321421fc81
Backported upstream patch to fix buffer underflow crash in
TIFFReadRGBAImageOriented() when handling images with fewer raster
rows than requested. The patch adds verification logic to check
raster dimensions against image dimensions and adjusts accordingly.
Manual conflict resolution was required for libtiff 4.0.9
compatibility, replacing TIFFWarningExtR() with TIFFWarningExt()
to match the function signature available in this version.
CVE: CVE-2025-9900
Upstream fix: d1c0719e00.patch
Resolves: RHEL-112533
This commit was backported by Jotnar, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Jotnar
52 lines
1.9 KiB
Diff
52 lines
1.9 KiB
Diff
From 3e164d0fa9c48dbdc76620442ffbb02de9e5724e Mon Sep 17 00:00:00 2001
|
|
From: Su Laus <sulau@freenet.de>
|
|
Date: Wed, 11 Jun 2025 19:45:19 +0000
|
|
Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
|
|
rows at TIFFReadRGBAImageOriented()
|
|
|
|
---
|
|
libtiff/tif_getimage.c | 20 +++++++++++++++++---
|
|
1 file changed, 17 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
|
index 4f32b3a..70a0362 100644
|
|
--- a/libtiff/tif_getimage.c
|
|
+++ b/libtiff/tif_getimage.c
|
|
@@ -511,6 +511,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
|
|
"No \"put\" routine setupl; probably can not handle image format");
|
|
return (0);
|
|
}
|
|
+ /* Verify raster width and height against image width and height. */
|
|
+ if (h > img->height)
|
|
+ {
|
|
+ /* Adapt parameters to read only available lines and put image at
|
|
+ * the bottom of the raster. */
|
|
+ raster += (size_t)(h - img->height) * w;
|
|
+ h = img->height;
|
|
+ }
|
|
+ if (w > img->width)
|
|
+ {
|
|
+ TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif),
|
|
+ "Raster width of %d shall not be larger than image "
|
|
+ "width of %d -> raster width adapted for reading",
|
|
+ w, img->width);
|
|
+ w = img->width;
|
|
+ }
|
|
return (*img->get)(img, raster, w, h);
|
|
}
|
|
|
|
@@ -529,9 +545,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
|
|
|
|
if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
|
|
img.req_orientation = (uint16)orientation;
|
|
- /* XXX verify rwidth and rheight against width and height */
|
|
- ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
|
|
- rwidth, img.height);
|
|
+ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
|
|
TIFFRGBAImageEnd(&img);
|
|
} else {
|
|
TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
|
|
--
|
|
2.47.3
|
|
|