!49 Fix CVE-2020-24292 CVE-2020-24293 CVE-2020-24295 CVE-2021-33367 CVE-2021-40263 CVE-2021-40266 CVE-2023-47995 CVE-2023-47997

From: @wk333 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge

CVE-2020-24292.patch

@@ -0,0 +1,14 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24292.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginICO.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginICO.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginICO.cpp	2023-09-28 19:34:45.524031668 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginICO.cpp	2023-09-28 19:34:47.717009813 +0200
+@@ -301,6 +301,9 @@ LoadStandardIcon(FreeImageIO *io, fi_han
+ 	int width  = bmih.biWidth;
+ 	int height = bmih.biHeight / 2; // height == xor + and mask
+ 	unsigned bit_count = bmih.biBitCount;
++	if (bit_count != 1 && bit_count != 2 && bit_count != 4 && bit_count != 8 && bit_count != 16 && bit_count != 24 && bit_count != 32) {
++	  return NULL;
++	}
+ 	unsigned line   = CalculateLine(width, bit_count);
+ 	unsigned pitch  = CalculatePitch(line);
+ 

CVE-2020-24293.patch

@@ -0,0 +1,15 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24293.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.287014100 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.832008666 +0200
+@@ -780,6 +780,10 @@ int psdThumbnail::Read(FreeImageIO *io,
+ 		FreeImage_Unload(_dib);
+ 	}
+ 
++	if (_WidthBytes != _Width * _BitPerPixel / 8) {
++	  throw "Invalid PSD image";
++	}
++
+ 	if(_Format == 1) {
+ 		// kJpegRGB thumbnail image
+ 		_dib = FreeImage_LoadFromHandle(FIF_JPEG, io, handle);

CVE-2020-24295.patch

@@ -0,0 +1,22 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24295.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.936007630 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.940007590 +0200
+@@ -1466,6 +1466,7 @@ FIBITMAP* psdParser::ReadImageData(FreeI
+ 	const unsigned dstBpp =  (depth == 1) ? 1 : FreeImage_GetBPP(bitmap)/8;
+ 	const unsigned dstLineSize = FreeImage_GetPitch(bitmap);
+ 	BYTE* const dst_first_line = FreeImage_GetScanLine(bitmap, nHeight - 1);//<*** flipped
++	const unsigned dst_buffer_size = dstLineSize * nHeight;
+ 
+ 	BYTE* line_start = new BYTE[lineSize]; //< fileline cache
+ 
+@@ -1481,6 +1482,9 @@ FIBITMAP* psdParser::ReadImageData(FreeI
+ 				const unsigned channelOffset = GetChannelOffset(bitmap, c) * bytes;
+ 
+ 				BYTE* dst_line_start = dst_first_line + channelOffset;
++				if (channelOffset + lineSize > dst_buffer_size) {
++					throw "Invalid PSD image";
++				}
+ 				for(unsigned h = 0; h < nHeight; ++h, dst_line_start -= dstLineSize) {//<*** flipped
+ 					io->read_proc(line_start, lineSize, 1, handle);
+ 					ReadImageLine(dst_line_start, line_start, lineSize, dstBpp, bytes);

CVE-2021-33367.patch

@@ -0,0 +1,18 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-33367.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/Metadata/Exif.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp	2024-10-23 09:59:54.487770330 +0800
++++ freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp	2024-10-23 10:01:14.995770330 +0800
+@@ -720,7 +720,12 @@ jpeg_read_exif_dir(FIBITMAP *dib, const
+ 
+ 	const WORD entriesCount0th = ReadUint16(msb_order, ifd0th);
+ 	
+-	DWORD next_offset = ReadUint32(msb_order, DIR_ENTRY_ADDR(ifd0th, entriesCount0th));
++	const BYTE* de_addr = DIR_ENTRY_ADDR(ifd0th, entriesCount0th);
++	if(de_addr+4 >= (BYTE*)(dwLength + ifd0th - tiffp)) {
++		return TRUE; //< no thumbnail
++	}
++
++	DWORD next_offset = ReadUint32(msb_order, de_addr);
+ 	if((next_offset == 0) || (next_offset >= dwLength)) {
+ 		return TRUE; //< no thumbnail
+ 	}

CVE-2021-40263.patch

@@ -0,0 +1,16 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2021-40263.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:47.713009853 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:48.043006563 +0200
+@@ -2081,6 +2081,11 @@ Load(FreeImageIO *io, fi_handle handle,
+ 				uint32 tileRowSize = (uint32)TIFFTileRowSize(tif);
+ 				uint32 imageRowSize = (uint32)TIFFScanlineSize(tif);
+ 
++				if (width / tileWidth * tileRowSize * 8 > bitspersample * samplesperpixel * width) {
++				  free(tileBuffer);
++				  throw "Corrupted tiled TIFF file";
++				}
++
+ 
+ 				// In the tiff file the lines are saved from up to down 
+ 				// In a DIB the lines must be saved from down to up

CVE-2021-40266.patch

@@ -0,0 +1,15 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2021-40266.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:47.501011966 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:47.610010879 +0200
+@@ -357,6 +357,10 @@ static void
+ ReadPalette(TIFF *tiff, uint16 photometric, uint16 bitspersample, FIBITMAP *dib) {
+ 	RGBQUAD *pal = FreeImage_GetPalette(dib);
+ 
++	if (!pal) {
++	  return;
++	}
++
+ 	switch(photometric) {
+ 		case PHOTOMETRIC_MINISBLACK:	// bitmap and greyscale image types
+ 		case PHOTOMETRIC_MINISWHITE:

CVE-2023-47995.patch

@@ -0,0 +1,15 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-47995.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginJPEG.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginJPEG.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginJPEG.cpp	2024-03-10 14:22:17.818579271 +0100
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginJPEG.cpp	2024-03-10 14:22:18.776573816 +0100
+@@ -1086,6 +1086,10 @@ Load(FreeImageIO *io, fi_handle handle,
+ 
+ 			jpeg_read_header(&cinfo, TRUE);
+ 
++			if (cinfo.image_width > JPEG_MAX_DIMENSION || cinfo.image_height > JPEG_MAX_DIMENSION) {
++				throw FI_MSG_ERROR_DIB_MEMORY;
++			}
++
+ 			// step 4: set parameters for decompression
+ 
+ 			unsigned int scale_denom = 1;		// fraction by which to scale image

CVE-2023-47997.patch

@@ -0,0 +1,17 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-47997.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp	2024-03-10 14:22:18.669574426 +0100
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp	2024-03-10 14:22:18.673574403 +0100
+@@ -1435,6 +1435,12 @@ Load(FreeImageIO *io, fi_handle handle,
+ 				(int)bitspersample, (int)samplesperpixel, (int)photometric);
+ 			throw (char*)NULL;
+ 		}
++		if (planar_config == PLANARCONFIG_SEPARATE && bitspersample < 8) {
++			FreeImage_OutputMessageProc(s_format_id,
++				"Unable to handle this format: bitspersample = 8, TIFFTAG_PLANARCONFIG = PLANARCONFIG_SEPARATE"
++			);
++			throw (char*)NULL;
++		}
+ 
+ 		// ---------------------------------------------------------------------------------
+ 

freeimage.spec

@@ -4,9 +4,9 @@
 
 Name:    freeimage
 Version: 3.18.0
-Release: 11
+Release: 13
 Summary: FreeImage is a library project for developers who would like to support popular graphics image formats (PNG, JPEG, TIFF, BMP and others)
-License: GPLv2 or GPLv3 and FIPL
+License: GPLv2 or GPLv3 and FreeImage
 URL:	 https://freeimage.sourceforge.io/
 Source0: http://downloads.sourceforge.net/freeimage/FreeImage3180.zip
 
@@ -29,6 +29,15 @@ Patch10:        CVE-2020-21427-1-r1832-improved-BMP-plugin-when-working-with-mal
 Patch11:        CVE-2020-21428-r1877-improved-DDS-plugin-against-malicious-images.patch
 Patch12:        CVE-2020-21427-2-r1836-improved-BMP-plugin-when-working-with-malicious-images.patch
 Patch13:        CVE-2020-22524-r1848-improved-PFM-plugin-against-malicious-images.patch
+# https://src.fedoraproject.org/rpms/freeimage/tree/f39
+Patch14:        CVE-2020-24292.patch
+Patch15:        CVE-2020-24293.patch
+Patch16:        CVE-2020-24295.patch
+Patch17:        CVE-2021-33367.patch
+Patch18:        CVE-2021-40263.patch
+Patch19:        CVE-2021-40266.patch
+Patch20:        CVE-2023-47995.patch
+Patch21:        CVE-2023-47997.patch
 
 BuildRequires:  doxygen  gcc-c++ make jxrlib-devel libjpeg-devel libmng-devel libpng-devel libtiff-devel libwebp-devel LibRaw-devel OpenEXR-devel openjpeg2-devel
 
@@ -112,6 +121,13 @@ ldconfig -n %{buildroot}%{_libdir}
 
 
 %changelog
+* Wed Oct 23 2024 wangkai <13474090681@163.com> - 3.18.0-13
+- Fix CVE-2020-24292 CVE-2020-24293 CVE-2020-24295 CVE-2021-33367
+  CVE-2021-40263 CVE-2021-40266 CVE-2023-47995 CVE-2023-47997
+
+* Mon Aug 19 2024 xu_ping <707078654@qq.com> - 3.18.0-12
+- License compliance rectification.
+
 * Mon Dec 04 2023 wangkai <13474090681@163.com> - 3.18.0-11
 - Fix CVE-2020-21427,CVE-2020-21428,CVE-2020-22524