96 lines
3.3 KiB
Diff
96 lines
3.3 KiB
Diff
From c7c1a0e3537b692196c15ea764b789f601b15850 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Matej=20Mu=C5=BEila?= <mmuzila@redhat.com>
|
|
Date: Wed, 28 Jun 2023 14:05:50 +0200
|
|
Subject: [PATCH] (CVE-2023-26965) tiffcrop: Do not reuse input buffer for
|
|
subsequent images. Fix issue 527
|
|
|
|
Reuse of read_buff within loadImage() from previous image is quite unsafe,
|
|
because other functions (like rotateImage() etc.) reallocate that buffer with
|
|
different size without updating the local prev_readsize value.
|
|
|
|
Closes #527
|
|
|
|
(cherry picked from commit ec8ef90c1f573c9eb1f17d6a056aa0015f184acf)
|
|
---
|
|
tools/tiffcrop.c | 45 ++++++++++++++-------------------------------
|
|
1 file changed, 14 insertions(+), 31 deletions(-)
|
|
|
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
|
index c2688883..d9b91e4e 100644
|
|
--- a/tools/tiffcrop.c
|
|
+++ b/tools/tiffcrop.c
|
|
@@ -6103,9 +6103,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
|
|
uint32_t tw = 0, tl = 0; /* Tile width and length */
|
|
tmsize_t tile_rowsize = 0;
|
|
unsigned char *read_buff = NULL;
|
|
- unsigned char *new_buff = NULL;
|
|
int readunit = 0;
|
|
- static tmsize_t prev_readsize = 0;
|
|
|
|
TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
|
|
TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
|
|
@@ -6404,41 +6402,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
|
|
}
|
|
}
|
|
}
|
|
-
|
|
+
|
|
read_buff = *read_ptr;
|
|
- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
|
|
- /* outside buffer */
|
|
- if (!read_buff)
|
|
+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
|
|
+ * outside buffer */
|
|
+ /* Reuse of read_buff from previous image is quite unsafe, because other
|
|
+ * functions (like rotateImage() etc.) reallocate that buffer with different
|
|
+ * size without updating the local prev_readsize value. */
|
|
+ if (read_buff)
|
|
{
|
|
- if( buffsize > 0xFFFFFFFFU - 3 )
|
|
- {
|
|
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
|
|
- return (-1);
|
|
- }
|
|
- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
|
|
+ _TIFFfree(read_buff);
|
|
}
|
|
- else
|
|
+ if( buffsize > 0xFFFFFFFFU - 3 )
|
|
{
|
|
- if (prev_readsize < buffsize)
|
|
- {
|
|
- if( buffsize > 0xFFFFFFFFU - 3 )
|
|
- {
|
|
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
|
|
- return (-1);
|
|
- }
|
|
- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
|
|
- if (!new_buff)
|
|
- {
|
|
- free (read_buff);
|
|
- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
|
|
- }
|
|
- else
|
|
- read_buff = new_buff;
|
|
- }
|
|
+ TIFFError("loadImage", "Required read buffer size too large" );
|
|
+ return (-1);
|
|
}
|
|
+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
|
|
+
|
|
if (!read_buff)
|
|
{
|
|
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
|
|
+ TIFFError("loadImage", "Unable to allocate read buffer" );
|
|
return (-1);
|
|
}
|
|
|
|
@@ -6446,7 +6430,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
|
|
read_buff[buffsize+1] = 0;
|
|
read_buff[buffsize+2] = 0;
|
|
|
|
- prev_readsize = buffsize;
|
|
*read_ptr = read_buff;
|
|
|
|
/* N.B. The read functions used copy separate plane data into a buffer as interleaved
|