!169 fix CVE-2023-25433 CVE-2023-26966 CVE-2023-2908

From: @zppzhangpan 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng

backport-CVE-2023-25433.patch

@@ -0,0 +1,81 @@
+From 688012dca2c39033aa2dc7bcea9796787cfd1b44 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sat, 4 Feb 2023 23:24:21 +0100
+Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage()
+ fix#520  -- enlarge buffsize and check integer overflow within rotateImage().
+
+Reference:https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44
+Conflict:NA
+
+---
+ tools/tiffcrop.c | 36 +++++++++++++++++++++++++++++++++---
+ 1 file changed, 33 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f8b66188e..ca23529b5 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -9560,7 +9560,8 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
+     uint32_t bytes_per_pixel, bytes_per_sample;
+     uint32_t row, rowsize, src_offset, dst_offset;
+     uint32_t i, col, width, length;
+-    uint32_t colsize, buffsize, col_offset, pix_offset;
++    uint32_t colsize, col_offset, pix_offset;
++    tmsize_t buffsize;
+     unsigned char *ibuff;
+     unsigned char *src;
+     unsigned char *dst;
+@@ -9573,12 +9574,40 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
+     spp = image->spp;
+     bps = image->bps;
+ 
++    if ((spp != 0 && bps != 0 &&
++         width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
++        (spp != 0 && bps != 0 &&
++         length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
++    {
++        TIFFError("rotateImage", "Integer overflow detected.");
++        return (-1);
++    }
+     rowsize = ((bps * spp * width) + 7) / 8;
+     colsize = ((bps * spp * length) + 7) / 8;
+     if ((colsize * width) > (rowsize * length))
+-        buffsize = (colsize + 1) * width;
++    {
++        if (((tmsize_t)colsize + 1) != 0 &&
++            (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
++                               ((tmsize_t)colsize + 1)))
++        {
++            TIFFError("rotateImage",
++                      "Integer overflow when calculating buffer size.");
++            return (-1);
++        }
++        buffsize = ((tmsize_t)colsize + 1) * width;
++    }
+     else
++    {
++        if (((tmsize_t)rowsize + 1) != 0 &&
++            (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
++                                ((tmsize_t)rowsize + 1)))
++        {
++            TIFFError("rotateImage",
++                      "Integer overflow when calculating buffer size.");
++            return (-1);
++        }
+         buffsize = (rowsize + 1) * length;
++    }
+ 
+     bytes_per_sample = (bps + 7) / 8;
+     bytes_per_pixel = ((bps * spp) + 7) / 8;
+@@ -9607,7 +9636,8 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
+               (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
+     {
+         TIFFError("rotateImage",
+-                  "Unable to allocate rotation buffer of %1u bytes",
++                  "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT
++                  " bytes ",
+                   buffsize + NUM_BUFF_OVERSIZE_BYTES);
+         return (-1);
+     }
+-- 
+GitLab

backport-CVE-2023-26966.patch

@@ -0,0 +1,36 @@
+From b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Thu, 16 Feb 2023 12:03:16 +0100
+Subject: [PATCH] tif_luv: Check and correct for NaN data in uv_encode().
+
+Closes #530
+
+See merge request !473
+
+Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/473/diffs
+Conflict:NA
+
+---
+ libtiff/tif_luv.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index 051721e82..021756d5d 100644
+--- a/libtiff/tif_luv.c
++++ b/libtiff/tif_luv.c
+@@ -953,6 +953,13 @@ static
+ {
+     register int vi, ui;
+ 
++    /* check for NaN */
++    if (u != u || v != v)
++    {
++        u = U_NEU;
++        v = V_NEU;
++    }
++
+     if (v < UV_VSTART)
+         return oog_encode(u, v);
+     vi = tiff_itrunc((v - UV_VSTART) * (1. / UV_SQSIZ), em);
+-- 
+GitLab

backport-CVE-2023-2908.patch

@@ -0,0 +1,32 @@
+From 64105057d03df64841e3aaaaf05e84c069969f55 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Thu, 20 Apr 2023 20:06:20 +0800
+Subject: [PATCH] fix runtime error: applying zero offset to null pointer
+
+Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/479/diffs
+Conflict:NA
+
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 3d57341f4..c3a7a4183 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -192,11 +192,11 @@ static int setExtraSamples(TIFF *tif, va_list ap, uint32_t *v)
+ static uint16_t countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
+ {
+     uint16_t i = 0;
+-    const char *ep = s + slen;
+-    const char *cp = s;
+ 
+     if (slen > 0)
+     {
++        const char *ep = s + slen;
++        const char *cp = s;
+         do
+         {
+             for (; cp < ep && *cp != '\0'; cp++)
+-- 
+GitLab

libtiff.spec

@@ -1,6 +1,6 @@
 Name:           libtiff
 Version:        4.5.0
-Release:        6
+Release:        7
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
@@ -13,6 +13,9 @@ Patch6003:	backport-CVE-2023-0800-0801-0802-0803-0804.patch
 Patch6004:	backport-CVE-2023-2731.patch
 Patch6005:	backport-CVE-2023-26965.patch
 Patch6006:	backport-CVE-2023-3316.patch
+Patch6007:	backport-CVE-2023-25433.patch
+Patch6008:	backport-CVE-2023-26966.patch
+Patch6009:	backport-CVE-2023-2908.patch
 
 BuildRequires:  gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires:  libtool automake autoconf pkgconfig
@@ -132,6 +135,9 @@ find doc -name 'Makefile*' | xargs rm
 %exclude %{_mandir}/man1/*
 
 %changelog
+* Tue Jul 04 2023 zhangpan <zhangpan103@h-partners.com> - 4.5.0-7
+- fix CVE-2023-25433 CVE-2023-26966 CVE-2023-2908
+
 * Sun Jun 25 2023 zhangpan <zhangpan103@h-partners.com> - 4.5.0-6
 - fix CVE-2023-3316