packages/libtiff
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

upgrade to 4.5.1

Browse Source
This commit is contained in:
zhouwenpei 2023-07-24 11:21:45 +00:00
parent 0a86562b15
commit 794e4d0a72
16 changed files with 97 additions and 817 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

120
backport-0001-CVE-2023-0795-0796-0797-0798-0799.patch
View File

@ -1,120 +0,0 @@
From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Fri, 3 Feb 2023 15:31:31 +0100
Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage()
fix#520 rotateImage() set up a new buffer and calculates its size
individually. Therefore, seg_buffs[] size needs to be updated accordingly.
Before this fix, the seg_buffs buffer size was calculated with a different
formula than within rotateImage().
Closes #520.
---
tools/tiffcrop.c | 36 ++++++++++++++++++++----------------
1 file changed, 20 insertions(+), 16 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 7db69883..f8b66188 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -577,7 +577,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
uint32_t, uint32_t, uint8_t *, uint8_t *);
static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
- unsigned char **);
+ unsigned char **, size_t *);
static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
unsigned char *);
static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
@@ -7243,7 +7243,7 @@ static int correct_orientation(struct image_data *image,
}
if (rotateImage(rotation, image, &image->width, &image->length,
- work_buff_ptr))
+ work_buff_ptr, NULL))
{
TIFFError("correct_orientation", "Unable to rotate image");
return (-1);
@@ -8563,8 +8563,12 @@ static int processCropSelections(struct image_data *image,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can
reallocate the buffer */
{
+ /* rotateImage() set up a new buffer and calculates its size
+ * individually. Therefore, seg_buffs size needs to be updated
+ * accordingly. */
+ size_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff))
+ &crop->combined_length, &crop_buff, &rot_buf_size))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %" PRIu32
@@ -8573,9 +8577,7 @@ static int processCropSelections(struct image_data *image,
return (-1);
}
seg_buffs[0].buffer = crop_buff;
- seg_buffs[0].size =
- (((crop->combined_width * image->bps + 7) / 8) * image->spp) *
- crop->combined_length;
+ seg_buffs[0].size = rot_buf_size;
}
}
else /* Separated Images */
@@ -8686,10 +8688,13 @@ static int processCropSelections(struct image_data *image,
* ->yres, what it schouldn't do here, when more than one
* section is processed. ToDo: Therefore rotateImage() and its
* usage has to be reworked (e.g. like mirrorImage()) !!
- */
- if (rotateImage(crop->rotation, image,
- &crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff))
+ * Furthermore, rotateImage() set up a new buffer and calculates
+ * its size individually. Therefore, seg_buffs size needs to be
+ * updated accordingly. */
+ size_t rot_buf_size = 0;
+ if (rotateImage(
+ crop->rotation, image, &crop->regionlist[i].width,
+ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %" PRIu16
@@ -8702,10 +8707,7 @@ static int processCropSelections(struct image_data *image,
crop->combined_width = total_width;
crop->combined_length = total_length;
seg_buffs[i].buffer = crop_buff;
- seg_buffs[i].size =
- (((crop->regionlist[i].width * image->bps + 7) / 8) *
- image->spp) *
- crop->regionlist[i].length;
+ seg_buffs[i].size = rot_buf_size;
}
} /* for crop->selections loop */
} /* Separated Images (else case) */
@@ -8836,7 +8838,7 @@ static int createCroppedImage(struct image_data *image, struct crop_mask *crop,
CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr))
+ &crop->combined_length, crop_buff_ptr, NULL))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %" PRIu16
@@ -9552,7 +9554,7 @@ static int rotateContigSamples32bits(uint16_t rotation, uint16_t spp,
/* Rotate an image by a multiple of 90 degrees clockwise */
static int rotateImage(uint16_t rotation, struct image_data *image,
uint32_t *img_width, uint32_t *img_length,
- unsigned char **ibuff_ptr)
+ unsigned char **ibuff_ptr, size_t *rot_buf_size)
{
int shift_width;
uint32_t bytes_per_pixel, bytes_per_sample;
@@ -9610,6 +9612,8 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
return (-1);
}
_TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (rot_buf_size != NULL)
+ *rot_buf_size = buffsize;
ibuff = *ibuff_ptr;
switch (rotation)
--
GitLab

128
backport-0002-CVE-2023-0795-0796-0797-0798-0799.patch
View File

@ -1,128 +0,0 @@
From 82a7fbb1fa7228499ffeb3a57a1d106a9626d57c Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Sun, 5 Feb 2023 15:53:15 +0000
Subject: [PATCH] tiffcrop: added check for assumption on composite images
(fixes #496)
tiffcrop: For composite images with more than one region, the combined_length or combined_width always needs to be equal, respectively. Otherwise, even the first section/region copy action might cause buffer overrun. This is now checked before the first copy action.
Closes #496, #497, #498, #500, #501.
---
tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 66 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 84e26ac6..480b927c 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5935,18 +5935,40 @@ static int computeInputPixelOffsets(struct crop_mask *crop,
crop->regionlist[i].buffsize = buffsize;
crop->bufftotal += buffsize;
+
+ /* For composite images with more than one region, the
+ * combined_length or combined_width always needs to be equal,
+ * respectively.
+ * Otherwise, even the first section/region copy
+ * action might cause buffer overrun. */
if (crop->img_mode == COMPOSITE_IMAGES)
{
switch (crop->edge_ref)
{
case EDGE_LEFT:
case EDGE_RIGHT:
+ if (i > 0 && zlength != crop->combined_length)
+ {
+ TIFFError(
+ "computeInputPixelOffsets",
+ "Only equal length regions can be combined for "
+ "-E left or right");
+ return (-1);
+ }
crop->combined_length = zlength;
crop->combined_width += zwidth;
break;
case EDGE_BOTTOM:
case EDGE_TOP: /* width from left, length from top */
default:
+ if (i > 0 && zwidth != crop->combined_width)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Only equal width regions can be "
+ "combined for -E "
+ "top or bottom");
+ return (-1);
+ }
crop->combined_width = zwidth;
crop->combined_length += zlength;
break;
@@ -7301,6 +7323,46 @@ static int extractCompositeRegions(struct image_data *image,
crop->combined_width = 0;
crop->combined_length = 0;
+ /* If there is more than one region, check beforehand whether all the width
+ * and length values of the regions are the same, respectively. */
+ switch (crop->edge_ref)
+ {
+ default:
+ case EDGE_TOP:
+ case EDGE_BOTTOM:
+ for (i = 1; i < crop->selections; i++)
+ {
+ uint32_t crop_width0 =
+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
+ uint32_t crop_width1 =
+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ if (crop_width0 != crop_width1)
+ {
+ TIFFError("extractCompositeRegions",
+ "Only equal width regions can be combined for -E "
+ "top or bottom");
+ return (1);
+ }
+ }
+ break;
+ case EDGE_LEFT:
+ case EDGE_RIGHT:
+ for (i = 1; i < crop->selections; i++)
+ {
+ uint32_t crop_length0 =
+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
+ uint32_t crop_length1 =
+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (crop_length0 != crop_length1)
+ {
+ TIFFError("extractCompositeRegions",
+ "Only equal length regions can be combined for "
+ "-E left or right");
+ return (1);
+ }
+ }
+ }
+
for (i = 0; i < crop->selections; i++)
{
/* rows, columns, width, length are expressed in pixels */
@@ -7325,7 +7387,8 @@ static int extractCompositeRegions(struct image_data *image,
default:
case EDGE_TOP:
case EDGE_BOTTOM:
- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
+ if ((crop->selections > i + 1) &&
+ (crop_width != crop->regionlist[i + 1].width))
{
TIFFError("extractCompositeRegions",
"Only equal width regions can be combined for -E "
@@ -7418,7 +7481,8 @@ static int extractCompositeRegions(struct image_data *image,
case EDGE_LEFT: /* splice the pieces of each row together, side by
side */
case EDGE_RIGHT:
- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
+ if ((crop->selections > i + 1) &&
+ (crop_length != crop->regionlist[i + 1].length))
{
TIFFError("extractCompositeRegions",
"Only equal length regions can be combined for "
--
GitLab

25
backport-CVE-2022-48281.patch
View File

@ -1,25 +0,0 @@
From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Sat, 21 Jan 2023 15:58:10 +0000
Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488.
---
tools/tiffcrop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 14fa18da..7db69883 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image,
cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
{
- prev_cropsize = seg_buffs[0].size;
+ prev_cropsize = seg_buffs[i].size;
if (prev_cropsize < cropsize)
{
next_buff = _TIFFrealloc(
--
GitLab

162
backport-CVE-2023-0800-0801-0802-0803-0804.patch
View File

@ -1,162 +0,0 @@
From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sun, 29 Jan 2023 11:09:26 +0100
Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
image width and length parameters when only cropped image sections are
rotated. Remove buffptr from region structure because never used.
Closes #492 #493 #494 #495 #499 #518 #519
---
tools/tiffcrop.c | 59 ++++++++++++++++++++++++++++--------------------
1 file changed, 35 insertions(+), 24 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index ebea7475..519871ec 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -296,7 +296,6 @@ struct region
uint32_t width; /* width in pixels */
uint32_t length; /* length in pixels */
uint32_t buffsize; /* size of buffer needed to hold the cropped region */
- unsigned char *buffptr; /* address of start of the region */
};
/* Cropping parameters from command line and image data
@@ -577,7 +576,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
uint32_t, uint32_t, uint8_t *, uint8_t *);
static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
- unsigned char **, size_t *);
+ unsigned char **, size_t *, int);
static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
unsigned char *);
static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
@@ -5782,7 +5781,6 @@ static void initCropMasks(struct crop_mask *cps)
cps->regionlist[i].width = 0;
cps->regionlist[i].length = 0;
cps->regionlist[i].buffsize = 0;
- cps->regionlist[i].buffptr = NULL;
cps->zonelist[i].position = 0;
cps->zonelist[i].total = 0;
}
@@ -7266,9 +7264,13 @@ static int correct_orientation(struct image_data *image,
(uint16_t)(image->adjustments & ROTATE_ANY));
return (-1);
}
-
- if (rotateImage(rotation, image, &image->width, &image->length,
- work_buff_ptr, NULL))
+ /* Dummy variable in order not to switch two times the
+ * image->width,->length within rotateImage(),
+ * but switch xres, yres there. */
+ uint32_t width = image->width;
+ uint32_t length = image->length;
+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,
+ TRUE))
{
TIFFError("correct_orientation", "Unable to rotate image");
return (-1);
@@ -7377,7 +7379,6 @@ static int extractCompositeRegions(struct image_data *image,
/* These should not be needed for composite images */
crop->regionlist[i].width = crop_width;
crop->regionlist[i].length = crop_length;
- crop->regionlist[i].buffptr = crop_buff;
src_rowsize = ((img_width * bps * spp) + 7) / 8;
dst_rowsize = (((crop_width * bps * count) + 7) / 8);
@@ -7640,7 +7641,6 @@ static int extractSeparateRegion(struct image_data *image,
crop->regionlist[region].width = crop_width;
crop->regionlist[region].length = crop_length;
- crop->regionlist[region].buffptr = crop_buff;
src = read_buff;
dst = crop_buff;
@@ -8635,7 +8635,8 @@ static int processCropSelections(struct image_data *image,
* accordingly. */
size_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff, &rot_buf_size))
+ &crop->combined_length, &crop_buff, &rot_buf_size,
+ FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %" PRIu32
@@ -8759,9 +8760,10 @@ static int processCropSelections(struct image_data *image,
* its size individually. Therefore, seg_buffs size needs to be
* updated accordingly. */
size_t rot_buf_size = 0;
- if (rotateImage(
- crop->rotation, image, &crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+ if (rotateImage(crop->rotation, image,
+ &crop->regionlist[i].width,
+ &crop->regionlist[i].length, &crop_buff,
+ &rot_buf_size, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %" PRIu16
@@ -8905,7 +8907,7 @@ static int createCroppedImage(struct image_data *image, struct crop_mask *crop,
CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr, NULL))
+ &crop->combined_length, crop_buff_ptr, NULL, TRUE))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %" PRIu16
@@ -9621,7 +9623,8 @@ static int rotateContigSamples32bits(uint16_t rotation, uint16_t spp,
/* Rotate an image by a multiple of 90 degrees clockwise */
static int rotateImage(uint16_t rotation, struct image_data *image,
uint32_t *img_width, uint32_t *img_length,
- unsigned char **ibuff_ptr, size_t *rot_buf_size)
+ unsigned char **ibuff_ptr, size_t *rot_buf_size,
+ int rot_image_params)
{
int shift_width;
uint32_t bytes_per_pixel, bytes_per_sample;
@@ -9869,11 +9872,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params)
+ {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
case 270:
@@ -9956,11 +9963,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params)
+ {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
default:
break;
--
GitLab

81
backport-CVE-2023-25433.patch
View File

@ -1,81 +0,0 @@
From 688012dca2c39033aa2dc7bcea9796787cfd1b44 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sat, 4 Feb 2023 23:24:21 +0100
Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage()
fix#520 -- enlarge buffsize and check integer overflow within rotateImage().
Reference:https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44
Conflict:NA
---
tools/tiffcrop.c | 36 +++++++++++++++++++++++++++++++++---
1 file changed, 33 insertions(+), 3 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index f8b66188e..ca23529b5 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -9560,7 +9560,8 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
uint32_t bytes_per_pixel, bytes_per_sample;
uint32_t row, rowsize, src_offset, dst_offset;
uint32_t i, col, width, length;
- uint32_t colsize, buffsize, col_offset, pix_offset;
+ uint32_t colsize, col_offset, pix_offset;
+ tmsize_t buffsize;
unsigned char *ibuff;
unsigned char *src;
unsigned char *dst;
@@ -9573,12 +9574,40 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
spp = image->spp;
bps = image->bps;
+ if ((spp != 0 && bps != 0 &&
+ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
+ (spp != 0 && bps != 0 &&
+ length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
+ {
+ TIFFError("rotateImage", "Integer overflow detected.");
+ return (-1);
+ }
rowsize = ((bps * spp * width) + 7) / 8;
colsize = ((bps * spp * length) + 7) / 8;
if ((colsize * width) > (rowsize * length))
- buffsize = (colsize + 1) * width;
+ {
+ if (((tmsize_t)colsize + 1) != 0 &&
+ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+ ((tmsize_t)colsize + 1)))
+ {
+ TIFFError("rotateImage",
+ "Integer overflow when calculating buffer size.");
+ return (-1);
+ }
+ buffsize = ((tmsize_t)colsize + 1) * width;
+ }
else
+ {
+ if (((tmsize_t)rowsize + 1) != 0 &&
+ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+ ((tmsize_t)rowsize + 1)))
+ {
+ TIFFError("rotateImage",
+ "Integer overflow when calculating buffer size.");
+ return (-1);
+ }
buffsize = (rowsize + 1) * length;
+ }
bytes_per_sample = (bps + 7) / 8;
bytes_per_pixel = ((bps * spp) + 7) / 8;
@@ -9607,7 +9636,8 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
(unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
{
TIFFError("rotateImage",
- "Unable to allocate rotation buffer of %1u bytes",
+ "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT
+ " bytes ",
buffsize + NUM_BUFF_OVERSIZE_BYTES);
return (-1);
}
--
GitLab

98
backport-CVE-2023-26965.patch
View File

@ -1,98 +0,0 @@
From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Tue, 14 Feb 2023 20:43:43 +0100
Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
Fix issue 527
Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
Closes #527
Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/472/diffs
Conflict:NA
---
tools/tiffcrop.c | 47 +++++++++++++----------------------------------
1 file changed, 13 insertions(+), 34 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index d7ad5ca89..d3e11ba25 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
uint32_t tw = 0, tl = 0; /* Tile width and length */
tmsize_t tile_rowsize = 0;
unsigned char *read_buff = NULL;
- unsigned char *new_buff = NULL;
int readunit = 0;
- static tmsize_t prev_readsize = 0;
TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
}
read_buff = *read_ptr;
- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
- /* outside buffer */
- if (!read_buff)
+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+ * outside buffer */
+ /* Reuse of read_buff from previous image is quite unsafe, because other
+ * functions (like rotateImage() etc.) reallocate that buffer with different
+ * size without updating the local prev_readsize value. */
+ if (read_buff)
{
- if (buffsize > 0xFFFFFFFFU - 3)
- {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- read_buff =
- (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ _TIFFfree(read_buff);
}
- else
+ if (buffsize > 0xFFFFFFFFU - 3)
{
- if (prev_readsize < buffsize)
- {
- if (buffsize > 0xFFFFFFFFU - 3)
- {
- TIFFError("loadImage",
- "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- new_buff =
- _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
- if (!new_buff)
- {
- free(read_buff);
- read_buff = (unsigned char *)limitMalloc(
- buffsize + NUM_BUFF_OVERSIZE_BYTES);
- }
- else
- read_buff = new_buff;
- }
+ TIFFError("loadImage", "Required read buffer size too large");
+ return (-1);
}
+ read_buff =
+ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (!read_buff)
{
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ TIFFError("loadImage", "Unable to allocate read buffer");
return (-1);
}
@@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
read_buff[buffsize + 1] = 0;
read_buff[buffsize + 2] = 0;
- prev_readsize = buffsize;
*read_ptr = read_buff;
/* N.B. The read functions used copy separate plane data into a buffer as
--
GitLab

36
backport-CVE-2023-26966.patch
View File

@ -1,36 +0,0 @@
From b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Thu, 16 Feb 2023 12:03:16 +0100
Subject: [PATCH] tif_luv: Check and correct for NaN data in uv_encode().
Closes #530
See merge request !473
Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/473/diffs
Conflict:NA
---
libtiff/tif_luv.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
index 051721e82..021756d5d 100644
--- a/libtiff/tif_luv.c
+++ b/libtiff/tif_luv.c
@@ -953,6 +953,13 @@ static
{
register int vi, ui;
+ /* check for NaN */
+ if (u != u || v != v)
+ {
+ u = U_NEU;
+ v = V_NEU;
+ }
+
if (v < UV_VSTART)
return oog_encode(u, v);
vi = tiff_itrunc((v - UV_VSTART) * (1. / UV_SQSIZ), em);
--
GitLab

35
backport-CVE-2023-2731.patch
View File

@ -1,35 +0,0 @@
From 9be22b639ea69e102d3847dca4c53ef025e9527b Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 29 Apr 2023 12:20:46 +0200
Subject: [PATCH] LZWDecode(): avoid crash when trying to read again from a
strip whith a missing end-of-information marker (fixes #548)
Reference:https://github.com/libsdl-org/libtiff/commit/9be22b639ea69e102d3847dca4c53ef025e9527b
Conflict:NA
---
libtiff/tif_lzw.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index ba75a07e..d631fa10 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -423,6 +423,10 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s)
if (sp->read_error)
{
+ TIFFErrorExtR(tif, module,
+ "LZWDecode: Scanline %" PRIu32 " cannot be read due to "
+ "previous error",
+ tif->tif_row);
return 0;
}
@@ -742,6 +746,7 @@ static int LZWDecode(TIFF *tif, uint8_t *op0, tmsize_t occ0, uint16_t s)
return (1);
no_eoi:
+ sp->read_error = 1;
TIFFErrorExtR(tif, module,
"LZWDecode: Strip %" PRIu32 " not terminated with EOI code",
tif->tif_curstrip);

32
backport-CVE-2023-2908.patch
View File

@ -1,32 +0,0 @@
From 64105057d03df64841e3aaaaf05e84c069969f55 Mon Sep 17 00:00:00 2001
From: zhailiangliang <zhailiangliang@loongson.cn>
Date: Thu, 20 Apr 2023 20:06:20 +0800
Subject: [PATCH] fix runtime error: applying zero offset to null pointer
Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/479/diffs
Conflict:NA
---
libtiff/tif_dir.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 3d57341f4..c3a7a4183 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -192,11 +192,11 @@ static int setExtraSamples(TIFF *tif, va_list ap, uint32_t *v)
static uint16_t countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
{
uint16_t i = 0;
- const char *ep = s + slen;
- const char *cp = s;
if (slen > 0)
{
+ const char *ep = s + slen;
+ const char *cp = s;
do
{
for (; cp < ep && *cp != '\0'; cp++)
--
GitLab

54
backport-CVE-2023-3316.patch
View File

@ -1,54 +0,0 @@
From d63de61b1ec3385f6383ef9a1f453e4b8b11d536 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Fri, 3 Feb 2023 17:38:55 +0100
Subject: [PATCH] TIFFClose() avoid NULL pointer dereferencing. fix#515
Closes #515
Reference:https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536
Conflict:NA
---
libtiff/tif_close.c | 11 +++++++----
tools/tiffcrop.c | 5 ++++-
2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
index 985d290cf..907d7f139 100644
--- a/libtiff/tif_close.c
+++ b/libtiff/tif_close.c
@@ -147,9 +147,12 @@ void _TIFFCleanupIFDOffsetAndNumberMaps(TIFF *tif)
void TIFFClose(TIFF *tif)
{
- TIFFCloseProc closeproc = tif->tif_closeproc;
- thandle_t fd = tif->tif_clientdata;
+ if (tif != NULL)
+ {
+ TIFFCloseProc closeproc = tif->tif_closeproc;
+ thandle_t fd = tif->tif_clientdata;
- TIFFCleanup(tif);
- (void)(*closeproc)(fd);
+ TIFFCleanup(tif);
+ (void)(*closeproc)(fd);
+ }
}
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 7db69883e..84e26ac66 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -2920,7 +2920,10 @@ int main(int argc, char *argv[])
}
}
- TIFFClose(out);
+ if (out != NULL)
+ {
+ TIFFClose(out);
+ }
return (0);
} /* end main */
--
GitLab

33
backport-CVE-2023-3576.patch
View File

@ -1,33 +0,0 @@
From 881a070194783561fd209b7c789a4e75566f7f37 Mon Sep 17 00:00:00 2001
From: zhailiangliang <zhailiangliang@loongson.cn>
Date: Tue, 7 Mar 2023 15:02:08 +0800
Subject: [PATCH] Fix memory leak in tiffcrop.c
Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/475/diffs
Conflict:NA
---
tools/tiffcrop.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index d3e11ba25..24d0ca84f 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -8782,8 +8782,13 @@ static int createCroppedImage(struct image_data *image, struct crop_mask *crop,
read_buff = *read_buff_ptr;
+ /* Memory is freed before crop_buff_ptr is overwritten */
+ if (*crop_buff_ptr != NULL)
+ {
+ _TIFFfree(*crop_buff_ptr);
+ }
+
/* process full image, no crop buffer needed */
- crop_buff = read_buff;
*crop_buff_ptr = read_buff;
crop->combined_width = image->width;
crop->combined_length = image->length;
--
GitLab

31
backport-CVE-2023-38288.patch Normal file
View File

@ -0,0 +1,31 @@
From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001
From: Arie Haenel <arie.haenel@jct.ac.il>
Date: Wed, 19 Jul 2023 19:34:25 +0000
Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images
(fixes #591)
---
tools/tiffcp.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 3b2d1ddac..80b39829a 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1754,6 +1754,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
"Width * Samples/Pixel)");
return 0;
}
+
+ if ( (imagew - tilew * spp) > INT_MAX ){
+ TIFFError(TIFFFileName(in),
+ "Error, image raster scan line size is too large");
+ return 0;
+ }
+
iskew = imagew - tilew * spp;
tilebuf = limitMalloc(tilesize);
if (tilebuf == 0)
--
GitLab

59
backport-CVE-2023-38289.patch Normal file
View File

@ -0,0 +1,59 @@
From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001
From: Arie Haenel <arie.haenel@jct.ac.il>
Date: Wed, 19 Jul 2023 19:40:01 +0000
Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes
#592)
---
tools/raw2tiff.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
index 4ee59e5d7..0d6b0b664 100644
--- a/tools/raw2tiff.c
+++ b/tools/raw2tiff.c
@@ -101,6 +101,7 @@ int main(int argc, char *argv[])
int fd;
char *outfilename = NULL;
TIFF *out;
+ uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/
uint32_t row, col, band;
int c;
@@ -221,6 +222,33 @@ int main(int argc, char *argv[])
if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
return EXIT_FAILURE;
+ /* check for integer overflow in */
+ /* hdr_size + (*width) * (*length) * nbands * depth */
+
+ if ((width == 0) || (length == 0) ){
+ fprintf(stderr, "Too large nbands value specified.\n");
+ return (EXIT_FAILURE);
+ }
+
+ temp_limit_check = nbands * depth;
+
+ if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) {
+ fprintf(stderr, "Too large length size specified.\n");
+ return (EXIT_FAILURE);
+ }
+ temp_limit_check = temp_limit_check * length;
+
+ if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) {
+ fprintf(stderr, "Too large width size specified.\n");
+ return (EXIT_FAILURE);
+ }
+ temp_limit_check = temp_limit_check * width;
+
+ if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) {
+ fprintf(stderr, "Too large header size specified.\n");
+ return (EXIT_FAILURE);
+ }
+
if (outfilename == NULL)
outfilename = argv[optind + 1];
out = TIFFOpen(outfilename, "w");
--
GitLab

20
libtiff.spec
View File

@ -1,22 +1,13 @@
Name: libtiff
Version: 4.5.0
Release: 8
Version: 4.5.1
Release: 1
Summary: TIFF Library and Utilities
License: libtiff
URL: https://www.simplesystems.org/libtiff/
Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
Patch6000: backport-CVE-2022-48281.patch
Patch6001: backport-0001-CVE-2023-0795-0796-0797-0798-0799.patch
Patch6002: backport-0002-CVE-2023-0795-0796-0797-0798-0799.patch
Patch6003: backport-CVE-2023-0800-0801-0802-0803-0804.patch
Patch6004: backport-CVE-2023-2731.patch
Patch6005: backport-CVE-2023-26965.patch
Patch6006: backport-CVE-2023-3316.patch
Patch6007: backport-CVE-2023-25433.patch
Patch6008: backport-CVE-2023-26966.patch
Patch6009: backport-CVE-2023-2908.patch
Patch6010: backport-CVE-2023-3576.patch
Patch6000: backport-CVE-2023-38288.patch
Patch6001: backport-CVE-2023-38289.patch
BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
BuildRequires: libtool automake autoconf pkgconfig
@ -136,6 +127,9 @@ find doc -name 'Makefile*' | xargs rm
%exclude %{_mandir}/man1/*
%changelog
* Mon Jul 24 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 4.5.1-1
- update 4.5.1
* Thu Jul 13 2023 zhangpan <zhangpan103@h-partners.com> - 4.5.0-8
- fix CVE-2023-3576

BIN
tiff-4.5.0.tar.gz
View File

Binary file not shown.

BIN
tiff-4.5.1.tar.gz Normal file
View File

Binary file not shown.