packages/libtiff
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-26965

Browse Source
This commit is contained in:
zhangpan 2023-06-15 06:23:47 +00:00
parent 3180e6f703
commit 7cd2074cdf
2 changed files with 103 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
backport-CVE-2023-26965.patch Normal file
View File

@ -0,0 +1,98 @@
From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Tue, 14 Feb 2023 20:43:43 +0100
Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
Fix issue 527
Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
Closes #527
Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/472/diffs
Conflict:NA
---
tools/tiffcrop.c | 47 +++++++++++++----------------------------------
1 file changed, 13 insertions(+), 34 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index d7ad5ca89..d3e11ba25 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6771,9 +6771,7 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
uint32_t tw = 0, tl = 0; /* Tile width and length */
tmsize_t tile_rowsize = 0;
unsigned char *read_buff = NULL;
- unsigned char *new_buff = NULL;
int readunit = 0;
- static tmsize_t prev_readsize = 0;
TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -7097,43 +7095,25 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
}
read_buff = *read_ptr;
- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
- /* outside buffer */
- if (!read_buff)
+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+ * outside buffer */
+ /* Reuse of read_buff from previous image is quite unsafe, because other
+ * functions (like rotateImage() etc.) reallocate that buffer with different
+ * size without updating the local prev_readsize value. */
+ if (read_buff)
{
- if (buffsize > 0xFFFFFFFFU - 3)
- {
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- read_buff =
- (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ _TIFFfree(read_buff);
}
- else
+ if (buffsize > 0xFFFFFFFFU - 3)
{
- if (prev_readsize < buffsize)
- {
- if (buffsize > 0xFFFFFFFFU - 3)
- {
- TIFFError("loadImage",
- "Unable to allocate/reallocate read buffer");
- return (-1);
- }
- new_buff =
- _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
- if (!new_buff)
- {
- free(read_buff);
- read_buff = (unsigned char *)limitMalloc(
- buffsize + NUM_BUFF_OVERSIZE_BYTES);
- }
- else
- read_buff = new_buff;
- }
+ TIFFError("loadImage", "Required read buffer size too large");
+ return (-1);
}
+ read_buff =
+ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (!read_buff)
{
- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+ TIFFError("loadImage", "Unable to allocate read buffer");
return (-1);
}
@@ -7141,7 +7121,6 @@ static int loadImage(TIFF *in, struct image_data *image, struct dump_opts *dump,
read_buff[buffsize + 1] = 0;
read_buff[buffsize + 2] = 0;
- prev_readsize = buffsize;
*read_ptr = read_buff;
/* N.B. The read functions used copy separate plane data into a buffer as
--
GitLab

6
libtiff.spec
View File

@ -1,6 +1,6 @@
Name: libtiff Name: libtiff
Version: 4.5.0 Version: 4.5.0
Release: 4 Release: 5
Summary: TIFF Library and Utilities Summary: TIFF Library and Utilities
License: libtiff License: libtiff
URL: https://www.simplesystems.org/libtiff/ URL: https://www.simplesystems.org/libtiff/
@ -11,6 +11,7 @@ Patch6001: backport-0001-CVE-2023-0795-0796-0797-0798-0799.patch
Patch6002: backport-0002-CVE-2023-0795-0796-0797-0798-0799.patch Patch6002: backport-0002-CVE-2023-0795-0796-0797-0798-0799.patch
Patch6003: backport-CVE-2023-0800-0801-0802-0803-0804.patch Patch6003: backport-CVE-2023-0800-0801-0802-0803-0804.patch
Patch6004: backport-CVE-2023-2731.patch Patch6004: backport-CVE-2023-2731.patch
Patch6005: backport-CVE-2023-26965.patch
BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
BuildRequires: libtool automake autoconf pkgconfig BuildRequires: libtool automake autoconf pkgconfig
@ -130,6 +131,9 @@ find doc -name 'Makefile*' | xargs rm
%exclude %{_mandir}/man1/* %exclude %{_mandir}/man1/*
%changelog %changelog
* Thu Jun 15 2023 zhangpan <zhangpan103@h-partners.com> - 4.5.0-5
- fix CVE-2023-26965
* Wed May 24 2023 zhangpan <zhangpan103@h-partners.com> - 4.5.0-4 * Wed May 24 2023 zhangpan <zhangpan103@h-partners.com> - 4.5.0-4
- fix CVE-2023-2731 - fix CVE-2023-2731