packages/libtiff
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport patch for fix CVE-2023-6277 issue

Browse Source
This commit is contained in:
liningjie 2023-11-29 18:14:00 +08:00
parent 3686050935
commit 6fcea4f598
2 changed files with 199 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

194
backport-0003-CVE-2023-6277.patch Normal file
View File

@ -0,0 +1,194 @@
From 38f5b5b9f95891d2616f1df70ebcfb53690cb67c Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 29 Nov 2023 18:10:25 +0800
Subject: [PATCH] backport patch for fix CVE-2023-6277 issue
---
libtiff/tif_dirread.c | 129 +++++++++++++++++++++---------------------
1 file changed, 66 insertions(+), 63 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index a98ea1f..b38060f 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1308,19 +1308,22 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
datasize = (*count) * typesize;
assert((tmsize_t)datasize > 0);
- /* Before allocating a huge amount of memory for corrupted files, check if
- * size of requested memory is not greater than file size.
- */
- uint64_t filesize = TIFFGetFileSize(tif);
- if (datasize > filesize)
- {
- TIFFWarningExtR(tif, "ReadDirEntryArray",
- "Requested memory size for tag %d (0x%x) %" PRIu32
- " is greather than filesize %" PRIu64
- ". Memory not allocated, tag not read",
- direntry->tdir_tag, direntry->tdir_tag, datasize,
- filesize);
- return (TIFFReadDirEntryErrAlloc);
+ if (datasize > 100 * 1024 * 1024)
+ {
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size.
+ */
+ const uint64_t filesize = TIFFGetFileSize(tif);
+ if (datasize > filesize)
+ {
+ TIFFWarningExtR(tif, "ReadDirEntryArray",
+ "Requested memory size for tag %d (0x%x) %" PRIu32
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated, tag not read",
+ direntry->tdir_tag, direntry->tdir_tag, datasize,
+ filesize);
+ return (TIFFReadDirEntryErrAlloc);
+ }
}
if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
@@ -5281,18 +5284,22 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
if (!_TIFFFillStrilesInternal(tif, 0))
return -1;
- /* Before allocating a huge amount of memory for corrupted files, check if
- * size of requested memory is not greater than file size. */
- uint64_t filesize = TIFFGetFileSize(tif);
- uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
- if (allocsize > filesize)
- {
- TIFFWarningExtR(tif, module,
- "Requested memory size for StripByteCounts of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- return -1;
+ const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+ uint64_t filesize = 0;
+ if (allocsize > 100 * 1024 * 1024)
+ {
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(
+ tif, module,
+ "Requested memory size for StripByteCounts of %" PRIu64
+ " is greater than filesize %" PRIu64 ". Memory not allocated",
+ allocsize, filesize);
+ return -1;
+ }
}
if (td->td_stripbytecount_p)
@@ -5341,6 +5348,8 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
return -1;
space += datasize;
}
+ if (filesize == 0)
+ filesize = TIFFGetFileSize(tif);
if (filesize < space)
/* we should perhaps return in error ? */
space = filesize;
@@ -5834,20 +5843,6 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
dircount16 = (uint16_t)dircount64;
dirsize = 20;
}
- /* Before allocating a huge amount of memory for corrupted files, check
- * if size of requested memory is not greater than file size. */
- uint64_t filesize = TIFFGetFileSize(tif);
- uint64_t allocsize = (uint64_t)dircount16 * dirsize;
- if (allocsize > filesize)
- {
- TIFFWarningExtR(
- tif, module,
- "Requested memory size for TIFF directory of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated, TIFF directory not read",
- allocsize, filesize);
- return 0;
- }
origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
"to read TIFF directory");
if (origdir == NULL)
@@ -5971,7 +5966,7 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
TIFFWarningExtR(
tif, module,
"Requested memory size for TIFF directory of %" PRIu64
- " is greather than filesize %" PRIu64
+ " is greater than filesize %" PRIu64
". Memory not allocated, TIFF directory not read",
allocsize, filesize);
return 0;
@@ -7221,19 +7216,24 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
return (0);
}
- /* Before allocating a huge amount of memory for corrupted files, check
- * if size of requested memory is not greater than file size. */
- uint64_t filesize = TIFFGetFileSize(tif);
- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
- if (allocsize > filesize)
+ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+ if (allocsize > 100 * 1024 * 1024)
{
- TIFFWarningExtR(tif, module,
- "Requested memory size for StripArray of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- _TIFFfreeExt(tif, data);
- return (0);
+ /* Before allocating a huge amount of memory for corrupted files,
+ * check if size of requested memory is not greater than file size.
+ */
+ const uint64_t filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(
+ tif, module,
+ "Requested memory size for StripArray of %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ _TIFFfreeExt(tif, data);
+ return (0);
+ }
}
resizeddata = (uint64_t *)_TIFFCheckMalloc(
tif, nstrips, sizeof(uint64_t), "for strip array");
@@ -7338,17 +7338,20 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
* size of StripByteCount and StripOffset tags is not greater than
* file size.
*/
- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
- uint64_t filesize = TIFFGetFileSize(tif);
- if (allocsize > filesize)
- {
- TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
- "Requested memory size for StripByteCount and "
- "StripOffsets %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- return;
+ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+ if (allocsize > 100 * 1024 * 1024)
+ {
+ const uint64_t filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
+ "Requested memory size for StripByteCount and "
+ "StripOffsets %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return;
+ }
}
newcounts =
--
2.27.0

6
libtiff.spec
View File

@ -1,6 +1,6 @@
Name: libtiff
Version: 4.5.1
Release: 3
Release: 4
Summary: TIFF Library and Utilities
License: libtiff
URL: https://www.simplesystems.org/libtiff/
@ -11,6 +11,7 @@ Patch6001: backport-CVE-2023-38289.patch
Patch6002: backport-CVE-2023-6228.patch
Patch6003: backport-0001-CVE-2023-6277.patch
Patch6004: backport-0002-CVE-2023-6277.patch
Patch6005: backport-0003-CVE-2023-6277.patch
BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
BuildRequires: libtool automake autoconf pkgconfig
@ -130,6 +131,9 @@ find doc -name 'Makefile*' | xargs rm
%exclude %{_mandir}/man1/*
%changelog
* Wed Nov 29 2023 liningjie <liningjie@xfusion.com> - 4.5.1-4
- backport patch for fix CVE-2023-6277 issue
* Sat Nov 25 2023 liningjie <liningjie@xfusion.com> - 4.5.1-3
- fix CVE-2023-6277