0);
|
||||||
|
} /* end getCropOffsets */
|
||||||
|
|
@ -0,0 +1,92 @@
|
|||||||
|
From d26748dd8fb90b0af8c9344615f65d273dc66f93 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Su_Laus <sulau@freenet.de>
|
||||||
|
Date: Mon, 15 Aug 2022 22:11:03 +0200
|
||||||
|
Subject: [PATCH] =?UTF-8?q?(CVE-2022-2519=20CVE-2022-2520=20CVE-2022-2521?=
|
||||||
|
=?UTF-8?q?=20CVE-2022-2953)=20According=20to=20Richard=20Nolde=20https://?=
|
||||||
|
=?UTF-8?q?gitlab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the?=
|
||||||
|
=?UTF-8?q?=20tiffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutua?=
|
||||||
|
=?UTF-8?q?lly=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),?=
|
||||||
|
=?UTF-8?q?=20-Z=20and=20-z.?=
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
This is now checked and ends tiffcrop if those arguments are not mutually exclusive.
|
||||||
|
|
||||||
|
This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
|
||||||
|
|
||||||
|
(cherry picked from commit 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf)
|
||||||
|
---
|
||||||
|
tools/tiffcrop.c | 31 +++++++++++++++++++++++--------
|
||||||
|
1 file changed, 23 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||||
|
index 5801b8f6..27e6f81c 100644
|
||||||
|
--- a/tools/tiffcrop.c
|
||||||
|
+++ b/tools/tiffcrop.c
|
||||||
|
@@ -104,7 +104,10 @@
|
||||||
|
* includes annotations for image parameters and scanline info. Level
|
||||||
|
* selects which functions dump data, with higher numbers selecting
|
||||||
|
* lower level, scanline level routines. Debug reports a limited set
|
||||||
|
- * of messages to monitor progess without enabling dump logs.
|
||||||
|
+ * of messages to monitor progress without enabling dump logs.
|
||||||
|
+ *
|
||||||
|
+ * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
|
||||||
|
+ * In no case should the options be applied to a given selection successively.
|
||||||
|
*/
|
||||||
|
|
||||||
|
static char tiffcrop_version_id[] = "2.4";
|
||||||
|
@@ -177,12 +180,12 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
|
||||||
|
#define ROTATECW_270 32
|
||||||
|
#define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
|
||||||
|
|
||||||
|
-#define CROP_NONE 0
|
||||||
|
-#define CROP_MARGINS 1
|
||||||
|
-#define CROP_WIDTH 2
|
||||||
|
-#define CROP_LENGTH 4
|
||||||
|
-#define CROP_ZONES 8
|
||||||
|
-#define CROP_REGIONS 16
|
||||||
|
+#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
|
||||||
|
+#define CROP_MARGINS 1 /* "-m" */
|
||||||
|
+#define CROP_WIDTH 2 /* "-X" */
|
||||||
|
+#define CROP_LENGTH 4 /* "-Y" */
|
||||||
|
+#define CROP_ZONES 8 /* "-Z" */
|
||||||
|
+#define CROP_REGIONS 16 /* "-z" */
|
||||||
|
#define CROP_ROTATE 32
|
||||||
|
#define CROP_MIRROR 64
|
||||||
|
#define CROP_INVERT 128
|
||||||
|
@@ -320,7 +323,7 @@ struct crop_mask {
|
||||||
|
#define PAGE_MODE_RESOLUTION 1
|
||||||
|
#define PAGE_MODE_PAPERSIZE 2
|
||||||
|
#define PAGE_MODE_MARGINS 4
|
||||||
|
-#define PAGE_MODE_ROWSCOLS 8
|
||||||
|
+#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
|
||||||
|
|
||||||
|
#define INVERT_DATA_ONLY 10
|
||||||
|
#define INVERT_DATA_AND_TAG 11
|
||||||
|
@@ -751,6 +754,8 @@ static char* usage_info[] = {
|
||||||
|
" The four debug/dump options are independent, though it makes little sense to",
|
||||||
|
" specify a dump file without specifying a detail level.",
|
||||||
|
" ",
|
||||||
|
+"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive."
|
||||||
|
+" ",
|
||||||
|
NULL
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -2099,6 +2104,16 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
|
||||||
|
/*NOTREACHED*/
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
|
||||||
|
+ char XY, Z, R, S;
|
||||||
|
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
|
||||||
|
+ Z = (crop_data->crop_mode & CROP_ZONES);
|
||||||
|
+ R = (crop_data->crop_mode & CROP_REGIONS);
|
||||||
|
+ S = (page->mode & PAGE_MODE_ROWSCOLS);
|
||||||
|
+ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
|
||||||
|
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
|
||||||
|
+ exit(EXIT_FAILURE);
|
||||||
|
+ }
|
||||||
|
} /* end process_command_opts */
|
||||||
|
|
||||||
|
/* Start a new output file if one has not been previously opened or
|
@ -0,0 +1,32 @@
|
|||||||
|
From 3635844b59578eb572372e7546548ea84c967ba1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Su_Laus <sulau@freenet.de>
|
||||||
|
Date: Sat, 20 Aug 2022 23:35:26 +0200
|
||||||
|
Subject: [PATCH] (CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953)
|
||||||
|
tiffcrop -S option: Make decision simpler.
|
||||||
|
|
||||||
|
(cherry picked from commit bad48e90b410df32172006c7876da449ba62cdba)
|
||||||
|
---
|
||||||
|
tools/tiffcrop.c | 10 +++++-----
|
||||||
|
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||||
|
index 27e6f81c..ff118496 100644
|
||||||
|
--- a/tools/tiffcrop.c
|
||||||
|
+++ b/tools/tiffcrop.c
|
||||||
|
@@ -2106,11 +2106,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
|
||||||
|
}
|
||||||
|
/*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
|
||||||
|
char XY, Z, R, S;
|
||||||
|
- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
|
||||||
|
- Z = (crop_data->crop_mode & CROP_ZONES);
|
||||||
|
- R = (crop_data->crop_mode & CROP_REGIONS);
|
||||||
|
- S = (page->mode & PAGE_MODE_ROWSCOLS);
|
||||||
|
- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
|
||||||
|
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
|
||||||
|
+ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
|
||||||
|
+ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
|
||||||
|
+ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
|
||||||
|
+ if (XY + Z + R + S > 1) {
|
||||||
|
TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
@ -0,0 +1,97 @@
|
|||||||
|
From 84f9ede8075774dd9a10080a9eea9016229adbaa Mon Sep 17 00:00:00 2001
|
||||||
|
From: Su_Laus <sulau@freenet.de>
|
||||||
|
Date: Thu, 25 Aug 2022 16:11:41 +0200
|
||||||
|
Subject: [PATCH] (CVE-2022-3597 CVE-2022-3626 CVE-2022-3627) tiffcrop: disable
|
||||||
|
incompatibility of -Z, -X, -Y, -z options with any PAGE_MODE_x option (fixes
|
||||||
|
#411 and #413)
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
tiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S.
|
||||||
|
|
||||||
|
Code analysis:
|
||||||
|
|
||||||
|
With the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[].
|
||||||
|
In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) .
|
||||||
|
|
||||||
|
Execution of the else-clause often leads to buffer-overflows.
|
||||||
|
|
||||||
|
Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows.
|
||||||
|
|
||||||
|
The MR solves issues #411 and #413.
|
||||||
|
|
||||||
|
(cherry picked from commit 4746f16253b784287bc8a5003990c1c3b9a03a62)
|
||||||
|
---
|
||||||
|
tools/tiffcrop.c | 27 +++++++++++++++++++++++----
|
||||||
|
1 file changed, 23 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||||
|
index ff118496..848b2b49 100644
|
||||||
|
--- a/tools/tiffcrop.c
|
||||||
|
+++ b/tools/tiffcrop.c
|
||||||
|
@@ -106,9 +106,11 @@
|
||||||
|
* lower level, scanline level routines. Debug reports a limited set
|
||||||
|
* of messages to monitor progress without enabling dump logs.
|
||||||
|
*
|
||||||
|
- * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
|
||||||
|
+ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
|
||||||
|
* In no case should the options be applied to a given selection successively.
|
||||||
|
- */
|
||||||
|
+ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
|
||||||
|
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
|
||||||
|
+ */
|
||||||
|
|
||||||
|
static char tiffcrop_version_id[] = "2.4";
|
||||||
|
static char tiffcrop_rev_date[] = "12-13-2010";
|
||||||
|
@@ -754,7 +756,11 @@ static char* usage_info[] = {
|
||||||
|
" The four debug/dump options are independent, though it makes little sense to",
|
||||||
|
" specify a dump file without specifying a detail level.",
|
||||||
|
" ",
|
||||||
|
-"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive."
|
||||||
|
+"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.",
|
||||||
|
+" In no case should the options be applied to a given selection successively.",
|
||||||
|
+" ",
|
||||||
|
+"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options",
|
||||||
|
+" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.",
|
||||||
|
" ",
|
||||||
|
NULL
|
||||||
|
};
|
||||||
|
@@ -2111,9 +2117,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
|
||||||
|
R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
|
||||||
|
S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
|
||||||
|
if (XY + Z + R + S > 1) {
|
||||||
|
- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
|
||||||
|
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
|
||||||
|
exit(EXIT_FAILURE);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ /* Check for not allowed combination:
|
||||||
|
+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
|
||||||
|
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
|
||||||
|
+. */
|
||||||
|
+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
|
||||||
|
+ TIFFError("tiffcrop input error",
|
||||||
|
+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
|
||||||
|
+ exit(EXIT_FAILURE);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
} /* end process_command_opts */
|
||||||
|
|
||||||
|
/* Start a new output file if one has not been previously opened or
|
||||||
|
@@ -2381,6 +2398,7 @@ main(int argc, char* argv[])
|
||||||
|
exit (-1);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */
|
||||||
|
if (crop.selections > 0)
|
||||||
|
{
|
||||||
|
if (processCropSelections(&image, &crop, &read_buff, seg_buffs))
|
||||||
|
@@ -2397,6 +2415,7 @@ main(int argc, char* argv[])
|
||||||
|
exit (-1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ /* Format and write selected image parts to output file(s). */
|
||||||
|
if (page.mode == PAGE_MODE_NONE)
|
||||||
|
{ /* Whole image or sections not based on output page size */
|
||||||
|
if (crop.selections > 0)
|
@ -0,0 +1,37 @@
|
|||||||
|
From a28b2e1b23fc936989dc4bbc857e9a8a851c5ff0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Even Rouault <even.rouault@spatialys.com>
|
||||||
|
Date: Tue, 8 Nov 2022 15:16:58 +0100
|
||||||
|
Subject: [PATCH] (CVE-2022-3970) TIFFReadRGBATileExt(): fix (unsigned) integer
|
||||||
|
overflow on strips/tiles > 2 GB
|
||||||
|
|
||||||
|
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
|
||||||
|
|
||||||
|
(cherry picked from commit 227500897dfb07fb7d27f7aa570050e62617e3be)
|
||||||
|
---
|
||||||
|
libtiff/tif_getimage.c | 8 ++++----
|
||||||
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||||
|
index b1f7cc95..00cd5510 100644
|
||||||
|
--- a/libtiff/tif_getimage.c
|
||||||
|
+++ b/libtiff/tif_getimage.c
|
||||||
|
@@ -3044,15 +3044,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
|
||||||
|
return( ok );
|
||||||
|
|
||||||
|
for( i_row = 0; i_row < read_ysize; i_row++ ) {
|
||||||
|
- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
|
||||||
|
- raster + (read_ysize - i_row - 1) * read_xsize,
|
||||||
|
+ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
|
||||||
|
+ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
|
||||||
|
read_xsize * sizeof(uint32) );
|
||||||
|
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
|
||||||
|
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
|
||||||
|
0, sizeof(uint32) * (tile_xsize - read_xsize) );
|
||||||
|
}
|
||||||
|
|
||||||
|
for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
|
||||||
|
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
|
||||||
|
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
|
||||||
|
0, sizeof(uint32) * tile_xsize );
|
||||||
|
}
|
||||||
|
|
@ -0,0 +1,24 @@
|
|||||||
|
From 72bbfc1ecd58f7732946719a0aeb2070f056bb6f Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
||||||
|
Date: Tue, 16 May 2023 13:04:55 +0200
|
||||||
|
Subject: [PATCH] (CVE-2022-48281) tiffcrop: Correct simple copy paste error.
|
||||||
|
Fix #488.
|
||||||
|
|
||||||
|
(cherry picked from commit d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5)
|
||||||
|
---
|
||||||
|
tools/tiffcrop.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||||
|
index 848b2b49..7f738d91 100644
|
||||||
|
--- a/tools/tiffcrop.c
|
||||||
|
+++ b/tools/tiffcrop.c
|
||||||
|
@@ -7537,7 +7537,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
|
||||||
|
crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
|
||||||
|
else
|
||||||
|
{
|
||||||
|
- prev_cropsize = seg_buffs[0].size;
|
||||||
|
+ prev_cropsize = seg_buffs[i].size;
|
||||||
|
if (prev_cropsize < cropsize)
|
||||||
|
{
|
||||||
|
next_buff = _TIFFrealloc(crop_buff, cropsize);
|
@ -0,0 +1,128 @@
|
|||||||
|
From 73b3f582caa08a976d647537346790b182bbcc10 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Even Rouault <even.rouault@spatialys.com>
|
||||||
|
Date: Sun, 5 Feb 2023 15:53:16 +0000
|
||||||
|
Subject: [PATCH] (CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803
|
||||||
|
CVE-2023-0804) tiffcrop: added check for assumption on composite images
|
||||||
|
(fixes #496)
|
||||||
|
|
||||||
|
Closes #501, #500, #498, #497 et #496
|
||||||
|
|
||||||
|
See merge request libtiff/libtiff!466
|
||||||
|
|
||||||
|
(cherry picked from commit 33aee1275d9d1384791d2206776eb8152d397f00)
|
||||||
|
---
|
||||||
|
tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++--
|
||||||
|
1 file changed, 66 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||||
|
index 7f738d91..77923cf3 100644
|
||||||
|
--- a/tools/tiffcrop.c
|
||||||
|
+++ b/tools/tiffcrop.c
|
||||||
|
@@ -5235,18 +5235,40 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
|
||||||
|
|
||||||
|
crop->regionlist[i].buffsize = buffsize;
|
||||||
|
crop->bufftotal += buffsize;
|
||||||
|
+
|
||||||
|
+ /* For composite images with more than one region, the
|
||||||
|
+ * combined_length or combined_width always needs to be equal,
|
||||||
|
+ * respectively.
|
||||||
|
+ * Otherwise, even the first section/region copy
|
||||||
|
+ * action might cause buffer overrun. */
|
||||||
|
if (crop->img_mode == COMPOSITE_IMAGES)
|
||||||
|
{
|
||||||
|
switch (crop->edge_ref)
|
||||||
|
{
|
||||||
|
case EDGE_LEFT:
|
||||||
|
case EDGE_RIGHT:
|
||||||
|
+ if (i > 0 && zlength != crop->combined_length)
|
||||||
|
+ {
|
||||||
|
+ TIFFError(
|
||||||
|
+ "computeInputPixelOffsets",
|
||||||
|
+ "Only equal length regions can be combined for "
|
||||||
|
+ "-E left or right");
|
||||||
|
+ return (-1);
|
||||||
|
+ }
|
||||||
|
crop->combined_length = zlength;
|
||||||
|
crop->combined_width += zwidth;
|
||||||
|
break;
|
||||||
|
case EDGE_BOTTOM:
|
||||||
|
case EDGE_TOP: /* width from left, length from top */
|
||||||
|
default:
|
||||||
|
+ if (i > 0 && zwidth != crop->combined_width)
|
||||||
|
+ {
|
||||||
|
+ TIFFError("computeInputPixelOffsets",
|
||||||
|
+ "Only equal width regions can be "
|
||||||
|
+ "combined for -E "
|
||||||
|
+ "top or bottom");
|
||||||
|
+ return (-1);
|
||||||
|
+ }
|
||||||
|
crop->combined_width = zwidth;
|
||||||
|
crop->combined_length += zlength;
|
||||||
|
break;
|
||||||
|
@@ -6390,6 +6412,46 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
|
||||||
|
crop->combined_width = 0;
|
||||||
|
crop->combined_length = 0;
|
||||||
|
|
||||||
|
+ /* If there is more than one region, check beforehand whether all the width
|
||||||
|
+ * and length values of the regions are the same, respectively. */
|
||||||
|
+ switch (crop->edge_ref)
|
||||||
|
+ {
|
||||||
|
+ default:
|
||||||
|
+ case EDGE_TOP:
|
||||||
|
+ case EDGE_BOTTOM:
|
||||||
|
+ for (i = 1; i < crop->selections; i++)
|
||||||
|
+ {
|
||||||
|
+ uint32_t crop_width0 =
|
||||||
|
+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
|
||||||
|
+ uint32_t crop_width1 =
|
||||||
|
+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
|
||||||
|
+ if (crop_width0 != crop_width1)
|
||||||
|
+ {
|
||||||
|
+ TIFFError("extractCompositeRegions",
|
||||||
|
+ "Only equal width regions can be combined for -E "
|
||||||
|
+ "top or bottom");
|
||||||
|
+ return (1);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ case EDGE_LEFT:
|
||||||
|
+ case EDGE_RIGHT:
|
||||||
|
+ for (i = 1; i < crop->selections; i++)
|
||||||
|
+ {
|
||||||
|
+ uint32_t crop_length0 =
|
||||||
|
+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
|
||||||
|
+ uint32_t crop_length1 =
|
||||||
|
+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
|
||||||
|
+ if (crop_length0 != crop_length1)
|
||||||
|
+ {
|
||||||
|
+ TIFFError("extractCompositeRegions",
|
||||||
|
+ "Only equal length regions can be combined for "
|
||||||
|
+ "-E left or right");
|
||||||
|
+ return (1);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
for (i = 0; i < crop->selections; i++)
|
||||||
|
{
|
||||||
|
/* rows, columns, width, length are expressed in pixels */
|
||||||
|
@@ -6414,7 +6476,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
|
||||||
|
default:
|
||||||
|
case EDGE_TOP:
|
||||||
|
case EDGE_BOTTOM:
|
||||||
|
- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
|
||||||
|
+ if ((crop->selections > i + 1) &&
|
||||||
|
+ (crop_width != crop->regionlist[i + 1].width))
|
||||||
|
{
|
||||||
|
TIFFError ("extractCompositeRegions",
|
||||||
|
"Only equal width regions can be combined for -E top or bottom");
|
||||||
|
@@ -6495,7 +6558,8 @@ extractCompositeRegions(struct image_data *image, struct crop_mask *crop,
|
||||||
|
break;
|
||||||
|
case EDGE_LEFT: /* splice the pieces of each row together, side by side */
|
||||||
|
case EDGE_RIGHT:
|
||||||
|
- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
|
||||||
|
+ if ((crop->selections > i + 1) &&
|
||||||
|
+ (crop_length != crop->regionlist[i + 1].length))
|
||||||
|
{
|
||||||
|
TIFFError ("extractCompositeRegions",
|
||||||
|
"Only equal length regions can be combined for -E left or right");
|
@ -0,0 +1,260 @@
|
|||||||
|
From 01de2299ed1cf3137235ef8a6657905ef04fc65c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Su_Laus <sulau@freenet.de>
|
||||||
|
Date: Tue, 30 Aug 2022 16:56:48 +0200
|
||||||
|
Subject: [PATCH] (CVE-2022-3599) Revised handling of TIFFTAG_INKNAMES and
|
||||||
|
related TIFFTAG_NUMBEROFINKS value
|
||||||
|
|
||||||
|
In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
|
||||||
|
|
||||||
|
Behaviour for writing:
|
||||||
|
`NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
|
||||||
|
`NumberOfInks` is automatically set when `InkNames` is set.
|
||||||
|
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
|
||||||
|
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
|
||||||
|
|
||||||
|
Behaviour for reading:
|
||||||
|
When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
|
||||||
|
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
|
||||||
|
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
|
||||||
|
|
||||||
|
This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
|
||||||
|
|
||||||
|
This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
|
||||||
|
|
||||||
|
It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
|
||||||
|
|
||||||
|
(cherry picked from commit f00484b9519df933723deb38fff943dc291a793d)
|
||||||
|
---
|
||||||
|
libtiff/tif_dir.c | 118 ++++++++++++++++++++++++-----------------
|
||||||
|
libtiff/tif_dir.h | 2 +
|
||||||
|
libtiff/tif_dirinfo.c | 2 +-
|
||||||
|
libtiff/tif_dirwrite.c | 5 ++
|
||||||
|
libtiff/tif_print.c | 4 ++
|
||||||
|
5 files changed, 82 insertions(+), 49 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
|
||||||
|
index ad550c65..cb329fd8 100644
|
||||||
|
--- a/libtiff/tif_dir.c
|
||||||
|
+++ b/libtiff/tif_dir.c
|
||||||
|
@@ -125,32 +125,30 @@ setExtraSamples(TIFFDirectory* td, va_list ap, uint32* v)
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
|
||||||
|
+ * Count ink names separated by \0. Returns
|
||||||
|
* zero if the ink names are not as expected.
|
||||||
|
*/
|
||||||
|
-static uint32
|
||||||
|
-checkInkNamesString(TIFF* tif, uint32 slen, const char* s)
|
||||||
|
+static uint16
|
||||||
|
+countInkNamesString(TIFF *tif, uint32 slen, const char *s)
|
||||||
|
{
|
||||||
|
- TIFFDirectory* td = &tif->tif_dir;
|
||||||
|
- uint16 i = td->td_samplesperpixel;
|
||||||
|
+ uint16 i = 0;
|
||||||
|
+ const char *ep = s + slen;
|
||||||
|
+ const char *cp = s;
|
||||||
|
|
||||||
|
if (slen > 0) {
|
||||||
|
- const char* ep = s+slen;
|
||||||
|
- const char* cp = s;
|
||||||
|
- for (; i > 0; i--) {
|
||||||
|
+ do {
|
||||||
|
for (; cp < ep && *cp != '\0'; cp++) {}
|
||||||
|
if (cp >= ep)
|
||||||
|
goto bad;
|
||||||
|
cp++; /* skip \0 */
|
||||||
|
- }
|
||||||
|
- return ((uint32)(cp-s));
|
||||||
|
+ i++;
|
||||||
|
+ } while (cp < ep);
|
||||||
|
+ return (i);
|
||||||
|
}
|
||||||
|
bad:
|
||||||
|
TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
|
||||||
|
- "%s: Invalid InkNames value; expecting %d names, found %d",
|
||||||
|
- tif->tif_name,
|
||||||
|
- td->td_samplesperpixel,
|
||||||
|
- td->td_samplesperpixel-i);
|
||||||
|
+ "%s: Invalid InkNames value; no NUL at given buffer end location %d, after %d ink",
|
||||||
|
+ tif->tif_name, slen, i);
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -452,13 +450,61 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
|
||||||
|
_TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
|
||||||
|
break;
|
||||||
|
case TIFFTAG_INKNAMES:
|
||||||
|
- v = (uint16) va_arg(ap, uint16_vap);
|
||||||
|
- s = va_arg(ap, char*);
|
||||||
|
- v = checkInkNamesString(tif, v, s);
|
||||||
|
- status = v > 0;
|
||||||
|
- if( v > 0 ) {
|
||||||
|
- _TIFFsetNString(&td->td_inknames, s, v);
|
||||||
|
- td->td_inknameslen = v;
|
||||||
|
+ {
|
||||||
|
+ v = (uint16) va_arg(ap, uint16_vap);
|
||||||
|
+ s = va_arg(ap, char*);
|
||||||
|
+ uint16 ninksinstring;
|
||||||
|
+ ninksinstring = countInkNamesString(tif, v, s);
|
||||||
|
+ status = ninksinstring > 0;
|
||||||
|
+ if(ninksinstring > 0 ) {
|
||||||
|
+ _TIFFsetNString(&td->td_inknames, s, v);
|
||||||
|
+ td->td_inknameslen = v;
|
||||||
|
+ /* Set NumberOfInks to the value ninksinstring */
|
||||||
|
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
|
||||||
|
+ {
|
||||||
|
+ if (td->td_numberofinks != ninksinstring) {
|
||||||
|
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||||
|
+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the number of inks %d.\n -> NumberOfInks value adapted to %d",
|
||||||
|
+ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
|
||||||
|
+ td->td_numberofinks = ninksinstring;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ td->td_numberofinks = ninksinstring;
|
||||||
|
+ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
|
||||||
|
+ }
|
||||||
|
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
|
||||||
|
+ {
|
||||||
|
+ if (td->td_numberofinks != td->td_samplesperpixel) {
|
||||||
|
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||||
|
+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the SamplesPerPixel value %d",
|
||||||
|
+ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ case TIFFTAG_NUMBEROFINKS:
|
||||||
|
+ v = (uint16)va_arg(ap, uint16_vap);
|
||||||
|
+ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
|
||||||
|
+ if (TIFFFieldSet(tif, FIELD_INKNAMES))
|
||||||
|
+ {
|
||||||
|
+ if (v != td->td_numberofinks) {
|
||||||
|
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||||
|
+ "Error %s; Tag %s:\n It is not possible to set the value %d for NumberOfInks\n which is different from the number of inks in the InkNames tag (%d)",
|
||||||
|
+ tif->tif_name, fip->field_name, v, td->td_numberofinks);
|
||||||
|
+ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
|
||||||
|
+ status = 0;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ td->td_numberofinks = (uint16)v;
|
||||||
|
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
|
||||||
|
+ {
|
||||||
|
+ if (td->td_numberofinks != td->td_samplesperpixel) {
|
||||||
|
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||||
|
+ "Warning %s; Tag %s:\n Value %d of NumberOfInks is different from the SamplesPerPixel value %d",
|
||||||
|
+ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case TIFFTAG_PERSAMPLE:
|
||||||
|
@@ -854,33 +900,6 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
|
||||||
|
if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
- if( tag == TIFFTAG_NUMBEROFINKS )
|
||||||
|
- {
|
||||||
|
- int i;
|
||||||
|
- for (i = 0; i < td->td_customValueCount; i++) {
|
||||||
|
- uint16 val;
|
||||||
|
- TIFFTagValue *tv = td->td_customValues + i;
|
||||||
|
- if (tv->info->field_tag != tag)
|
||||||
|
- continue;
|
||||||
|
- if( tv->value == NULL )
|
||||||
|
- return 0;
|
||||||
|
- val = *(uint16 *)tv->value;
|
||||||
|
- /* Truncate to SamplesPerPixel, since the */
|
||||||
|
- /* setting code for INKNAMES assume that there are SamplesPerPixel */
|
||||||
|
- /* inknames. */
|
||||||
|
- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
|
||||||
|
- if( val > td->td_samplesperpixel )
|
||||||
|
- {
|
||||||
|
- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
|
||||||
|
- "Truncating NumberOfInks from %u to %u",
|
||||||
|
- val, td->td_samplesperpixel);
|
||||||
|
- val = td->td_samplesperpixel;
|
||||||
|
- }
|
||||||
|
- *va_arg(ap, uint16*) = val;
|
||||||
|
- return 1;
|
||||||
|
- }
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
|
||||||
|
/*
|
||||||
|
* We want to force the custom code to be used for custom
|
||||||
|
@@ -1068,6 +1087,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap)
|
||||||
|
case TIFFTAG_INKNAMES:
|
||||||
|
*va_arg(ap, char**) = td->td_inknames;
|
||||||
|
break;
|
||||||
|
+ case TIFFTAG_NUMBEROFINKS:
|
||||||
|
+ *va_arg(ap, uint16 *) = td->td_numberofinks;
|
||||||
|
+ break;
|
||||||
|
default:
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
|
||||||
|
index 5a380767..b5881b02 100644
|
||||||
|
--- a/libtiff/tif_dir.h
|
||||||
|
+++ b/libtiff/tif_dir.h
|
||||||
|
@@ -113,6 +113,7 @@ typedef struct {
|
||||||
|
/* CMYK parameters */
|
||||||
|
int td_inknameslen;
|
||||||
|
char* td_inknames;
|
||||||
|
+ uint16 td_numberofinks; /* number of inks in InkNames string */
|
||||||
|
|
||||||
|
int td_customValueCount;
|
||||||
|
TIFFTagValue *td_customValues;
|
||||||
|
@@ -168,6 +169,7 @@ typedef struct {
|
||||||
|
#define FIELD_TRANSFERFUNCTION 44
|
||||||
|
#define FIELD_INKNAMES 46
|
||||||
|
#define FIELD_SUBIFD 49
|
||||||
|
+#define FIELD_NUMBEROFINKS 50
|
||||||
|
/* FIELD_CUSTOM (see tiffio.h) 65 */
|
||||||
|
/* end of support for well-known tags; codec-private tags follow */
|
||||||
|
#define FIELD_CODEC 66 /* base of codec-private tags */
|
||||||
|
diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
|
||||||
|
index 4904f540..8bbc8323 100644
|
||||||
|
--- a/libtiff/tif_dirinfo.c
|
||||||
|
+++ b/libtiff/tif_dirinfo.c
|
||||||
|
@@ -106,7 +106,7 @@ tiffFields[] = {
|
||||||
|
{ TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
|
||||||
|
{ TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
|
||||||
|
{ TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
|
||||||
|
- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
|
||||||
|
+ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
|
||||||
|
{ TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
|
||||||
|
{ TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
|
||||||
|
{ TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
|
||||||
|
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
|
||||||
|
index 03a9f296..994fa57a 100644
|
||||||
|
--- a/libtiff/tif_dirwrite.c
|
||||||
|
+++ b/libtiff/tif_dirwrite.c
|
||||||
|
@@ -634,6 +634,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
|
||||||
|
if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
|
||||||
|
goto bad;
|
||||||
|
}
|
||||||
|
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
|
||||||
|
+ {
|
||||||
|
+ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
|
||||||
|
+ goto bad;
|
||||||
|
+ }
|
||||||
|
if (TIFFFieldSet(tif,FIELD_SUBIFD))
|
||||||
|
{
|
||||||
|
if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
|
||||||
|
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
|
||||||
|
index b9b53a0f..9caba038 100644
|
||||||
|
--- a/libtiff/tif_print.c
|
||||||
|
+++ b/libtiff/tif_print.c
|
||||||
|
@@ -404,6 +404,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
|
||||||
|
}
|
||||||
|
fputs("\n", fd);
|
||||||
|
}
|
||||||
|
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
|
||||||
|
+ fprintf(fd, " NumberOfInks: %d\n",
|
||||||
|
+ td->td_numberofinks);
|
||||||
|
+ }
|
||||||
|
if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
|
||||||
|
fprintf(fd, " Thresholding: ");
|
||||||
|
switch (td->td_threshholding) {
|
@ -0,0 +1,37 @@
|
|||||||
|
From b7bc0d684cee380f7497cb095a115361dbabef71 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Even Rouault <even.rouault@mines-paris.org>
|
||||||
|
Date: Tue, 13 Mar 2018 14:39:30 +0000
|
||||||
|
Subject: [PATCH] (CVE-2018-15209) Merge branch
|
||||||
|
'avoid_memory_exhaustion_in_ChopUpSingleUncompressedStrip' into 'master'
|
||||||
|
|
||||||
|
ChopUpSingleUncompressedStrip: avoid memory exhaustion (CVE-2017-11613)
|
||||||
|
|
||||||
|
See merge request libtiff/libtiff!26
|
||||||
|
|
||||||
|
(cherry picked from commit 0a2e5e98b353a987ea69985d2283bba569a7e063)
|
||||||
|
---
|
||||||
|
libtiff/tif_dirread.c | 11 +++++++++++
|
||||||
|
1 file changed, 11 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||||||
|
index b72e6a3b..bc1ab083 100644
|
||||||
|
--- a/libtiff/tif_dirread.c
|
||||||
|
+++ b/libtiff/tif_dirread.c
|
||||||
|
@@ -5765,6 +5765,17 @@ ChopUpSingleUncompressedStrip(TIFF* tif)
|
||||||
|
if( nstrips == 0 )
|
||||||
|
return;
|
||||||
|
|
||||||
|
+ /* If we are going to allocate a lot of memory, make sure that the */
|
||||||
|
+ /* file is as big as needed */
|
||||||
|
+ if( tif->tif_mode == O_RDONLY &&
|
||||||
|
+ nstrips > 1000000 &&
|
||||||
|
+ (tif->tif_dir.td_stripoffset[0] >= TIFFGetFileSize(tif) ||
|
||||||
|
+ tif->tif_dir.td_stripbytecount[0] >
|
||||||
|
+ TIFFGetFileSize(tif) - tif->tif_dir.td_stripoffset[0]) )
|
||||||
|
+ {
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
|
||||||
|
"for chopped \"StripByteCounts\" array");
|
||||||
|
newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
|
@ -0,0 +1,172 @@
|
|||||||
|
From 83f6ae4cce52cd4feaebf2bc4fc2d5077a10677c Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
||||||
|
Date: Thu, 16 May 2024 14:43:44 +0200
|
||||||
|
Subject: [PATCH] (CVE-2023-25433) Merge branch
|
||||||
|
'tiffcrop_correctly_update_buffersize_after_rotate_fix#520' into 'master'
|
||||||
|
|
||||||
|
tiffcrop correctly update buffersize after rotateImage() fix#520
|
||||||
|
|
||||||
|
Closes #520
|
||||||
|
|
||||||
|
See merge request libtiff/libtiff!467
|
||||||
|
|
||||||
|
(cherry picked from commit 6366e8f776a0fa0dd476d37b108eecdf42b950f3)
|
||||||
|
---
|
||||||
|
tools/tiffcrop.c | 72 ++++++++++++++++++++++++++++++++++++++----------
|
||||||
|
1 file changed, 58 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
||||||
|
index 77923cf3..8b761874 100644
|
||||||
|
--- a/tools/tiffcrop.c
|
||||||
|
+++ b/tools/tiffcrop.c
|
||||||
|
@@ -529,7 +529,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
|
||||||
|
static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
|
||||||
|
uint32, uint32, uint8 *, uint8 *);
|
||||||
|
static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
|
||||||
|
- unsigned char **);
|
||||||
|
+ unsigned char **, tsize_t *);
|
||||||
|
static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
|
||||||
|
unsigned char *);
|
||||||
|
static int invertImage(uint16, uint16, uint16, uint32, uint32,
|
||||||
|
@@ -6358,7 +6358,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
|
||||||
|
+ if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr, NULL))
|
||||||
|
{
|
||||||
|
TIFFError ("correct_orientation", "Unable to rotate image");
|
||||||
|
return (-1);
|
||||||
|
@@ -7578,16 +7578,20 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
|
||||||
|
|
||||||
|
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
|
||||||
|
{
|
||||||
|
+ /* rotateImage() set up a new buffer and calculates its size
|
||||||
|
+ * individually. Therefore, seg_buffs size needs to be updated
|
||||||
|
+ * accordingly. */
|
||||||
|
+
|
||||||
|
+ tsize_t rot_buf_size = 0;
|
||||||
|
if (rotateImage(crop->rotation, image, &crop->combined_width,
|
||||||
|
- &crop->combined_length, &crop_buff))
|
||||||
|
+ &crop->combined_length, &crop_buff, &rot_buf_size))
|
||||||
|
{
|
||||||
|
TIFFError("processCropSelections",
|
||||||
|
"Failed to rotate composite regions by %d degrees", crop->rotation);
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
seg_buffs[0].buffer = crop_buff;
|
||||||
|
- seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
|
||||||
|
- * image->spp) * crop->combined_length;
|
||||||
|
+ seg_buffs[0].size = rot_buf_size;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else /* Separated Images */
|
||||||
|
@@ -7684,8 +7688,18 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
|
||||||
|
|
||||||
|
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
|
||||||
|
{
|
||||||
|
- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
|
||||||
|
- &crop->regionlist[i].length, &crop_buff))
|
||||||
|
+ /* rotateImage() changes image->width, ->length, ->xres and
|
||||||
|
+ * ->yres, what it schouldn't do here, when more than one
|
||||||
|
+ * section is processed. ToDo: Therefore rotateImage() and its
|
||||||
|
+ * usage has to be reworked (e.g. like mirrorImage()) !!
|
||||||
|
+ * Furthermore, rotateImage() set up a new buffer and calculates
|
||||||
|
+ * its size individually. Therefore, seg_buffs size needs to be
|
||||||
|
+ * updated accordingly. */
|
||||||
|
+ tsize_t rot_buf_size = 0;
|
||||||
|
+ if (rotateImage(
|
||||||
|
+ crop->rotation, image, &crop->regionlist[i].width,
|
||||||
|
+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
|
||||||
|
+
|
||||||
|
{
|
||||||
|
TIFFError("processCropSelections",
|
||||||
|
"Failed to rotate crop region by %d degrees", crop->rotation);
|
||||||
|
@@ -7696,8 +7710,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
|
||||||
|
crop->combined_width = total_width;
|
||||||
|
crop->combined_length = total_length;
|
||||||
|
seg_buffs[i].buffer = crop_buff;
|
||||||
|
- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
|
||||||
|
- * image->spp) * crop->regionlist[i].length;
|
||||||
|
+ seg_buffs[i].size = rot_buf_size;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -7813,7 +7826,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
|
||||||
|
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
|
||||||
|
{
|
||||||
|
if (rotateImage(crop->rotation, image, &crop->combined_width,
|
||||||
|
- &crop->combined_length, crop_buff_ptr))
|
||||||
|
+ &crop->combined_length, crop_buff_ptr, NULL))
|
||||||
|
{
|
||||||
|
TIFFError("createCroppedImage",
|
||||||
|
"Failed to rotate image or cropped selection by %d degrees", crop->rotation);
|
||||||
|
@@ -8476,13 +8489,14 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
|
||||||
|
/* Rotate an image by a multiple of 90 degrees clockwise */
|
||||||
|
static int
|
||||||
|
rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
|
||||||
|
- uint32 *img_length, unsigned char **ibuff_ptr)
|
||||||
|
+ uint32 *img_length, unsigned char **ibuff_ptr, tsize_t *rot_buf_size)
|
||||||
|
{
|
||||||
|
int shift_width;
|
||||||
|
uint32 bytes_per_pixel, bytes_per_sample;
|
||||||
|
uint32 row, rowsize, src_offset, dst_offset;
|
||||||
|
uint32 i, col, width, length;
|
||||||
|
- uint32 colsize, buffsize, col_offset, pix_offset;
|
||||||
|
+ uint32 colsize, col_offset, pix_offset;
|
||||||
|
+ tmsize_t buffsize;
|
||||||
|
unsigned char *ibuff;
|
||||||
|
unsigned char *src;
|
||||||
|
unsigned char *dst;
|
||||||
|
@@ -8495,12 +8509,40 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
|
||||||
|
spp = image->spp;
|
||||||
|
bps = image->bps;
|
||||||
|
|
||||||
|
+ if ((spp != 0 && bps != 0 &&
|
||||||
|
+ width > (uint32)((UINT32_MAX - 7) / spp / bps)) ||
|
||||||
|
+ (spp != 0 && bps != 0 &&
|
||||||
|
+ length > (uint32)((UINT32_MAX - 7) / spp / bps)))
|
||||||
|
+ {
|
||||||
|
+ TIFFError("rotateImage", "Integer overflow detected.");
|
||||||
|
+ return (-1);
|
||||||
|
+ }
|
||||||
|
rowsize = ((bps * spp * width) + 7) / 8;
|
||||||
|
colsize = ((bps * spp * length) + 7) / 8;
|
||||||
|
if ((colsize * width) > (rowsize * length))
|
||||||
|
- buffsize = (colsize + 1) * width;
|
||||||
|
+ {
|
||||||
|
+ if (((tmsize_t)colsize + 1) != 0 &&
|
||||||
|
+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - 3) /
|
||||||
|
+ ((tmsize_t)colsize + 1)))
|
||||||
|
+ {
|
||||||
|
+ TIFFError("rotateImage",
|
||||||
|
+ "Integer overflow when calculating buffer size.");
|
||||||
|
+ return (-1);
|
||||||
|
+ }
|
||||||
|
+ buffsize = ((tmsize_t)colsize + 1) * width;
|
||||||
|
+ }
|
||||||
|
else
|
||||||
|
- buffsize = (rowsize + 1) * length;
|
||||||
|
+ {
|
||||||
|
+ if (((tmsize_t)rowsize + 1) != 0 &&
|
||||||
|
+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - 3) /
|
||||||
|
+ ((tmsize_t)rowsize + 1)))
|
||||||
|
+ {
|
||||||
|
+ TIFFError("rotateImage",
|
||||||
|
+ "Integer overflow when calculating buffer size.");
|
||||||
|
+ return (-1);
|
||||||
|
+ }
|
||||||
|
+ buffsize = (rowsize + 1) * length;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
bytes_per_sample = (bps + 7) / 8;
|
||||||
|
bytes_per_pixel = ((bps * spp) + 7) / 8;
|
||||||
|
@@ -8526,6 +8568,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
_TIFFmemset(rbuff, '\0', buffsize);
|
||||||
|
+ if (rot_buf_size != NULL)
|
||||||
|
+ *rot_buf_size = buffsize;
|
||||||
|
|
||||||
|
ibuff = *ibuff_ptr;
|
||||||
|
switch (rotation)
|
@ -0,0 +1,50 @@
|
|||||||
|
From df8410cee20798b1d63c291c1bf106e3a52d59b1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
||||||
|
Date: Thu, 16 May 2024 14:54:52 +0200
|
||||||
|
Subject: [PATCH] (CVE-2023-52356) Merge branch 'fix_622' into 'master'
|
||||||
|
|
||||||
|
TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of col/row (fixes #622)
|
||||||
|
|
||||||
|
Closes #622
|
||||||
|
|
||||||
|
See merge request libtiff/libtiff!546
|
||||||
|
|
||||||
|
(cherry picked from commit dfacff5a84d153d7febdfcbcb341b38c1f03b34e)
|
||||||
|
---
|
||||||
|
libtiff/tif_getimage.c | 16 ++++++++++++++++
|
||||||
|
1 file changed, 16 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
||||||
|
index 00cd5510..4f32b3a4 100644
|
||||||
|
--- a/libtiff/tif_getimage.c
|
||||||
|
+++ b/libtiff/tif_getimage.c
|
||||||
|
@@ -2929,6 +2929,14 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 row, uint32 * raster, int stop_on_error)
|
||||||
|
|
||||||
|
if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
|
||||||
|
|
||||||
|
+ if (row >= img.height)
|
||||||
|
+ {
|
||||||
|
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
|
||||||
|
+ "Invalid row passed to TIFFReadRGBAStrip().");
|
||||||
|
+ TIFFRGBAImageEnd(&img);
|
||||||
|
+ return (0);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
img.row_offset = row;
|
||||||
|
img.col_offset = 0;
|
||||||
|
|
||||||
|
@@ -3004,6 +3012,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (col >= img.width || row >= img.height)
|
||||||
|
+ {
|
||||||
|
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
|
||||||
|
+ "Invalid row/col passed to TIFFReadRGBATile().");
|
||||||
|
+ TIFFRGBAImageEnd(&img);
|
||||||
|
+ return (0);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* The TIFFRGBAImageGet() function doesn't allow us to get off the
|
||||||
|
* edge of the image, even to fill an otherwise valid tile. So we
|
@ -0,0 +1,30 @@
|
|||||||
|
From 32346d49db890969d7de19e8eebff00400280926 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Even Rouault <even.rouault@spatialys.com>
|
||||||
|
Date: Sat, 9 Sep 2023 15:11:42 +0000
|
||||||
|
Subject: [PATCH] (CVE-2023-6228) Merge branch
|
||||||
|
'fix_606_tiffcp_check_also_input_compression_codec' into 'master'
|
||||||
|
|
||||||
|
tiffcp: Fixes #606. Check also codec of input image, not only from output image.
|
||||||
|
|
||||||
|
Closes #606
|
||||||
|
|
||||||
|
See merge request libtiff/libtiff!533
|
||||||
|
|
||||||
|
(cherry picked from commit 668d2c1a52fa48658bbf69615924b42b5a059f9e)
|
||||||
|
---
|
||||||
|
tools/tiffcp.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
||||||
|
index fb98bd57..81ec6bbd 100644
|
||||||
|
--- a/tools/tiffcp.c
|
||||||
|
+++ b/tools/tiffcp.c
|
||||||
|
@@ -622,6 +622,8 @@ tiffcp(TIFF* in, TIFF* out)
|
||||||
|
else
|
||||||
|
CopyField(TIFFTAG_COMPRESSION, compression);
|
||||||
|
TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
|
||||||
|
+ if (!TIFFIsCODECConfigured(input_compression))
|
||||||
|
+ return FALSE;
|
||||||
|
TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
|
||||||
|
if (input_compression == COMPRESSION_JPEG) {
|
||||||
|
/* Force conversion to RGB */
|
46
SOURCES/libtiff-4.6.0-CVE-2024-7006.patch
Normal file
46
SOURCES/libtiff-4.6.0-CVE-2024-7006.patch
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
diff -up tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 tiff-4.4.0/libtiff/tif_dirinfo.c
|
||||||
|
--- tiff-4.4.0/libtiff/tif_dirinfo.c.CVE-2024-7006 2024-08-16 00:35:35.339965778 +0200
|
||||||
|
+++ tiff-4.4.0/libtiff/tif_dirinfo.c 2024-08-16 00:54:58.255221954 +0200
|
||||||
|
@@ -824,7 +824,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint
|
||||||
|
fld = TIFFFindField(tif, tag, dt);
|
||||||
|
if (fld == NULL) {
|
||||||
|
fld = _TIFFCreateAnonField(tif, tag, dt);
|
||||||
|
- if (!_TIFFMergeFields(tif, fld, 1))
|
||||||
|
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up tiff-4.0.9/libtiff/tif_dirread.c~ tiff-4.0.9/libtiff/tif_dirread.c
|
||||||
|
--- tiff-4.0.9/libtiff/tif_dirread.c~ 2024-08-29 23:31:19.884308223 +0200
|
||||||
|
+++ tiff-4.0.9/libtiff/tif_dirread.c 2024-08-29 23:31:19.909308479 +0200
|
||||||
|
@@ -3667,11 +3667,10 @@ TIFFReadDirectory(TIFF* tif)
|
||||||
|
dp->tdir_tag,dp->tdir_tag);
|
||||||
|
/* the following knowingly leaks the
|
||||||
|
anonymous field structure */
|
||||||
|
- if (!_TIFFMergeFields(tif,
|
||||||
|
- _TIFFCreateAnonField(tif,
|
||||||
|
- dp->tdir_tag,
|
||||||
|
- (TIFFDataType) dp->tdir_type),
|
||||||
|
- 1)) {
|
||||||
|
+ const TIFFField *fld = _TIFFCreateAnonField(
|
||||||
|
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
|
||||||
|
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
|
||||||
|
+ {
|
||||||
|
TIFFWarningExt(tif->tif_clientdata,
|
||||||
|
module,
|
||||||
|
"Registering anonymous field with tag %d (0x%x) failed",
|
||||||
|
@@ -4392,10 +4391,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_
|
||||||
|
TIFFWarningExt(tif->tif_clientdata, module,
|
||||||
|
"Unknown field with tag %d (0x%x) encountered",
|
||||||
|
dp->tdir_tag, dp->tdir_tag);
|
||||||
|
- if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
|
||||||
|
- dp->tdir_tag,
|
||||||
|
- (TIFFDataType) dp->tdir_type),
|
||||||
|
- 1)) {
|
||||||
|
+ const TIFFField *fld = _TIFFCreateAnonField(
|
||||||
|
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
|
||||||
|
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
|
||||||
|
+ {
|
||||||
|
TIFFWarningExt(tif->tif_clientdata, module,
|
||||||
|
"Registering anonymous field with tag %d (0x%x) failed",
|
||||||
|
dp->tdir_tag, dp->tdir_tag);
|
@ -1,31 +0,0 @@
|
|||||||
Back off the minimum required automake version to 1.11. There isn't
|
|
||||||
anything in libtiff currently that actually requires 1.12, and changing
|
|
||||||
this allows the package to be built on pre-F18 machines for easier testing.
|
|
||||||
|
|
||||||
This patch can go away once we no longer care about testing on pre-F18.
|
|
||||||
|
|
||||||
|
|
||||||
diff -Naur tiff-4.0.3.orig/Makefile.am tiff-4.0.3/Makefile.am
|
|
||||||
--- tiff-4.0.3.orig/Makefile.am 2012-09-20 09:22:47.000000000 -0400
|
|
||||||
+++ tiff-4.0.3/Makefile.am 2012-10-30 11:33:30.312823564 -0400
|
|
||||||
@@ -25,7 +25,7 @@
|
|
||||||
|
|
||||||
docdir = $(LIBTIFF_DOCDIR)
|
|
||||||
|
|
||||||
-AUTOMAKE_OPTIONS = 1.12 dist-zip foreign
|
|
||||||
+AUTOMAKE_OPTIONS = 1.11 dist-zip foreign
|
|
||||||
ACLOCAL_AMFLAGS = -I m4
|
|
||||||
|
|
||||||
docfiles = \
|
|
||||||
diff -Naur tiff-4.0.3.orig/test/Makefile.am tiff-4.0.3/test/Makefile.am
|
|
||||||
--- tiff-4.0.3.orig/test/Makefile.am 2012-09-20 09:22:28.000000000 -0400
|
|
||||||
+++ tiff-4.0.3/test/Makefile.am 2012-10-30 11:33:17.109696812 -0400
|
|
||||||
@@ -23,7 +23,7 @@
|
|
||||||
|
|
||||||
# Process this file with automake to produce Makefile.in.
|
|
||||||
|
|
||||||
-AUTOMAKE_OPTIONS = 1.12 color-tests parallel-tests foreign
|
|
||||||
+AUTOMAKE_OPTIONS = 1.11 color-tests parallel-tests foreign
|
|
||||||
|
|
||||||
LIBTIFF = $(top_builddir)/libtiff/libtiff.la
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
diff --git a/tools/ppm2tiff.c b/tools/ppm2tiff.c
|
|
||||||
index 81ffa3d..a02e865 100644
|
|
||||||
--- a/tools/ppm2tiff.c
|
|
||||||
+++ b/tools/ppm2tiff.c
|
|
||||||
@@ -285,6 +285,8 @@ main(int argc, char* argv[])
|
|
||||||
if (TIFFWriteScanline(out, buf, row, 0) < 0)
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
+ if (in != stdin)
|
|
||||||
+ fclose(in);
|
|
||||||
(void) TIFFClose(out);
|
|
||||||
if (buf)
|
|
||||||
_TIFFfree(buf);
|
|
||||||
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
|
|
||||||
index bd23c9e..a15a3ef 100644
|
|
||||||
--- a/tools/tiff2pdf.c
|
|
||||||
+++ b/tools/tiff2pdf.c
|
|
||||||
@@ -3020,6 +3020,7 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
|
|
||||||
"for t2p_readwrite_pdf_image_tile, %s",
|
|
||||||
(unsigned long) t2p->tiff_datasize,
|
|
||||||
TIFFFileName(input));
|
|
||||||
+ _TIFFfree(buffer);
|
|
||||||
t2p->t2p_error = T2P_ERR_ERROR;
|
|
||||||
return(0);
|
|
||||||
}
|
|
||||||
@@ -3747,11 +3748,11 @@ t2p_sample_rgbaa_to_rgb(tdata_t data, uint32 samplecount)
|
|
||||||
{
|
|
||||||
uint32 i;
|
|
||||||
|
|
||||||
- /* For the 3 first samples, there is overlapping between souce and
|
|
||||||
- destination, so use memmove().
|
|
||||||
- See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */
|
|
||||||
- for(i = 0; i < 3 && i < samplecount; i++)
|
|
||||||
- memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
|
|
||||||
+ /* For the 3 first samples, there is overlapping between souce and
|
|
||||||
+ destination, so use memmove().
|
|
||||||
+ See http://bugzilla.maptools.org/show_bug.cgi?id=2577 */
|
|
||||||
+ for(i = 0; i < 3 && i < samplecount; i++)
|
|
||||||
+ memmove((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
|
|
||||||
for(; i < samplecount; i++)
|
|
||||||
memcpy((uint8*)data + i * 3, (uint8*)data + i * 4, 3);
|
|
||||||
|
|
@ -1,12 +0,0 @@
|
|||||||
diff --git a/html/man/Makefile.am b/html/man/Makefile.am
|
|
||||||
index 587296c..696005e 100644
|
|
||||||
--- a/html/man/Makefile.am
|
|
||||||
+++ b/html/man/Makefile.am
|
|
||||||
@@ -92,7 +92,6 @@ docfiles = \
|
|
||||||
tiffcrop.1.html \
|
|
||||||
tiffdither.1.html \
|
|
||||||
tiffdump.1.html \
|
|
||||||
- tiffgt.1.html \
|
|
||||||
tiffinfo.1.html \
|
|
||||||
tiffmedian.1.html \
|
|
||||||
tiffset.1.html \
|
|
@ -1,26 +1,63 @@
|
|||||||
Summary: Library of functions for manipulating TIFF format image files
|
Summary: Library of functions for manipulating TIFF format image files
|
||||||
Name: libtiff
|
Name: libtiff
|
||||||
Version: 4.0.9
|
Version: 4.0.9
|
||||||
Release: 15%{?dist}
|
Release: 33%{?dist}
|
||||||
License: libtiff
|
License: libtiff
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
URL: http://www.simplesystems.org/libtiff/
|
URL: http://www.simplesystems.org/libtiff/
|
||||||
|
|
||||||
Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
|
Source: ftp://ftp.simplesystems.org/pub/libtiff/tiff-%{version}.tar.gz
|
||||||
|
|
||||||
Patch0: libtiff-am-version.patch
|
|
||||||
Patch1: libtiff-make-check.patch
|
# Patches generated from https://gitlab.cee.redhat.com/mmuzila/libtiff/-/tree/rhel-8.7.0
|
||||||
Patch2: libtiff-CVE-2018-5784.patch
|
# Patches were generated by: git format-patch -N --no-signature ...
|
||||||
Patch3: libtiff-CVE-2018-7456.patch
|
Patch0001: 0001-Back-off-the-minimum-required-automake-version-to-1..patch
|
||||||
Patch4: libtiff-CVE-2017-9935.patch
|
Patch0002: 0002-Fix-Makefile.patch
|
||||||
Patch5: libtiff-CVE-2017-18013.patch
|
Patch0003: 0003-CVE-2018-5784-Fix-for-bug-2772.patch
|
||||||
Patch6: libtiff-CVE-2018-8905.patch
|
Patch0004: 0004-CVE-2018-7456-Fix-NULL-pointer-dereference-in-TIFFPr.patch
|
||||||
Patch7: libtiff-CVE-2018-10963.patch
|
Patch0005: 0005-CVE-2017-9935-tiff2pdf-Fix-CVE-2017-9935.patch
|
||||||
Patch8: libtiff-CVE-2018-17100.patch
|
Patch0006: 0006-CVE-2017-9935-tiff2pdf-Fix-apparent-incorrect-type-f.patch
|
||||||
Patch9: libtiff-coverity.patch
|
Patch0007: 0007-CVE-2017-18013-libtiff-tif_print.c-TIFFPrintDirector.patch
|
||||||
Patch10: libtiff-CVE-2018-18557.patch
|
Patch0008: 0008-CVE-2018-8905-LZWDecodeCompat-fix-potential-index-ou.patch
|
||||||
Patch11: libtiff-CVE-2018-18661.patch
|
Patch0009: 0009-CVE-2018-10963-TIFFWriteDirectorySec-avoid-assertion.patch
|
||||||
Patch12: libtiff-CVE-2018-12900.patch
|
Patch0010: 0010-CVE-2018-17100-avoid-potential-int32-overflows-in-mu.patch
|
||||||
|
Patch0011: 0011-CVE-2018-18557-JBIG-fix-potential-out-of-bounds-writ.patch
|
||||||
|
Patch0012: 0012-CVE-2018-18661-tiff2bw-avoid-null-pointer-dereferenc.patch
|
||||||
|
Patch0013: 0013-bz1602597-Fix-two-resource-leaks.patch
|
||||||
|
Patch0014: 0014-CVE-2018-12900-check-that-Tile-Width-Samples-Pixel-d.patch
|
||||||
|
Patch0015: 0015-CVE-2019-14973-Fix-integer-overflow-in-_TIFFCheckMal.patch
|
||||||
|
Patch0016: 0016-CVE-2019-17546-RGBA-interface-fix-integer-overflow-p.patch
|
||||||
|
Patch0017: 0017-CVE-2020-35521-CVE-2020-35522-enforce-configurable-m.patch
|
||||||
|
Patch0018: 0018-CVE-2020-35523-gtTileContig-check-Tile-width-for-ove.patch
|
||||||
|
Patch0019: 0019-CVE-2020-35524-tiff2pdf.c-properly-calculate-datasiz.patch
|
||||||
|
Patch0020: 0020-CVE-2020-19131-tiffcrop.c-fix-invertImage-for-bps-2-.patch
|
||||||
|
Patch0021: 0021-CVE-2022-0561-TIFFFetchStripThing-avoid-calling-memc.patch
|
||||||
|
Patch0022: 0022-CVE-2022-0562-TIFFReadDirectory-avoid-calling-memcpy.patch
|
||||||
|
Patch0023: 0023-CVE-2022-22844-tiffset-fix-global-buffer-overflow-fo.patch
|
||||||
|
Patch0024: 0024-CVE-2022-0865-tif_jbig.c-fix-crash-when-reading-a-fi.patch
|
||||||
|
Patch0025: 0025-CVE-2022-0891-tiffcrop-fix-issue-380-and-382-heap-bu.patch
|
||||||
|
Patch0026: 0026-CVE-2022-0924-fix-heap-buffer-overflow-in-tiffcp-278.patch
|
||||||
|
Patch0027: 0027-CVE-2022-0909-fix-the-FPE-in-tiffcrop-393.patch
|
||||||
|
Patch0028: 0028-CVE-2022-0908-TIFFFetchNormalTag-avoid-calling-memcp.patch
|
||||||
|
Patch0029: 0029-CVE-2022-1355-tiffcp-avoid-buffer-overflow-in-mode-s.patch
|
||||||
|
Patch0030: 0030-move-_TIFFClampDoubleToFloat-to-tif_aux.c.patch
|
||||||
|
Patch0031: 0031-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058-fix-the-FP.patch
|
||||||
|
Patch0032: 0032-CVE-2022-2867-CVE-2022-2868-tiffcrop.c-Fix-issue-352.patch
|
||||||
|
Patch0033: 0033-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch
|
||||||
|
Patch0034: 0034-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521-CVE-2022-2.patch
|
||||||
|
Patch0035: 0035-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627-tiffcrop-d.patch
|
||||||
|
Patch0036: 0036-CVE-2022-3970-TIFFReadRGBATileExt-fix-unsigned-integ.patch
|
||||||
|
Patch0037: 0037-CVE-2022-48281-tiffcrop-Correct-simple-copy-paste-er.patch
|
||||||
|
Patch0038: 0038-CVE-2023-0800-CVE-2023-0801-CVE-2023-0802-CVE-2023-0.patch
|
||||||
|
Patch0039: 0039-CVE-2022-3599-Revised-handling-of-TIFFTAG_INKNAMES-a.patch
|
||||||
|
Patch0040: 0040-CVE-2018-15209-Merge-branch-avoid_memory_exhaustion_.patch
|
||||||
|
Patch0041: 0041-CVE-2023-25433-Merge-branch-tiffcrop_correctly_updat.patch
|
||||||
|
Patch0042: 0042-CVE-2023-52356-Merge-branch-fix_622-into-master.patch
|
||||||
|
Patch0043: 0043-CVE-2023-6228-Merge-branch-fix_606_tiffcp_check_also.patch
|
||||||
|
|
||||||
|
# from upstream, for <=4.6.0, RHEL-52927
|
||||||
|
# https://gitlab.com/libtiff/libtiff/-/commit/3705f82b6483c7906cf08cd6b9dcdcd59c61d779
|
||||||
|
Patch44: libtiff-4.6.0-CVE-2024-7006.patch
|
||||||
|
|
||||||
BuildRequires: gcc, gcc-c++
|
BuildRequires: gcc, gcc-c++
|
||||||
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
|
BuildRequires: zlib-devel libjpeg-devel jbigkit-devel
|
||||||
@ -70,21 +107,7 @@ This package contains command-line programs for manipulating TIFF format
|
|||||||
image files using the libtiff library.
|
image files using the libtiff library.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n tiff-%{version}
|
%autosetup -p1 -n tiff-%{version}
|
||||||
|
|
||||||
%patch0 -p1
|
|
||||||
%patch1 -p1
|
|
||||||
%patch2 -p1
|
|
||||||
%patch3 -p1
|
|
||||||
%patch4 -p1
|
|
||||||
%patch5 -p1
|
|
||||||
%patch6 -p1
|
|
||||||
%patch7 -p1
|
|
||||||
%patch8 -p1
|
|
||||||
%patch9 -p1
|
|
||||||
%patch10 -p1
|
|
||||||
%patch11 -p1
|
|
||||||
%patch12 -p1
|
|
||||||
|
|
||||||
# Use build system's libtool.m4, not the one in the package.
|
# Use build system's libtool.m4, not the one in the package.
|
||||||
rm -f libtool.m4
|
rm -f libtool.m4
|
||||||
@ -188,6 +211,73 @@ find html -name 'Makefile*' | xargs rm
|
|||||||
%{_mandir}/man1/*
|
%{_mandir}/man1/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 29 2024 Michal Hlavinka <mhlavink@redhat.com> - 4.0.9-33
|
||||||
|
- fix CVE-2024-7006 a null pointer dereference in tif_dirinfo (RHEL-52927)
|
||||||
|
|
||||||
|
* Thu May 16 2024 Matej Mužila <mmuzila@redhat.com> - 4.0.9-32
|
||||||
|
- Fix CVE-2023-6228 CVE-2023-52356 CVE-2023-25433 CVE-2018-15209
|
||||||
|
- Resolves: RHEL-30682 RHEL-30520 RHEL-30474 RHEL-5406
|
||||||
|
|
||||||
|
* Fri Jan 05 2024 Matej Mužila <mmuzila@redhat.com> - 4.0.9-31
|
||||||
|
- Fix CVE-2022-3599 CVE-2022-4645
|
||||||
|
- Resolves: RHEL-5399
|
||||||
|
|
||||||
|
* Thu Sep 21 2023 Ondrej Sloup <osloup@redhat.com> - 4.0.9-30
|
||||||
|
- Bump specfile to retrigger gating
|
||||||
|
- Add tests folder for standard beakerlib
|
||||||
|
- Related: RHEL-4683 RHEL-4685 RHEL-4686 RHEL-4687 RHEL-4688
|
||||||
|
|
||||||
|
* Tue Aug 08 2023 Matej Mužila <mmuzila@redhat.com> - 4.0.9-29
|
||||||
|
- Fix CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
|
||||||
|
- Resolves: RHEL-4683 RHEL-4685 RHEL-4686 RHEL-4687 RHEL-4688
|
||||||
|
|
||||||
|
* Tue May 16 2023 Matej Mužila <mmuzila@redhat.com> - 4.0.9-28
|
||||||
|
- Fix CVE-2022-48281
|
||||||
|
- Resolves: CVE-2022-48281
|
||||||
|
|
||||||
|
* Mon Jan 16 2023 Matej Mužila <mmuzila@redhat.com> - 4.0.9-27
|
||||||
|
- Fix various CVEs
|
||||||
|
- Resolves: CVE-2022-3627 CVE-2022-3970
|
||||||
|
|
||||||
|
* Mon Oct 24 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-26
|
||||||
|
- Fix various CVEs
|
||||||
|
- Resolves: CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2953
|
||||||
|
|
||||||
|
* Tue Sep 06 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-25
|
||||||
|
- Fix CVE-2022-2867 (#2118857)
|
||||||
|
- Fix CVE-2022-2868 (#2118882)
|
||||||
|
- Fix CVE-2022-2869 (#2118878)
|
||||||
|
|
||||||
|
* Mon Jul 18 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-24
|
||||||
|
- Fix CVE-2022-2056 CVE-2022-2057 CVE-2022-2058
|
||||||
|
- Resolves: #2103222
|
||||||
|
|
||||||
|
* Thu May 12 2022 Matej Mužila <mmuzila@redhat.com> - 4.0.9-23
|
||||||
|
- Fix various CVEs
|
||||||
|
- Resolves: CVE-2022-0561 CVE-2022-0562 CVE-2022-22844 CVE-2022-0865
|
||||||
|
CVE-2022-0891 CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-1355
|
||||||
|
|
||||||
|
* Wed Sep 29 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-21
|
||||||
|
- Fix CVE-2020-19131 (#2006535)
|
||||||
|
|
||||||
|
* Thu Apr 29 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-20
|
||||||
|
- Rebuild for fixed binutils (#1954437)
|
||||||
|
|
||||||
|
* Fri Apr 09 2021 Nikola Forró <nforro@redhat.com> - 4.0.9-19
|
||||||
|
- Fix CVE-2020-35521 (#1945539)
|
||||||
|
- Fix CVE-2020-35522 (#1945555)
|
||||||
|
- Fix CVE-2020-35523 (#1945542)
|
||||||
|
- Fix CVE-2020-35524 (#1945546)
|
||||||
|
|
||||||
|
* Thu Feb 20 2020 Nikola Forró <nforro@redhat.com> - 4.0.9-18
|
||||||
|
- Fix CVE-2019-17546 (#1771372)
|
||||||
|
|
||||||
|
* Thu Nov 28 2019 Nikola Forró <nforro@redhat.com> - 4.0.9-17
|
||||||
|
- Add upstream test suite and enable it in gating
|
||||||
|
|
||||||
|
* Wed Nov 27 2019 Nikola Forró <nforro@redhat.com> - 4.0.9-16
|
||||||
|
- Fix CVE-2019-14973 (#1755705)
|
||||||
|
|
||||||
* Wed Jun 12 2019 Nikola Forró <nforro@redhat.com> - 4.0.9-15
|
* Wed Jun 12 2019 Nikola Forró <nforro@redhat.com> - 4.0.9-15
|
||||||
- Fix DIVIDE_BY_ZERO in patch for CVE-2018-12900 (#1595579)
|
- Fix DIVIDE_BY_ZERO in patch for CVE-2018-12900 (#1595579)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user