diff --git a/backport-0001-CVE-2023-0795-0796-0797-0798-0799.patch b/backport-0001-CVE-2023-0795-0796-0797-0798-0799.patch deleted file mode 100644 index 0083ccd..0000000 --- a/backport-0001-CVE-2023-0795-0796-0797-0798-0799.patch +++ /dev/null @@ -1,120 +0,0 @@ -From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Fri, 3 Feb 2023 15:31:31 +0100 -Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage() - fix#520 rotateImage() set up a new buffer and calculates its size - individually. Therefore, seg_buffs[] size needs to be updated accordingly. - Before this fix, the seg_buffs buffer size was calculated with a different - formula than within rotateImage(). - -Closes #520. ---- - tools/tiffcrop.c | 36 ++++++++++++++++++++---------------- - 1 file changed, 20 insertions(+), 16 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 7db69883..f8b66188 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -577,7 +577,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t, - static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, - uint32_t, uint32_t, uint8_t *, uint8_t *); - static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, -- unsigned char **); -+ unsigned char **, size_t *); - static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, - unsigned char *); - static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, -@@ -7243,7 +7243,7 @@ static int correct_orientation(struct image_data *image, - } - - if (rotateImage(rotation, image, &image->width, &image->length, -- work_buff_ptr)) -+ work_buff_ptr, NULL)) - { - TIFFError("correct_orientation", "Unable to rotate image"); - return (-1); -@@ -8563,8 +8563,12 @@ static int processCropSelections(struct image_data *image, - if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can - reallocate the buffer */ - { -+ /* rotateImage() set up a new buffer and calculates its size -+ * individually. Therefore, seg_buffs size needs to be updated -+ * accordingly. */ -+ size_t rot_buf_size = 0; - if (rotateImage(crop->rotation, image, &crop->combined_width, -- &crop->combined_length, &crop_buff)) -+ &crop->combined_length, &crop_buff, &rot_buf_size)) - { - TIFFError("processCropSelections", - "Failed to rotate composite regions by %" PRIu32 -@@ -8573,9 +8577,7 @@ static int processCropSelections(struct image_data *image, - return (-1); - } - seg_buffs[0].buffer = crop_buff; -- seg_buffs[0].size = -- (((crop->combined_width * image->bps + 7) / 8) * image->spp) * -- crop->combined_length; -+ seg_buffs[0].size = rot_buf_size; - } - } - else /* Separated Images */ -@@ -8686,10 +8688,13 @@ static int processCropSelections(struct image_data *image, - * ->yres, what it schouldn't do here, when more than one - * section is processed. ToDo: Therefore rotateImage() and its - * usage has to be reworked (e.g. like mirrorImage()) !! -- */ -- if (rotateImage(crop->rotation, image, -- &crop->regionlist[i].width, -- &crop->regionlist[i].length, &crop_buff)) -+ * Furthermore, rotateImage() set up a new buffer and calculates -+ * its size individually. Therefore, seg_buffs size needs to be -+ * updated accordingly. */ -+ size_t rot_buf_size = 0; -+ if (rotateImage( -+ crop->rotation, image, &crop->regionlist[i].width, -+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) - { - TIFFError("processCropSelections", - "Failed to rotate crop region by %" PRIu16 -@@ -8702,10 +8707,7 @@ static int processCropSelections(struct image_data *image, - crop->combined_width = total_width; - crop->combined_length = total_length; - seg_buffs[i].buffer = crop_buff; -- seg_buffs[i].size = -- (((crop->regionlist[i].width * image->bps + 7) / 8) * -- image->spp) * -- crop->regionlist[i].length; -+ seg_buffs[i].size = rot_buf_size; - } - } /* for crop->selections loop */ - } /* Separated Images (else case) */ -@@ -8836,7 +8838,7 @@ static int createCroppedImage(struct image_data *image, struct crop_mask *crop, - CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ - { - if (rotateImage(crop->rotation, image, &crop->combined_width, -- &crop->combined_length, crop_buff_ptr)) -+ &crop->combined_length, crop_buff_ptr, NULL)) - { - TIFFError("createCroppedImage", - "Failed to rotate image or cropped selection by %" PRIu16 -@@ -9552,7 +9554,7 @@ static int rotateContigSamples32bits(uint16_t rotation, uint16_t spp, - /* Rotate an image by a multiple of 90 degrees clockwise */ - static int rotateImage(uint16_t rotation, struct image_data *image, - uint32_t *img_width, uint32_t *img_length, -- unsigned char **ibuff_ptr) -+ unsigned char **ibuff_ptr, size_t *rot_buf_size) - { - int shift_width; - uint32_t bytes_per_pixel, bytes_per_sample; -@@ -9610,6 +9612,8 @@ static int rotateImage(uint16_t rotation, struct image_data *image, - return (-1); - } - _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); -+ if (rot_buf_size != NULL) -+ *rot_buf_size = buffsize; - - ibuff = *ibuff_ptr; - switch (rotation) --- -GitLab diff --git a/backport-0002-CVE-2023-0795-0796-0797-0798-0799.patch b/backport-0002-CVE-2023-0795-0796-0797-0798-0799.patch deleted file mode 100644 index 4ae4885..0000000 --- a/backport-0002-CVE-2023-0795-0796-0797-0798-0799.patch +++ /dev/null @@ -1,128 +0,0 @@ -From 82a7fbb1fa7228499ffeb3a57a1d106a9626d57c Mon Sep 17 00:00:00 2001 -From: Su Laus -Date: Sun, 5 Feb 2023 15:53:15 +0000 -Subject: [PATCH] tiffcrop: added check for assumption on composite images - (fixes #496) - -tiffcrop: For composite images with more than one region, the combined_length or combined_width always needs to be equal, respectively. Otherwise, even the first section/region copy action might cause buffer overrun. This is now checked before the first copy action. - -Closes #496, #497, #498, #500, #501. ---- - tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 66 insertions(+), 2 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 84e26ac6..480b927c 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -5935,18 +5935,40 @@ static int computeInputPixelOffsets(struct crop_mask *crop, - - crop->regionlist[i].buffsize = buffsize; - crop->bufftotal += buffsize; -+ -+ /* For composite images with more than one region, the -+ * combined_length or combined_width always needs to be equal, -+ * respectively. -+ * Otherwise, even the first section/region copy -+ * action might cause buffer overrun. */ - if (crop->img_mode == COMPOSITE_IMAGES) - { - switch (crop->edge_ref) - { - case EDGE_LEFT: - case EDGE_RIGHT: -+ if (i > 0 && zlength != crop->combined_length) -+ { -+ TIFFError( -+ "computeInputPixelOffsets", -+ "Only equal length regions can be combined for " -+ "-E left or right"); -+ return (-1); -+ } - crop->combined_length = zlength; - crop->combined_width += zwidth; - break; - case EDGE_BOTTOM: - case EDGE_TOP: /* width from left, length from top */ - default: -+ if (i > 0 && zwidth != crop->combined_width) -+ { -+ TIFFError("computeInputPixelOffsets", -+ "Only equal width regions can be " -+ "combined for -E " -+ "top or bottom"); -+ return (-1); -+ } - crop->combined_width = zwidth; - crop->combined_length += zlength; - break; -@@ -7301,6 +7323,46 @@ static int extractCompositeRegions(struct image_data *image, - crop->combined_width = 0; - crop->combined_length = 0; - -+ /* If there is more than one region, check beforehand whether all the width -+ * and length values of the regions are the same, respectively. */ -+ switch (crop->edge_ref) -+ { -+ default: -+ case EDGE_TOP: -+ case EDGE_BOTTOM: -+ for (i = 1; i < crop->selections; i++) -+ { -+ uint32_t crop_width0 = -+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1; -+ uint32_t crop_width1 = -+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; -+ if (crop_width0 != crop_width1) -+ { -+ TIFFError("extractCompositeRegions", -+ "Only equal width regions can be combined for -E " -+ "top or bottom"); -+ return (1); -+ } -+ } -+ break; -+ case EDGE_LEFT: -+ case EDGE_RIGHT: -+ for (i = 1; i < crop->selections; i++) -+ { -+ uint32_t crop_length0 = -+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1; -+ uint32_t crop_length1 = -+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; -+ if (crop_length0 != crop_length1) -+ { -+ TIFFError("extractCompositeRegions", -+ "Only equal length regions can be combined for " -+ "-E left or right"); -+ return (1); -+ } -+ } -+ } -+ - for (i = 0; i < crop->selections; i++) - { - /* rows, columns, width, length are expressed in pixels */ -@@ -7325,7 +7387,8 @@ static int extractCompositeRegions(struct image_data *image, - default: - case EDGE_TOP: - case EDGE_BOTTOM: -- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width)) -+ if ((crop->selections > i + 1) && -+ (crop_width != crop->regionlist[i + 1].width)) - { - TIFFError("extractCompositeRegions", - "Only equal width regions can be combined for -E " -@@ -7418,7 +7481,8 @@ static int extractCompositeRegions(struct image_data *image, - case EDGE_LEFT: /* splice the pieces of each row together, side by - side */ - case EDGE_RIGHT: -- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length)) -+ if ((crop->selections > i + 1) && -+ (crop_length != crop->regionlist[i + 1].length)) - { - TIFFError("extractCompositeRegions", - "Only equal length regions can be combined for " --- -GitLab - diff --git a/backport-CVE-2022-48281.patch b/backport-CVE-2022-48281.patch deleted file mode 100644 index d3cf3cc..0000000 --- a/backport-CVE-2022-48281.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001 -From: Su Laus -Date: Sat, 21 Jan 2023 15:58:10 +0000 -Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488. - ---- - tools/tiffcrop.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 14fa18da..7db69883 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image, - cropsize + NUM_BUFF_OVERSIZE_BYTES); - else - { -- prev_cropsize = seg_buffs[0].size; -+ prev_cropsize = seg_buffs[i].size; - if (prev_cropsize < cropsize) - { - next_buff = _TIFFrealloc( --- -GitLab - diff --git a/backport-CVE-2023-0800-0801-0802-0803-0804.patch b/backport-CVE-2023-0800-0801-0802-0803-0804.patch deleted file mode 100644 index 1368875..0000000 --- a/backport-CVE-2023-0800-0801-0802-0803-0804.patch +++ /dev/null @@ -1,162 +0,0 @@ -From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Sun, 29 Jan 2023 11:09:26 +0100 -Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main) - image width and length parameters when only cropped image sections are - rotated. Remove buffptr from region structure because never used. - -Closes #492 #493 #494 #495 #499 #518 #519 ---- - tools/tiffcrop.c | 59 ++++++++++++++++++++++++++++-------------------- - 1 file changed, 35 insertions(+), 24 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index ebea7475..519871ec 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -296,7 +296,6 @@ struct region - uint32_t width; /* width in pixels */ - uint32_t length; /* length in pixels */ - uint32_t buffsize; /* size of buffer needed to hold the cropped region */ -- unsigned char *buffptr; /* address of start of the region */ - }; - - /* Cropping parameters from command line and image data -@@ -577,7 +576,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t, - static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, - uint32_t, uint32_t, uint8_t *, uint8_t *); - static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, -- unsigned char **, size_t *); -+ unsigned char **, size_t *, int); - static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, - unsigned char *); - static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, -@@ -5782,7 +5781,6 @@ static void initCropMasks(struct crop_mask *cps) - cps->regionlist[i].width = 0; - cps->regionlist[i].length = 0; - cps->regionlist[i].buffsize = 0; -- cps->regionlist[i].buffptr = NULL; - cps->zonelist[i].position = 0; - cps->zonelist[i].total = 0; - } -@@ -7266,9 +7264,13 @@ static int correct_orientation(struct image_data *image, - (uint16_t)(image->adjustments & ROTATE_ANY)); - return (-1); - } -- -- if (rotateImage(rotation, image, &image->width, &image->length, -- work_buff_ptr, NULL)) -+ /* Dummy variable in order not to switch two times the -+ * image->width,->length within rotateImage(), -+ * but switch xres, yres there. */ -+ uint32_t width = image->width; -+ uint32_t length = image->length; -+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL, -+ TRUE)) - { - TIFFError("correct_orientation", "Unable to rotate image"); - return (-1); -@@ -7377,7 +7379,6 @@ static int extractCompositeRegions(struct image_data *image, - /* These should not be needed for composite images */ - crop->regionlist[i].width = crop_width; - crop->regionlist[i].length = crop_length; -- crop->regionlist[i].buffptr = crop_buff; - - src_rowsize = ((img_width * bps * spp) + 7) / 8; - dst_rowsize = (((crop_width * bps * count) + 7) / 8); -@@ -7640,7 +7641,6 @@ static int extractSeparateRegion(struct image_data *image, - - crop->regionlist[region].width = crop_width; - crop->regionlist[region].length = crop_length; -- crop->regionlist[region].buffptr = crop_buff; - - src = read_buff; - dst = crop_buff; -@@ -8635,7 +8635,8 @@ static int processCropSelections(struct image_data *image, - * accordingly. */ - size_t rot_buf_size = 0; - if (rotateImage(crop->rotation, image, &crop->combined_width, -- &crop->combined_length, &crop_buff, &rot_buf_size)) -+ &crop->combined_length, &crop_buff, &rot_buf_size, -+ FALSE)) - { - TIFFError("processCropSelections", - "Failed to rotate composite regions by %" PRIu32 -@@ -8759,9 +8760,10 @@ static int processCropSelections(struct image_data *image, - * its size individually. Therefore, seg_buffs size needs to be - * updated accordingly. */ - size_t rot_buf_size = 0; -- if (rotateImage( -- crop->rotation, image, &crop->regionlist[i].width, -- &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) -+ if (rotateImage(crop->rotation, image, -+ &crop->regionlist[i].width, -+ &crop->regionlist[i].length, &crop_buff, -+ &rot_buf_size, FALSE)) - { - TIFFError("processCropSelections", - "Failed to rotate crop region by %" PRIu16 -@@ -8905,7 +8907,7 @@ static int createCroppedImage(struct image_data *image, struct crop_mask *crop, - CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ - { - if (rotateImage(crop->rotation, image, &crop->combined_width, -- &crop->combined_length, crop_buff_ptr, NULL)) -+ &crop->combined_length, crop_buff_ptr, NULL, TRUE)) - { - TIFFError("createCroppedImage", - "Failed to rotate image or cropped selection by %" PRIu16 -@@ -9621,7 +9623,8 @@ static int rotateContigSamples32bits(uint16_t rotation, uint16_t spp, - /* Rotate an image by a multiple of 90 degrees clockwise */ - static int rotateImage(uint16_t rotation, struct image_data *image, - uint32_t *img_width, uint32_t *img_length, -- unsigned char **ibuff_ptr, size_t *rot_buf_size) -+ unsigned char **ibuff_ptr, size_t *rot_buf_size, -+ int rot_image_params) - { - int shift_width; - uint32_t bytes_per_pixel, bytes_per_sample; -@@ -9869,11 +9872,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image, - - *img_width = length; - *img_length = width; -- image->width = length; -- image->length = width; -- res_temp = image->xres; -- image->xres = image->yres; -- image->yres = res_temp; -+ /* Only toggle image parameters if whole input image is rotated. */ -+ if (rot_image_params) -+ { -+ image->width = length; -+ image->length = width; -+ res_temp = image->xres; -+ image->xres = image->yres; -+ image->yres = res_temp; -+ } - break; - - case 270: -@@ -9956,11 +9963,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image, - - *img_width = length; - *img_length = width; -- image->width = length; -- image->length = width; -- res_temp = image->xres; -- image->xres = image->yres; -- image->yres = res_temp; -+ /* Only toggle image parameters if whole input image is rotated. */ -+ if (rot_image_params) -+ { -+ image->width = length; -+ image->length = width; -+ res_temp = image->xres; -+ image->xres = image->yres; -+ image->yres = res_temp; -+ } - break; - default: - break; --- -GitLab - diff --git a/backport-CVE-2023-25433.patch b/backport-CVE-2023-25433.patch deleted file mode 100644 index 3884260..0000000 --- a/backport-CVE-2023-25433.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 688012dca2c39033aa2dc7bcea9796787cfd1b44 Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Sat, 4 Feb 2023 23:24:21 +0100 -Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage() - fix#520 -- enlarge buffsize and check integer overflow within rotateImage(). - -Reference:https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44 -Conflict:NA - ---- - tools/tiffcrop.c | 36 +++++++++++++++++++++++++++++++++--- - 1 file changed, 33 insertions(+), 3 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index f8b66188e..ca23529b5 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -9560,7 +9560,8 @@ static int rotateImage(uint16_t rotation, struct image_data *image, - uint32_t bytes_per_pixel, bytes_per_sample; - uint32_t row, rowsize, src_offset, dst_offset; - uint32_t i, col, width, length; -- uint32_t colsize, buffsize, col_offset, pix_offset; -+ uint32_t colsize, col_offset, pix_offset; -+ tmsize_t buffsize; - unsigned char *ibuff; - unsigned char *src; - unsigned char *dst; -@@ -9573,12 +9574,40 @@ static int rotateImage(uint16_t rotation, struct image_data *image, - spp = image->spp; - bps = image->bps; - -+ if ((spp != 0 && bps != 0 && -+ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) || -+ (spp != 0 && bps != 0 && -+ length > (uint32_t)((UINT32_MAX - 7) / spp / bps))) -+ { -+ TIFFError("rotateImage", "Integer overflow detected."); -+ return (-1); -+ } - rowsize = ((bps * spp * width) + 7) / 8; - colsize = ((bps * spp * length) + 7) / 8; - if ((colsize * width) > (rowsize * length)) -- buffsize = (colsize + 1) * width; -+ { -+ if (((tmsize_t)colsize + 1) != 0 && -+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) / -+ ((tmsize_t)colsize + 1))) -+ { -+ TIFFError("rotateImage", -+ "Integer overflow when calculating buffer size."); -+ return (-1); -+ } -+ buffsize = ((tmsize_t)colsize + 1) * width; -+ } - else -+ { -+ if (((tmsize_t)rowsize + 1) != 0 && -+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) / -+ ((tmsize_t)rowsize + 1))) -+ { -+ TIFFError("rotateImage", -+ "Integer overflow when calculating buffer size."); -+ return (-1); -+ } - buffsize = (rowsize + 1) * length; -+ } - - bytes_per_sample = (bps + 7) / 8; - bytes_per_pixel = ((bps * spp) + 7) / 8; -@@ -9607,7 +9636,8 @@ static int rotateImage(uint16_t rotation, struct image_data *image, - (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) - { - TIFFError("rotateImage", -- "Unable to allocate rotation buffer of %1u bytes", -+ "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT -+ " bytes ", - buffsize + NUM_BUFF_OVERSIZE_BYTES); - return (-1); - } --- -GitLab diff --git a/backport-CVE-2023-26965.patch b/backport-CVE-2023-26965.patch deleted file mode 100644 index 164faf0..0000000 --- a/backport-CVE-2023-26965.patch +++ /dev/null @@ -1,98 +0,0 @@ -From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Tue, 14 Feb 2023 20:43:43 +0100 -Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images. - Fix issue 527 - -Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value. - -Closes #527 - -Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/472/diffs -Conflict:NA - ---- - tools/tiffcrop.c | 47 +++++++++++++---------------------------------- - 1 file changed, 13 insertions(+), 34 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index d7ad5ca89..d3e11ba25 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump, - uint32_t tw = 0, tl = 0; /* Tile width and length */ - tmsize_t tile_rowsize = 0; - unsigned char *read_buff = NULL; -- unsigned char *new_buff = NULL; - int readunit = 0; -- static tmsize_t prev_readsize = 0; - - TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); - TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); -@@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump, - } - - read_buff = *read_ptr; -- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ -- /* outside buffer */ -- if (!read_buff) -+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit -+ * outside buffer */ -+ /* Reuse of read_buff from previous image is quite unsafe, because other -+ * functions (like rotateImage() etc.) reallocate that buffer with different -+ * size without updating the local prev_readsize value. */ -+ if (read_buff) - { -- if (buffsize > 0xFFFFFFFFU - 3) -- { -- TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); -- return (-1); -- } -- read_buff = -- (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); -+ _TIFFfree(read_buff); - } -- else -+ if (buffsize > 0xFFFFFFFFU - 3) - { -- if (prev_readsize < buffsize) -- { -- if (buffsize > 0xFFFFFFFFU - 3) -- { -- TIFFError("loadImage", -- "Unable to allocate/reallocate read buffer"); -- return (-1); -- } -- new_buff = -- _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); -- if (!new_buff) -- { -- free(read_buff); -- read_buff = (unsigned char *)limitMalloc( -- buffsize + NUM_BUFF_OVERSIZE_BYTES); -- } -- else -- read_buff = new_buff; -- } -+ TIFFError("loadImage", "Required read buffer size too large"); -+ return (-1); - } -+ read_buff = -+ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); - if (!read_buff) - { -- TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); -+ TIFFError("loadImage", "Unable to allocate read buffer"); - return (-1); - } - -@@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump, - read_buff[buffsize + 1] = 0; - read_buff[buffsize + 2] = 0; - -- prev_readsize = buffsize; - *read_ptr = read_buff; - - /* N.B. The read functions used copy separate plane data into a buffer as --- -GitLab diff --git a/backport-CVE-2023-26966.patch b/backport-CVE-2023-26966.patch deleted file mode 100644 index b35ac0d..0000000 --- a/backport-CVE-2023-26966.patch +++ /dev/null @@ -1,36 +0,0 @@ -From b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Thu, 16 Feb 2023 12:03:16 +0100 -Subject: [PATCH] tif_luv: Check and correct for NaN data in uv_encode(). - -Closes #530 - -See merge request !473 - -Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/473/diffs -Conflict:NA - ---- - libtiff/tif_luv.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c -index 051721e82..021756d5d 100644 ---- a/libtiff/tif_luv.c -+++ b/libtiff/tif_luv.c -@@ -953,6 +953,13 @@ static - { - register int vi, ui; - -+ /* check for NaN */ -+ if (u != u || v != v) -+ { -+ u = U_NEU; -+ v = V_NEU; -+ } -+ - if (v < UV_VSTART) - return oog_encode(u, v); - vi = tiff_itrunc((v - UV_VSTART) * (1. / UV_SQSIZ), em); --- -GitLab diff --git a/backport-CVE-2023-2731.patch b/backport-CVE-2023-2731.patch deleted file mode 100644 index e946345..0000000 --- a/backport-CVE-2023-2731.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 29 Apr 2023 12:20:46 +0200 -Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a - strip whith a missing end-of-information marker (fixes #548) - -Reference:https://github.com/libsdl-org/libtiff/commit/9be22b639ea69e102d3847dca4c53ef025e9527b -Conflict:NA ---- - libtiff/tif_lzw.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c -index ba75a07e..d631fa10 100644 ---- a/libtiff/tif_lzw.c -+++ b/libtiff/tif_lzw.c -@@ -423,6 +423,10 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s) - - if (sp->read_error) - { -+ TIFFErrorExtR(tif, module, -+ "LZWDecode: Scanline %" PRIu32 " cannot be read due to " -+ "previous error", -+ tif->tif_row); - return 0; - } - -@@ -742,6 +746,7 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s) - return (1); - - no_eoi: -+ sp->read_error = 1; - TIFFErrorExtR(tif, module, - "LZWDecode: Strip %" PRIu32 " not terminated with EOI code", - tif->tif_curstrip); diff --git a/backport-CVE-2023-2908.patch b/backport-CVE-2023-2908.patch deleted file mode 100644 index 253be54..0000000 --- a/backport-CVE-2023-2908.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 64105057d03df64841e3aaaaf05e84c069969f55 Mon Sep 17 00:00:00 2001 -From: zhailiangliang -Date: Thu, 20 Apr 2023 20:06:20 +0800 -Subject: [PATCH] fix runtime error: applying zero offset to null pointer - -Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/479/diffs -Conflict:NA - ---- - libtiff/tif_dir.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index 3d57341f4..c3a7a4183 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -192,11 +192,11 @@ static int setExtraSamples(TIFF *tif, va_list ap, uint32_t *v) - static uint16_t countInkNamesString(TIFF *tif, uint32_t slen, const char *s) - { - uint16_t i = 0; -- const char *ep = s + slen; -- const char *cp = s; - - if (slen > 0) - { -+ const char *ep = s + slen; -+ const char *cp = s; - do - { - for (; cp < ep && *cp != '\0'; cp++) --- -GitLab diff --git a/backport-CVE-2023-3316.patch b/backport-CVE-2023-3316.patch deleted file mode 100644 index 0f2faed..0000000 --- a/backport-CVE-2023-3316.patch +++ /dev/null @@ -1,54 +0,0 @@ -From d63de61b1ec3385f6383ef9a1f453e4b8b11d536 Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Fri, 3 Feb 2023 17:38:55 +0100 -Subject: [PATCH] TIFFClose() avoid NULL pointer dereferencing. fix#515 - -Closes #515 - -Reference:https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536 -Conflict:NA - ---- - libtiff/tif_close.c | 11 +++++++---- - tools/tiffcrop.c | 5 ++++- - 2 files changed, 11 insertions(+), 5 deletions(-) - -diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c -index 985d290cf..907d7f139 100644 ---- a/libtiff/tif_close.c -+++ b/libtiff/tif_close.c -@@ -147,9 +147,12 @@ void _TIFFCleanupIFDOffsetAndNumberMaps(TIFF *tif) - - void TIFFClose(TIFF *tif) - { -- TIFFCloseProc closeproc = tif->tif_closeproc; -- thandle_t fd = tif->tif_clientdata; -+ if (tif != NULL) -+ { -+ TIFFCloseProc closeproc = tif->tif_closeproc; -+ thandle_t fd = tif->tif_clientdata; - -- TIFFCleanup(tif); -- (void)(*closeproc)(fd); -+ TIFFCleanup(tif); -+ (void)(*closeproc)(fd); -+ } - } -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 7db69883e..84e26ac66 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -2920,7 +2920,10 @@ int main(int argc, char *argv[]) - } - } - -- TIFFClose(out); -+ if (out != NULL) -+ { -+ TIFFClose(out); -+ } - - return (0); - } /* end main */ --- -GitLab diff --git a/backport-CVE-2023-3576.patch b/backport-CVE-2023-3576.patch deleted file mode 100644 index 395a88b..0000000 --- a/backport-CVE-2023-3576.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 881a070194783561fd209b7c789a4e75566f7f37 Mon Sep 17 00:00:00 2001 -From: zhailiangliang -Date: Tue, 7 Mar 2023 15:02:08 +0800 -Subject: [PATCH] Fix memory leak in tiffcrop.c - -Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/475/diffs -Conflict:NA - ---- - tools/tiffcrop.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index d3e11ba25..24d0ca84f 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -8782,8 +8782,13 @@ static int createCroppedImage(struct image_data *image, struct crop_mask *crop, - - read_buff = *read_buff_ptr; - -+ /* Memory is freed before crop_buff_ptr is overwritten */ -+ if (*crop_buff_ptr != NULL) -+ { -+ _TIFFfree(*crop_buff_ptr); -+ } -+ - /* process full image, no crop buffer needed */ -- crop_buff = read_buff; - *crop_buff_ptr = read_buff; - crop->combined_width = image->width; - crop->combined_length = image->length; --- -GitLab diff --git a/backport-CVE-2023-38288.patch b/backport-CVE-2023-38288.patch new file mode 100644 index 0000000..2f91966 --- /dev/null +++ b/backport-CVE-2023-38288.patch @@ -0,0 +1,31 @@ +From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001 +From: Arie Haenel +Date: Wed, 19 Jul 2023 19:34:25 +0000 +Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images + (fixes #591) + +--- + tools/tiffcp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 3b2d1ddac..80b39829a 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1754,6 +1754,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer) + "Width * Samples/Pixel)"); + return 0; + } ++ ++ if ( (imagew - tilew * spp) > INT_MAX ){ ++ TIFFError(TIFFFileName(in), ++ "Error, image raster scan line size is too large"); ++ return 0; ++ } ++ + iskew = imagew - tilew * spp; + tilebuf = limitMalloc(tilesize); + if (tilebuf == 0) +-- +GitLab + diff --git a/backport-CVE-2023-38289.patch b/backport-CVE-2023-38289.patch new file mode 100644 index 0000000..358b92a --- /dev/null +++ b/backport-CVE-2023-38289.patch @@ -0,0 +1,59 @@ +From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001 +From: Arie Haenel +Date: Wed, 19 Jul 2023 19:40:01 +0000 +Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes + #592) + +--- + tools/raw2tiff.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c +index 4ee59e5d7..0d6b0b664 100644 +--- a/tools/raw2tiff.c ++++ b/tools/raw2tiff.c +@@ -101,6 +101,7 @@ int main(int argc, char *argv[]) + int fd; + char *outfilename = NULL; + TIFF *out; ++ uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/ + + uint32_t row, col, band; + int c; +@@ -221,6 +222,33 @@ int main(int argc, char *argv[]) + if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0) + return EXIT_FAILURE; + ++ /* check for integer overflow in */ ++ /* hdr_size + (*width) * (*length) * nbands * depth */ ++ ++ if ((width == 0) || (length == 0) ){ ++ fprintf(stderr, "Too large nbands value specified.\n"); ++ return (EXIT_FAILURE); ++ } ++ ++ temp_limit_check = nbands * depth; ++ ++ if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) { ++ fprintf(stderr, "Too large length size specified.\n"); ++ return (EXIT_FAILURE); ++ } ++ temp_limit_check = temp_limit_check * length; ++ ++ if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) { ++ fprintf(stderr, "Too large width size specified.\n"); ++ return (EXIT_FAILURE); ++ } ++ temp_limit_check = temp_limit_check * width; ++ ++ if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) { ++ fprintf(stderr, "Too large header size specified.\n"); ++ return (EXIT_FAILURE); ++ } ++ + if (outfilename == NULL) + outfilename = argv[optind + 1]; + out = TIFFOpen(outfilename, "w"); +-- +GitLab + diff --git a/libtiff.spec b/libtiff.spec index b9a5cac..6dc3d27 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,22 +1,13 @@ Name: libtiff -Version: 4.5.0 -Release: 8 +Version: 4.5.1 +Release: 1 Summary: TIFF Library and Utilities License: libtiff URL: https://www.simplesystems.org/libtiff/ Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz -Patch6000: backport-CVE-2022-48281.patch -Patch6001: backport-0001-CVE-2023-0795-0796-0797-0798-0799.patch -Patch6002: backport-0002-CVE-2023-0795-0796-0797-0798-0799.patch -Patch6003: backport-CVE-2023-0800-0801-0802-0803-0804.patch -Patch6004: backport-CVE-2023-2731.patch -Patch6005: backport-CVE-2023-26965.patch -Patch6006: backport-CVE-2023-3316.patch -Patch6007: backport-CVE-2023-25433.patch -Patch6008: backport-CVE-2023-26966.patch -Patch6009: backport-CVE-2023-2908.patch -Patch6010: backport-CVE-2023-3576.patch +Patch6000: backport-CVE-2023-38288.patch +Patch6001: backport-CVE-2023-38289.patch BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig @@ -136,6 +127,9 @@ find doc -name 'Makefile*' | xargs rm %exclude %{_mandir}/man1/* %changelog +* Mon Jul 24 2023 zhouwenpei - 4.5.1-1 +- update 4.5.1 + * Thu Jul 13 2023 zhangpan - 4.5.0-8 - fix CVE-2023-3576 diff --git a/tiff-4.5.0.tar.gz b/tiff-4.5.0.tar.gz deleted file mode 100644 index 2a73f47..0000000 Binary files a/tiff-4.5.0.tar.gz and /dev/null differ diff --git a/tiff-4.5.1.tar.gz b/tiff-4.5.1.tar.gz new file mode 100644 index 0000000..235b81a Binary files /dev/null and b/tiff-4.5.1.tar.gz differ