diff --git a/backport-0003-CVE-2023-6277.patch b/backport-0003-CVE-2023-6277.patch
new file mode 100644
index 0000000..b0f8690
--- /dev/null
+++ b/backport-0003-CVE-2023-6277.patch
@@ -0,0 +1,194 @@
+From 38f5b5b9f95891d2616f1df70ebcfb53690cb67c Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Wed, 29 Nov 2023 18:10:25 +0800
+Subject: [PATCH] backport patch for fix CVE-2023-6277 issue
+
+---
+ libtiff/tif_dirread.c | 129 +++++++++++++++++++++---------------------
+ 1 file changed, 66 insertions(+), 63 deletions(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index a98ea1f..b38060f 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -1308,19 +1308,22 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
+ datasize = (*count) * typesize;
+ assert((tmsize_t)datasize > 0);
+
+- /* Before allocating a huge amount of memory for corrupted files, check if
+- * size of requested memory is not greater than file size.
+- */
+- uint64_t filesize = TIFFGetFileSize(tif);
+- if (datasize > filesize)
+- {
+- TIFFWarningExtR(tif, "ReadDirEntryArray",
+- "Requested memory size for tag %d (0x%x) %" PRIu32
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated, tag not read",
+- direntry->tdir_tag, direntry->tdir_tag, datasize,
+- filesize);
+- return (TIFFReadDirEntryErrAlloc);
++ if (datasize > 100 * 1024 * 1024)
++ {
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size.
++ */
++ const uint64_t filesize = TIFFGetFileSize(tif);
++ if (datasize > filesize)
++ {
++ TIFFWarningExtR(tif, "ReadDirEntryArray",
++ "Requested memory size for tag %d (0x%x) %" PRIu32
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated, tag not read",
++ direntry->tdir_tag, direntry->tdir_tag, datasize,
++ filesize);
++ return (TIFFReadDirEntryErrAlloc);
++ }
+ }
+
+ if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
+@@ -5281,18 +5284,22 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
+ if (!_TIFFFillStrilesInternal(tif, 0))
+ return -1;
+
+- /* Before allocating a huge amount of memory for corrupted files, check if
+- * size of requested memory is not greater than file size. */
+- uint64_t filesize = TIFFGetFileSize(tif);
+- uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+- if (allocsize > filesize)
+- {
+- TIFFWarningExtR(tif, module,
+- "Requested memory size for StripByteCounts of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- return -1;
++ const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
++ uint64_t filesize = 0;
++ if (allocsize > 100 * 1024 * 1024)
++ {
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExtR(
++ tif, module,
++ "Requested memory size for StripByteCounts of %" PRIu64
++ " is greater than filesize %" PRIu64 ". Memory not allocated",
++ allocsize, filesize);
++ return -1;
++ }
+ }
+
+ if (td->td_stripbytecount_p)
+@@ -5341,6 +5348,8 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
+ return -1;
+ space += datasize;
+ }
++ if (filesize == 0)
++ filesize = TIFFGetFileSize(tif);
+ if (filesize < space)
+ /* we should perhaps return in error ? */
+ space = filesize;
+@@ -5834,20 +5843,6 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
+ dircount16 = (uint16_t)dircount64;
+ dirsize = 20;
+ }
+- /* Before allocating a huge amount of memory for corrupted files, check
+- * if size of requested memory is not greater than file size. */
+- uint64_t filesize = TIFFGetFileSize(tif);
+- uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+- if (allocsize > filesize)
+- {
+- TIFFWarningExtR(
+- tif, module,
+- "Requested memory size for TIFF directory of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated, TIFF directory not read",
+- allocsize, filesize);
+- return 0;
+- }
+ origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
+ "to read TIFF directory");
+ if (origdir == NULL)
+@@ -5971,7 +5966,7 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
+ TIFFWarningExtR(
+ tif, module,
+ "Requested memory size for TIFF directory of %" PRIu64
+- " is greather than filesize %" PRIu64
++ " is greater than filesize %" PRIu64
+ ". Memory not allocated, TIFF directory not read",
+ allocsize, filesize);
+ return 0;
+@@ -7221,19 +7216,24 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
+ return (0);
+ }
+
+- /* Before allocating a huge amount of memory for corrupted files, check
+- * if size of requested memory is not greater than file size. */
+- uint64_t filesize = TIFFGetFileSize(tif);
+- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+- if (allocsize > filesize)
++ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExtR(tif, module,
+- "Requested memory size for StripArray of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- _TIFFfreeExt(tif, data);
+- return (0);
++ /* Before allocating a huge amount of memory for corrupted files,
++ * check if size of requested memory is not greater than file size.
++ */
++ const uint64_t filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExtR(
++ tif, module,
++ "Requested memory size for StripArray of %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ _TIFFfreeExt(tif, data);
++ return (0);
++ }
+ }
+ resizeddata = (uint64_t *)_TIFFCheckMalloc(
+ tif, nstrips, sizeof(uint64_t), "for strip array");
+@@ -7338,17 +7338,20 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
+ * size of StripByteCount and StripOffset tags is not greater than
+ * file size.
+ */
+- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+- uint64_t filesize = TIFFGetFileSize(tif);
+- if (allocsize > filesize)
+- {
+- TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
+- "Requested memory size for StripByteCount and "
+- "StripOffsets %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- return;
++ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
++ if (allocsize > 100 * 1024 * 1024)
++ {
++ const uint64_t filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
++ "Requested memory size for StripByteCount and "
++ "StripOffsets %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return;
++ }
+ }
+
+ newcounts =
+--
+2.27.0
diff --git a/libtiff.spec b/libtiff.spec
index eb0940b..3237055 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,6 +1,6 @@
 Name: libtiff
 Version: 4.5.1
-Release: 3
+Release: 4
 Summary: TIFF Library and Utilities
 License: libtiff
 URL: https://www.simplesystems.org/libtiff/
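Review bot: The new `100 * 1024 * 1024` gate in TIFFReadDirEntryArrayWithLimit, EstimateStripByteCounts, TIFFFetchStripThing and allocChoppedUpStripArrays means a request of 100 MiB or less is no longer compared with the file size, so a count taken from a small malformed file still reaches the allocation that follows. Whether later code bounds it cannot be seen here, since every hunk starts and ends inside its function. The literal is repeated four times with no stated reason, and the carried-over comments still read as if the file-size check were unconditional. I would state the trade-off at each gate, for example `/* Requests up to 100 MiB are not compared with the file size; only larger ones pay for TIFFGetFileSize(). */`. Consumers that parse untrusted TIFFs and need a tighter ceiling should set one themselves with TIFFOpenOptionsSetMaxSingleMemAlloc(), where the packaged version provides it. The check touched by the hunk at -5971 in TIFFFetchDirectory stays ungated, which looks inconsistent with the other sites unless that path already has the size cheaply.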
@@ -11,6 +11,7 @@ Patch6001: backport-CVE-2023-38289.patch Patch6002: backport-CVE-2023-6228.patch Patch6003: backport-0001-CVE-2023-6277.patch Patch6004: backport-0002-CVE-2023-6277.patch +Patch6005: backport-0003-CVE-2023-6277.patch BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig @@ -130,6 +131,9 @@ find doc -name 'Makefile*' | xargs rm %exclude %{_mandir}/man1/* %changelog +* Wed Nov 29 2023 liningjie - 4.5.1-4 +- backport patch for fix CVE-2023-6277 issue + * Sat Nov 25 2023 liningjie - 4.5.1-3 - fix CVE-2023-6277