51 lines
1.7 KiB
Diff
51 lines
1.7 KiB
Diff
From df8410cee20798b1d63c291c1bf106e3a52d59b1 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
|
Date: Thu, 16 May 2024 14:54:52 +0200
|
|
Subject: [PATCH] (CVE-2023-52356) Merge branch 'fix_622' into 'master'
|
|
|
|
TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of col/row (fixes #622)
|
|
|
|
Closes #622
|
|
|
|
See merge request libtiff/libtiff!546
|
|
|
|
(cherry picked from commit dfacff5a84d153d7febdfcbcb341b38c1f03b34e)
|
|
---
|
|
libtiff/tif_getimage.c | 16 ++++++++++++++++
|
|
1 file changed, 16 insertions(+)
|
|
|
|
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
|
|
index 00cd5510..4f32b3a4 100644
|
|
--- a/libtiff/tif_getimage.c
|
|
+++ b/libtiff/tif_getimage.c
|
|
@@ -2929,6 +2929,14 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 row, uint32 * raster, int stop_on_error)
|
|
|
|
if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
|
|
|
|
+ if (row >= img.height)
|
|
+ {
|
|
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
|
|
+ "Invalid row passed to TIFFReadRGBAStrip().");
|
|
+ TIFFRGBAImageEnd(&img);
|
|
+ return (0);
|
|
+ }
|
|
+
|
|
img.row_offset = row;
|
|
img.col_offset = 0;
|
|
|
|
@@ -3004,6 +3012,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
|
|
return( 0 );
|
|
}
|
|
|
|
+ if (col >= img.width || row >= img.height)
|
|
+ {
|
|
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
|
|
+ "Invalid row/col passed to TIFFReadRGBATile().");
|
|
+ TIFFRGBAImageEnd(&img);
|
|
+ return (0);
|
|
+ }
|
|
+
|
|
/*
|
|
* The TIFFRGBAImageGet() function doesn't allow us to get off the
|
|
* edge of the image, even to fill an otherwise valid tile. So we
|