fix CVE-2022-1354

2022-07-05 15:14:37 +08:00 · 2022-07-05 15:14:37 +08:00 · 3c1a6f6422
commit 3c1a6f6422
parent 374ff1c4e0
2 changed files with 212 additions and 1 deletions
--- a/backport-CVE-2022-1354.patch
+++ b/backport-CVE-2022-1354.patch
@ -0,0 +1,207 @@
 From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001
 From: Even Rouault <even.rouault@spatialys.com>
 Date: Sun, 5 Dec 2021 14:37:46 +0100
 Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319)
 to avoid having the size of the strip arrays inconsistent with the
 number of strips returned by TIFFNumberOfStrips(), which may cause
 out-ouf-bounds array read afterwards.
 One of the OJPEG hack that alters SamplesPerPixel may influence the
 number of strips. Hence compute tif_dir.td_nstrips only afterwards.
 Conflict:NA
 Reference:https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798
 ---
 libtiff/tif_dirread.c | 162 ++++++++++++++++++++++--------------------
 1 file changed, 83 insertions(+), 79 deletions(-)
 diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
 index a31109a..707b3e2 100644
 --- a/libtiff/tif_dirread.c
 +++ b/libtiff/tif_dirread.c
@@ -3794,50 +3794,6 @@ TIFFReadDirectory(TIFF* tif)
 		MissingRequired(tif,"ImageLength");
 		goto bad;
 	}
 -	/*
 -	 * Setup appropriate structures (by strip or by tile)
 -	 */
 -	if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
 -		tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);  
 -		tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
 -		tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
 -		tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
 -		tif->tif_flags &= ~TIFF_ISTILED;
 -	} else {
 -		tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
 -		tif->tif_flags |= TIFF_ISTILED;
 -	}
 -	if (!tif->tif_dir.td_nstrips) {
 -		TIFFErrorExt(tif->tif_clientdata, module,
 -		    "Cannot handle zero number of %s",
 -		    isTiled(tif) ? "tiles" : "strips");
 -		goto bad;
 -	}
 -	tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
 -	if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
 -		tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
 -	if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
 -#ifdef OJPEG_SUPPORT
 -		if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
 -		    (isTiled(tif)==0) &&
 -		    (tif->tif_dir.td_nstrips==1)) {
 -			/*
 -			 * XXX: OJPEG hack.
 -			 * If a) compression is OJPEG, b) it's not a tiled TIFF,
 -			 * and c) the number of strips is 1,
 -			 * then we tolerate the absence of stripoffsets tag,
 -			 * because, presumably, all required data is in the
 -			 * JpegInterchangeFormat stream.
 -			 */
 -			TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
 -		} else
 -#endif
 -        {
 -			MissingRequired(tif,
 -				isTiled(tif) ? "TileOffsets" : "StripOffsets");
 -			goto bad;
 -		}
 -	}
 	/*
 	 * Second pass: extract other information.
 	 */
@@ -4042,41 +3998,6 @@ TIFFReadDirectory(TIFF* tif)
 			} /* -- if (!dp->tdir_ignore) */
 		} /* -- for-loop -- */
 -        if( tif->tif_mode == O_RDWR &&
 -            tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
 -            tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
 -            tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
 -            tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
 -            tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
 -            tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
 -            tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
 -            tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
 -        {
 -            /* Directory typically created with TIFFDeferStrileArrayWriting() */
 -            TIFFSetupStrips(tif);
 -        }
 -        else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
 -        {
 -            if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
 -            {
 -                if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
 -                                         tif->tif_dir.td_nstrips,
 -                                         &tif->tif_dir.td_stripoffset_p))
 -                {
 -                    goto bad;
 -                }
 -            }
 -            if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
 -            {
 -                if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
 -                                         tif->tif_dir.td_nstrips,
 -                                         &tif->tif_dir.td_stripbytecount_p))
 -                {
 -                    goto bad;
 -                }
 -            }
 -        }
 -
 	/*
 	 * OJPEG hack:
 	 * - If a) compression is OJPEG, and b) photometric tag is missing,
@@ -4147,6 +4068,88 @@ TIFFReadDirectory(TIFF* tif)
 		}
 	}
 +	/*
 +	 * Setup appropriate structures (by strip or by tile)
 +	 * We do that only after the above OJPEG hack which alters SamplesPerPixel
 +	 * and thus influences the number of strips in the separate planarconfig.
 +	 */
 +	if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
 +		tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif); 
 +		tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
 +		tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
 +		tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
 +		tif->tif_flags &= ~TIFF_ISTILED;
 +	} else {
 +		tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
 +		tif->tif_flags |= TIFF_ISTILED;
 +	}
 +	if (!tif->tif_dir.td_nstrips) {
 +		TIFFErrorExt(tif->tif_clientdata, module,
 +		    "Cannot handle zero number of %s",
 +		    isTiled(tif) ? "tiles" : "strips");
 +		goto bad;
 +	}
 +	tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
 +	if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
 +		tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
 +	if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
 +#ifdef OJPEG_SUPPORT
 +		if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
 +		    (isTiled(tif)==0) &&
 +		    (tif->tif_dir.td_nstrips==1)) {
 +			/*
 +			 * XXX: OJPEG hack.
 +			 * If a) compression is OJPEG, b) it's not a tiled TIFF,
 +			 * and c) the number of strips is 1,
 +			 * then we tolerate the absence of stripoffsets tag,
 +			 * because, presumably, all required data is in the
 +			 * JpegInterchangeFormat stream.
 +			 */
 +			TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
 +		} else
 +#endif
 +        {
 +			MissingRequired(tif,
 +				isTiled(tif) ? "TileOffsets" : "StripOffsets");
 +			goto bad;
 +		}
 +	}
 +
 +        if( tif->tif_mode == O_RDWR &&
 +            tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
 +            tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
 +            tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
 +            tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
 +            tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
 +            tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
 +            tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
 +            tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
 +        {
 +            /* Directory typically created with TIFFDeferStrileArrayWriting() */
 +            TIFFSetupStrips(tif);
 +        }
 +        else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
 +        {
 +            if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
 +            {
 +                if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
 +                                         tif->tif_dir.td_nstrips,
 +                                         &tif->tif_dir.td_stripoffset_p))
 +                {
 +                    goto bad;
 +                }
 +            }
 +            if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
 +            {
 +                if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
 +                                         tif->tif_dir.td_nstrips,
 +                                         &tif->tif_dir.td_stripbytecount_p))
 +                {
 +                    goto bad;
 +                }
 +            }
 +        }
 +
 	/*
 	 * Make sure all non-color channels are extrasamples.
 	 * If it's not the case, define them as such.
 -- 
 2.33.0
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,6 +1,6 @@
 Name:           libtiff
 Version:        4.3.0
-Release:        15
+Release:        16
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
@ -20,6 +20,7 @@ Patch6010:      backport-CVE-2022-0924.patch
 Patch6011:	backport-CVE-2022-1355.patch
 Patch6012:	backport-0001-CVE-2022-1622-CVE-2022-1623.patch
 Patch6013:	backport-0002-CVE-2022-1622-CVE-2022-1623.patch
 Patch6014:	backport-CVE-2022-1354.patch
 Patch9000:	fix-raw2tiff-floating-point-exception.patch
@ -143,6 +144,9 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html
 %changelog
 * Tue Jul 05 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 4.3.0-16
 - fix CVE-2022-1354
 * Tue Jun 14 2022 wuchaochao <cyanrose@yeah.net> - 4.3.0-15
 - fix CVE-2022-1622 and CVE-2022-1623