diff --git a/backport-0001-CVE-2022-1622-CVE-2022-1623.patch b/backport-0001-CVE-2022-1622-CVE-2022-1623.patch new file mode 100644 index 0000000..529766d --- /dev/null +++ b/backport-0001-CVE-2022-1622-CVE-2022-1623.patch @@ -0,0 +1,772 @@ +From 189d65779275132c86abd1e06cdab8a080645b32 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 10 Mar 2022 12:14:31 +0100 +Subject: [PATCH 1/3] tif_lzw.c: make LZW_CHECKEOS non-optional + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/318/diffs + +this is pre-patch for CVE-2022-1622 and CVE-2022-1623 +--- + libtiff/tif_lzw.c | 551 ++++++++++++++++++++++++++++++---------------- + 1 file changed, 356 insertions(+), 195 deletions(-) + +diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c +index c06aec4..c28366b 100644 +--- a/libtiff/tif_lzw.c ++++ b/libtiff/tif_lzw.c +@@ -1,6 +1,7 @@ + /* + * Copyright (c) 1988-1997 Sam Leffler + * Copyright (c) 1991-1997 Silicon Graphics, Inc. ++ * Copyright (c) 2022 Even Rouault + * + * Permission to use, copy, modify, distribute, and sell this software and + * its documentation for any purpose is hereby granted without fee, provided +@@ -36,8 +37,13 @@ + */ + #include "tif_predict.h" + ++#include + #include + ++/* Select the plausible largest natural integer type for the architecture */ ++#define SIZEOF_WORDTYPE SIZEOF_SIZE_T ++typedef size_t WordType; ++ + /* + * NB: The 5.0 spec describes a different algorithm than Aldus + * implements. Specifically, Aldus does code length transitions +@@ -52,13 +58,6 @@ + * Future revisions to the TIFF spec are expected to "clarify this issue". + */ + #define LZW_COMPAT /* include backwards compatibility code */ +-/* +- * Each strip of data is supposed to be terminated by a CODE_EOI. +- * If the following #define is included, the decoder will also +- * check for end-of-strip w/o seeing this code. This makes the +- * library more robust, but also slower. +- */ +-#define LZW_CHECKEOS /* include checks for strips w/o EOI code */ + + #define MAXCODE(n) ((1L<<(n))-1) + /* +@@ -92,7 +91,7 @@ typedef struct { + unsigned short nbits; /* # of bits/code */ + unsigned short maxcode; /* maximum code for lzw_nbits */ + unsigned short free_ent; /* next free entry in hash table */ +- unsigned long nextdata; /* next bits of i/o */ ++ WordType nextdata; /* next bits of i/o */ + long nextbits; /* # of valid bits in lzw_nextdata */ + + int rw_mode; /* preserve rw_mode from init */ +@@ -119,8 +118,10 @@ typedef struct { + typedef struct code_ent { + struct code_ent *next; + unsigned short length; /* string len, including this token */ +- unsigned char value; /* data value */ ++ /* firstchar should be placed immediately before value in this structure */ + unsigned char firstchar; /* first token of string */ ++ unsigned char value; /* data value */ ++ bool repeated; + } code_t; + + typedef int (*decodeFunc)(TIFF*, uint8_t*, tmsize_t, uint16_t); +@@ -131,10 +132,8 @@ typedef struct { + /* Decoding specific data */ + long dec_nbitsmask; /* lzw_nbits 1 bits, right adjusted */ + long dec_restart; /* restart count */ +-#ifdef LZW_CHECKEOS + uint64_t dec_bitsleft; /* available bits in raw data */ + tmsize_t old_tif_rawcc; /* value of tif_rawcc at the end of the previous TIFLZWDecode() call */ +-#endif + decodeFunc dec_decode; /* regular or backwards compatible */ + code_t* dec_codep; /* current recognized code */ + code_t* dec_oldcodep; /* previously recognized code */ +@@ -167,26 +166,6 @@ static void cl_hash(LZWCodecState*); + * LZW Decoder. + */ + +-#ifdef LZW_CHECKEOS +-/* +- * This check shouldn't be necessary because each +- * strip is suppose to be terminated with CODE_EOI. +- */ +-#define NextCode(_tif, _sp, _bp, _code, _get) { \ +- if ((_sp)->dec_bitsleft < (uint64_t)nbits) { \ +- TIFFWarningExt(_tif->tif_clientdata, module, \ +- "LZWDecode: Strip %"PRIu32" not terminated with EOI code", \ +- _tif->tif_curstrip); \ +- _code = CODE_EOI; \ +- } else { \ +- _get(_sp,_bp,_code); \ +- (_sp)->dec_bitsleft -= nbits; \ +- } \ +-} +-#else +-#define NextCode(tif, sp, bp, code, get) get(sp, bp, code) +-#endif +- + static int + LZWFixupTags(TIFF* tif) + { +@@ -236,17 +215,17 @@ LZWSetupDecode(TIFF* tif) + */ + code = 255; + do { +- sp->dec_codetab[code].value = (unsigned char)code; + sp->dec_codetab[code].firstchar = (unsigned char)code; ++ sp->dec_codetab[code].value = (unsigned char)code; ++ sp->dec_codetab[code].repeated = true; + sp->dec_codetab[code].length = 1; + sp->dec_codetab[code].next = NULL; + } while (code--); + /* +- * Zero-out the unused entries +- */ +- /* Silence false positive */ +- /* coverity[overrun-buffer-arg] */ +- _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, ++ * Zero-out the unused entries */ ++ /* Silence false positive */ ++ /* coverity[overrun-buffer-arg] */ ++ memset(&sp->dec_codetab[CODE_CLEAR], 0, + (CODE_FIRST - CODE_CLEAR) * sizeof (code_t)); + } + return (1); +@@ -316,11 +295,9 @@ LZWPreDecode(TIFF* tif, uint16_t s) + + sp->dec_restart = 0; + sp->dec_nbitsmask = MAXCODE(BITS_MIN); +-#ifdef LZW_CHECKEOS + sp->dec_bitsleft = 0; +- sp->old_tif_rawcc = 0; +-#endif +- sp->dec_free_entp = sp->dec_codetab + CODE_FIRST; ++ sp->old_tif_rawcc = 0; ++ sp->dec_free_entp = sp->dec_codetab - 1 ; // + CODE_FIRST; + /* + * Zero entries that are not yet filled in. We do + * this to guard against bogus input data that causes +@@ -328,8 +305,7 @@ LZWPreDecode(TIFF* tif, uint16_t s) + * come up with a way to safely bounds-check input codes + * while decoding then you can remove this operation. + */ +- _TIFFmemset(sp->dec_free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); +- sp->dec_oldcodep = &sp->dec_codetab[-1]; ++ sp->dec_oldcodep = &sp->dec_codetab[0]; + sp->dec_maxcodep = &sp->dec_codetab[sp->dec_nbitsmask-1]; + return (1); + } +@@ -337,24 +313,77 @@ LZWPreDecode(TIFF* tif, uint16_t s) + /* + * Decode a "hunk of data". + */ +-#define GetNextCode(sp, bp, code) { \ +- nextdata = (nextdata<<8) | *(bp)++; \ +- nextbits += 8; \ +- if (nextbits < nbits) { \ +- nextdata = (nextdata<<8) | *(bp)++; \ +- nextbits += 8; \ +- } \ +- code = (hcode_t)((nextdata >> (nextbits-nbits)) & nbitsmask); \ +- nextbits -= nbits; \ +-} ++/* Get the next 32 or 64-bit from the input data */ ++ ++#ifdef WORDS_BIGENDIAN ++# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)) ++#elif SIZEOF_WORDTYPE == 8 ++# if defined(__GNUC__) && defined(__x86_64__) ++# define GetNextData(nextdata, bp) nextdata = __builtin_bswap64(*(uint64_t*)(bp)) ++# elif defined(_M_X64) ++# define GetNextData(nextdata, bp) nextdata = _byteswap_uint64(*(uint64_t*)(bp)) ++# elif defined(__GNUC__) ++# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)); \ ++ nextdata = __builtin_bswap64(nextdata) ++# else ++# define GetNextData(nextdata, bp) nextdata = (((uint64_t)bp[0]) << 56) | \ ++ (((uint64_t)bp[1]) << 48) | \ ++ (((uint64_t)bp[2]) << 40) | \ ++ (((uint64_t)bp[3]) << 32) | \ ++ (((uint64_t)bp[4]) << 24) | \ ++ (((uint64_t)bp[5]) << 16) | \ ++ (((uint64_t)bp[6]) << 8) | \ ++ (((uint64_t)bp[7])) ++# endif ++#elif SIZEOF_WORDTYPE == 4 ++# if defined(__GNUC__) && defined(__i386__) ++# define GetNextData(nextdata, bp) nextdata = __builtin_bswap32(*(uint32_t*)(bp)) ++# elif defined(_M_X86) ++# define GetNextData(nextdata, bp) nextdata = _byteswap_ulong(*(unsigned long*)(bp)) ++# elif defined(__GNUC__) ++# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)); \ ++ nextdata = __builtin_bswap32(nextdata) ++# else ++# define GetNextData(nextdata, bp) nextdata = (((uint32_t)bp[0]) << 24) | \ ++ (((uint32_t)bp[1]) << 16) | \ ++ (((uint32_t)bp[2]) << 8) | \ ++ (((uint32_t)bp[3])) ++# endif ++#else ++# error "Unhandled SIZEOF_WORDTYPE" ++#endif + +-static void +-codeLoop(TIFF* tif, const char* module) +-{ +- TIFFErrorExt(tif->tif_clientdata, module, +- "Bogus encoding, loop in the code table; scanline %"PRIu32, +- tif->tif_row); +-} ++#define GetNextCodeLZW() do { \ ++ nextbits -= nbits; \ ++ if (nextbits < 0) { \ ++ if (dec_bitsleft >= 8 * SIZEOF_WORDTYPE) { \ ++ unsigned codetmp = (unsigned)(nextdata << (-nextbits)); \ ++ GetNextData(nextdata, bp); \ ++ bp += SIZEOF_WORDTYPE; \ ++ nextbits += 8 * SIZEOF_WORDTYPE; \ ++ dec_bitsleft -= 8 * SIZEOF_WORDTYPE; \ ++ code = (WordType)((codetmp | (nextdata >> nextbits)) & nbitsmask); \ ++ break; \ ++ } \ ++ else {\ ++ if( dec_bitsleft < 8) { \ ++ goto no_eoi; \ ++ }\ ++ nextdata = (nextdata<<8) | *(bp)++; \ ++ nextbits += 8; \ ++ dec_bitsleft -= 8; \ ++ if( nextbits < 0 ) { \ ++ if( dec_bitsleft < 8) { \ ++ goto no_eoi; \ ++ }\ ++ nextdata = (nextdata<<8) | *(bp)++; \ ++ nextbits += 8; \ ++ dec_bitsleft -= 8; \ ++ } \ ++ } \ ++ } \ ++ code = (WordType)((nextdata >> nextbits) & nbitsmask); \ ++} while(0) + + static int + LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) +@@ -363,13 +392,10 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + LZWCodecState *sp = DecoderState(tif); + char *op = (char*) op0; + long occ = (long) occ0; +- char *tp; + unsigned char *bp; +- hcode_t code; +- int len; + long nbits, nextbits, nbitsmask; +- unsigned long nextdata; +- code_t *codep, *free_entp, *maxcodep, *oldcodep; ++ WordType nextdata; ++ code_t *free_entp, *maxcodep, *oldcodep; + + (void) s; + assert(sp != NULL); +@@ -386,7 +412,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + if (sp->dec_restart) { + long residue; + +- codep = sp->dec_codep; ++ code_t* codep = sp->dec_codep; + residue = codep->length - sp->dec_restart; + if (residue > occ) { + /* +@@ -400,7 +426,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + codep = codep->next; + } while (--residue > occ && codep); + if (codep) { +- tp = op + occ; ++ uint8_t* tp = op + occ; + do { + *--tp = codep->value; + codep = codep->next; +@@ -413,7 +439,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + */ + op += residue; + occ -= residue; +- tp = op; ++ uint8_t* tp = op; + do { + int t; + --tp; +@@ -425,9 +451,8 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + } + + bp = (unsigned char *)tif->tif_rawcp; +-#ifdef LZW_CHECKEOS + sp->dec_bitsleft += (((uint64_t)tif->tif_rawcc - sp->old_tif_rawcc) << 3); +-#endif ++ uint64_t dec_bitsleft = sp->dec_bitsleft; + nbits = sp->lzw_nbits; + nextdata = sp->lzw_nextdata; + nextbits = sp->lzw_nextbits; +@@ -435,128 +460,235 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + oldcodep = sp->dec_oldcodep; + free_entp = sp->dec_free_entp; + maxcodep = sp->dec_maxcodep; ++ code_t* const dec_codetab = sp->dec_codetab; ++ code_t* codep; ++ ++ if (occ == 0) { ++ goto after_loop; ++ } ++ ++begin: ++ { ++ WordType code; ++ GetNextCodeLZW(); ++ codep = dec_codetab + code; ++ if (code >= CODE_FIRST) ++ goto code_above_or_equal_to_258; ++ if (code < 256) ++ goto code_below_256; ++ if (code == CODE_EOI) ++ goto after_loop; ++ goto code_clear; ++ ++code_below_256: ++ { ++ if (codep > free_entp) ++ goto error_code; ++ free_entp->next = oldcodep; ++ free_entp->firstchar = oldcodep->firstchar; ++ free_entp->length = oldcodep->length+1; ++ free_entp->value = (uint8_t)code; ++ free_entp->repeated = (bool)(oldcodep->repeated & !(oldcodep->value - code)); ++ if (++free_entp > maxcodep) { ++ if (++nbits > BITS_MAX) /* should not happen for a conformant encoder */ ++ nbits = BITS_MAX; ++ nbitsmask = MAXCODE(nbits); ++ maxcodep = dec_codetab + nbitsmask-1; ++ if( free_entp >= &dec_codetab[CSIZE] ) ++ { ++ /* At that point, the next valid states are either EOI or a */ ++ /* CODE_CLEAR. If a regular code is read, at the next */ ++ /* attempt at registering a new entry, we will error out */ ++ /* due to setting free_entp before any valid code */ ++ free_entp = dec_codetab - 1; ++ } ++ } ++ oldcodep = codep; ++ *op++ = (uint8_t)code; ++ occ--; ++ if (occ == 0) ++ goto after_loop; ++ goto begin; ++ } + +- while (occ > 0) { +- NextCode(tif, sp, bp, code, GetNextCode); +- if (code == CODE_EOI) +- break; +- if (code == CODE_CLEAR) { +- do { +- free_entp = sp->dec_codetab + CODE_FIRST; +- _TIFFmemset(free_entp, 0, +- (CSIZE - CODE_FIRST) * sizeof (code_t)); +- nbits = BITS_MIN; +- nbitsmask = MAXCODE(BITS_MIN); +- maxcodep = sp->dec_codetab + nbitsmask-1; +- NextCode(tif, sp, bp, code, GetNextCode); +- } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */ +- if (code == CODE_EOI) +- break; +- if (code > CODE_CLEAR) { +- TIFFErrorExt(tif->tif_clientdata, tif->tif_name, +- "LZWDecode: Corrupted LZW table at scanline %"PRIu32, +- tif->tif_row); +- return (0); +- } +- *op++ = (char)code; +- occ--; +- oldcodep = sp->dec_codetab + code; +- continue; +- } +- codep = sp->dec_codetab + code; +- +- /* +- * Add the new entry to the code table. +- */ +- if (free_entp < &sp->dec_codetab[0] || +- free_entp >= &sp->dec_codetab[CSIZE]) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "Corrupted LZW table at scanline %"PRIu32, +- tif->tif_row); +- return (0); +- } ++code_above_or_equal_to_258: ++ { ++ /* ++ * Add the new entry to the code table. ++ */ ++ ++ if (codep >= free_entp) ++ { ++ if (codep != free_entp) ++ goto error_code; ++ free_entp->value = oldcodep->firstchar; ++ } ++ else ++ { ++ free_entp->value = codep->firstchar; ++ } ++ free_entp->repeated = (bool)(oldcodep->repeated & !(oldcodep->value - free_entp->value)); ++ free_entp->next = oldcodep; ++ ++ free_entp->firstchar = oldcodep->firstchar; ++ free_entp->length = oldcodep->length+1; ++ if (++free_entp > maxcodep) { ++ if (++nbits > BITS_MAX) /* should not happen for a conformant encoder */ ++ nbits = BITS_MAX; ++ nbitsmask = MAXCODE(nbits); ++ maxcodep = dec_codetab + nbitsmask-1; ++ if (free_entp >= &dec_codetab[CSIZE]) ++ { ++ /* At that point, the next valid states are either EOI or a */ ++ /* CODE_CLEAR. If a regular code is read, at the next */ ++ /* attempt at registering a new entry, we will error out */ ++ /* due to setting free_entp before any valid code */ ++ free_entp = dec_codetab - 1; ++ } ++ } ++ oldcodep = codep; ++ ++ /* ++ * Code maps to a string, copy string ++ * value to output (written in reverse). ++ */ ++ /* tiny bit faster on x86_64 to store in unsigned short than int */ ++ unsigned short len = codep->length; ++ ++ if (len < 3) /* equivalent to len == 2 given all other conditions */ ++ { ++ if (occ <= 2) ++ { ++ if (occ == 2) ++ { ++ memcpy(op, &(codep->firstchar), 2); ++ op += 2; ++ occ -= 2; ++ goto after_loop; ++ } ++ goto too_short_buffer; ++ } + +- free_entp->next = oldcodep; +- if (free_entp->next < &sp->dec_codetab[0] || +- free_entp->next >= &sp->dec_codetab[CSIZE]) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "Corrupted LZW table at scanline %"PRIu32, +- tif->tif_row); +- return (0); +- } +- free_entp->firstchar = free_entp->next->firstchar; +- free_entp->length = free_entp->next->length+1; +- free_entp->value = (codep < free_entp) ? +- codep->firstchar : free_entp->firstchar; +- if (++free_entp > maxcodep) { +- if (++nbits > BITS_MAX) /* should not happen */ +- nbits = BITS_MAX; +- nbitsmask = MAXCODE(nbits); +- maxcodep = sp->dec_codetab + nbitsmask-1; +- } +- oldcodep = codep; +- if (code >= 256) { +- /* +- * Code maps to a string, copy string +- * value to output (written in reverse). +- */ +- if(codep->length == 0) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "Wrong length of decoded string: " +- "data probably corrupted at scanline %"PRIu32, +- tif->tif_row); +- return (0); +- } +- if (codep->length > occ) { +- /* +- * String is too long for decode buffer, +- * locate portion that will fit, copy to +- * the decode buffer, and setup restart +- * logic for the next decoding call. +- */ +- sp->dec_codep = codep; +- do { +- codep = codep->next; +- } while (codep && codep->length > occ); +- if (codep) { +- sp->dec_restart = (long)occ; +- tp = op + occ; +- do { +- *--tp = codep->value; +- codep = codep->next; +- } while (--occ && codep); +- if (codep) +- codeLoop(tif, module); +- } +- break; +- } +- len = codep->length; +- tp = op + len; +- do { +- int t; +- --tp; +- t = codep->value; +- codep = codep->next; +- *tp = (char)t; +- } while (codep && tp > op); +- if (codep) { +- codeLoop(tif, module); +- break; +- } +- assert(occ >= len); +- op += len; +- occ -= len; +- } else { +- *op++ = (char)code; +- occ--; +- } +- } ++ memcpy(op, &(codep->firstchar), 2); ++ op += 2; ++ occ -= 2; ++ goto begin; /* we can save the comparison occ > 0 */ ++ } ++ ++ if (len == 3) ++ { ++ if (occ <= 3) ++ { ++ if (occ == 3) ++ { ++ op[0] = codep->firstchar; ++ op[1] = codep->next->value; ++ op[2] = codep->value; ++ op += 3; ++ occ -= 3; ++ goto after_loop; ++ } ++ goto too_short_buffer; ++ } ++ op[0] = codep->firstchar; ++ op[1] = codep->next->value; ++ op[2] = codep->value; ++ op += 3; ++ occ -= 3; ++ goto begin; /* we can save the comparison occ > 0 */ ++ } ++ ++ if (len > occ) ++ { ++ goto too_short_buffer; ++ } ++ ++ if (codep->repeated) ++ { ++ memset(op, codep->value, len); ++ op += len; ++ occ -= len; ++ if (occ == 0) ++ goto after_loop; ++ goto begin; ++ } ++ ++ uint8_t* tp = op + len; ++ ++ assert(len >= 4); ++ ++ *--tp = codep->value; ++ codep = codep->next; ++ *--tp = codep->value; ++ codep = codep->next; ++ *--tp = codep->value; ++ codep = codep->next; ++ *--tp = codep->value; ++ if (tp > op) ++ { ++ do { ++ codep = codep->next; ++ *--tp = codep->value; ++ } while (tp > op); ++ } ++ ++ assert(occ >= len); ++ op += len; ++ occ -= len; ++ if (occ == 0) ++ goto after_loop; ++ goto begin; ++ } + ++code_clear: ++ { ++ free_entp = dec_codetab + CODE_FIRST; ++ nbits = BITS_MIN; ++ nbitsmask = MAXCODE(BITS_MIN); ++ maxcodep = dec_codetab + nbitsmask-1; ++ do { ++ GetNextCodeLZW(); ++ } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */ ++ if (code == CODE_EOI) ++ goto after_loop; ++ if (code > CODE_EOI) { ++ goto error_code; ++ } ++ *op++ = (uint8_t)code; ++ occ--; ++ oldcodep = dec_codetab + code; ++ if (occ == 0) ++ goto after_loop; ++ goto begin; ++ } ++ } ++ ++too_short_buffer: ++ { ++ /* ++ * String is too long for decode buffer, ++ * locate portion that will fit, copy to ++ * the decode buffer, and setup restart ++ * logic for the next decoding call. ++ */ ++ sp->dec_codep = codep; ++ do { ++ codep = codep->next; ++ } while (codep->length > occ); ++ ++ sp->dec_restart = occ; ++ uint8_t* tp = op + occ; ++ do { ++ *--tp = codep->value; ++ codep = codep->next; ++ } while (--occ); ++ } ++ ++after_loop: + tif->tif_rawcc -= (tmsize_t)((uint8_t*) bp - tif->tif_rawcp ); + tif->tif_rawcp = (uint8_t*) bp; +-#ifdef LZW_CHECKEOS + sp->old_tif_rawcc = tif->tif_rawcc; +-#endif ++ sp->dec_bitsleft = dec_bitsleft; + sp->lzw_nbits = (unsigned short) nbits; + sp->lzw_nextdata = nextdata; + sp->lzw_nextbits = nextbits; +@@ -572,9 +704,35 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + return (0); + } + return (1); ++ ++no_eoi: ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "LZWDecode: Strip %"PRIu32" not terminated with EOI code", ++ tif->tif_curstrip); ++ return 0; ++error_code: ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Using code not yet in table"); ++ return 0; + } + + #ifdef LZW_COMPAT ++ ++/* ++ * This check shouldn't be necessary because each ++ * strip is suppose to be terminated with CODE_EOI. ++ */ ++#define NextCode(_tif, _sp, _bp, _code, _get, dec_bitsleft) { \ ++ if (dec_bitsleft < (uint64_t)nbits) { \ ++ TIFFWarningExt(_tif->tif_clientdata, module, \ ++ "LZWDecode: Strip %"PRIu32" not terminated with EOI code", \ ++ _tif->tif_curstrip); \ ++ _code = CODE_EOI; \ ++ } else { \ ++ _get(_sp,_bp,_code); \ ++ dec_bitsleft -= nbits; \ ++ } \ ++} ++ + /* + * Decode a "hunk of data" for old images. + */ +@@ -601,7 +759,8 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + unsigned char *bp; + int code, nbits; + int len; +- long nextbits, nextdata, nbitsmask; ++ long nextbits, nbitsmask; ++ WordType nextdata; + code_t *codep, *free_entp, *maxcodep, *oldcodep; + + (void) s; +@@ -653,9 +812,10 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + } + + bp = (unsigned char *)tif->tif_rawcp; +-#ifdef LZW_CHECKEOS ++ + sp->dec_bitsleft += (((uint64_t)tif->tif_rawcc - sp->old_tif_rawcc) << 3); +-#endif ++ uint64_t dec_bitsleft = sp->dec_bitsleft; ++ + nbits = sp->lzw_nbits; + nextdata = sp->lzw_nextdata; + nextbits = sp->lzw_nextbits; +@@ -665,7 +825,7 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + maxcodep = sp->dec_maxcodep; + + while (occ > 0) { +- NextCode(tif, sp, bp, code, GetNextCodeCompat); ++ NextCode(tif, sp, bp, code, GetNextCodeCompat, dec_bitsleft); + if (code == CODE_EOI) + break; + if (code == CODE_CLEAR) { +@@ -676,7 +836,7 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask; +- NextCode(tif, sp, bp, code, GetNextCodeCompat); ++ NextCode(tif, sp, bp, code, GetNextCodeCompat, dec_bitsleft); + } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */ + if (code == CODE_EOI) + break; +@@ -772,9 +932,10 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + + tif->tif_rawcc -= (tmsize_t)((uint8_t*) bp - tif->tif_rawcp ); + tif->tif_rawcp = (uint8_t*) bp; +-#ifdef LZW_CHECKEOS ++ + sp->old_tif_rawcc = tif->tif_rawcc; +-#endif ++ sp->dec_bitsleft = dec_bitsleft; ++ + sp->lzw_nbits = (unsigned short)nbits; + sp->lzw_nextdata = nextdata; + sp->lzw_nextbits = nextbits; +@@ -893,7 +1054,7 @@ LZWEncode(TIFF* tif, uint8_t* bp, tmsize_t cc, uint16_t s) + hcode_t ent; + long disp; + long incount, outcount, checkpoint; +- unsigned long nextdata; ++ WordType nextdata; + long nextbits; + int free_ent, maxcode, nbits; + uint8_t* op; +@@ -1057,7 +1218,7 @@ LZWPostEncode(TIFF* tif) + register LZWCodecState *sp = EncoderState(tif); + uint8_t* op = tif->tif_rawcp; + long nextbits = sp->lzw_nextbits; +- unsigned long nextdata = sp->lzw_nextdata; ++ WordType nextdata = sp->lzw_nextdata; + long outcount = sp->enc_outcount; + int nbits = sp->lzw_nbits; + +-- +2.27.0 + diff --git a/backport-0001-CVE-2022-22844.patch b/backport-0001-CVE-2022-22844.patch new file mode 100644 index 0000000..1cd1069 --- /dev/null +++ b/backport-0001-CVE-2022-22844.patch @@ -0,0 +1,42 @@ +From 49b81e99704bd199a24ccce65f974cc2d78cccc4 Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Tue, 4 Jan 2022 11:01:37 +0000 +Subject: [PATCH] fixing global-buffer-overflow in tiffset + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/commit/49b81e99704bd199a24ccce65f974cc2d78cccc4 + +--- + tools/tiffset.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/tools/tiffset.c b/tools/tiffset.c +index 8c9e23c..b7badd9 100644 +--- a/tools/tiffset.c ++++ b/tools/tiffset.c +@@ -146,9 +146,19 @@ main(int argc, char* argv[]) + + arg_index++; + if (TIFFFieldDataType(fip) == TIFF_ASCII) { +- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1) +- fprintf( stderr, "Failed to set %s=%s\n", +- TIFFFieldName(fip), argv[arg_index] ); ++ if(TIFFFieldPassCount( fip )) { ++ size_t len; ++ len = (uint32_t)(strlen(argv[arg_index] + 1)); ++ if (TIFFSetField(tiff, TIFFFieldTag(fip), ++ (uint16_t)len, argv[arg_index]) != 1) ++ fprintf( stderr, "Failed to set %s=%s", ++ TIFFFieldName(fip), argv[arg_index] ); ++ } else { ++ if (TIFFSetField(tiff, TIFFFieldTag(fip), ++ argv[arg_index]) != 1) ++ fprintf( stderr, "Failed to set %s=%s", ++ TIFFFieldName(fip), argv[arg_index] ); ++ } + } else if (TIFFFieldWriteCount(fip) > 0 + || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { + int ret = 1; +-- +2.33.0 + diff --git a/backport-0001-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch b/backport-0001-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch new file mode 100644 index 0000000..98f46e1 --- /dev/null +++ b/backport-0001-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch @@ -0,0 +1,607 @@ +From e319508023580e2f70e6e626f745b5b2a1707313 Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Tue, 10 May 2022 20:03:17 +0000 +Subject: [PATCH] tiffcrop: Fix issue #330 and some more from 320 to 349 + +--- + tools/tiffcrop.c | 282 +++++++++++++++++++++++++++++++++++------------ + 1 file changed, 210 insertions(+), 72 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 77cf6ed1..791ec5e7 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -63,20 +63,24 @@ + * units when sectioning image into columns x rows + * using the -S cols:rows option. + * -X # Horizontal dimension of region to extract expressed in current +- * units ++ * units, relative to the specified origin reference 'edge' left (default for X) or right. + * -Y # Vertical dimension of region to extract expressed in current +- * units ++ * units, relative to the specified origin reference 'edge' top (default for Y) or bottom. + * -O orient Orientation for output image, portrait, landscape, auto + * -P page Page size for output image segments, eg letter, legal, tabloid, + * etc. + * -S cols:rows Divide the image into equal sized segments using cols across + * and rows down +- * -E t|l|r|b Edge to use as origin ++ * -E t|l|r|b Edge to use as origin (i.e. 'side' of the image not 'corner') ++ * top = width from left, zones from top to bottom (default) ++ * bottom = width from left, zones from bottom to top ++ * left = zones from left to right, length from top ++ * right = zones from right to left, length from top + * -m #,#,#,# Margins from edges for selection: top, left, bottom, right + * (commas separated) + * -Z #:#,#:# Zones of the image designated as zone X of Y, + * eg 1:3 would be first of three equal portions measured +- * from reference edge ++ * from reference edge (i.e. 'side' not corner) + * -N odd|even|#,#-#,#|last + * Select sequences and/or ranges of images within file + * to process. The words odd or even may be used to specify +@@ -103,10 +107,13 @@ + * selects which functions dump data, with higher numbers selecting + * lower level, scanline level routines. Debug reports a limited set + * of messages to monitor progress without enabling dump logs. ++ * ++ * Note: The (-X|-Y), -Z and -z options are mutually exclusive. ++ * In no case should the options be applied to a given selection successively. + */ + +-static char tiffcrop_version_id[] = "2.4.1"; +-static char tiffcrop_rev_date[] = "03-03-2010"; ++static char tiffcrop_version_id[] = "2.5"; ++static char tiffcrop_rev_date[] = "02-09-2022"; + + #include "tif_config.h" + #include "libport.h" +@@ -774,6 +781,9 @@ static const char usage_info[] = + " The four debug/dump options are independent, though it makes little sense to\n" + " specify a dump file without specifying a detail level.\n" + "\n" ++"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n" ++" In no case should the options be applied to a given selection successively.\n" ++"\n" + ; + + /* This function could be modified to pass starting sample offset +@@ -2121,6 +2131,15 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + /*NOTREACHED*/ + } + } ++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/ ++ char XY, Z, R; ++ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); ++ Z = (crop_data->crop_mode & CROP_ZONES); ++ R = (crop_data->crop_mode & CROP_REGIONS); ++ if ((XY && Z) || (XY && R) || (Z && R)) { ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit"); ++ exit(EXIT_FAILURE); ++ } + } /* end process_command_opts */ + + /* Start a new output file if one has not been previously opened or +@@ -2746,7 +2765,7 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols, + tsample_t count, uint32_t start, uint32_t end) + { + int i, bytes_per_sample, sindex; +- uint32_t col, dst_rowsize, bit_offset; ++ uint32_t col, dst_rowsize, bit_offset, numcols; + uint32_t src_byte /*, src_bit */; + uint8_t *src = in; + uint8_t *dst = out; +@@ -2757,6 +2776,10 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols, + return (1); + } + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamplesBytes", +@@ -2769,6 +2792,9 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + dst_rowsize = (bps * (end - start) * count) / 8; + +@@ -2812,7 +2838,7 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols, + tsample_t count, uint32_t start, uint32_t end) + { + int ready_bits = 0, sindex = 0; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint8_t maskbits = 0, matchbits = 0; + uint8_t buff1 = 0, buff2 = 0; + uint8_t *src = in; +@@ -2824,6 +2850,10 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols, + return (1); + } + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamples8bits", +@@ -2836,7 +2866,10 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } +- ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } ++ + ready_bits = 0; + maskbits = (uint8_t)-1 >> (8 - bps); + buff1 = buff2 = 0; +@@ -2889,7 +2922,7 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols, + tsample_t count, uint32_t start, uint32_t end) + { + int ready_bits = 0, sindex = 0; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint16_t maskbits = 0, matchbits = 0; + uint16_t buff1 = 0, buff2 = 0; + uint8_t bytebuff = 0; +@@ -2902,6 +2935,10 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols, + return (1); + } + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamples16bits", +@@ -2914,6 +2951,9 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + ready_bits = 0; + maskbits = (uint16_t)-1 >> (16 - bps); +@@ -2978,7 +3018,7 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols, + tsample_t count, uint32_t start, uint32_t end) + { + int ready_bits = 0, sindex = 0; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint32_t maskbits = 0, matchbits = 0; + uint32_t buff1 = 0, buff2 = 0; + uint8_t bytebuff1 = 0, bytebuff2 = 0; +@@ -2991,6 +3031,10 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols, + return (1); + } + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamples24bits", +@@ -3003,6 +3047,9 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + ready_bits = 0; + maskbits = (uint32_t)-1 >> (32 - bps); +@@ -3087,7 +3134,7 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, + tsample_t count, uint32_t start, uint32_t end) + { + int ready_bits = 0, sindex = 0 /*, shift_width = 0 */; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint32_t longbuff1 = 0, longbuff2 = 0; + uint64_t maskbits = 0, matchbits = 0; + uint64_t buff1 = 0, buff2 = 0, buff3 = 0; +@@ -3102,6 +3149,10 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, + } + + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamples32bits", +@@ -3114,6 +3165,9 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + /* shift_width = ((bps + 7) / 8) + 1; */ + ready_bits = 0; +@@ -3193,7 +3247,7 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols, + int shift) + { + int ready_bits = 0, sindex = 0; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint8_t maskbits = 0, matchbits = 0; + uint8_t buff1 = 0, buff2 = 0; + uint8_t *src = in; +@@ -3205,6 +3259,10 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols, + return (1); + } + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamplesShifted8bits", +@@ -3217,6 +3275,9 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + ready_bits = shift; + maskbits = (uint8_t)-1 >> (8 - bps); +@@ -3273,7 +3334,7 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols, + int shift) + { + int ready_bits = 0, sindex = 0; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint16_t maskbits = 0, matchbits = 0; + uint16_t buff1 = 0, buff2 = 0; + uint8_t bytebuff = 0; +@@ -3286,6 +3347,10 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols, + return (1); + } + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamplesShifted16bits", +@@ -3298,6 +3363,9 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + ready_bits = shift; + maskbits = (uint16_t)-1 >> (16 - bps); +@@ -3363,7 +3431,7 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols, + int shift) + { + int ready_bits = 0, sindex = 0; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint32_t maskbits = 0, matchbits = 0; + uint32_t buff1 = 0, buff2 = 0; + uint8_t bytebuff1 = 0, bytebuff2 = 0; +@@ -3376,6 +3444,16 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols, + return (1); + } + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ /*--- Remark, which is true for all those functions extractCongigSamplesXXX() -- ++ * The mitigation of the start/end test does not allways make sense, because the function is often called with e.g.: ++ * start = 31; end = 32; cols = 32 to extract the last column in a 32x32 sample image. ++ * If then, a worng parameter (e.g. cols = 10) is provided, the mitigated settings would be start=0; end=1. ++ * Therefore, an error message and no copy action might be the better reaction to wrong parameter configurations. ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamplesShifted24bits", +@@ -3388,6 +3466,9 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + ready_bits = shift; + maskbits = (uint32_t)-1 >> (32 - bps); +@@ -3449,7 +3530,7 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols, + buff2 = (buff2 << 8); + bytebuff2 = bytebuff1; + ready_bits -= 8; +- } ++ } + + return (0); + } /* end extractContigSamplesShifted24bits */ +@@ -3461,7 +3542,7 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, + int shift) + { + int ready_bits = 0, sindex = 0 /*, shift_width = 0 */; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint32_t longbuff1 = 0, longbuff2 = 0; + uint64_t maskbits = 0, matchbits = 0; + uint64_t buff1 = 0, buff2 = 0, buff3 = 0; +@@ -3476,6 +3557,10 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, + } + + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamplesShifted32bits", +@@ -3488,6 +3573,9 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + /* shift_width = ((bps + 7) / 8) + 1; */ + ready_bits = shift; +@@ -5429,7 +5517,7 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + { + struct offset offsets; + int i; +- int32_t test; ++ uint32_t uaux; + uint32_t seg, total, need_buff = 0; + uint32_t buffsize; + uint32_t zwidth, zlength; +@@ -5510,8 +5598,13 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + seg = crop->zonelist[j].position; + total = crop->zonelist[j].total; + +- /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */ ++ /* check for not allowed zone cases like 0:0; 4:3; or negative ones etc. and skip that input */ ++ if (crop->zonelist[j].position < 0 || crop->zonelist[j].total < 0) { ++ TIFFError("getCropOffsets", "Negative crop zone values %d:%d are not allowed, thus skipped.", crop->zonelist[j].position, crop->zonelist[j].total); ++ continue; ++ } + if (seg == 0 || total == 0 || seg > total) { ++ TIFFError("getCropOffsets", "Crop zone %d:%d is out of specification, thus skipped.", seg, total); + continue; + } + +@@ -5524,17 +5617,23 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + + crop->regionlist[i].x1 = offsets.startx + + (uint32_t)(offsets.crop_width * 1.0 * (seg - 1) / total); +- test = (int32_t)offsets.startx + +- (int32_t)(offsets.crop_width * 1.0 * seg / total); +- if (test < 1 ) +- crop->regionlist[i].x2 = 0; +- else +- { +- if (test > (int32_t)(image->width - 1)) ++ /* FAULT: IMHO in the old code here, the calculation of x2 was based on wrong assumtions. The whole image was assumed and 'endy' and 'starty' are not respected anymore!*/ ++ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */ ++ if (crop->regionlist[i].x1 > offsets.endx) { ++ crop->regionlist[i].x1 = offsets.endx; ++ } else if (crop->regionlist[i].x1 >= image->width) { ++ crop->regionlist[i].x1 = image->width - 1; ++ } ++ ++ crop->regionlist[i].x2 = offsets.startx + (uint32_t)(offsets.crop_width * 1.0 * seg / total); ++ if (crop->regionlist[i].x2 > 0) crop->regionlist[i].x2 = crop->regionlist[i].x2 - 1; ++ if (crop->regionlist[i].x2 < crop->regionlist[i].x1) { ++ crop->regionlist[i].x2 = crop->regionlist[i].x1; ++ } else if (crop->regionlist[i].x2 > offsets.endx) { ++ crop->regionlist[i].x2 = offsets.endx; ++ } else if (crop->regionlist[i].x2 >= image->width) { + crop->regionlist[i].x2 = image->width - 1; +- else +- crop->regionlist[i].x2 = test - 1; +- } ++ } + zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; + + /* This is passed to extractCropZone or extractCompositeZones */ +@@ -5549,22 +5648,27 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + crop->regionlist[i].x1 = offsets.startx; + crop->regionlist[i].x2 = offsets.endx; + +- test = offsets.endy - (uint32_t)(offsets.crop_length * 1.0 * seg / total); +- if (test < 1 ) +- crop->regionlist[i].y1 = 0; +- else +- crop->regionlist[i].y1 = test + 1; ++ /* FAULT: IMHO in the old code here, the calculation of y1/y2 was based on wrong assumtions. The whole image was assumed and 'endy' and 'starty' are not respected anymore!*/ ++ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */ ++ uaux = (uint32_t)(offsets.crop_length * 1.0 * seg / total); ++ if (uaux <= offsets.endy + 1) { ++ crop->regionlist[i].y1 = offsets.endy - uaux + 1; ++ } else { ++ crop->regionlist[i].y1 = 0; ++ } ++ if (crop->regionlist[i].y1 < offsets.starty) { ++ crop->regionlist[i].y1 = offsets.starty; ++ } + +- test = offsets.endy - (offsets.crop_length * 1.0 * (seg - 1) / total); +- if (test < 1 ) +- crop->regionlist[i].y2 = 0; +- else +- { +- if (test > (int32_t)(image->length - 1)) +- crop->regionlist[i].y2 = image->length - 1; +- else +- crop->regionlist[i].y2 = test; +- } ++ uaux = (uint32_t)(offsets.crop_length * 1.0 * (seg - 1) / total); ++ if (uaux <= offsets.endy) { ++ crop->regionlist[i].y2 = offsets.endy - uaux; ++ } else { ++ crop->regionlist[i].y2 = 0; ++ } ++ if (crop->regionlist[i].y2 < offsets.starty) { ++ crop->regionlist[i].y2 = offsets.starty; ++ } + zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; + + /* This is passed to extractCropZone or extractCompositeZones */ +@@ -5575,32 +5679,42 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + crop->combined_width = (uint32_t)zwidth; + break; + case EDGE_RIGHT: /* zones from right to left, length from top */ +- zlength = offsets.crop_length; +- crop->regionlist[i].y1 = offsets.starty; +- crop->regionlist[i].y2 = offsets.endy; +- +- crop->regionlist[i].x1 = offsets.startx + +- (uint32_t)(offsets.crop_width * (total - seg) * 1.0 / total); +- test = offsets.startx + +- (offsets.crop_width * (total - seg + 1) * 1.0 / total); +- if (test < 1 ) +- crop->regionlist[i].x2 = 0; +- else +- { +- if (test > (int32_t)(image->width - 1)) +- crop->regionlist[i].x2 = image->width - 1; +- else +- crop->regionlist[i].x2 = test - 1; +- } +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ zlength = offsets.crop_length; ++ crop->regionlist[i].y1 = offsets.starty; ++ crop->regionlist[i].y2 = offsets.endy; ++ ++ crop->regionlist[i].x1 = offsets.startx + ++ (uint32_t)(offsets.crop_width * (total - seg) * 1.0 / total); ++ /* FAULT: IMHO from here on, the calculation of y2 are based on wrong assumtions. The whole image is assumed and 'endy' and 'starty' are not respected anymore!*/ ++ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */ ++ uaux = (uint32_t)(offsets.crop_width * 1.0 * seg / total); ++ if (uaux <= offsets.endx + 1) { ++ crop->regionlist[i].x1 = offsets.endx - uaux + 1; ++ } else { ++ crop->regionlist[i].x1 = 0; ++ } ++ if (crop->regionlist[i].x1 < offsets.startx) { ++ crop->regionlist[i].x1 = offsets.startx; ++ } + +- /* This is passed to extractCropZone or extractCompositeZones */ +- crop->combined_length = (uint32_t)zlength; +- if (crop->exp_mode == COMPOSITE_IMAGES) +- crop->combined_width += (uint32_t)zwidth; +- else +- crop->combined_width = (uint32_t)zwidth; +- break; ++ uaux = (uint32_t)(offsets.crop_width * 1.0 * (seg - 1) / total); ++ if (uaux <= offsets.endx) { ++ crop->regionlist[i].x2 = offsets.endx - uaux; ++ } else { ++ crop->regionlist[i].x2 = 0; ++ } ++ if (crop->regionlist[i].x2 < offsets.startx) { ++ crop->regionlist[i].x2 = offsets.startx; ++ } ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ ++ /* This is passed to extractCropZone or extractCompositeZones */ ++ crop->combined_length = (uint32_t)zlength; ++ if (crop->exp_mode == COMPOSITE_IMAGES) ++ crop->combined_width += (uint32_t)zwidth; ++ else ++ crop->combined_width = (uint32_t)zwidth; ++ break; + case EDGE_TOP: /* width from left, zones from top to bottom */ + default: + zwidth = offsets.crop_width; +@@ -5608,6 +5722,14 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + crop->regionlist[i].x2 = offsets.endx; + + crop->regionlist[i].y1 = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * (seg - 1) / total); ++ if (crop->regionlist[i].y1 > offsets.endy) { ++ crop->regionlist[i].y1 = offsets.endy; ++ } else if (crop->regionlist[i].y1 >= image->length) { ++ crop->regionlist[i].y1 = image->length - 1; ++ } ++ ++ /* FAULT: IMHO from here on, the calculation of y2 are based on wrong assumtions. The whole image is assumed and 'endy' and 'starty' are not respected anymore!*/ ++ /* OLD Code: + test = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * seg / total); + if (test < 1 ) + crop->regionlist[i].y2 = 0; +@@ -5618,6 +5740,18 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + else + crop->regionlist[i].y2 = test - 1; + } ++ */ ++ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */ ++ crop->regionlist[i].y2 = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * seg / total); ++ if (crop->regionlist[i].y2 > 0)crop->regionlist[i].y2 = crop->regionlist[i].y2 - 1; ++ if (crop->regionlist[i].y2 < crop->regionlist[i].y1) { ++ crop->regionlist[i].y2 = crop->regionlist[i].y1; ++ } else if (crop->regionlist[i].y2 > offsets.endy) { ++ crop->regionlist[i].y2 = offsets.endy; ++ } else if (crop->regionlist[i].y2 >= image->length) { ++ crop->regionlist[i].y2 = image->length - 1; ++ } ++ + zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; + + /* This is passed to extractCropZone or extractCompositeZones */ +@@ -7551,7 +7685,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + total_width = total_length = 0; + for (i = 0; i < crop->selections; i++) + { +- cropsize = crop->bufftotal; ++ ++ cropsize = crop->bufftotal; + crop_buff = seg_buffs[i].buffer; + if (!crop_buff) + crop_buff = (unsigned char *)limitMalloc(cropsize); +@@ -7640,6 +7775,9 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { ++ /* rotateImage() changes image->width, ->length, ->xres and ->yres, what it schouldn't do here, when more than one section is processed. ++ * ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !! ++ */ + if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, + &crop->regionlist[i].length, &crop_buff)) + { +@@ -7655,8 +7793,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8) + * image->spp) * crop->regionlist[i].length; + } +- } +- } ++ } /* for crop->selections loop */ ++ } /* Separated Images (else case) */ + return (0); + } /* end processCropSelections */ + +-- +GitLab diff --git a/backport-0001-CVE-2022-3570-CVE-2022-3598.patch b/backport-0001-CVE-2022-3570-CVE-2022-3598.patch new file mode 100644 index 0000000..5842711 --- /dev/null +++ b/backport-0001-CVE-2022-3570-CVE-2022-3598.patch @@ -0,0 +1,49 @@ +From fc3e3a202d65e4b0f42a63c8001324b2a7fae88b Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Mon, 27 Sep 2021 18:42:22 +0200 +Subject: [PATCH] tiffcrop.c: remove useless 'set but not read' variables + +--- + tools/tiffcrop.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index b85c2ce7..0da31577 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -1177,7 +1177,6 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, + tstrip_t strip = 0; + tsize_t stripsize = TIFFStripSize(out); + tsize_t rowstripsize, scanlinesize = TIFFScanlineSize(out); +- tsize_t total_bytes = 0; + tdata_t obuf; + + (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); +@@ -1215,7 +1214,6 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, + + stripsize = TIFFVStripSize(out, nrows); + src = buf + (row * rowsize); +- total_bytes += stripsize; + memset (obuf, '\0', rowstripsize); + if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump)) + { +@@ -2710,7 +2708,7 @@ static void dump_info(FILE *dumpfile, int format, char *prefix, char *msg, ...) + static int dump_buffer (FILE* dumpfile, int format, uint32_t rows, uint32_t width, + uint32_t row, unsigned char *buff) + { +- int j, k; ++ int k; + uint32_t i; + unsigned char * dump_ptr; + +@@ -2728,7 +2726,7 @@ static int dump_buffer (FILE* dumpfile, int format, uint32_t rows, uint32_t widt + "Row %4"PRIu32", %"PRIu32" bytes at offset %"PRIu32, + row + i + 1u, width, row * width); + +- for (j = 0, k = width; k >= 10; j += 10, k -= 10, dump_ptr += 10) ++ for (k = width; k >= 10; k -= 10, dump_ptr += 10) + dump_data (dumpfile, format, "", dump_ptr, 10); + if (k > 0) + dump_data (dumpfile, format, "", dump_ptr, k); +-- +GitLab diff --git a/backport-0002-CVE-2022-1622-CVE-2022-1623.patch b/backport-0002-CVE-2022-1622-CVE-2022-1623.patch new file mode 100644 index 0000000..bad52c4 --- /dev/null +++ b/backport-0002-CVE-2022-1622-CVE-2022-1623.patch @@ -0,0 +1,56 @@ +From b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Fri, 22 Apr 2022 18:58:52 +0200 +Subject: [PATCH] tif_lzw.c: fix potential out-of-bounds error when trying to + read in the same tile/strip after an error has occured (fixes #410) + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a +--- + libtiff/tif_lzw.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c +index c28366b..1f255d9 100644 +--- a/libtiff/tif_lzw.c ++++ b/libtiff/tif_lzw.c +@@ -140,6 +140,7 @@ typedef struct { + code_t* dec_free_entp; /* next free entry */ + code_t* dec_maxcodep; /* max available entry */ + code_t* dec_codetab; /* kept separate for small machines */ ++ int read_error; /* whether a read error has occured, and which should cause further reads in the same strip/tile to be aborted */ + + /* Encoding specific data */ + int enc_oldcode; /* last code encountered */ +@@ -307,6 +308,7 @@ LZWPreDecode(TIFF* tif, uint16_t s) + */ + sp->dec_oldcodep = &sp->dec_codetab[0]; + sp->dec_maxcodep = &sp->dec_codetab[sp->dec_nbitsmask-1]; ++ sp->read_error = 0; + return (1); + } + +@@ -399,7 +401,11 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + + (void) s; + assert(sp != NULL); +- assert(sp->dec_codetab != NULL); ++ assert(sp->dec_codetab != NULL); ++ ++ if (sp->read_error) { ++ return 0; ++ } + + /* + Fail if value does not fit in long. +@@ -711,6 +717,7 @@ no_eoi: + tif->tif_curstrip); + return 0; + error_code: ++ sp->read_error = 1; + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Using code not yet in table"); + return 0; + } +-- +2.27.0 + diff --git a/backport-0002-CVE-2022-22844.patch b/backport-0002-CVE-2022-22844.patch new file mode 100644 index 0000000..015de92 --- /dev/null +++ b/backport-0002-CVE-2022-22844.patch @@ -0,0 +1,39 @@ +From 0cf67888e32e36b45828dd467920684c93f2b22d Mon Sep 17 00:00:00 2001 +From: Timothy Lyanguzov +Date: Tue, 25 Jan 2022 04:27:28 +0000 +Subject: [PATCH] Apply 4 suggestion(s) to 1 file(s) + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/commit/0cf67888e32e36b45828dd467920684c93f2b22d + +--- + tools/tiffset.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/tiffset.c b/tools/tiffset.c +index b7badd9..b8b52c0 100644 +--- a/tools/tiffset.c ++++ b/tools/tiffset.c +@@ -148,15 +148,15 @@ main(int argc, char* argv[]) + if (TIFFFieldDataType(fip) == TIFF_ASCII) { + if(TIFFFieldPassCount( fip )) { + size_t len; +- len = (uint32_t)(strlen(argv[arg_index] + 1)); +- if (TIFFSetField(tiff, TIFFFieldTag(fip), ++ len = strlen(argv[arg_index] + 1); ++ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip), + (uint16_t)len, argv[arg_index]) != 1) +- fprintf( stderr, "Failed to set %s=%s", ++ fprintf( stderr, "Failed to set %s=%s\n", + TIFFFieldName(fip), argv[arg_index] ); + } else { + if (TIFFSetField(tiff, TIFFFieldTag(fip), + argv[arg_index]) != 1) +- fprintf( stderr, "Failed to set %s=%s", ++ fprintf( stderr, "Failed to set %s=%s\n", + TIFFFieldName(fip), argv[arg_index] ); + } + } else if (TIFFFieldWriteCount(fip) > 0 +-- +2.33.0 + diff --git a/backport-0002-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch b/backport-0002-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch new file mode 100644 index 0000000..a967734 --- /dev/null +++ b/backport-0002-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch @@ -0,0 +1,131 @@ +From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Mon, 15 Aug 2022 22:11:03 +0200 +Subject: [PATCH 1/2] =?UTF-8?q?According=20to=20Richard=20Nolde=20https://?= + =?UTF-8?q?gitlab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the?= + =?UTF-8?q?=20tiffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutua?= + =?UTF-8?q?lly=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),?= + =?UTF-8?q?=20-Z=20and=20-z.?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is now checked and ends tiffcrop if those arguments are not mutually exclusive. + +This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424 +--- + tools/tiffcrop.c | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 90286a5e..c3b758ec 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -108,12 +108,12 @@ + * lower level, scanline level routines. Debug reports a limited set + * of messages to monitor progress without enabling dump logs. + * +- * Note: The (-X|-Y), -Z and -z options are mutually exclusive. ++ * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive. + * In no case should the options be applied to a given selection successively. + */ + +-static char tiffcrop_version_id[] = "2.5"; +-static char tiffcrop_rev_date[] = "02-09-2022"; ++static char tiffcrop_version_id[] = "2.5.1"; ++static char tiffcrop_rev_date[] = "15-08-2022"; + + #include "tif_config.h" + #include "libport.h" +@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022"; + #define ROTATECW_270 32 + #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270) + +-#define CROP_NONE 0 +-#define CROP_MARGINS 1 +-#define CROP_WIDTH 2 +-#define CROP_LENGTH 4 +-#define CROP_ZONES 8 +-#define CROP_REGIONS 16 ++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */ ++#define CROP_MARGINS 1 /* "-m" */ ++#define CROP_WIDTH 2 /* "-X" */ ++#define CROP_LENGTH 4 /* "-Y" */ ++#define CROP_ZONES 8 /* "-Z" */ ++#define CROP_REGIONS 16 /* "-z" */ + #define CROP_ROTATE 32 + #define CROP_MIRROR 64 + #define CROP_INVERT 128 +@@ -316,7 +316,7 @@ struct crop_mask { + #define PAGE_MODE_RESOLUTION 1 + #define PAGE_MODE_PAPERSIZE 2 + #define PAGE_MODE_MARGINS 4 +-#define PAGE_MODE_ROWSCOLS 8 ++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */ + + #define INVERT_DATA_ONLY 10 + #define INVERT_DATA_AND_TAG 11 +@@ -781,7 +781,7 @@ static const char usage_info[] = + " The four debug/dump options are independent, though it makes little sense to\n" + " specify a dump file without specifying a detail level.\n" + "\n" +-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n" ++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n" + " In no case should the options be applied to a given selection successively.\n" + "\n" + ; +@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + /*NOTREACHED*/ + } + } +- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/ +- char XY, Z, R; ++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ ++ char XY, Z, R, S; + XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); + Z = (crop_data->crop_mode & CROP_ZONES); + R = (crop_data->crop_mode & CROP_REGIONS); +- if ((XY && Z) || (XY && R) || (Z && R)) { +- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit"); ++ S = (page->mode & PAGE_MODE_ROWSCOLS); ++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); + exit(EXIT_FAILURE); + } + } /* end process_command_opts */ +-- +GitLab + + +From bad48e90b410df32172006c7876da449ba62cdba Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 20 Aug 2022 23:35:26 +0200 +Subject: [PATCH 2/2] tiffcrop -S option: Make decision simpler. + +--- + tools/tiffcrop.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index c3b758ec..8fd856dc 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -2133,11 +2133,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + } + /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ + char XY, Z, R, S; +- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); +- Z = (crop_data->crop_mode & CROP_ZONES); +- R = (crop_data->crop_mode & CROP_REGIONS); +- S = (page->mode & PAGE_MODE_ROWSCOLS); +- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { ++ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0; ++ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0; ++ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; ++ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; ++ if (XY + Z + R + S > 1) { + TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); + exit(EXIT_FAILURE); + } +-- +GitLab diff --git a/backport-0002-CVE-2022-3570-CVE-2022-3598.patch b/backport-0002-CVE-2022-3570-CVE-2022-3598.patch new file mode 100644 index 0000000..2d9fc59 --- /dev/null +++ b/backport-0002-CVE-2022-3570-CVE-2022-3598.patch @@ -0,0 +1,34 @@ +From aac006e5796437f1729b1284fbfa506b2b730aff Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Sat, 19 Feb 2022 16:08:15 +0000 +Subject: [PATCH] tiffcrop: buffsize check formula in loadImage() amended + (fixes #273,#275) + +--- + tools/tiffcrop.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index e4a08ca9..f2e5474a 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -6153,9 +6153,15 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + TIFFError("loadImage", "Integer overflow detected."); + exit(EXIT_FAILURE); + } +- if (buffsize < (uint32_t) (((length * width * spp * bps) + 7) / 8)) ++ /* The buffsize_check and the possible adaptation of buffsize ++ * has to account also for padding of each line to a byte boundary. ++ * This is assumed by mirrorImage() and rotateImage(). ++ * Otherwise buffer-overflow might occur there. ++ */ ++ buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8); ++ if (buffsize < buffsize_check) + { +- buffsize = ((length * width * spp * bps) + 7) / 8; ++ buffsize = buffsize_check; + #ifdef DEBUG2 + TIFFError("loadImage", + "Stripsize %"PRIu32" is too small, using imagelength * width * spp * bps / 8 = %"PRIu32, +-- +GitLab diff --git a/backport-0003-CVE-2022-22844.patch b/backport-0003-CVE-2022-22844.patch new file mode 100644 index 0000000..bb5b5c3 --- /dev/null +++ b/backport-0003-CVE-2022-22844.patch @@ -0,0 +1,28 @@ +From 0a827a985f891d6df481a6f581c723640fad7874 Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Tue, 25 Jan 2022 04:30:38 +0000 +Subject: [PATCH] fix a small typo in strlen + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/commit/0a827a985f891d6df481a6f581c723640fad7874 + +--- + tools/tiffset.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/tiffset.c b/tools/tiffset.c +index b8b52c0..e7a88c0 100644 +--- a/tools/tiffset.c ++++ b/tools/tiffset.c +@@ -148,7 +148,7 @@ main(int argc, char* argv[]) + if (TIFFFieldDataType(fip) == TIFF_ASCII) { + if(TIFFFieldPassCount( fip )) { + size_t len; +- len = strlen(argv[arg_index] + 1); ++ len = strlen(argv[arg_index]) + 1; + if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip), + (uint16_t)len, argv[arg_index]) != 1) + fprintf( stderr, "Failed to set %s=%s\n", +-- +2.33.0 + diff --git a/backport-0003-CVE-2022-3570-CVE-2022-3598.patch b/backport-0003-CVE-2022-3570-CVE-2022-3598.patch new file mode 100644 index 0000000..2791a04 --- /dev/null +++ b/backport-0003-CVE-2022-3570-CVE-2022-3598.patch @@ -0,0 +1,659 @@ +From afd7086090dafd3949afd172822cbcec4ed17d56 Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Thu, 13 Oct 2022 14:33:27 +0000 +Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271, + #381, #386, #388, #389, #435) + +--- + tools/tiffcrop.c | 209 ++++++++++++++++++++++++++--------------------- + 1 file changed, 118 insertions(+), 91 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 41a2ea36..deab5feb 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -114,8 +114,8 @@ + * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. + */ + +-static char tiffcrop_version_id[] = "2.5.3"; +-static char tiffcrop_rev_date[] = "26-08-2022"; ++static char tiffcrop_version_id[] = "2.5.4"; ++static char tiffcrop_rev_date[] = "27-08-2022"; + + #include "tif_config.h" + #include "libport.h" +@@ -212,6 +212,10 @@ static char tiffcrop_rev_date[] = "26-08-2022"; + + #define TIFF_DIR_MAX 65534 + ++/* Some conversion subroutines require image buffers, which are at least 3 bytes ++ * larger than the necessary size for the image itself. */ ++#define NUM_BUFF_OVERSIZE_BYTES 3 ++ + /* Offsets into buffer for margins and fixed width and length segments */ + struct offset { + uint32_t tmargin; +@@ -233,7 +237,7 @@ struct offset { + */ + + struct buffinfo { +- uint32_t size; /* size of this buffer */ ++ size_t size; /* size of this buffer */ + unsigned char *buffer; /* address of the allocated buffer */ + }; + +@@ -810,8 +814,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, + uint32_t dst_rowsize, shift_width; + uint32_t bytes_per_sample, bytes_per_pixel; + uint32_t trailing_bits, prev_trailing_bits; +- uint32_t tile_rowsize = TIFFTileRowSize(in); +- uint32_t src_offset, dst_offset; ++ tmsize_t tile_rowsize = TIFFTileRowSize(in); ++ tmsize_t src_offset, dst_offset; + uint32_t row_offset, col_offset; + uint8_t *bufp = (uint8_t*) buf; + unsigned char *src = NULL; +@@ -861,7 +865,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, + TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); + exit(EXIT_FAILURE); + } +- tilebuf = limitMalloc(tile_buffsize + 3); ++ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); + if (tilebuf == 0) + return 0; + tilebuf[tile_buffsize] = 0; +@@ -1024,7 +1028,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf, + for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++) + { + srcbuffs[sample] = NULL; +- tbuff = (unsigned char *)limitMalloc(tilesize + 8); ++ tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES); + if (!tbuff) + { + TIFFError ("readSeparateTilesIntoBuffer", +@@ -1217,7 +1221,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, + } + rowstripsize = rowsperstrip * bytes_per_sample * (width + 1); + +- obuf = limitMalloc (rowstripsize); ++ /* Add 3 padding bytes for extractContigSamples32bits */ ++ obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES); + if (obuf == NULL) + return 1; + +@@ -1229,7 +1234,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, + + stripsize = TIFFVStripSize(out, nrows); + src = buf + (row * rowsize); +- memset (obuf, '\0', rowstripsize); ++ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES); + if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump)) + { + _TIFFfree(obuf); +@@ -1237,10 +1242,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, + } + if ((dump->outfile != NULL) && (dump->level == 1)) + { +- dump_info(dump->outfile, dump->format,"", ++ if (scanlinesize > 0x0ffffffffULL) { ++ dump_info(dump->infile, dump->format, "loadImage", ++ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", ++ scanlinesize); ++ } ++ dump_info(dump->outfile, dump->format,"", + "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d", +- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf); +- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf); ++ s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf); ++ dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf); + } + + if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) +@@ -1267,7 +1277,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng + uint32_t tl, tw; + uint32_t row, col, nrow, ncol; + uint32_t src_rowsize, col_offset; +- uint32_t tile_rowsize = TIFFTileRowSize(out); ++ tmsize_t tile_rowsize = TIFFTileRowSize(out); + uint8_t* bufp = (uint8_t*) buf; + tsize_t tile_buffsize = 0; + tsize_t tilesize = TIFFTileSize(out); +@@ -1310,9 +1320,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng + } + src_rowsize = ((imagewidth * spp * bps) + 7U) / 8; + +- tilebuf = limitMalloc(tile_buffsize); ++ /* Add 3 padding bytes for extractContigSamples32bits */ ++ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); + if (tilebuf == 0) + return 1; ++ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); + for (row = 0; row < imagelength; row += tl) + { + nrow = (row + tl > imagelength) ? imagelength - row : tl; +@@ -1358,7 +1370,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele + uint32_t imagewidth, tsample_t spp, + struct dump_opts * dump) + { +- tdata_t obuf = limitMalloc(TIFFTileSize(out)); ++ /* Add 3 padding bytes for extractContigSamples32bits */ ++ tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); + uint32_t tl, tw; + uint32_t row, col, nrow, ncol; + uint32_t src_rowsize, col_offset; +@@ -1368,6 +1381,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele + + if (obuf == NULL) + return 1; ++ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); + + if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || + !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || +@@ -1793,14 +1807,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + + *opt_offset = '\0'; + /* convert option to lowercase */ +- end = strlen (opt_ptr); ++ end = (unsigned int)strlen (opt_ptr); + for (i = 0; i < end; i++) + *(opt_ptr + i) = tolower((int) *(opt_ptr + i)); + /* Look for dump format specification */ + if (strncmp(opt_ptr, "for", 3) == 0) + { + /* convert value to lowercase */ +- end = strlen (opt_offset + 1); ++ end = (unsigned int)strlen (opt_offset + 1); + for (i = 1; i <= end; i++) + *(opt_offset + i) = tolower((int) *(opt_offset + i)); + /* check dump format value */ +@@ -2273,6 +2287,8 @@ main(int argc, char* argv[]) + size_t length; + char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */ + ++ assert(NUM_BUFF_OVERSIZE_BYTES >= 3); ++ + little_endian = *((unsigned char *)&little_endian) & '1'; + + initImageData(&image); +@@ -3227,13 +3243,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, + /* If we have a full buffer's worth, write it out */ + if (ready_bits >= 32) + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -3642,13 +3658,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, + } + else /* If we have a full buffer's worth, write it out */ + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -3825,10 +3841,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3 + static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf) + { + uint8_t* bufp = buf; +- int32_t bytes_read = 0; ++ tmsize_t bytes_read = 0; + uint32_t strip, nstrips = TIFFNumberOfStrips(in); +- uint32_t stripsize = TIFFStripSize(in); +- uint32_t rows = 0; ++ tmsize_t stripsize = TIFFStripSize(in); ++ tmsize_t rows = 0; + uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); + tsize_t scanline_size = TIFFScanlineSize(in); + +@@ -3841,11 +3857,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf) + bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1); + rows = bytes_read / scanline_size; + if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize)) +- TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32, ++ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64, + strip + 1, bytes_read, stripsize); + + if (bytes_read < 0 && !ignore) { +- TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows", ++ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows", + strip, rows); + return 0; + } +@@ -4310,13 +4326,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, + /* If we have a full buffer's worth, write it out */ + if (ready_bits >= 32) + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -4359,10 +4375,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, + "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", + row + 1, col + 1, src_byte, src_bit, dst - out); + +- dump_long (dumpfile, format, "Match bits ", matchbits); ++ dump_wide (dumpfile, format, "Match bits ", matchbits); + dump_data (dumpfile, format, "Src bits ", src, 4); +- dump_long (dumpfile, format, "Buff1 bits ", buff1); +- dump_long (dumpfile, format, "Buff2 bits ", buff2); ++ dump_wide (dumpfile, format, "Buff1 bits ", buff1); ++ dump_wide (dumpfile, format, "Buff2 bits ", buff2); + dump_byte (dumpfile, format, "Write bits1", bytebuff1); + dump_byte (dumpfile, format, "Write bits2", bytebuff2); + dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); +@@ -4835,13 +4851,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, + /* If we have a full buffer's worth, write it out */ + if (ready_bits >= 32) + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -4884,10 +4900,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, + "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", + row + 1, col + 1, src_byte, src_bit, dst - out); + +- dump_long (dumpfile, format, "Match bits ", matchbits); ++ dump_wide (dumpfile, format, "Match bits ", matchbits); + dump_data (dumpfile, format, "Src bits ", src, 4); +- dump_long (dumpfile, format, "Buff1 bits ", buff1); +- dump_long (dumpfile, format, "Buff2 bits ", buff2); ++ dump_wide (dumpfile, format, "Buff1 bits ", buff1); ++ dump_wide (dumpfile, format, "Buff2 bits ", buff2); + dump_byte (dumpfile, format, "Write bits1", bytebuff1); + dump_byte (dumpfile, format, "Write bits2", bytebuff2); + dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); +@@ -4910,7 +4926,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt + { + int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; + uint32_t j; +- int32_t bytes_read = 0; ++ tmsize_t bytes_read = 0; + uint16_t bps = 0, planar; + uint32_t nstrips; + uint32_t strips_per_sample; +@@ -4976,7 +4992,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + srcbuffs[s] = NULL; +- buff = limitMalloc(stripsize + 3); ++ buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES); + if (!buff) + { + TIFFError ("readSeparateStripsIntoBuffer", +@@ -4999,7 +5015,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt + buff = srcbuffs[s]; + strip = (s * strips_per_sample) + j; + bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize); +- rows_this_strip = bytes_read / src_rowsize; ++ rows_this_strip = (uint32_t)(bytes_read / src_rowsize); + if (bytes_read < 0 && !ignore) + { + TIFFError(TIFFFileName(in), +@@ -6062,13 +6078,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + uint16_t input_compression = 0, input_photometric = 0; + uint16_t subsampling_horiz, subsampling_vert; + uint32_t width = 0, length = 0; +- uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0; ++ tmsize_t stsize = 0, tlsize = 0, buffsize = 0; ++ tmsize_t scanlinesize = 0; + uint32_t tw = 0, tl = 0; /* Tile width and length */ +- uint32_t tile_rowsize = 0; ++ tmsize_t tile_rowsize = 0; + unsigned char *read_buff = NULL; + unsigned char *new_buff = NULL; + int readunit = 0; +- static uint32_t prev_readsize = 0; ++ static tmsize_t prev_readsize = 0; + + TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); + TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); +@@ -6325,6 +6342,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + /* The buffsize_check and the possible adaptation of buffsize + * has to account also for padding of each line to a byte boundary. + * This is assumed by mirrorImage() and rotateImage(). ++ * Furthermore, functions like extractContigSamplesShifted32bits() ++ * need a buffer, which is at least 3 bytes larger than the actual image. + * Otherwise buffer-overflow might occur there. + */ + buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8); +@@ -6376,7 +6395,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); + return (-1); + } +- read_buff = (unsigned char *)limitMalloc(buffsize+3); ++ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + { +@@ -6387,11 +6406,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); + return (-1); + } +- new_buff = _TIFFrealloc(read_buff, buffsize+3); ++ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); + if (!new_buff) + { + free (read_buff); +- read_buff = (unsigned char *)limitMalloc(buffsize+3); ++ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + read_buff = new_buff; +@@ -6464,8 +6483,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + dump_info (dump->infile, dump->format, "", + "Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp); + ++ if (scanlinesize > 0x0ffffffffULL) { ++ dump_info(dump->infile, dump->format, "loadImage", ++ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", ++ scanlinesize); ++ } + for (i = 0; i < length; i++) +- dump_buffer(dump->infile, dump->format, 1, scanlinesize, ++ dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize, + i, read_buff + (i * scanlinesize)); + } + return (0); +@@ -7485,13 +7509,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image, + if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { + TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); + if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { +- int inknameslen = strlen(inknames) + 1; ++ int inknameslen = (int)strlen(inknames) + 1; + const char* cp = inknames; + while (ninks > 1) { + cp = strchr(cp, '\0'); + if (cp) { + cp++; +- inknameslen += (strlen(cp) + 1); ++ inknameslen += ((int)strlen(cp) + 1); + } + ninks--; + } +@@ -7554,23 +7578,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + + if (!sect_buff) + { +- sect_buff = (unsigned char *)limitMalloc(sectsize); ++ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); + if (!sect_buff) + { + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); + return (-1); + } +- _TIFFmemset(sect_buff, 0, sectsize); ++ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + { + if (prev_sectsize < sectsize) + { +- new_buff = _TIFFrealloc(sect_buff, sectsize); ++ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES); + if (!new_buff) + { + _TIFFfree (sect_buff); +- sect_buff = (unsigned char *)limitMalloc(sectsize); ++ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + sect_buff = new_buff; +@@ -7580,7 +7604,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); + return (-1); + } +- _TIFFmemset(sect_buff, 0, sectsize); ++ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); + } + } + +@@ -7611,17 +7635,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + cropsize = crop->bufftotal; + crop_buff = seg_buffs[0].buffer; + if (!crop_buff) +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + else + { + prev_cropsize = seg_buffs[0].size; + if (prev_cropsize < cropsize) + { +- next_buff = _TIFFrealloc(crop_buff, cropsize); ++ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); + if (! next_buff) + { + _TIFFfree (crop_buff); +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + crop_buff = next_buff; +@@ -7634,7 +7658,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + return (-1); + } + +- _TIFFmemset(crop_buff, 0, cropsize); ++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); + seg_buffs[0].buffer = crop_buff; + seg_buffs[0].size = cropsize; + +@@ -7714,17 +7738,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + cropsize = crop->bufftotal; + crop_buff = seg_buffs[i].buffer; + if (!crop_buff) +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + else + { + prev_cropsize = seg_buffs[0].size; + if (prev_cropsize < cropsize) + { +- next_buff = _TIFFrealloc(crop_buff, cropsize); ++ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); + if (! next_buff) + { + _TIFFfree (crop_buff); +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + crop_buff = next_buff; +@@ -7737,7 +7761,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + return (-1); + } + +- _TIFFmemset(crop_buff, 0, cropsize); ++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); + seg_buffs[i].buffer = crop_buff; + seg_buffs[i].size = cropsize; + +@@ -7853,24 +7877,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + crop_buff = *crop_buff_ptr; + if (!crop_buff) + { +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + if (!crop_buff) + { + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); + return (-1); + } +- _TIFFmemset(crop_buff, 0, cropsize); ++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); + prev_cropsize = cropsize; + } + else + { + if (prev_cropsize < cropsize) + { +- new_buff = _TIFFrealloc(crop_buff, cropsize); ++ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); + if (!new_buff) + { + free (crop_buff); +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + crop_buff = new_buff; +@@ -7879,7 +7903,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); + return (-1); + } +- _TIFFmemset(crop_buff, 0, cropsize); ++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); + } + } + +@@ -8177,13 +8201,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image, + if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { + TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); + if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { +- int inknameslen = strlen(inknames) + 1; ++ int inknameslen = (int)strlen(inknames) + 1; + const char* cp = inknames; + while (ninks > 1) { + cp = strchr(cp, '\0'); + if (cp) { + cp++; +- inknameslen += (strlen(cp) + 1); ++ inknameslen += ((int)strlen(cp) + 1); + } + ninks--; + } +@@ -8568,13 +8592,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_ + } + else /* If we have a full buffer's worth, write it out */ + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -8643,12 +8667,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + return (-1); + } + +- if (!(rbuff = (unsigned char *)limitMalloc(buffsize))) ++ /* Add 3 padding bytes for extractContigSamplesShifted32bits */ ++ if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) + { +- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize); ++ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES); + return (-1); + } +- _TIFFmemset(rbuff, '\0', buffsize); ++ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); + + ibuff = *ibuff_ptr; + switch (rotation) +@@ -9176,13 +9201,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width, + } + else /* If we have a full buffer's worth, write it out */ + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -9273,12 +9298,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ + { + case MIRROR_BOTH: + case MIRROR_VERT: +- line_buff = (unsigned char *)limitMalloc(rowsize); ++ line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES); + if (line_buff == NULL) + { +- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize); ++ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES); + return (-1); + } ++ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); + + dst = ibuff + (rowsize * (length - 1)); + for (row = 0; row < length / 2; row++) +@@ -9310,11 +9336,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ + } + else + { /* non 8 bit per sample data */ +- if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1))) ++ if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES))) + { + TIFFError("mirrorImage", "Unable to allocate mirror line buffer"); + return (-1); + } ++ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); + bytes_per_sample = (bps + 7) / 8; + bytes_per_pixel = ((bps * spp) + 7) / 8; + if (bytes_per_pixel < (bytes_per_sample + 1)) +@@ -9326,7 +9353,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ + { + row_offset = row * rowsize; + src = ibuff + row_offset; +- _TIFFmemset (line_buff, '\0', rowsize); ++ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); + switch (shift_width) + { + case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff)) +-- +GitLab diff --git a/backport-CVE-2022-0561.patch b/backport-CVE-2022-0561.patch new file mode 100644 index 0000000..d74c5e5 --- /dev/null +++ b/backport-CVE-2022-0561.patch @@ -0,0 +1,28 @@ +From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 6 Feb 2022 13:08:38 +0100 +Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #362) + +--- + libtiff/tif_dirread.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 23194ced..50ebf8ac 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); +- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); ++ if( dir->tdir_count ) ++ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); ++ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); + _TIFFfree(data); + data=resizeddata; + } +-- +GitLab \ No newline at end of file diff --git a/backport-CVE-2022-0562.patch b/backport-CVE-2022-0562.patch new file mode 100644 index 0000000..98a72fd --- /dev/null +++ b/backport-CVE-2022-0562.patch @@ -0,0 +1,26 @@ +From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 5 Feb 2022 20:36:41 +0100 +Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #362) + +--- + libtiff/tif_dirread.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 2bbc4585..23194ced 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif) + goto bad; + } + +- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); ++ if (old_extrasamples > 0) ++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); + _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); + _TIFFfree(new_sampleinfo); + } +-- +GitLab diff --git a/backport-CVE-2022-0865.patch b/backport-CVE-2022-0865.patch new file mode 100644 index 0000000..a95a071 --- /dev/null +++ b/backport-CVE-2022-0865.patch @@ -0,0 +1,34 @@ +From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 24 Feb 2022 22:26:02 +0100 +Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD + in memory-mapped mode and when bit reversal is needed (fixes #385) + +--- + libtiff/tif_jbig.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c +index 7408633..8bfa4ce 100644 +--- a/libtiff/tif_jbig.c ++++ b/libtiff/tif_jbig.c +@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) + */ + tif->tif_flags |= TIFF_NOBITREV; + tif->tif_flags &= ~TIFF_MAPPED; ++ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and ++ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial ++ * value to be consistent with the state of a non-memory mapped file. ++ */ ++ if (tif->tif_flags&TIFF_BUFFERMMAP) { ++ tif->tif_rawdata = NULL; ++ tif->tif_rawdatasize = 0; ++ tif->tif_flags &= ~TIFF_BUFFERMMAP; ++ tif->tif_flags |= TIFF_MYBUFFER; ++ } + + /* Setup the function pointers for encode, decode, and cleanup. */ + tif->tif_setupdecode = JBIGSetupDecode; +-- +2.35.1 + diff --git a/backport-CVE-2022-0891.patch b/backport-CVE-2022-0891.patch new file mode 100644 index 0000000..1d6f210 --- /dev/null +++ b/backport-CVE-2022-0891.patch @@ -0,0 +1,215 @@ +From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Tue, 8 Mar 2022 17:02:44 +0000 +Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in + extractImageSection + +Conflict:NA +Reference:https://gitlab.com/freedesktop-sdk/mirrors/gitlab/libtiff/libtiff/-/commit/232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c +--- + tools/tiffcrop.c | 92 +++++++++++++++++++----------------------------- + 1 file changed, 36 insertions(+), 56 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index f2e5474a..e62bcc71 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -105,8 +105,8 @@ + * of messages to monitor progress without enabling dump logs. + */ + +-static char tiffcrop_version_id[] = "2.4"; +-static char tiffcrop_rev_date[] = "12-13-2010"; ++static char tiffcrop_version_id[] = "2.4.1"; ++static char tiffcrop_rev_date[] = "03-03-2010"; + + #include "tif_config.h" + #include "libport.h" +@@ -6739,10 +6739,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + uint32_t img_length; + #endif +- uint32_t j, shift1, shift2, trailing_bits; ++ uint32_t j, shift1, trailing_bits; + uint32_t row, first_row, last_row, first_col, last_col; + uint32_t src_offset, dst_offset, row_offset, col_offset; +- uint32_t offset1, offset2, full_bytes; ++ uint32_t offset1, full_bytes; + uint32_t sect_width; + #ifdef DEVELMODE + uint32_t sect_length; +@@ -6752,7 +6752,6 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + int k; + unsigned char bitset; +- static char *bitarray = NULL; + #endif + + img_width = image->width; +@@ -6770,17 +6769,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + dst_offset = 0; + + #ifdef DEVELMODE +- if (bitarray == NULL) +- { +- if ((bitarray = (char *)malloc(img_width)) == NULL) +- { +- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); +- return (-1); +- } +- } ++ char bitarray[39]; + #endif + +- /* rows, columns, width, length are expressed in pixels */ ++ /* rows, columns, width, length are expressed in pixels ++ * first_row, last_row, .. are index into image array starting at 0 to width-1, ++ * last_col shall be also extracted. */ + first_row = section->y1; + last_row = section->y2; + first_col = section->x1; +@@ -6790,9 +6784,14 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + sect_length = last_row - first_row + 1; + #endif +- img_rowsize = ((img_width * bps + 7) / 8) * spp; +- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ +- trailing_bits = (sect_width * bps) % 8; ++ /* The read function loadImage() used copy separate plane data into a buffer as interleaved ++ * samples rather than separate planes so the same logic works to extract regions ++ * regardless of the way the data are organized in the input file. ++ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 ++ */ ++ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ ++ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ ++ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ + + #ifdef DEVELMODE + TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n", +@@ -6805,10 +6804,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, + + if ((bps % 8) == 0) + { +- col_offset = first_col * spp * bps / 8; ++ col_offset = (first_col * spp * bps) / 8; + for (row = first_row; row <= last_row; row++) + { +- /* row_offset = row * img_width * spp * bps / 8; */ + row_offset = row * img_rowsize; + src_offset = row_offset + col_offset; + +@@ -6821,14 +6819,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + } + else + { /* bps != 8 */ +- shift1 = spp * ((first_col * bps) % 8); +- shift2 = spp * ((last_col * bps) % 8); ++ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ + for (row = first_row; row <= last_row; row++) + { + /* pull out the first byte */ + row_offset = row * img_rowsize; +- offset1 = row_offset + (first_col * bps / 8); +- offset2 = row_offset + (last_col * bps / 8); ++ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ + + #ifdef DEVELMODE + for (j = 0, k = 7; j < 8; j++, k--) +@@ -6840,12 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + sprintf(&bitarray[9], " "); + for (j = 10, k = 7; j < 18; j++, k--) + { +- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; ++ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; + sprintf(&bitarray[j], (bitset) ? "1" : "0"); + } + bitarray[18] = '\0'; +- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n", +- row, offset1, shift1, offset2, shift2); ++ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n", ++ row, offset1, shift1, offset1+full_bytes, trailing_bits); + #endif + + bytebuff1 = bytebuff2 = 0; +@@ -6869,11 +6865,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + + if (trailing_bits != 0) + { +- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); ++ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ ++ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); + sect_buff[dst_offset] = bytebuff2; + #ifdef DEVELMODE + TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", +- offset2, dst_offset); ++ offset1 + full_bytes, dst_offset); + for (j = 30, k = 7; j < 38; j++, k--) + { + bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; +@@ -6892,8 +6889,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #endif + for (j = 0; j <= full_bytes; j++) + { +- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); +- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); ++ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ ++ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ ++ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); ++ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); + sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); + } + #ifdef DEVELMODE +@@ -6909,36 +6908,17 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #endif + dst_offset += full_bytes; + ++ /* Copy the trailing_bits for the last byte in the destination buffer. ++ Could come from one ore two bytes of the source buffer. */ + if (trailing_bits != 0) + { + #ifdef DEVELMODE +- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset); +-#endif +- if (shift2 > shift1) +- { +- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); +- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); +- sect_buff[dst_offset] = bytebuff2; +-#ifdef DEVELMODE +- TIFFError ("", " Shift2 > Shift1\n"); ++ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset); + #endif ++ /* More than necessary bits are already copied into last destination buffer, ++ * only masking of last byte in destination buffer is necessary.*/ ++ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); + } +- else +- { +- if (shift2 < shift1) +- { +- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); +- sect_buff[dst_offset] &= bytebuff2; +-#ifdef DEVELMODE +- TIFFError ("", " Shift2 < Shift1\n"); +-#endif +- } +-#ifdef DEVELMODE +- else +- TIFFError ("", " Shift2 == Shift1\n"); +-#endif +- } +- } + #ifdef DEVELMODE + sprintf(&bitarray[28], " "); + sprintf(&bitarray[29], " "); +@@ -7091,7 +7071,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image, + width = sections[i].x2 - sections[i].x1 + 1; + length = sections[i].y2 - sections[i].y1 + 1; + sectsize = (uint32_t) +- ceil((width * image->bps + 7) / (double)8) * image->spp * length; ++ ceil((width * image->bps * image->spp + 7) / (double)8) * length; + /* allocate a buffer if we don't have one already */ + if (createImageSection(sectsize, sect_buff_ptr)) + { +-- +GitLab diff --git a/backport-CVE-2022-0907.patch b/backport-CVE-2022-0907.patch new file mode 100644 index 0000000..ce1af73 --- /dev/null +++ b/backport-CVE-2022-0907.patch @@ -0,0 +1,89 @@ +From 10b4736669928673cc9a5c5f2a88ffdc92f1b560 Mon Sep 17 00:00:00 2001 +From: Augustus +Date: Mon, 7 Mar 2022 18:21:49 +0800 +Subject: [PATCH 1/3] add checks for return value of limitMalloc (#392) + +--- + tools/tiffcrop.c | 33 +++++++++++++++++++++------------ + 1 file changed, 21 insertions(+), 12 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 302a7e9..e407bf5 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + if (!sect_buff) + { + sect_buff = (unsigned char *)limitMalloc(sectsize); +- *sect_buff_ptr = sect_buff; ++ if (!sect_buff) ++ { ++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); ++ return (-1); ++ } + _TIFFmemset(sect_buff, 0, sectsize); + } + else +@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + else + sect_buff = new_buff; + ++ if (!sect_buff) ++ { ++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); ++ return (-1); ++ } + _TIFFmemset(sect_buff, 0, sectsize); + } + } + +- if (!sect_buff) +- { +- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); +- return (-1); +- } + prev_sectsize = sectsize; + *sect_buff_ptr = sect_buff; + +@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + if (!crop_buff) + { + crop_buff = (unsigned char *)limitMalloc(cropsize); +- *crop_buff_ptr = crop_buff; ++ if (!crop_buff) ++ { ++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); ++ return (-1); ++ } + _TIFFmemset(crop_buff, 0, cropsize); + prev_cropsize = cropsize; + } +@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + } + else + crop_buff = new_buff; ++ if (!crop_buff) ++ { ++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); ++ return (-1); ++ } + _TIFFmemset(crop_buff, 0, cropsize); + } + } + +- if (!crop_buff) +- { +- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); +- return (-1); +- } + *crop_buff_ptr = crop_buff; + + if (crop->crop_mode & CROP_INVERT) +@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui + * fill-column: 78 + * End: + */ ++ +-- +2.35.1 + diff --git a/backport-CVE-2022-0908.patch b/backport-CVE-2022-0908.patch new file mode 100644 index 0000000..446c9f6 --- /dev/null +++ b/backport-CVE-2022-0908.patch @@ -0,0 +1,29 @@ +From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 17 Feb 2022 15:28:43 +0100 +Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #383) + +--- + libtiff/tif_dirread.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index d654a1c..a31109a 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5080,7 +5080,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); ++ if (dp->tdir_count > 0 ) ++ { ++ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); ++ } + o[(uint32_t)dp->tdir_count]=0; + if (data!=0) + _TIFFfree(data); +-- +2.27.0 + diff --git a/backport-CVE-2022-0909.patch b/backport-CVE-2022-0909.patch new file mode 100644 index 0000000..9d33170 --- /dev/null +++ b/backport-CVE-2022-0909.patch @@ -0,0 +1,35 @@ +From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Tue, 8 Mar 2022 16:22:04 +0000 +Subject: [PATCH] fix the FPE in tiffcrop (#393) + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/commit/32ea0722ee68f503b7a3f9b2d557acb293fc8cde + +--- + libtiff/tif_dir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index a6c254f..77da6ea 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) + break; + case TIFFTAG_XRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); + break; + case TIFFTAG_YRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); + break; +-- +2.27.0 + diff --git a/backport-CVE-2022-0924.patch b/backport-CVE-2022-0924.patch new file mode 100644 index 0000000..4eff659 --- /dev/null +++ b/backport-CVE-2022-0924.patch @@ -0,0 +1,56 @@ +From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Thu, 10 Mar 2022 08:48:00 +0000 +Subject: [PATCH] fix heap buffer overflow in tiffcp (#278) + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/commit/88d79a45a31c74cba98c697892fed5f7db8b963a + +--- + tools/tiffcp.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 1f88951..552d8fa 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) + tdata_t obuf; + tstrip_t strip = 0; + tsample_t s; ++ uint16_t bps = 0, bytes_per_sample; + + obuf = limitMalloc(stripsize); + if (obuf == NULL) + return (0); + _TIFFmemset(obuf, 0, stripsize); + (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); ++ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps == 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ if( (bps % 8) != 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ bytes_per_sample = bps/8; + for (s = 0; s < spp; s++) { + uint32_t row; + for (row = 0; row < imagelength; row += rowsperstrip) { +@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) + + cpContigBufToSeparateBuf( + obuf, (uint8_t*) buf + row * rowsize + s, +- nrows, imagewidth, 0, 0, spp, 1); ++ nrows, imagewidth, 0, 0, spp, bytes_per_sample); + if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { + TIFFError(TIFFFileName(out), + "Error, can't write strip %"PRIu32, +-- +2.27.0 + diff --git a/backport-CVE-2022-1354.patch b/backport-CVE-2022-1354.patch new file mode 100644 index 0000000..45f836c --- /dev/null +++ b/backport-CVE-2022-1354.patch @@ -0,0 +1,207 @@ +From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 5 Dec 2021 14:37:46 +0100 +Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319) + +to avoid having the size of the strip arrays inconsistent with the +number of strips returned by TIFFNumberOfStrips(), which may cause +out-ouf-bounds array read afterwards. + +One of the OJPEG hack that alters SamplesPerPixel may influence the +number of strips. Hence compute tif_dir.td_nstrips only afterwards. + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798 +--- + libtiff/tif_dirread.c | 162 ++++++++++++++++++++++-------------------- + 1 file changed, 83 insertions(+), 79 deletions(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index a31109a..707b3e2 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -3794,50 +3794,6 @@ TIFFReadDirectory(TIFF* tif) + MissingRequired(tif,"ImageLength"); + goto bad; + } +- /* +- * Setup appropriate structures (by strip or by tile) +- */ +- if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) { +- tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif); +- tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth; +- tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip; +- tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth; +- tif->tif_flags &= ~TIFF_ISTILED; +- } else { +- tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif); +- tif->tif_flags |= TIFF_ISTILED; +- } +- if (!tif->tif_dir.td_nstrips) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "Cannot handle zero number of %s", +- isTiled(tif) ? "tiles" : "strips"); +- goto bad; +- } +- tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips; +- if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE) +- tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel; +- if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) { +-#ifdef OJPEG_SUPPORT +- if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) && +- (isTiled(tif)==0) && +- (tif->tif_dir.td_nstrips==1)) { +- /* +- * XXX: OJPEG hack. +- * If a) compression is OJPEG, b) it's not a tiled TIFF, +- * and c) the number of strips is 1, +- * then we tolerate the absence of stripoffsets tag, +- * because, presumably, all required data is in the +- * JpegInterchangeFormat stream. +- */ +- TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS); +- } else +-#endif +- { +- MissingRequired(tif, +- isTiled(tif) ? "TileOffsets" : "StripOffsets"); +- goto bad; +- } +- } + /* + * Second pass: extract other information. + */ +@@ -4042,41 +3998,6 @@ TIFFReadDirectory(TIFF* tif) + } /* -- if (!dp->tdir_ignore) */ + } /* -- for-loop -- */ + +- if( tif->tif_mode == O_RDWR && +- tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 && +- tif->tif_dir.td_stripoffset_entry.tdir_count == 0 && +- tif->tif_dir.td_stripoffset_entry.tdir_type == 0 && +- tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 && +- tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 && +- tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 && +- tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 && +- tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 ) +- { +- /* Directory typically created with TIFFDeferStrileArrayWriting() */ +- TIFFSetupStrips(tif); +- } +- else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) ) +- { +- if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 ) +- { +- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry), +- tif->tif_dir.td_nstrips, +- &tif->tif_dir.td_stripoffset_p)) +- { +- goto bad; +- } +- } +- if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 ) +- { +- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry), +- tif->tif_dir.td_nstrips, +- &tif->tif_dir.td_stripbytecount_p)) +- { +- goto bad; +- } +- } +- } +- + /* + * OJPEG hack: + * - If a) compression is OJPEG, and b) photometric tag is missing, +@@ -4147,6 +4068,88 @@ TIFFReadDirectory(TIFF* tif) + } + } + ++ /* ++ * Setup appropriate structures (by strip or by tile) ++ * We do that only after the above OJPEG hack which alters SamplesPerPixel ++ * and thus influences the number of strips in the separate planarconfig. ++ */ ++ if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) { ++ tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif); ++ tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth; ++ tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip; ++ tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth; ++ tif->tif_flags &= ~TIFF_ISTILED; ++ } else { ++ tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif); ++ tif->tif_flags |= TIFF_ISTILED; ++ } ++ if (!tif->tif_dir.td_nstrips) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Cannot handle zero number of %s", ++ isTiled(tif) ? "tiles" : "strips"); ++ goto bad; ++ } ++ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips; ++ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE) ++ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel; ++ if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) { ++#ifdef OJPEG_SUPPORT ++ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) && ++ (isTiled(tif)==0) && ++ (tif->tif_dir.td_nstrips==1)) { ++ /* ++ * XXX: OJPEG hack. ++ * If a) compression is OJPEG, b) it's not a tiled TIFF, ++ * and c) the number of strips is 1, ++ * then we tolerate the absence of stripoffsets tag, ++ * because, presumably, all required data is in the ++ * JpegInterchangeFormat stream. ++ */ ++ TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS); ++ } else ++#endif ++ { ++ MissingRequired(tif, ++ isTiled(tif) ? "TileOffsets" : "StripOffsets"); ++ goto bad; ++ } ++ } ++ ++ if( tif->tif_mode == O_RDWR && ++ tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 && ++ tif->tif_dir.td_stripoffset_entry.tdir_count == 0 && ++ tif->tif_dir.td_stripoffset_entry.tdir_type == 0 && ++ tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 && ++ tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 && ++ tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 && ++ tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 && ++ tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 ) ++ { ++ /* Directory typically created with TIFFDeferStrileArrayWriting() */ ++ TIFFSetupStrips(tif); ++ } ++ else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) ) ++ { ++ if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 ) ++ { ++ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry), ++ tif->tif_dir.td_nstrips, ++ &tif->tif_dir.td_stripoffset_p)) ++ { ++ goto bad; ++ } ++ } ++ if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 ) ++ { ++ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry), ++ tif->tif_dir.td_nstrips, ++ &tif->tif_dir.td_stripbytecount_p)) ++ { ++ goto bad; ++ } ++ } ++ } ++ + /* + * Make sure all non-color channels are extrasamples. + * If it's not the case, define them as such. +-- +2.33.0 + diff --git a/backport-CVE-2022-1355.patch b/backport-CVE-2022-1355.patch new file mode 100644 index 0000000..8118a04 --- /dev/null +++ b/backport-CVE-2022-1355.patch @@ -0,0 +1,58 @@ +From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Sat, 2 Apr 2022 22:33:31 +0200 +Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400) + +Conflict:NA +Reference:https://gitlab.com/gitlab-org/build/omnibus-mirror/libtiff/-/commit/fb1db384959698edd6caeea84e28253d272a0f96 +--- + tools/tiffcp.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 552d8fa..57eef90 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -274,19 +274,34 @@ main(int argc, char* argv[]) + deftilewidth = atoi(optarg); + break; + case 'B': +- *mp++ = 'b'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode) - 1)) ++ { ++ *mp++ = 'b'; *mp = '\0'; ++ } + break; + case 'L': +- *mp++ = 'l'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode) - 1)) ++ { ++ *mp++ = 'l'; *mp = '\0'; ++ } + break; + case 'M': +- *mp++ = 'm'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode) - 1)) ++ { ++ *mp++ = 'm'; *mp = '\0'; ++ } + break; + case 'C': +- *mp++ = 'c'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode) - 1)) ++ { ++ *mp++ = 'c'; *mp = '\0'; ++ } + break; + case '8': +- *mp++ = '8'; *mp = '\0'; ++ if (strlen(mode) < (sizeof(mode)-1)) ++ { ++ *mp++ = '8'; *mp = '\0'; ++ } + break; + case 'x': + pageInSeq = 1; +-- +2.27.0 + diff --git a/backport-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch b/backport-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch new file mode 100644 index 0000000..455212d --- /dev/null +++ b/backport-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch @@ -0,0 +1,179 @@ +From dd1bcc7abb26094e93636e85520f0d8f81ab0fab Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Sat, 11 Jun 2022 09:31:43 +0000 +Subject: [PATCH] fix the FPE in tiffcrop (#415, #427, and #428) + +--- + libtiff/tif_aux.c | 9 +++++++ + libtiff/tiffiop.h | 1 + + tools/tiffcrop.c | 62 ++++++++++++++++++++++++++--------------------- + 3 files changed, 44 insertions(+), 28 deletions(-) + +diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c +index 140f26c7..5b88c8d0 100644 +--- a/libtiff/tif_aux.c ++++ b/libtiff/tif_aux.c +@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val ) + return (float)val; + } + ++uint32_t _TIFFClampDoubleToUInt32(double val) ++{ ++ if( val < 0 ) ++ return 0; ++ if( val > 0xFFFFFFFFU || val != val ) ++ return 0xFFFFFFFFU; ++ return (uint32_t)val; ++} ++ + int _TIFFSeekOK(TIFF* tif, toff_t off) + { + /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */ +diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h +index e3af461d..4e8bdac2 100644 +--- a/libtiff/tiffiop.h ++++ b/libtiff/tiffiop.h +@@ -365,6 +365,7 @@ extern double _TIFFUInt64ToDouble(uint64_t); + extern float _TIFFUInt64ToFloat(uint64_t); + + extern float _TIFFClampDoubleToFloat(double); ++extern uint32_t _TIFFClampDoubleToUInt32(double); + + extern tmsize_t + _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip, +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 1f827b2b..90286a5e 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5268,17 +5268,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + { + if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER)) + { +- x1 = (uint32_t) (crop->corners[i].X1 * scale * xres); +- x2 = (uint32_t) (crop->corners[i].X2 * scale * xres); +- y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres); +- y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres); ++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres); ++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres); ++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres); ++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres); + } + else + { +- x1 = (uint32_t) (crop->corners[i].X1); +- x2 = (uint32_t) (crop->corners[i].X2); +- y1 = (uint32_t) (crop->corners[i].Y1); +- y2 = (uint32_t) (crop->corners[i].Y2); ++ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1); ++ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2); ++ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); ++ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } + /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 + * b) Corners are expected to be submitted as top-left to bottom-right. +@@ -5357,17 +5357,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + { + if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) + { /* User has specified pixels as reference unit */ +- tmargin = (uint32_t)(crop->margins[0]); +- lmargin = (uint32_t)(crop->margins[1]); +- bmargin = (uint32_t)(crop->margins[2]); +- rmargin = (uint32_t)(crop->margins[3]); ++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]); ++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]); ++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]); ++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]); + } + else + { /* inches or centimeters specified */ +- tmargin = (uint32_t)(crop->margins[0] * scale * yres); +- lmargin = (uint32_t)(crop->margins[1] * scale * xres); +- bmargin = (uint32_t)(crop->margins[2] * scale * yres); +- rmargin = (uint32_t)(crop->margins[3] * scale * xres); ++ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres); ++ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres); ++ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres); ++ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres); + } + + if ((lmargin + rmargin) > image->width) +@@ -5397,24 +5397,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) + { + if (crop->crop_mode & CROP_WIDTH) +- width = (uint32_t)crop->width; ++ width = _TIFFClampDoubleToUInt32(crop->width); + else + width = image->width - lmargin - rmargin; + + if (crop->crop_mode & CROP_LENGTH) +- length = (uint32_t)crop->length; ++ length = _TIFFClampDoubleToUInt32(crop->length); + else + length = image->length - tmargin - bmargin; + } + else + { + if (crop->crop_mode & CROP_WIDTH) +- width = (uint32_t)(crop->width * scale * image->xres); ++ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres); + else + width = image->width - lmargin - rmargin; + + if (crop->crop_mode & CROP_LENGTH) +- length = (uint32_t)(crop->length * scale * image->yres); ++ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres); + else + length = image->length - tmargin - bmargin; + } +@@ -5868,13 +5868,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + { + if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER) + { /* inches or centimeters specified */ +- hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps + 7) / 8)); +- vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps + 7) / 8)); ++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8)); ++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8)); + } + else + { /* Otherwise user has specified pixels as reference unit */ +- hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8)); +- vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8)); ++ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8)); ++ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8)); + } + + if ((hmargin * 2.0) > (pwidth * page->hres)) +@@ -5912,13 +5912,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + { + if (page->mode & PAGE_MODE_PAPERSIZE ) + { +- owidth = (uint32_t)((pwidth * page->hres) - (hmargin * 2)); +- olength = (uint32_t)((plength * page->vres) - (vmargin * 2)); ++ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2)); ++ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2)); + } + else + { +- owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres)); +- olength = (uint32_t)(ilength - (vmargin * 2 * page->vres)); ++ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres)); ++ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres)); + } + } + +@@ -5927,6 +5927,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, + if (olength > ilength) + olength = ilength; + ++ if (owidth == 0 || olength == 0) ++ { ++ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages"); ++ exit(EXIT_FAILURE); ++ } ++ + /* Compute the number of pages required for Portrait or Landscape */ + switch (page->orient) + { +-- +GitLab diff --git a/backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch new file mode 100644 index 0000000..f930929 --- /dev/null +++ b/backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch @@ -0,0 +1,146 @@ +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 0da3157743aaabc2f874fdaeb9f46e94cb00efd8..e4a08ca96c03923a49a71aab0f0cfba906ffdf29 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5192,29 +5192,45 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + y1 = (uint32_t) (crop->corners[i].Y1); + y2 = (uint32_t) (crop->corners[i].Y2); + } +- if (x1 < 1) +- crop->regionlist[i].x1 = 0; +- else +- crop->regionlist[i].x1 = (uint32_t) (x1 - 1); ++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 ++ * b) Corners are expected to be submitted as top-left to bottom-right. ++ * Therefore, check that and reorder input. ++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ) ++ */ ++ uint32_t aux; ++ if (x1 > x2) { ++ aux = x1; ++ x1 = x2; ++ x2 = aux; ++ } ++ if (y1 > y2) { ++ aux = y1; ++ y1 = y2; ++ y2 = aux; ++ } ++ if (x1 > image->width - 1) ++ crop->regionlist[i].x1 = image->width - 1; ++ else if (x1 > 0) ++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1); + + if (x2 > image->width - 1) + crop->regionlist[i].x2 = image->width - 1; +- else +- crop->regionlist[i].x2 = (uint32_t) (x2 - 1); +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ else if (x2 > 0) ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1); + +- if (y1 < 1) +- crop->regionlist[i].y1 = 0; +- else +- crop->regionlist[i].y1 = (uint32_t) (y1 - 1); ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ ++ if (y1 > image->length - 1) ++ crop->regionlist[i].y1 = image->length - 1; ++ else if (y1 > 0) ++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1); + + if (y2 > image->length - 1) + crop->regionlist[i].y2 = image->length - 1; +- else +- crop->regionlist[i].y2 = (uint32_t) (y2 - 1); +- +- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; ++ else if (y2 > 0) ++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1); + ++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; + if (zwidth > max_width) + max_width = zwidth; + if (zlength > max_length) +@@ -5244,7 +5260,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + } + } + return (0); +- } ++ } /* crop_mode == CROP_REGIONS */ + + /* Convert crop margins into offsets into image + * Margins are expressed as pixel rows and columns, not bytes +@@ -5280,7 +5296,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + bmargin = (uint32_t) 0; + return (-1); + } +- } ++ } /* crop_mode == CROP_MARGINS */ + else + { /* no margins requested */ + tmargin = (uint32_t) 0; +@@ -5371,24 +5387,23 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + off->endx = endx; + off->endy = endy; + +- crop_width = endx - startx + 1; +- crop_length = endy - starty + 1; +- +- if (crop_width <= 0) ++ if (endx + 1 <= startx) + { + TIFFError("computeInputPixelOffsets", + "Invalid left/right margins and /or image crop width requested"); + return (-1); + } ++ crop_width = endx - startx + 1; + if (crop_width > image->width) + crop_width = image->width; + +- if (crop_length <= 0) ++ if (endy + 1 <= starty) + { + TIFFError("computeInputPixelOffsets", + "Invalid top/bottom margins and /or image crop length requested"); + return (-1); + } ++ crop_length = endy - starty + 1; + if (crop_length > image->length) + crop_length = image->length; + +@@ -5488,10 +5503,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + else + crop->selections = crop->zones; + +- for (i = 0; i < crop->zones; i++) ++ /* Initialize regions iterator i */ ++ i = 0; ++ for (int j = 0; j < crop->zones; j++) + { +- seg = crop->zonelist[i].position; +- total = crop->zonelist[i].total; ++ seg = crop->zonelist[j].position; ++ total = crop->zonelist[j].total; ++ ++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */ ++ if (seg == 0 || total == 0 || seg > total) { ++ continue; ++ } + + switch (crop->edge_ref) + { +@@ -5620,8 +5642,11 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + i + 1, zwidth, zlength, + crop->regionlist[i].x1, crop->regionlist[i].x2, + crop->regionlist[i].y1, crop->regionlist[i].y2); ++ /* increment regions iterator */ ++ i++; + } +- ++ /* set number of generated regions out of given zones */ ++ crop->selections = i; + return (0); + } /* end getCropOffsets */ + \ No newline at end of file diff --git a/backport-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627.patch b/backport-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627.patch new file mode 100644 index 0000000..203d54a --- /dev/null +++ b/backport-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627.patch @@ -0,0 +1,104 @@ +From 4746f16253b784287bc8a5003990c1c3b9a03a62 Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Thu, 25 Aug 2022 16:11:41 +0200 +Subject: [PATCH] tiffcrop: disable incompatibility of -Z, -X, -Y, -z options + with any PAGE_MODE_x option (fixes #411 and #413) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +tiffcrop does not support 鈥揨, -z, -X and 鈥揧 options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or 鈥揝. + +Code analysis: + +With the options 鈥揨, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[]. +In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) . + +Execution of the else-clause often leads to buffer-overflows. + +Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows. + +The MR solves issues #411 and #413. +--- + tools/tiffcrop.c | 32 +++++++++++++++++++++++++------- + 1 files changed, 25 insertions(+), 7 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 8fd856dc..41a2ea36 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -107,13 +107,15 @@ + * selects which functions dump data, with higher numbers selecting + * lower level, scanline level routines. Debug reports a limited set + * of messages to monitor progress without enabling dump logs. +- * +- * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive. ++ * ++ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive. + * In no case should the options be applied to a given selection successively. +- */ ++ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options ++ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. ++ */ + +-static char tiffcrop_version_id[] = "2.5.1"; +-static char tiffcrop_rev_date[] = "15-08-2022"; ++static char tiffcrop_version_id[] = "2.5.3"; ++static char tiffcrop_rev_date[] = "26-08-2022"; + + #include "tif_config.h" + #include "libport.h" +@@ -781,9 +783,12 @@ static const char usage_info[] = + " The four debug/dump options are independent, though it makes little sense to\n" + " specify a dump file without specifying a detail level.\n" + "\n" +-"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n" ++"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n" + " In no case should the options be applied to a given selection successively.\n" + "\n" ++"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options\n" ++" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.\n" ++"\n" + ; + + /* This function could be modified to pass starting sample offset +@@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; + S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; + if (XY + Z + R + S > 1) { +- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit"); + exit(EXIT_FAILURE); + } ++ ++ /* Check for not allowed combination: ++ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options ++ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. ++. */ ++ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) { ++ TIFFError("tiffcrop input error", ++ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit"); ++ exit(EXIT_FAILURE); ++ } ++ + } /* end process_command_opts */ + + /* Start a new output file if one has not been previously opened or +@@ -2411,6 +2427,7 @@ main(int argc, char* argv[]) + exit (EXIT_FAILURE); + } + ++ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */ + if (crop.selections > 0) + { + if (processCropSelections(&image, &crop, &read_buff, seg_buffs)) +@@ -2427,6 +2444,7 @@ main(int argc, char* argv[]) + exit (EXIT_FAILURE); + } + } ++ /* Format and write selected image parts to output file(s). */ + if (page.mode == PAGE_MODE_NONE) + { /* Whole image or sections not based on output page size */ + if (crop.selections > 0) +-- +GitLab diff --git a/backport-CVE-2022-3599.patch b/backport-CVE-2022-3599.patch new file mode 100644 index 0000000..57dabb0 --- /dev/null +++ b/backport-CVE-2022-3599.patch @@ -0,0 +1,261 @@ +From f00484b9519df933723deb38fff943dc291a793d Mon Sep 17 00:00:00 2001 +From: Su_Laus +Date: Tue, 30 Aug 2022 16:56:48 +0200 +Subject: [PATCH] Revised handling of TIFFTAG_INKNAMES and related + TIFFTAG_NUMBEROFINKS value + +In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed: + +Behaviour for writing: + `NumberOfInks` MUST fit to the number of inks in the `InkNames` string. + `NumberOfInks` is automatically set when `InkNames` is set. + If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. + If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. + +Behaviour for reading: + When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string. + If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. + If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. + +This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow + +This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456. + +It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue. +--- + libtiff/tif_dir.c | 119 ++++++++++++++++++++++++----------------- + libtiff/tif_dir.h | 2 + + libtiff/tif_dirinfo.c | 2 +- + libtiff/tif_dirwrite.c | 5 ++ + libtiff/tif_print.c | 4 ++ + 5 files changed, 82 insertions(+), 50 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 793e8a79..816f7756 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -136,32 +136,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32_t* v) + } + + /* +- * Confirm we have "samplesperpixel" ink names separated by \0. Returns ++ * Count ink names separated by \0. Returns + * zero if the ink names are not as expected. + */ +-static uint32_t +-checkInkNamesString(TIFF* tif, uint32_t slen, const char* s) ++static uint16_t ++countInkNamesString(TIFF *tif, uint32_t slen, const char *s) + { +- TIFFDirectory* td = &tif->tif_dir; +- uint16_t i = td->td_samplesperpixel; ++ uint16_t i = 0; ++ const char *ep = s + slen; ++ const char *cp = s; + + if (slen > 0) { +- const char* ep = s+slen; +- const char* cp = s; +- for (; i > 0; i--) { ++ do { + for (; cp < ep && *cp != '\0'; cp++) {} + if (cp >= ep) + goto bad; + cp++; /* skip \0 */ +- } +- return ((uint32_t)(cp - s)); ++ i++; ++ } while (cp < ep); ++ return (i); + } + bad: + TIFFErrorExt(tif->tif_clientdata, "TIFFSetField", +- "%s: Invalid InkNames value; expecting %"PRIu16" names, found %"PRIu16, +- tif->tif_name, +- td->td_samplesperpixel, +- (uint16_t)(td->td_samplesperpixel-i)); ++ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink", ++ tif->tif_name, slen, i); + return (0); + } + +@@ -478,13 +476,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) + _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); + break; + case TIFFTAG_INKNAMES: +- v = (uint16_t) va_arg(ap, uint16_vap); +- s = va_arg(ap, char*); +- v = checkInkNamesString(tif, v, s); +- status = v > 0; +- if( v > 0 ) { +- _TIFFsetNString(&td->td_inknames, s, v); +- td->td_inknameslen = v; ++ { ++ v = (uint16_t) va_arg(ap, uint16_vap); ++ s = va_arg(ap, char*); ++ uint16_t ninksinstring; ++ ninksinstring = countInkNamesString(tif, v, s); ++ status = ninksinstring > 0; ++ if(ninksinstring > 0 ) { ++ _TIFFsetNString(&td->td_inknames, s, v); ++ td->td_inknameslen = v; ++ /* Set NumberOfInks to the value ninksinstring */ ++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) ++ { ++ if (td->td_numberofinks != ninksinstring) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"", ++ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring); ++ td->td_numberofinks = ninksinstring; ++ } ++ } else { ++ td->td_numberofinks = ninksinstring; ++ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS); ++ } ++ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) ++ { ++ if (td->td_numberofinks != td->td_samplesperpixel) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"", ++ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel); ++ } ++ } ++ } ++ } ++ break; ++ case TIFFTAG_NUMBEROFINKS: ++ v = (uint16_t)va_arg(ap, uint16_vap); ++ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */ ++ if (TIFFFieldSet(tif, FIELD_INKNAMES)) ++ { ++ if (v != td->td_numberofinks) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")", ++ tif->tif_name, fip->field_name, v, td->td_numberofinks); ++ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */ ++ status = 0; ++ } ++ } else { ++ td->td_numberofinks = (uint16_t)v; ++ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) ++ { ++ if (td->td_numberofinks != td->td_samplesperpixel) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"", ++ tif->tif_name, fip->field_name, v, td->td_samplesperpixel); ++ } ++ } + } + break; + case TIFFTAG_PERSAMPLE: +@@ -986,34 +1032,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap) + if (fip->field_bit == FIELD_CUSTOM) { + standard_tag = 0; + } +- +- if( standard_tag == TIFFTAG_NUMBEROFINKS ) +- { +- int i; +- for (i = 0; i < td->td_customValueCount; i++) { +- uint16_t val; +- TIFFTagValue *tv = td->td_customValues + i; +- if (tv->info->field_tag != standard_tag) +- continue; +- if( tv->value == NULL ) +- return 0; +- val = *(uint16_t *)tv->value; +- /* Truncate to SamplesPerPixel, since the */ +- /* setting code for INKNAMES assume that there are SamplesPerPixel */ +- /* inknames. */ +- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ +- if( val > td->td_samplesperpixel ) +- { +- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", +- "Truncating NumberOfInks from %u to %"PRIu16, +- val, td->td_samplesperpixel); +- val = td->td_samplesperpixel; +- } +- *va_arg(ap, uint16_t*) = val; +- return 1; +- } +- return 0; +- } + + switch (standard_tag) { + case TIFFTAG_SUBFILETYPE: +@@ -1195,6 +1213,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap) + case TIFFTAG_INKNAMES: + *va_arg(ap, const char**) = td->td_inknames; + break; ++ case TIFFTAG_NUMBEROFINKS: ++ *va_arg(ap, uint16_t *) = td->td_numberofinks; ++ break; + default: + { + int i; +diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h +index 09065648..0c251c9e 100644 +--- a/libtiff/tif_dir.h ++++ b/libtiff/tif_dir.h +@@ -117,6 +117,7 @@ typedef struct { + /* CMYK parameters */ + int td_inknameslen; + char* td_inknames; ++ uint16_t td_numberofinks; /* number of inks in InkNames string */ + + int td_customValueCount; + TIFFTagValue *td_customValues; +@@ -174,6 +175,7 @@ typedef struct { + #define FIELD_TRANSFERFUNCTION 44 + #define FIELD_INKNAMES 46 + #define FIELD_SUBIFD 49 ++#define FIELD_NUMBEROFINKS 50 + /* FIELD_CUSTOM (see tiffio.h) 65 */ + /* end of support for well-known tags; codec-private tags follow */ + #define FIELD_CODEC 66 /* base of codec-private tags */ +diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +index 3371cb5c..3b4bcd33 100644 +--- a/libtiff/tif_dirinfo.c ++++ b/libtiff/tif_dirinfo.c +@@ -114,7 +114,7 @@ tiffFields[] = { + { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray }, + { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, + { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, +- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL }, ++ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL }, + { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL }, + { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL }, + { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL }, +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index 6c86fdca..062e4610 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -626,6 +626,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64_t* pdiroff) + if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames)) + goto bad; + } ++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) ++ { ++ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks)) ++ goto bad; ++ } + if (TIFFFieldSet(tif,FIELD_SUBIFD)) + { + if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir)) +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 16ce5780..a91b9e7b 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -397,6 +397,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + } + fputs("\n", fd); + } ++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) { ++ fprintf(fd, " NumberOfInks: %d\n", ++ td->td_numberofinks); ++ } + if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) { + fprintf(fd, " Thresholding: "); + switch (td->td_threshholding) { +-- +GitLab diff --git a/backport-CVE-2022-3970.patch b/backport-CVE-2022-3970.patch new file mode 100644 index 0000000..b83a539 --- /dev/null +++ b/backport-CVE-2022-3970.patch @@ -0,0 +1,37 @@ +From 227500897dfb07fb7d27f7aa570050e62617e3be Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Tue, 8 Nov 2022 15:16:58 +0100 +Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on + strips/tiles > 2 GB + +Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137 +--- + libtiff/tif_getimage.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index a4d0c1d6..60b94d8e 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -3016,15 +3016,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in + return( ok ); + + for( i_row = 0; i_row < read_ysize; i_row++ ) { +- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize, +- raster + (read_ysize - i_row - 1) * read_xsize, ++ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, ++ raster + (size_t)(read_ysize - i_row - 1) * read_xsize, + read_xsize * sizeof(uint32_t) ); +- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize, ++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize, + 0, sizeof(uint32_t) * (tile_xsize - read_xsize) ); + } + + for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) { +- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize, ++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, + 0, sizeof(uint32_t) * tile_xsize ); + } + +-- +GitLab \ No newline at end of file diff --git a/backport-CVE-2022-48281.patch b/backport-CVE-2022-48281.patch index d3cf3cc..159b30d 100644 --- a/backport-CVE-2022-48281.patch +++ b/backport-CVE-2022-48281.patch @@ -8,18 +8,17 @@ Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488. 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 14fa18da..7db69883 100644 +index 92f8d09..20b9c23 100644 --- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c -@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image, - cropsize + NUM_BUFF_OVERSIZE_BYTES); - else - { -- prev_cropsize = seg_buffs[0].size; -+ prev_cropsize = seg_buffs[i].size; - if (prev_cropsize < cropsize) - { - next_buff = _TIFFrealloc( +@@ -7638,7 +7638,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + else + { +- prev_cropsize = seg_buffs[0].size; ++ prev_cropsize = seg_buffs[i].size; + if (prev_cropsize < cropsize) + { + next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); -- -GitLab - +2.33.0 diff --git a/fix-raw2tiff-floating-point-exception.patch b/fix-raw2tiff-floating-point-exception.patch new file mode 100644 index 0000000..ca217c8 --- /dev/null +++ b/fix-raw2tiff-floating-point-exception.patch @@ -0,0 +1,34 @@ +From 42f499986d3c8a1dce55db7d97d501f8e9dfc8f6 Mon Sep 17 00:00:00 2001 +From: t.feng +Date: Mon, 13 Dec 2021 21:03:13 +0800 +Subject: [PATCH] fix raw2tiff floating point exception + +if we input illegal nbands, like: +raw2tiff -b :2 test.raw test.tif +we got: +Floating point exception (core dumped) +so, check nbands before guessSize + +--- + tools/raw2tiff.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c +index dfee715..3a6f00e 100644 +--- a/tools/raw2tiff.c ++++ b/tools/raw2tiff.c +@@ -209,6 +209,11 @@ main(int argc, char* argv[]) + return (EXIT_FAILURE); + } + ++ if (nbands == 0) { ++ fprintf(stderr, "The number of bands is illegal.\n"); ++ return (-1); ++ } ++ + if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0) + return EXIT_FAILURE; + +-- +2.27.0 + diff --git a/libtiff.spec b/libtiff.spec index b1bc3c8..814e1a4 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,12 +1,40 @@ Name: libtiff -Version: 4.5.0 -Release: 1 +Version: 4.3.0 +Release: 22 Summary: TIFF Library and Utilities License: libtiff URL: https://www.simplesystems.org/libtiff/ Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz -Patch6000: backport-CVE-2022-48281.patch +Patch6000: backport-CVE-2022-0561.patch +Patch6001: backport-CVE-2022-0562.patch +Patch6002: backport-0001-CVE-2022-22844.patch +Patch6003: backport-0002-CVE-2022-22844.patch +Patch6004: backport-0003-CVE-2022-22844.patch +Patch6005: backport-CVE-2022-0891.patch +Patch6006: backport-CVE-2022-0907.patch +Patch6007: backport-CVE-2022-0908.patch +Patch6008: backport-CVE-2022-0865.patch +Patch6009: backport-CVE-2022-0909.patch +Patch6010: backport-CVE-2022-0924.patch +Patch6011: backport-CVE-2022-1355.patch +Patch6012: backport-0001-CVE-2022-1622-CVE-2022-1623.patch +Patch6013: backport-0002-CVE-2022-1622-CVE-2022-1623.patch +Patch6014: backport-CVE-2022-1354.patch +Patch6015: backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch +Patch6016: backport-0001-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch +Patch6017: backport-0002-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch +Patch6018: backport-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch +Patch6019: backport-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627.patch +Patch6020: backport-0001-CVE-2022-3570-CVE-2022-3598.patch +Patch6021: backport-0002-CVE-2022-3570-CVE-2022-3598.patch +Patch6022: backport-0003-CVE-2022-3570-CVE-2022-3598.patch +Patch6023: backport-CVE-2022-3599.patch +Patch6024: backport-CVE-2022-3970.patch +Patch6025: backport-CVE-2022-48281.patch + +Patch9000: fix-raw2tiff-floating-point-exception.patch + BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig @@ -97,11 +125,11 @@ fi %check make check -find doc -name 'Makefile*' | xargs rm +find html -name 'Makefile*' | xargs rm %files %defattr(-,root,root) -%license LICENSE.md +%license COPYRIGHT %doc README.md %{_libdir}/*.so.* @@ -122,13 +150,11 @@ find doc -name 'Makefile*' | xargs rm %defattr(-,root,root) %{_mandir}/man* %doc RELEASE-DATE VERSION -%doc TODO ChangeLog doc +%doc TODO ChangeLog html %exclude %{_mandir}/man1/* +%exclude %{_datadir}/html/man/tiffgt.1.html %changelog -* Tue Feb 07 2023 zhouwenpei - 4.5.0-1 -- update to 4.5.0 - * Sun Jan 29 2023 zhouwenpei - 4.3.0-22 - Type:cve - ID:CVE-2022-48281 diff --git a/tiff-4.3.0.tar.gz b/tiff-4.3.0.tar.gz new file mode 100644 index 0000000..e0468fa Binary files /dev/null and b/tiff-4.3.0.tar.gz differ diff --git a/tiff-4.5.0.tar.gz b/tiff-4.5.0.tar.gz deleted file mode 100644 index 2a73f47..0000000 Binary files a/tiff-4.5.0.tar.gz and /dev/null differ