diff --git a/backport-0001-CVE-2022-1622-CVE-2022-1623.patch b/backport-0001-CVE-2022-1622-CVE-2022-1623.patch deleted file mode 100644 index 529766d..0000000 --- a/backport-0001-CVE-2022-1622-CVE-2022-1623.patch +++ /dev/null @@ -1,772 +0,0 @@ -From 189d65779275132c86abd1e06cdab8a080645b32 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 10 Mar 2022 12:14:31 +0100 -Subject: [PATCH 1/3] tif_lzw.c: make LZW_CHECKEOS non-optional - -Conflict:NA -Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/318/diffs - -this is pre-patch for CVE-2022-1622 and CVE-2022-1623 ---- - libtiff/tif_lzw.c | 551 ++++++++++++++++++++++++++++++---------------- - 1 file changed, 356 insertions(+), 195 deletions(-) - -diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c -index c06aec4..c28366b 100644 ---- a/libtiff/tif_lzw.c -+++ b/libtiff/tif_lzw.c -@@ -1,6 +1,7 @@ - /* - * Copyright (c) 1988-1997 Sam Leffler - * Copyright (c) 1991-1997 Silicon Graphics, Inc. -+ * Copyright (c) 2022 Even Rouault - * - * Permission to use, copy, modify, distribute, and sell this software and - * its documentation for any purpose is hereby granted without fee, provided -@@ -36,8 +37,13 @@ - */ - #include "tif_predict.h" - -+#include - #include - -+/* Select the plausible largest natural integer type for the architecture */ -+#define SIZEOF_WORDTYPE SIZEOF_SIZE_T -+typedef size_t WordType; -+ - /* - * NB: The 5.0 spec describes a different algorithm than Aldus - * implements. Specifically, Aldus does code length transitions -@@ -52,13 +58,6 @@ - * Future revisions to the TIFF spec are expected to "clarify this issue". - */ - #define LZW_COMPAT /* include backwards compatibility code */ --/* -- * Each strip of data is supposed to be terminated by a CODE_EOI. -- * If the following #define is included, the decoder will also -- * check for end-of-strip w/o seeing this code. This makes the -- * library more robust, but also slower. -- */ --#define LZW_CHECKEOS /* include checks for strips w/o EOI code */ - - #define MAXCODE(n) ((1L<<(n))-1) - /* -@@ -92,7 +91,7 @@ typedef struct { - unsigned short nbits; /* # of bits/code */ - unsigned short maxcode; /* maximum code for lzw_nbits */ - unsigned short free_ent; /* next free entry in hash table */ -- unsigned long nextdata; /* next bits of i/o */ -+ WordType nextdata; /* next bits of i/o */ - long nextbits; /* # of valid bits in lzw_nextdata */ - - int rw_mode; /* preserve rw_mode from init */ -@@ -119,8 +118,10 @@ typedef struct { - typedef struct code_ent { - struct code_ent *next; - unsigned short length; /* string len, including this token */ -- unsigned char value; /* data value */ -+ /* firstchar should be placed immediately before value in this structure */ - unsigned char firstchar; /* first token of string */ -+ unsigned char value; /* data value */ -+ bool repeated; - } code_t; - - typedef int (*decodeFunc)(TIFF*, uint8_t*, tmsize_t, uint16_t); -@@ -131,10 +132,8 @@ typedef struct { - /* Decoding specific data */ - long dec_nbitsmask; /* lzw_nbits 1 bits, right adjusted */ - long dec_restart; /* restart count */ --#ifdef LZW_CHECKEOS - uint64_t dec_bitsleft; /* available bits in raw data */ - tmsize_t old_tif_rawcc; /* value of tif_rawcc at the end of the previous TIFLZWDecode() call */ --#endif - decodeFunc dec_decode; /* regular or backwards compatible */ - code_t* dec_codep; /* current recognized code */ - code_t* dec_oldcodep; /* previously recognized code */ -@@ -167,26 +166,6 @@ static void cl_hash(LZWCodecState*); - * LZW Decoder. - */ - --#ifdef LZW_CHECKEOS --/* -- * This check shouldn't be necessary because each -- * strip is suppose to be terminated with CODE_EOI. -- */ --#define NextCode(_tif, _sp, _bp, _code, _get) { \ -- if ((_sp)->dec_bitsleft < (uint64_t)nbits) { \ -- TIFFWarningExt(_tif->tif_clientdata, module, \ -- "LZWDecode: Strip %"PRIu32" not terminated with EOI code", \ -- _tif->tif_curstrip); \ -- _code = CODE_EOI; \ -- } else { \ -- _get(_sp,_bp,_code); \ -- (_sp)->dec_bitsleft -= nbits; \ -- } \ --} --#else --#define NextCode(tif, sp, bp, code, get) get(sp, bp, code) --#endif -- - static int - LZWFixupTags(TIFF* tif) - { -@@ -236,17 +215,17 @@ LZWSetupDecode(TIFF* tif) - */ - code = 255; - do { -- sp->dec_codetab[code].value = (unsigned char)code; - sp->dec_codetab[code].firstchar = (unsigned char)code; -+ sp->dec_codetab[code].value = (unsigned char)code; -+ sp->dec_codetab[code].repeated = true; - sp->dec_codetab[code].length = 1; - sp->dec_codetab[code].next = NULL; - } while (code--); - /* -- * Zero-out the unused entries -- */ -- /* Silence false positive */ -- /* coverity[overrun-buffer-arg] */ -- _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, -+ * Zero-out the unused entries */ -+ /* Silence false positive */ -+ /* coverity[overrun-buffer-arg] */ -+ memset(&sp->dec_codetab[CODE_CLEAR], 0, - (CODE_FIRST - CODE_CLEAR) * sizeof (code_t)); - } - return (1); -@@ -316,11 +295,9 @@ LZWPreDecode(TIFF* tif, uint16_t s) - - sp->dec_restart = 0; - sp->dec_nbitsmask = MAXCODE(BITS_MIN); --#ifdef LZW_CHECKEOS - sp->dec_bitsleft = 0; -- sp->old_tif_rawcc = 0; --#endif -- sp->dec_free_entp = sp->dec_codetab + CODE_FIRST; -+ sp->old_tif_rawcc = 0; -+ sp->dec_free_entp = sp->dec_codetab - 1 ; // + CODE_FIRST; - /* - * Zero entries that are not yet filled in. We do - * this to guard against bogus input data that causes -@@ -328,8 +305,7 @@ LZWPreDecode(TIFF* tif, uint16_t s) - * come up with a way to safely bounds-check input codes - * while decoding then you can remove this operation. - */ -- _TIFFmemset(sp->dec_free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); -- sp->dec_oldcodep = &sp->dec_codetab[-1]; -+ sp->dec_oldcodep = &sp->dec_codetab[0]; - sp->dec_maxcodep = &sp->dec_codetab[sp->dec_nbitsmask-1]; - return (1); - } -@@ -337,24 +313,77 @@ LZWPreDecode(TIFF* tif, uint16_t s) - /* - * Decode a "hunk of data". - */ --#define GetNextCode(sp, bp, code) { \ -- nextdata = (nextdata<<8) | *(bp)++; \ -- nextbits += 8; \ -- if (nextbits < nbits) { \ -- nextdata = (nextdata<<8) | *(bp)++; \ -- nextbits += 8; \ -- } \ -- code = (hcode_t)((nextdata >> (nextbits-nbits)) & nbitsmask); \ -- nextbits -= nbits; \ --} -+/* Get the next 32 or 64-bit from the input data */ -+ -+#ifdef WORDS_BIGENDIAN -+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)) -+#elif SIZEOF_WORDTYPE == 8 -+# if defined(__GNUC__) && defined(__x86_64__) -+# define GetNextData(nextdata, bp) nextdata = __builtin_bswap64(*(uint64_t*)(bp)) -+# elif defined(_M_X64) -+# define GetNextData(nextdata, bp) nextdata = _byteswap_uint64(*(uint64_t*)(bp)) -+# elif defined(__GNUC__) -+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)); \ -+ nextdata = __builtin_bswap64(nextdata) -+# else -+# define GetNextData(nextdata, bp) nextdata = (((uint64_t)bp[0]) << 56) | \ -+ (((uint64_t)bp[1]) << 48) | \ -+ (((uint64_t)bp[2]) << 40) | \ -+ (((uint64_t)bp[3]) << 32) | \ -+ (((uint64_t)bp[4]) << 24) | \ -+ (((uint64_t)bp[5]) << 16) | \ -+ (((uint64_t)bp[6]) << 8) | \ -+ (((uint64_t)bp[7])) -+# endif -+#elif SIZEOF_WORDTYPE == 4 -+# if defined(__GNUC__) && defined(__i386__) -+# define GetNextData(nextdata, bp) nextdata = __builtin_bswap32(*(uint32_t*)(bp)) -+# elif defined(_M_X86) -+# define GetNextData(nextdata, bp) nextdata = _byteswap_ulong(*(unsigned long*)(bp)) -+# elif defined(__GNUC__) -+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)); \ -+ nextdata = __builtin_bswap32(nextdata) -+# else -+# define GetNextData(nextdata, bp) nextdata = (((uint32_t)bp[0]) << 24) | \ -+ (((uint32_t)bp[1]) << 16) | \ -+ (((uint32_t)bp[2]) << 8) | \ -+ (((uint32_t)bp[3])) -+# endif -+#else -+# error "Unhandled SIZEOF_WORDTYPE" -+#endif - --static void --codeLoop(TIFF* tif, const char* module) --{ -- TIFFErrorExt(tif->tif_clientdata, module, -- "Bogus encoding, loop in the code table; scanline %"PRIu32, -- tif->tif_row); --} -+#define GetNextCodeLZW() do { \ -+ nextbits -= nbits; \ -+ if (nextbits < 0) { \ -+ if (dec_bitsleft >= 8 * SIZEOF_WORDTYPE) { \ -+ unsigned codetmp = (unsigned)(nextdata << (-nextbits)); \ -+ GetNextData(nextdata, bp); \ -+ bp += SIZEOF_WORDTYPE; \ -+ nextbits += 8 * SIZEOF_WORDTYPE; \ -+ dec_bitsleft -= 8 * SIZEOF_WORDTYPE; \ -+ code = (WordType)((codetmp | (nextdata >> nextbits)) & nbitsmask); \ -+ break; \ -+ } \ -+ else {\ -+ if( dec_bitsleft < 8) { \ -+ goto no_eoi; \ -+ }\ -+ nextdata = (nextdata<<8) | *(bp)++; \ -+ nextbits += 8; \ -+ dec_bitsleft -= 8; \ -+ if( nextbits < 0 ) { \ -+ if( dec_bitsleft < 8) { \ -+ goto no_eoi; \ -+ }\ -+ nextdata = (nextdata<<8) | *(bp)++; \ -+ nextbits += 8; \ -+ dec_bitsleft -= 8; \ -+ } \ -+ } \ -+ } \ -+ code = (WordType)((nextdata >> nextbits) & nbitsmask); \ -+} while(0) - - static int - LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) -@@ -363,13 +392,10 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) - LZWCodecState *sp = DecoderState(tif); - char *op = (char*) op0; - long occ = (long) occ0; -- char *tp; - unsigned char *bp; -- hcode_t code; -- int len; - long nbits, nextbits, nbitsmask; -- unsigned long nextdata; -- code_t *codep, *free_entp, *maxcodep, *oldcodep; -+ WordType nextdata; -+ code_t *free_entp, *maxcodep, *oldcodep; - - (void) s; - assert(sp != NULL); -@@ -386,7 +412,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) - if (sp->dec_restart) { - long residue; - -- codep = sp->dec_codep; -+ code_t* codep = sp->dec_codep; - residue = codep->length - sp->dec_restart; - if (residue > occ) { - /* -@@ -400,7 +426,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) - codep = codep->next; - } while (--residue > occ && codep); - if (codep) { -- tp = op + occ; -+ uint8_t* tp = op + occ; - do { - *--tp = codep->value; - codep = codep->next; -@@ -413,7 +439,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) - */ - op += residue; - occ -= residue; -- tp = op; -+ uint8_t* tp = op; - do { - int t; - --tp; -@@ -425,9 +451,8 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) - } - - bp = (unsigned char *)tif->tif_rawcp; --#ifdef LZW_CHECKEOS - sp->dec_bitsleft += (((uint64_t)tif->tif_rawcc - sp->old_tif_rawcc) << 3); --#endif -+ uint64_t dec_bitsleft = sp->dec_bitsleft; - nbits = sp->lzw_nbits; - nextdata = sp->lzw_nextdata; - nextbits = sp->lzw_nextbits; -@@ -435,128 +460,235 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) - oldcodep = sp->dec_oldcodep; - free_entp = sp->dec_free_entp; - maxcodep = sp->dec_maxcodep; -+ code_t* const dec_codetab = sp->dec_codetab; -+ code_t* codep; -+ -+ if (occ == 0) { -+ goto after_loop; -+ } -+ -+begin: -+ { -+ WordType code; -+ GetNextCodeLZW(); -+ codep = dec_codetab + code; -+ if (code >= CODE_FIRST) -+ goto code_above_or_equal_to_258; -+ if (code < 256) -+ goto code_below_256; -+ if (code == CODE_EOI) -+ goto after_loop; -+ goto code_clear; -+ -+code_below_256: -+ { -+ if (codep > free_entp) -+ goto error_code; -+ free_entp->next = oldcodep; -+ free_entp->firstchar = oldcodep->firstchar; -+ free_entp->length = oldcodep->length+1; -+ free_entp->value = (uint8_t)code; -+ free_entp->repeated = (bool)(oldcodep->repeated & !(oldcodep->value - code)); -+ if (++free_entp > maxcodep) { -+ if (++nbits > BITS_MAX) /* should not happen for a conformant encoder */ -+ nbits = BITS_MAX; -+ nbitsmask = MAXCODE(nbits); -+ maxcodep = dec_codetab + nbitsmask-1; -+ if( free_entp >= &dec_codetab[CSIZE] ) -+ { -+ /* At that point, the next valid states are either EOI or a */ -+ /* CODE_CLEAR. If a regular code is read, at the next */ -+ /* attempt at registering a new entry, we will error out */ -+ /* due to setting free_entp before any valid code */ -+ free_entp = dec_codetab - 1; -+ } -+ } -+ oldcodep = codep; -+ *op++ = (uint8_t)code; -+ occ--; -+ if (occ == 0) -+ goto after_loop; -+ goto begin; -+ } - -- while (occ > 0) { -- NextCode(tif, sp, bp, code, GetNextCode); -- if (code == CODE_EOI) -- break; -- if (code == CODE_CLEAR) { -- do { -- free_entp = sp->dec_codetab + CODE_FIRST; -- _TIFFmemset(free_entp, 0, -- (CSIZE - CODE_FIRST) * sizeof (code_t)); -- nbits = BITS_MIN; -- nbitsmask = MAXCODE(BITS_MIN); -- maxcodep = sp->dec_codetab + nbitsmask-1; -- NextCode(tif, sp, bp, code, GetNextCode); -- } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */ -- if (code == CODE_EOI) -- break; -- if (code > CODE_CLEAR) { -- TIFFErrorExt(tif->tif_clientdata, tif->tif_name, -- "LZWDecode: Corrupted LZW table at scanline %"PRIu32, -- tif->tif_row); -- return (0); -- } -- *op++ = (char)code; -- occ--; -- oldcodep = sp->dec_codetab + code; -- continue; -- } -- codep = sp->dec_codetab + code; -- -- /* -- * Add the new entry to the code table. -- */ -- if (free_entp < &sp->dec_codetab[0] || -- free_entp >= &sp->dec_codetab[CSIZE]) { -- TIFFErrorExt(tif->tif_clientdata, module, -- "Corrupted LZW table at scanline %"PRIu32, -- tif->tif_row); -- return (0); -- } -+code_above_or_equal_to_258: -+ { -+ /* -+ * Add the new entry to the code table. -+ */ -+ -+ if (codep >= free_entp) -+ { -+ if (codep != free_entp) -+ goto error_code; -+ free_entp->value = oldcodep->firstchar; -+ } -+ else -+ { -+ free_entp->value = codep->firstchar; -+ } -+ free_entp->repeated = (bool)(oldcodep->repeated & !(oldcodep->value - free_entp->value)); -+ free_entp->next = oldcodep; -+ -+ free_entp->firstchar = oldcodep->firstchar; -+ free_entp->length = oldcodep->length+1; -+ if (++free_entp > maxcodep) { -+ if (++nbits > BITS_MAX) /* should not happen for a conformant encoder */ -+ nbits = BITS_MAX; -+ nbitsmask = MAXCODE(nbits); -+ maxcodep = dec_codetab + nbitsmask-1; -+ if (free_entp >= &dec_codetab[CSIZE]) -+ { -+ /* At that point, the next valid states are either EOI or a */ -+ /* CODE_CLEAR. If a regular code is read, at the next */ -+ /* attempt at registering a new entry, we will error out */ -+ /* due to setting free_entp before any valid code */ -+ free_entp = dec_codetab - 1; -+ } -+ } -+ oldcodep = codep; -+ -+ /* -+ * Code maps to a string, copy string -+ * value to output (written in reverse). -+ */ -+ /* tiny bit faster on x86_64 to store in unsigned short than int */ -+ unsigned short len = codep->length; -+ -+ if (len < 3) /* equivalent to len == 2 given all other conditions */ -+ { -+ if (occ <= 2) -+ { -+ if (occ == 2) -+ { -+ memcpy(op, &(codep->firstchar), 2); -+ op += 2; -+ occ -= 2; -+ goto after_loop; -+ } -+ goto too_short_buffer; -+ } - -- free_entp->next = oldcodep; -- if (free_entp->next < &sp->dec_codetab[0] || -- free_entp->next >= &sp->dec_codetab[CSIZE]) { -- TIFFErrorExt(tif->tif_clientdata, module, -- "Corrupted LZW table at scanline %"PRIu32, -- tif->tif_row); -- return (0); -- } -- free_entp->firstchar = free_entp->next->firstchar; -- free_entp->length = free_entp->next->length+1; -- free_entp->value = (codep < free_entp) ? -- codep->firstchar : free_entp->firstchar; -- if (++free_entp > maxcodep) { -- if (++nbits > BITS_MAX) /* should not happen */ -- nbits = BITS_MAX; -- nbitsmask = MAXCODE(nbits); -- maxcodep = sp->dec_codetab + nbitsmask-1; -- } -- oldcodep = codep; -- if (code >= 256) { -- /* -- * Code maps to a string, copy string -- * value to output (written in reverse). -- */ -- if(codep->length == 0) { -- TIFFErrorExt(tif->tif_clientdata, module, -- "Wrong length of decoded string: " -- "data probably corrupted at scanline %"PRIu32, -- tif->tif_row); -- return (0); -- } -- if (codep->length > occ) { -- /* -- * String is too long for decode buffer, -- * locate portion that will fit, copy to -- * the decode buffer, and setup restart -- * logic for the next decoding call. -- */ -- sp->dec_codep = codep; -- do { -- codep = codep->next; -- } while (codep && codep->length > occ); -- if (codep) { -- sp->dec_restart = (long)occ; -- tp = op + occ; -- do { -- *--tp = codep->value; -- codep = codep->next; -- } while (--occ && codep); -- if (codep) -- codeLoop(tif, module); -- } -- break; -- } -- len = codep->length; -- tp = op + len; -- do { -- int t; -- --tp; -- t = codep->value; -- codep = codep->next; -- *tp = (char)t; -- } while (codep && tp > op); -- if (codep) { -- codeLoop(tif, module); -- break; -- } -- assert(occ >= len); -- op += len; -- occ -= len; -- } else { -- *op++ = (char)code; -- occ--; -- } -- } -+ memcpy(op, &(codep->firstchar), 2); -+ op += 2; -+ occ -= 2; -+ goto begin; /* we can save the comparison occ > 0 */ -+ } -+ -+ if (len == 3) -+ { -+ if (occ <= 3) -+ { -+ if (occ == 3) -+ { -+ op[0] = codep->firstchar; -+ op[1] = codep->next->value; -+ op[2] = codep->value; -+ op += 3; -+ occ -= 3; -+ goto after_loop; -+ } -+ goto too_short_buffer; -+ } -+ op[0] = codep->firstchar; -+ op[1] = codep->next->value; -+ op[2] = codep->value; -+ op += 3; -+ occ -= 3; -+ goto begin; /* we can save the comparison occ > 0 */ -+ } -+ -+ if (len > occ) -+ { -+ goto too_short_buffer; -+ } -+ -+ if (codep->repeated) -+ { -+ memset(op, codep->value, len); -+ op += len; -+ occ -= len; -+ if (occ == 0) -+ goto after_loop; -+ goto begin; -+ } -+ -+ uint8_t* tp = op + len; -+ -+ assert(len >= 4); -+ -+ *--tp = codep->value; -+ codep = codep->next; -+ *--tp = codep->value; -+ codep = codep->next; -+ *--tp = codep->value; -+ codep = codep->next; -+ *--tp = codep->value; -+ if (tp > op) -+ { -+ do { -+ codep = codep->next; -+ *--tp = codep->value; -+ } while (tp > op); -+ } -+ -+ assert(occ >= len); -+ op += len; -+ occ -= len; -+ if (occ == 0) -+ goto after_loop; -+ goto begin; -+ } - -+code_clear: -+ { -+ free_entp = dec_codetab + CODE_FIRST; -+ nbits = BITS_MIN; -+ nbitsmask = MAXCODE(BITS_MIN); -+ maxcodep = dec_codetab + nbitsmask-1; -+ do { -+ GetNextCodeLZW(); -+ } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */ -+ if (code == CODE_EOI) -+ goto after_loop; -+ if (code > CODE_EOI) { -+ goto error_code; -+ } -+ *op++ = (uint8_t)code; -+ occ--; -+ oldcodep = dec_codetab + code; -+ if (occ == 0) -+ goto after_loop; -+ goto begin; -+ } -+ } -+ -+too_short_buffer: -+ { -+ /* -+ * String is too long for decode buffer, -+ * locate portion that will fit, copy to -+ * the decode buffer, and setup restart -+ * logic for the next decoding call. -+ */ -+ sp->dec_codep = codep; -+ do { -+ codep = codep->next; -+ } while (codep->length > occ); -+ -+ sp->dec_restart = occ; -+ uint8_t* tp = op + occ; -+ do { -+ *--tp = codep->value; -+ codep = codep->next; -+ } while (--occ); -+ } -+ -+after_loop: - tif->tif_rawcc -= (tmsize_t)((uint8_t*) bp - tif->tif_rawcp ); - tif->tif_rawcp = (uint8_t*) bp; --#ifdef LZW_CHECKEOS - sp->old_tif_rawcc = tif->tif_rawcc; --#endif -+ sp->dec_bitsleft = dec_bitsleft; - sp->lzw_nbits = (unsigned short) nbits; - sp->lzw_nextdata = nextdata; - sp->lzw_nextbits = nextbits; -@@ -572,9 +704,35 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) - return (0); - } - return (1); -+ -+no_eoi: -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "LZWDecode: Strip %"PRIu32" not terminated with EOI code", -+ tif->tif_curstrip); -+ return 0; -+error_code: -+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Using code not yet in table"); -+ return 0; - } - - #ifdef LZW_COMPAT -+ -+/* -+ * This check shouldn't be necessary because each -+ * strip is suppose to be terminated with CODE_EOI. -+ */ -+#define NextCode(_tif, _sp, _bp, _code, _get, dec_bitsleft) { \ -+ if (dec_bitsleft < (uint64_t)nbits) { \ -+ TIFFWarningExt(_tif->tif_clientdata, module, \ -+ "LZWDecode: Strip %"PRIu32" not terminated with EOI code", \ -+ _tif->tif_curstrip); \ -+ _code = CODE_EOI; \ -+ } else { \ -+ _get(_sp,_bp,_code); \ -+ dec_bitsleft -= nbits; \ -+ } \ -+} -+ - /* - * Decode a "hunk of data" for old images. - */ -@@ -601,7 +759,8 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) - unsigned char *bp; - int code, nbits; - int len; -- long nextbits, nextdata, nbitsmask; -+ long nextbits, nbitsmask; -+ WordType nextdata; - code_t *codep, *free_entp, *maxcodep, *oldcodep; - - (void) s; -@@ -653,9 +812,10 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) - } - - bp = (unsigned char *)tif->tif_rawcp; --#ifdef LZW_CHECKEOS -+ - sp->dec_bitsleft += (((uint64_t)tif->tif_rawcc - sp->old_tif_rawcc) << 3); --#endif -+ uint64_t dec_bitsleft = sp->dec_bitsleft; -+ - nbits = sp->lzw_nbits; - nextdata = sp->lzw_nextdata; - nextbits = sp->lzw_nextbits; -@@ -665,7 +825,7 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) - maxcodep = sp->dec_maxcodep; - - while (occ > 0) { -- NextCode(tif, sp, bp, code, GetNextCodeCompat); -+ NextCode(tif, sp, bp, code, GetNextCodeCompat, dec_bitsleft); - if (code == CODE_EOI) - break; - if (code == CODE_CLEAR) { -@@ -676,7 +836,7 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) - nbits = BITS_MIN; - nbitsmask = MAXCODE(BITS_MIN); - maxcodep = sp->dec_codetab + nbitsmask; -- NextCode(tif, sp, bp, code, GetNextCodeCompat); -+ NextCode(tif, sp, bp, code, GetNextCodeCompat, dec_bitsleft); - } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */ - if (code == CODE_EOI) - break; -@@ -772,9 +932,10 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) - - tif->tif_rawcc -= (tmsize_t)((uint8_t*) bp - tif->tif_rawcp ); - tif->tif_rawcp = (uint8_t*) bp; --#ifdef LZW_CHECKEOS -+ - sp->old_tif_rawcc = tif->tif_rawcc; --#endif -+ sp->dec_bitsleft = dec_bitsleft; -+ - sp->lzw_nbits = (unsigned short)nbits; - sp->lzw_nextdata = nextdata; - sp->lzw_nextbits = nextbits; -@@ -893,7 +1054,7 @@ LZWEncode(TIFF* tif, uint8_t* bp, tmsize_t cc, uint16_t s) - hcode_t ent; - long disp; - long incount, outcount, checkpoint; -- unsigned long nextdata; -+ WordType nextdata; - long nextbits; - int free_ent, maxcode, nbits; - uint8_t* op; -@@ -1057,7 +1218,7 @@ LZWPostEncode(TIFF* tif) - register LZWCodecState *sp = EncoderState(tif); - uint8_t* op = tif->tif_rawcp; - long nextbits = sp->lzw_nextbits; -- unsigned long nextdata = sp->lzw_nextdata; -+ WordType nextdata = sp->lzw_nextdata; - long outcount = sp->enc_outcount; - int nbits = sp->lzw_nbits; - --- -2.27.0 - diff --git a/backport-0001-CVE-2022-22844.patch b/backport-0001-CVE-2022-22844.patch deleted file mode 100644 index 1cd1069..0000000 --- a/backport-0001-CVE-2022-22844.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 49b81e99704bd199a24ccce65f974cc2d78cccc4 Mon Sep 17 00:00:00 2001 -From: 4ugustus -Date: Tue, 4 Jan 2022 11:01:37 +0000 -Subject: [PATCH] fixing global-buffer-overflow in tiffset - -Conflict:NA -Reference:https://gitlab.com/libtiff/libtiff/-/commit/49b81e99704bd199a24ccce65f974cc2d78cccc4 - ---- - tools/tiffset.c | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - -diff --git a/tools/tiffset.c b/tools/tiffset.c -index 8c9e23c..b7badd9 100644 ---- a/tools/tiffset.c -+++ b/tools/tiffset.c -@@ -146,9 +146,19 @@ main(int argc, char* argv[]) - - arg_index++; - if (TIFFFieldDataType(fip) == TIFF_ASCII) { -- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1) -- fprintf( stderr, "Failed to set %s=%s\n", -- TIFFFieldName(fip), argv[arg_index] ); -+ if(TIFFFieldPassCount( fip )) { -+ size_t len; -+ len = (uint32_t)(strlen(argv[arg_index] + 1)); -+ if (TIFFSetField(tiff, TIFFFieldTag(fip), -+ (uint16_t)len, argv[arg_index]) != 1) -+ fprintf( stderr, "Failed to set %s=%s", -+ TIFFFieldName(fip), argv[arg_index] ); -+ } else { -+ if (TIFFSetField(tiff, TIFFFieldTag(fip), -+ argv[arg_index]) != 1) -+ fprintf( stderr, "Failed to set %s=%s", -+ TIFFFieldName(fip), argv[arg_index] ); -+ } - } else if (TIFFFieldWriteCount(fip) > 0 - || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { - int ret = 1; --- -2.33.0 - diff --git a/backport-0001-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch b/backport-0001-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch deleted file mode 100644 index 98f46e1..0000000 --- a/backport-0001-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch +++ /dev/null @@ -1,607 +0,0 @@ -From e319508023580e2f70e6e626f745b5b2a1707313 Mon Sep 17 00:00:00 2001 -From: Su Laus -Date: Tue, 10 May 2022 20:03:17 +0000 -Subject: [PATCH] tiffcrop: Fix issue #330 and some more from 320 to 349 - ---- - tools/tiffcrop.c | 282 +++++++++++++++++++++++++++++++++++------------ - 1 file changed, 210 insertions(+), 72 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 77cf6ed1..791ec5e7 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -63,20 +63,24 @@ - * units when sectioning image into columns x rows - * using the -S cols:rows option. - * -X # Horizontal dimension of region to extract expressed in current -- * units -+ * units, relative to the specified origin reference 'edge' left (default for X) or right. - * -Y # Vertical dimension of region to extract expressed in current -- * units -+ * units, relative to the specified origin reference 'edge' top (default for Y) or bottom. - * -O orient Orientation for output image, portrait, landscape, auto - * -P page Page size for output image segments, eg letter, legal, tabloid, - * etc. - * -S cols:rows Divide the image into equal sized segments using cols across - * and rows down -- * -E t|l|r|b Edge to use as origin -+ * -E t|l|r|b Edge to use as origin (i.e. 'side' of the image not 'corner') -+ * top = width from left, zones from top to bottom (default) -+ * bottom = width from left, zones from bottom to top -+ * left = zones from left to right, length from top -+ * right = zones from right to left, length from top - * -m #,#,#,# Margins from edges for selection: top, left, bottom, right - * (commas separated) - * -Z #:#,#:# Zones of the image designated as zone X of Y, - * eg 1:3 would be first of three equal portions measured -- * from reference edge -+ * from reference edge (i.e. 'side' not corner) - * -N odd|even|#,#-#,#|last - * Select sequences and/or ranges of images within file - * to process. The words odd or even may be used to specify -@@ -103,10 +107,13 @@ - * selects which functions dump data, with higher numbers selecting - * lower level, scanline level routines. Debug reports a limited set - * of messages to monitor progress without enabling dump logs. -+ * -+ * Note: The (-X|-Y), -Z and -z options are mutually exclusive. -+ * In no case should the options be applied to a given selection successively. - */ - --static char tiffcrop_version_id[] = "2.4.1"; --static char tiffcrop_rev_date[] = "03-03-2010"; -+static char tiffcrop_version_id[] = "2.5"; -+static char tiffcrop_rev_date[] = "02-09-2022"; - - #include "tif_config.h" - #include "libport.h" -@@ -774,6 +781,9 @@ static const char usage_info[] = - " The four debug/dump options are independent, though it makes little sense to\n" - " specify a dump file without specifying a detail level.\n" - "\n" -+"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n" -+" In no case should the options be applied to a given selection successively.\n" -+"\n" - ; - - /* This function could be modified to pass starting sample offset -@@ -2121,6 +2131,15 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 - /*NOTREACHED*/ - } - } -+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/ -+ char XY, Z, R; -+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); -+ Z = (crop_data->crop_mode & CROP_ZONES); -+ R = (crop_data->crop_mode & CROP_REGIONS); -+ if ((XY && Z) || (XY && R) || (Z && R)) { -+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit"); -+ exit(EXIT_FAILURE); -+ } - } /* end process_command_opts */ - - /* Start a new output file if one has not been previously opened or -@@ -2746,7 +2765,7 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols, - tsample_t count, uint32_t start, uint32_t end) - { - int i, bytes_per_sample, sindex; -- uint32_t col, dst_rowsize, bit_offset; -+ uint32_t col, dst_rowsize, bit_offset, numcols; - uint32_t src_byte /*, src_bit */; - uint8_t *src = in; - uint8_t *dst = out; -@@ -2757,6 +2776,10 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols, - return (1); - } - -+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. -+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! -+ */ -+ numcols = abs(end - start); - if ((start > end) || (start > cols)) - { - TIFFError ("extractContigSamplesBytes", -@@ -2769,6 +2792,9 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols, - "Invalid end column value %"PRIu32" ignored", end); - end = cols; - } -+ if (abs(end - start) > numcols) { -+ end = start + numcols; -+ } - - dst_rowsize = (bps * (end - start) * count) / 8; - -@@ -2812,7 +2838,7 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols, - tsample_t count, uint32_t start, uint32_t end) - { - int ready_bits = 0, sindex = 0; -- uint32_t col, src_byte, src_bit, bit_offset; -+ uint32_t col, src_byte, src_bit, bit_offset, numcols; - uint8_t maskbits = 0, matchbits = 0; - uint8_t buff1 = 0, buff2 = 0; - uint8_t *src = in; -@@ -2824,6 +2850,10 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols, - return (1); - } - -+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. -+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! -+ */ -+ numcols = abs(end - start); - if ((start > end) || (start > cols)) - { - TIFFError ("extractContigSamples8bits", -@@ -2836,7 +2866,10 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols, - "Invalid end column value %"PRIu32" ignored", end); - end = cols; - } -- -+ if (abs(end - start) > numcols) { -+ end = start + numcols; -+ } -+ - ready_bits = 0; - maskbits = (uint8_t)-1 >> (8 - bps); - buff1 = buff2 = 0; -@@ -2889,7 +2922,7 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols, - tsample_t count, uint32_t start, uint32_t end) - { - int ready_bits = 0, sindex = 0; -- uint32_t col, src_byte, src_bit, bit_offset; -+ uint32_t col, src_byte, src_bit, bit_offset, numcols; - uint16_t maskbits = 0, matchbits = 0; - uint16_t buff1 = 0, buff2 = 0; - uint8_t bytebuff = 0; -@@ -2902,6 +2935,10 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols, - return (1); - } - -+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. -+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! -+ */ -+ numcols = abs(end - start); - if ((start > end) || (start > cols)) - { - TIFFError ("extractContigSamples16bits", -@@ -2914,6 +2951,9 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols, - "Invalid end column value %"PRIu32" ignored", end); - end = cols; - } -+ if (abs(end - start) > numcols) { -+ end = start + numcols; -+ } - - ready_bits = 0; - maskbits = (uint16_t)-1 >> (16 - bps); -@@ -2978,7 +3018,7 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols, - tsample_t count, uint32_t start, uint32_t end) - { - int ready_bits = 0, sindex = 0; -- uint32_t col, src_byte, src_bit, bit_offset; -+ uint32_t col, src_byte, src_bit, bit_offset, numcols; - uint32_t maskbits = 0, matchbits = 0; - uint32_t buff1 = 0, buff2 = 0; - uint8_t bytebuff1 = 0, bytebuff2 = 0; -@@ -2991,6 +3031,10 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols, - return (1); - } - -+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. -+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! -+ */ -+ numcols = abs(end - start); - if ((start > end) || (start > cols)) - { - TIFFError ("extractContigSamples24bits", -@@ -3003,6 +3047,9 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols, - "Invalid end column value %"PRIu32" ignored", end); - end = cols; - } -+ if (abs(end - start) > numcols) { -+ end = start + numcols; -+ } - - ready_bits = 0; - maskbits = (uint32_t)-1 >> (32 - bps); -@@ -3087,7 +3134,7 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, - tsample_t count, uint32_t start, uint32_t end) - { - int ready_bits = 0, sindex = 0 /*, shift_width = 0 */; -- uint32_t col, src_byte, src_bit, bit_offset; -+ uint32_t col, src_byte, src_bit, bit_offset, numcols; - uint32_t longbuff1 = 0, longbuff2 = 0; - uint64_t maskbits = 0, matchbits = 0; - uint64_t buff1 = 0, buff2 = 0, buff3 = 0; -@@ -3102,6 +3149,10 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, - } - - -+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. -+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! -+ */ -+ numcols = abs(end - start); - if ((start > end) || (start > cols)) - { - TIFFError ("extractContigSamples32bits", -@@ -3114,6 +3165,9 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, - "Invalid end column value %"PRIu32" ignored", end); - end = cols; - } -+ if (abs(end - start) > numcols) { -+ end = start + numcols; -+ } - - /* shift_width = ((bps + 7) / 8) + 1; */ - ready_bits = 0; -@@ -3193,7 +3247,7 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols, - int shift) - { - int ready_bits = 0, sindex = 0; -- uint32_t col, src_byte, src_bit, bit_offset; -+ uint32_t col, src_byte, src_bit, bit_offset, numcols; - uint8_t maskbits = 0, matchbits = 0; - uint8_t buff1 = 0, buff2 = 0; - uint8_t *src = in; -@@ -3205,6 +3259,10 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols, - return (1); - } - -+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. -+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! -+ */ -+ numcols = abs(end - start); - if ((start > end) || (start > cols)) - { - TIFFError ("extractContigSamplesShifted8bits", -@@ -3217,6 +3275,9 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols, - "Invalid end column value %"PRIu32" ignored", end); - end = cols; - } -+ if (abs(end - start) > numcols) { -+ end = start + numcols; -+ } - - ready_bits = shift; - maskbits = (uint8_t)-1 >> (8 - bps); -@@ -3273,7 +3334,7 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols, - int shift) - { - int ready_bits = 0, sindex = 0; -- uint32_t col, src_byte, src_bit, bit_offset; -+ uint32_t col, src_byte, src_bit, bit_offset, numcols; - uint16_t maskbits = 0, matchbits = 0; - uint16_t buff1 = 0, buff2 = 0; - uint8_t bytebuff = 0; -@@ -3286,6 +3347,10 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols, - return (1); - } - -+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. -+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! -+ */ -+ numcols = abs(end - start); - if ((start > end) || (start > cols)) - { - TIFFError ("extractContigSamplesShifted16bits", -@@ -3298,6 +3363,9 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols, - "Invalid end column value %"PRIu32" ignored", end); - end = cols; - } -+ if (abs(end - start) > numcols) { -+ end = start + numcols; -+ } - - ready_bits = shift; - maskbits = (uint16_t)-1 >> (16 - bps); -@@ -3363,7 +3431,7 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols, - int shift) - { - int ready_bits = 0, sindex = 0; -- uint32_t col, src_byte, src_bit, bit_offset; -+ uint32_t col, src_byte, src_bit, bit_offset, numcols; - uint32_t maskbits = 0, matchbits = 0; - uint32_t buff1 = 0, buff2 = 0; - uint8_t bytebuff1 = 0, bytebuff2 = 0; -@@ -3376,6 +3444,16 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols, - return (1); - } - -+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. -+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! -+ */ -+ /*--- Remark, which is true for all those functions extractCongigSamplesXXX() -- -+ * The mitigation of the start/end test does not allways make sense, because the function is often called with e.g.: -+ * start = 31; end = 32; cols = 32 to extract the last column in a 32x32 sample image. -+ * If then, a worng parameter (e.g. cols = 10) is provided, the mitigated settings would be start=0; end=1. -+ * Therefore, an error message and no copy action might be the better reaction to wrong parameter configurations. -+ */ -+ numcols = abs(end - start); - if ((start > end) || (start > cols)) - { - TIFFError ("extractContigSamplesShifted24bits", -@@ -3388,6 +3466,9 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols, - "Invalid end column value %"PRIu32" ignored", end); - end = cols; - } -+ if (abs(end - start) > numcols) { -+ end = start + numcols; -+ } - - ready_bits = shift; - maskbits = (uint32_t)-1 >> (32 - bps); -@@ -3449,7 +3530,7 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols, - buff2 = (buff2 << 8); - bytebuff2 = bytebuff1; - ready_bits -= 8; -- } -+ } - - return (0); - } /* end extractContigSamplesShifted24bits */ -@@ -3461,7 +3542,7 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, - int shift) - { - int ready_bits = 0, sindex = 0 /*, shift_width = 0 */; -- uint32_t col, src_byte, src_bit, bit_offset; -+ uint32_t col, src_byte, src_bit, bit_offset, numcols; - uint32_t longbuff1 = 0, longbuff2 = 0; - uint64_t maskbits = 0, matchbits = 0; - uint64_t buff1 = 0, buff2 = 0, buff3 = 0; -@@ -3476,6 +3557,10 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, - } - - -+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. -+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! -+ */ -+ numcols = abs(end - start); - if ((start > end) || (start > cols)) - { - TIFFError ("extractContigSamplesShifted32bits", -@@ -3488,6 +3573,9 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, - "Invalid end column value %"PRIu32" ignored", end); - end = cols; - } -+ if (abs(end - start) > numcols) { -+ end = start + numcols; -+ } - - /* shift_width = ((bps + 7) / 8) + 1; */ - ready_bits = shift; -@@ -5429,7 +5517,7 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt - { - struct offset offsets; - int i; -- int32_t test; -+ uint32_t uaux; - uint32_t seg, total, need_buff = 0; - uint32_t buffsize; - uint32_t zwidth, zlength; -@@ -5510,8 +5598,13 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt - seg = crop->zonelist[j].position; - total = crop->zonelist[j].total; - -- /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */ -+ /* check for not allowed zone cases like 0:0; 4:3; or negative ones etc. and skip that input */ -+ if (crop->zonelist[j].position < 0 || crop->zonelist[j].total < 0) { -+ TIFFError("getCropOffsets", "Negative crop zone values %d:%d are not allowed, thus skipped.", crop->zonelist[j].position, crop->zonelist[j].total); -+ continue; -+ } - if (seg == 0 || total == 0 || seg > total) { -+ TIFFError("getCropOffsets", "Crop zone %d:%d is out of specification, thus skipped.", seg, total); - continue; - } - -@@ -5524,17 +5617,23 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt - - crop->regionlist[i].x1 = offsets.startx + - (uint32_t)(offsets.crop_width * 1.0 * (seg - 1) / total); -- test = (int32_t)offsets.startx + -- (int32_t)(offsets.crop_width * 1.0 * seg / total); -- if (test < 1 ) -- crop->regionlist[i].x2 = 0; -- else -- { -- if (test > (int32_t)(image->width - 1)) -+ /* FAULT: IMHO in the old code here, the calculation of x2 was based on wrong assumtions. The whole image was assumed and 'endy' and 'starty' are not respected anymore!*/ -+ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */ -+ if (crop->regionlist[i].x1 > offsets.endx) { -+ crop->regionlist[i].x1 = offsets.endx; -+ } else if (crop->regionlist[i].x1 >= image->width) { -+ crop->regionlist[i].x1 = image->width - 1; -+ } -+ -+ crop->regionlist[i].x2 = offsets.startx + (uint32_t)(offsets.crop_width * 1.0 * seg / total); -+ if (crop->regionlist[i].x2 > 0) crop->regionlist[i].x2 = crop->regionlist[i].x2 - 1; -+ if (crop->regionlist[i].x2 < crop->regionlist[i].x1) { -+ crop->regionlist[i].x2 = crop->regionlist[i].x1; -+ } else if (crop->regionlist[i].x2 > offsets.endx) { -+ crop->regionlist[i].x2 = offsets.endx; -+ } else if (crop->regionlist[i].x2 >= image->width) { - crop->regionlist[i].x2 = image->width - 1; -- else -- crop->regionlist[i].x2 = test - 1; -- } -+ } - zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; - - /* This is passed to extractCropZone or extractCompositeZones */ -@@ -5549,22 +5648,27 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt - crop->regionlist[i].x1 = offsets.startx; - crop->regionlist[i].x2 = offsets.endx; - -- test = offsets.endy - (uint32_t)(offsets.crop_length * 1.0 * seg / total); -- if (test < 1 ) -- crop->regionlist[i].y1 = 0; -- else -- crop->regionlist[i].y1 = test + 1; -+ /* FAULT: IMHO in the old code here, the calculation of y1/y2 was based on wrong assumtions. The whole image was assumed and 'endy' and 'starty' are not respected anymore!*/ -+ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */ -+ uaux = (uint32_t)(offsets.crop_length * 1.0 * seg / total); -+ if (uaux <= offsets.endy + 1) { -+ crop->regionlist[i].y1 = offsets.endy - uaux + 1; -+ } else { -+ crop->regionlist[i].y1 = 0; -+ } -+ if (crop->regionlist[i].y1 < offsets.starty) { -+ crop->regionlist[i].y1 = offsets.starty; -+ } - -- test = offsets.endy - (offsets.crop_length * 1.0 * (seg - 1) / total); -- if (test < 1 ) -- crop->regionlist[i].y2 = 0; -- else -- { -- if (test > (int32_t)(image->length - 1)) -- crop->regionlist[i].y2 = image->length - 1; -- else -- crop->regionlist[i].y2 = test; -- } -+ uaux = (uint32_t)(offsets.crop_length * 1.0 * (seg - 1) / total); -+ if (uaux <= offsets.endy) { -+ crop->regionlist[i].y2 = offsets.endy - uaux; -+ } else { -+ crop->regionlist[i].y2 = 0; -+ } -+ if (crop->regionlist[i].y2 < offsets.starty) { -+ crop->regionlist[i].y2 = offsets.starty; -+ } - zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; - - /* This is passed to extractCropZone or extractCompositeZones */ -@@ -5575,32 +5679,42 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt - crop->combined_width = (uint32_t)zwidth; - break; - case EDGE_RIGHT: /* zones from right to left, length from top */ -- zlength = offsets.crop_length; -- crop->regionlist[i].y1 = offsets.starty; -- crop->regionlist[i].y2 = offsets.endy; -- -- crop->regionlist[i].x1 = offsets.startx + -- (uint32_t)(offsets.crop_width * (total - seg) * 1.0 / total); -- test = offsets.startx + -- (offsets.crop_width * (total - seg + 1) * 1.0 / total); -- if (test < 1 ) -- crop->regionlist[i].x2 = 0; -- else -- { -- if (test > (int32_t)(image->width - 1)) -- crop->regionlist[i].x2 = image->width - 1; -- else -- crop->regionlist[i].x2 = test - 1; -- } -- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; -+ zlength = offsets.crop_length; -+ crop->regionlist[i].y1 = offsets.starty; -+ crop->regionlist[i].y2 = offsets.endy; -+ -+ crop->regionlist[i].x1 = offsets.startx + -+ (uint32_t)(offsets.crop_width * (total - seg) * 1.0 / total); -+ /* FAULT: IMHO from here on, the calculation of y2 are based on wrong assumtions. The whole image is assumed and 'endy' and 'starty' are not respected anymore!*/ -+ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */ -+ uaux = (uint32_t)(offsets.crop_width * 1.0 * seg / total); -+ if (uaux <= offsets.endx + 1) { -+ crop->regionlist[i].x1 = offsets.endx - uaux + 1; -+ } else { -+ crop->regionlist[i].x1 = 0; -+ } -+ if (crop->regionlist[i].x1 < offsets.startx) { -+ crop->regionlist[i].x1 = offsets.startx; -+ } - -- /* This is passed to extractCropZone or extractCompositeZones */ -- crop->combined_length = (uint32_t)zlength; -- if (crop->exp_mode == COMPOSITE_IMAGES) -- crop->combined_width += (uint32_t)zwidth; -- else -- crop->combined_width = (uint32_t)zwidth; -- break; -+ uaux = (uint32_t)(offsets.crop_width * 1.0 * (seg - 1) / total); -+ if (uaux <= offsets.endx) { -+ crop->regionlist[i].x2 = offsets.endx - uaux; -+ } else { -+ crop->regionlist[i].x2 = 0; -+ } -+ if (crop->regionlist[i].x2 < offsets.startx) { -+ crop->regionlist[i].x2 = offsets.startx; -+ } -+ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; -+ -+ /* This is passed to extractCropZone or extractCompositeZones */ -+ crop->combined_length = (uint32_t)zlength; -+ if (crop->exp_mode == COMPOSITE_IMAGES) -+ crop->combined_width += (uint32_t)zwidth; -+ else -+ crop->combined_width = (uint32_t)zwidth; -+ break; - case EDGE_TOP: /* width from left, zones from top to bottom */ - default: - zwidth = offsets.crop_width; -@@ -5608,6 +5722,14 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt - crop->regionlist[i].x2 = offsets.endx; - - crop->regionlist[i].y1 = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * (seg - 1) / total); -+ if (crop->regionlist[i].y1 > offsets.endy) { -+ crop->regionlist[i].y1 = offsets.endy; -+ } else if (crop->regionlist[i].y1 >= image->length) { -+ crop->regionlist[i].y1 = image->length - 1; -+ } -+ -+ /* FAULT: IMHO from here on, the calculation of y2 are based on wrong assumtions. The whole image is assumed and 'endy' and 'starty' are not respected anymore!*/ -+ /* OLD Code: - test = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * seg / total); - if (test < 1 ) - crop->regionlist[i].y2 = 0; -@@ -5618,6 +5740,18 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt - else - crop->regionlist[i].y2 = test - 1; - } -+ */ -+ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */ -+ crop->regionlist[i].y2 = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * seg / total); -+ if (crop->regionlist[i].y2 > 0)crop->regionlist[i].y2 = crop->regionlist[i].y2 - 1; -+ if (crop->regionlist[i].y2 < crop->regionlist[i].y1) { -+ crop->regionlist[i].y2 = crop->regionlist[i].y1; -+ } else if (crop->regionlist[i].y2 > offsets.endy) { -+ crop->regionlist[i].y2 = offsets.endy; -+ } else if (crop->regionlist[i].y2 >= image->length) { -+ crop->regionlist[i].y2 = image->length - 1; -+ } -+ - zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; - - /* This is passed to extractCropZone or extractCompositeZones */ -@@ -7551,7 +7685,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, - total_width = total_length = 0; - for (i = 0; i < crop->selections; i++) - { -- cropsize = crop->bufftotal; -+ -+ cropsize = crop->bufftotal; - crop_buff = seg_buffs[i].buffer; - if (!crop_buff) - crop_buff = (unsigned char *)limitMalloc(cropsize); -@@ -7640,6 +7775,9 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, - - if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ - { -+ /* rotateImage() changes image->width, ->length, ->xres and ->yres, what it schouldn't do here, when more than one section is processed. -+ * ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !! -+ */ - if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, - &crop->regionlist[i].length, &crop_buff)) - { -@@ -7655,8 +7793,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, - seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8) - * image->spp) * crop->regionlist[i].length; - } -- } -- } -+ } /* for crop->selections loop */ -+ } /* Separated Images (else case) */ - return (0); - } /* end processCropSelections */ - --- -GitLab diff --git a/backport-0001-CVE-2022-3570-CVE-2022-3598.patch b/backport-0001-CVE-2022-3570-CVE-2022-3598.patch deleted file mode 100644 index 5842711..0000000 --- a/backport-0001-CVE-2022-3570-CVE-2022-3598.patch +++ /dev/null @@ -1,49 +0,0 @@ -From fc3e3a202d65e4b0f42a63c8001324b2a7fae88b Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Mon, 27 Sep 2021 18:42:22 +0200 -Subject: [PATCH] tiffcrop.c: remove useless 'set but not read' variables - ---- - tools/tiffcrop.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index b85c2ce7..0da31577 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -1177,7 +1177,6 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, - tstrip_t strip = 0; - tsize_t stripsize = TIFFStripSize(out); - tsize_t rowstripsize, scanlinesize = TIFFScanlineSize(out); -- tsize_t total_bytes = 0; - tdata_t obuf; - - (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); -@@ -1215,7 +1214,6 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, - - stripsize = TIFFVStripSize(out, nrows); - src = buf + (row * rowsize); -- total_bytes += stripsize; - memset (obuf, '\0', rowstripsize); - if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump)) - { -@@ -2710,7 +2708,7 @@ static void dump_info(FILE *dumpfile, int format, char *prefix, char *msg, ...) - static int dump_buffer (FILE* dumpfile, int format, uint32_t rows, uint32_t width, - uint32_t row, unsigned char *buff) - { -- int j, k; -+ int k; - uint32_t i; - unsigned char * dump_ptr; - -@@ -2728,7 +2726,7 @@ static int dump_buffer (FILE* dumpfile, int format, uint32_t rows, uint32_t widt - "Row %4"PRIu32", %"PRIu32" bytes at offset %"PRIu32, - row + i + 1u, width, row * width); - -- for (j = 0, k = width; k >= 10; j += 10, k -= 10, dump_ptr += 10) -+ for (k = width; k >= 10; k -= 10, dump_ptr += 10) - dump_data (dumpfile, format, "", dump_ptr, 10); - if (k > 0) - dump_data (dumpfile, format, "", dump_ptr, k); --- -GitLab diff --git a/backport-0002-CVE-2022-1622-CVE-2022-1623.patch b/backport-0002-CVE-2022-1622-CVE-2022-1623.patch deleted file mode 100644 index bad52c4..0000000 --- a/backport-0002-CVE-2022-1622-CVE-2022-1623.patch +++ /dev/null @@ -1,56 +0,0 @@ -From b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Fri, 22 Apr 2022 18:58:52 +0200 -Subject: [PATCH] tif_lzw.c: fix potential out-of-bounds error when trying to - read in the same tile/strip after an error has occured (fixes #410) - -Conflict:NA -Reference:https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a ---- - libtiff/tif_lzw.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c -index c28366b..1f255d9 100644 ---- a/libtiff/tif_lzw.c -+++ b/libtiff/tif_lzw.c -@@ -140,6 +140,7 @@ typedef struct { - code_t* dec_free_entp; /* next free entry */ - code_t* dec_maxcodep; /* max available entry */ - code_t* dec_codetab; /* kept separate for small machines */ -+ int read_error; /* whether a read error has occured, and which should cause further reads in the same strip/tile to be aborted */ - - /* Encoding specific data */ - int enc_oldcode; /* last code encountered */ -@@ -307,6 +308,7 @@ LZWPreDecode(TIFF* tif, uint16_t s) - */ - sp->dec_oldcodep = &sp->dec_codetab[0]; - sp->dec_maxcodep = &sp->dec_codetab[sp->dec_nbitsmask-1]; -+ sp->read_error = 0; - return (1); - } - -@@ -399,7 +401,11 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) - - (void) s; - assert(sp != NULL); -- assert(sp->dec_codetab != NULL); -+ assert(sp->dec_codetab != NULL); -+ -+ if (sp->read_error) { -+ return 0; -+ } - - /* - Fail if value does not fit in long. -@@ -711,6 +717,7 @@ no_eoi: - tif->tif_curstrip); - return 0; - error_code: -+ sp->read_error = 1; - TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Using code not yet in table"); - return 0; - } --- -2.27.0 - diff --git a/backport-0002-CVE-2022-22844.patch b/backport-0002-CVE-2022-22844.patch deleted file mode 100644 index 015de92..0000000 --- a/backport-0002-CVE-2022-22844.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 0cf67888e32e36b45828dd467920684c93f2b22d Mon Sep 17 00:00:00 2001 -From: Timothy Lyanguzov -Date: Tue, 25 Jan 2022 04:27:28 +0000 -Subject: [PATCH] Apply 4 suggestion(s) to 1 file(s) - -Conflict:NA -Reference:https://gitlab.com/libtiff/libtiff/-/commit/0cf67888e32e36b45828dd467920684c93f2b22d - ---- - tools/tiffset.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/tools/tiffset.c b/tools/tiffset.c -index b7badd9..b8b52c0 100644 ---- a/tools/tiffset.c -+++ b/tools/tiffset.c -@@ -148,15 +148,15 @@ main(int argc, char* argv[]) - if (TIFFFieldDataType(fip) == TIFF_ASCII) { - if(TIFFFieldPassCount( fip )) { - size_t len; -- len = (uint32_t)(strlen(argv[arg_index] + 1)); -- if (TIFFSetField(tiff, TIFFFieldTag(fip), -+ len = strlen(argv[arg_index] + 1); -+ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip), - (uint16_t)len, argv[arg_index]) != 1) -- fprintf( stderr, "Failed to set %s=%s", -+ fprintf( stderr, "Failed to set %s=%s\n", - TIFFFieldName(fip), argv[arg_index] ); - } else { - if (TIFFSetField(tiff, TIFFFieldTag(fip), - argv[arg_index]) != 1) -- fprintf( stderr, "Failed to set %s=%s", -+ fprintf( stderr, "Failed to set %s=%s\n", - TIFFFieldName(fip), argv[arg_index] ); - } - } else if (TIFFFieldWriteCount(fip) > 0 --- -2.33.0 - diff --git a/backport-0002-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch b/backport-0002-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch deleted file mode 100644 index a967734..0000000 --- a/backport-0002-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch +++ /dev/null @@ -1,131 +0,0 @@ -From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Mon, 15 Aug 2022 22:11:03 +0200 -Subject: [PATCH 1/2] =?UTF-8?q?According=20to=20Richard=20Nolde=20https://?= - =?UTF-8?q?gitlab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the?= - =?UTF-8?q?=20tiffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutua?= - =?UTF-8?q?lly=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),?= - =?UTF-8?q?=20-Z=20and=20-z.?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is now checked and ends tiffcrop if those arguments are not mutually exclusive. - -This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424 ---- - tools/tiffcrop.c | 31 ++++++++++++++++--------------- - 1 file changed, 16 insertions(+), 15 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 90286a5e..c3b758ec 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -108,12 +108,12 @@ - * lower level, scanline level routines. Debug reports a limited set - * of messages to monitor progress without enabling dump logs. - * -- * Note: The (-X|-Y), -Z and -z options are mutually exclusive. -+ * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive. - * In no case should the options be applied to a given selection successively. - */ - --static char tiffcrop_version_id[] = "2.5"; --static char tiffcrop_rev_date[] = "02-09-2022"; -+static char tiffcrop_version_id[] = "2.5.1"; -+static char tiffcrop_rev_date[] = "15-08-2022"; - - #include "tif_config.h" - #include "libport.h" -@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022"; - #define ROTATECW_270 32 - #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270) - --#define CROP_NONE 0 --#define CROP_MARGINS 1 --#define CROP_WIDTH 2 --#define CROP_LENGTH 4 --#define CROP_ZONES 8 --#define CROP_REGIONS 16 -+#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */ -+#define CROP_MARGINS 1 /* "-m" */ -+#define CROP_WIDTH 2 /* "-X" */ -+#define CROP_LENGTH 4 /* "-Y" */ -+#define CROP_ZONES 8 /* "-Z" */ -+#define CROP_REGIONS 16 /* "-z" */ - #define CROP_ROTATE 32 - #define CROP_MIRROR 64 - #define CROP_INVERT 128 -@@ -316,7 +316,7 @@ struct crop_mask { - #define PAGE_MODE_RESOLUTION 1 - #define PAGE_MODE_PAPERSIZE 2 - #define PAGE_MODE_MARGINS 4 --#define PAGE_MODE_ROWSCOLS 8 -+#define PAGE_MODE_ROWSCOLS 8 /* for -S option */ - - #define INVERT_DATA_ONLY 10 - #define INVERT_DATA_AND_TAG 11 -@@ -781,7 +781,7 @@ static const char usage_info[] = - " The four debug/dump options are independent, though it makes little sense to\n" - " specify a dump file without specifying a detail level.\n" - "\n" --"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n" -+"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n" - " In no case should the options be applied to a given selection successively.\n" - "\n" - ; -@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 - /*NOTREACHED*/ - } - } -- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/ -- char XY, Z, R; -+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ -+ char XY, Z, R, S; - XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); - Z = (crop_data->crop_mode & CROP_ZONES); - R = (crop_data->crop_mode & CROP_REGIONS); -- if ((XY && Z) || (XY && R) || (Z && R)) { -- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit"); -+ S = (page->mode & PAGE_MODE_ROWSCOLS); -+ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { -+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); - exit(EXIT_FAILURE); - } - } /* end process_command_opts */ --- -GitLab - - -From bad48e90b410df32172006c7876da449ba62cdba Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Sat, 20 Aug 2022 23:35:26 +0200 -Subject: [PATCH 2/2] tiffcrop -S option: Make decision simpler. - ---- - tools/tiffcrop.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index c3b758ec..8fd856dc 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -2133,11 +2133,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 - } - /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ - char XY, Z, R, S; -- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); -- Z = (crop_data->crop_mode & CROP_ZONES); -- R = (crop_data->crop_mode & CROP_REGIONS); -- S = (page->mode & PAGE_MODE_ROWSCOLS); -- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { -+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0; -+ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0; -+ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; -+ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; -+ if (XY + Z + R + S > 1) { - TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); - exit(EXIT_FAILURE); - } --- -GitLab diff --git a/backport-0002-CVE-2022-3570-CVE-2022-3598.patch b/backport-0002-CVE-2022-3570-CVE-2022-3598.patch deleted file mode 100644 index 2d9fc59..0000000 --- a/backport-0002-CVE-2022-3570-CVE-2022-3598.patch +++ /dev/null @@ -1,34 +0,0 @@ -From aac006e5796437f1729b1284fbfa506b2b730aff Mon Sep 17 00:00:00 2001 -From: Su Laus -Date: Sat, 19 Feb 2022 16:08:15 +0000 -Subject: [PATCH] tiffcrop: buffsize check formula in loadImage() amended - (fixes #273,#275) - ---- - tools/tiffcrop.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index e4a08ca9..f2e5474a 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -6153,9 +6153,15 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c - TIFFError("loadImage", "Integer overflow detected."); - exit(EXIT_FAILURE); - } -- if (buffsize < (uint32_t) (((length * width * spp * bps) + 7) / 8)) -+ /* The buffsize_check and the possible adaptation of buffsize -+ * has to account also for padding of each line to a byte boundary. -+ * This is assumed by mirrorImage() and rotateImage(). -+ * Otherwise buffer-overflow might occur there. -+ */ -+ buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8); -+ if (buffsize < buffsize_check) - { -- buffsize = ((length * width * spp * bps) + 7) / 8; -+ buffsize = buffsize_check; - #ifdef DEBUG2 - TIFFError("loadImage", - "Stripsize %"PRIu32" is too small, using imagelength * width * spp * bps / 8 = %"PRIu32, --- -GitLab diff --git a/backport-0003-CVE-2022-22844.patch b/backport-0003-CVE-2022-22844.patch deleted file mode 100644 index bb5b5c3..0000000 --- a/backport-0003-CVE-2022-22844.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 0a827a985f891d6df481a6f581c723640fad7874 Mon Sep 17 00:00:00 2001 -From: 4ugustus -Date: Tue, 25 Jan 2022 04:30:38 +0000 -Subject: [PATCH] fix a small typo in strlen - -Conflict:NA -Reference:https://gitlab.com/libtiff/libtiff/-/commit/0a827a985f891d6df481a6f581c723640fad7874 - ---- - tools/tiffset.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/tiffset.c b/tools/tiffset.c -index b8b52c0..e7a88c0 100644 ---- a/tools/tiffset.c -+++ b/tools/tiffset.c -@@ -148,7 +148,7 @@ main(int argc, char* argv[]) - if (TIFFFieldDataType(fip) == TIFF_ASCII) { - if(TIFFFieldPassCount( fip )) { - size_t len; -- len = strlen(argv[arg_index] + 1); -+ len = strlen(argv[arg_index]) + 1; - if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip), - (uint16_t)len, argv[arg_index]) != 1) - fprintf( stderr, "Failed to set %s=%s\n", --- -2.33.0 - diff --git a/backport-0003-CVE-2022-3570-CVE-2022-3598.patch b/backport-0003-CVE-2022-3570-CVE-2022-3598.patch deleted file mode 100644 index 2791a04..0000000 --- a/backport-0003-CVE-2022-3570-CVE-2022-3598.patch +++ /dev/null @@ -1,659 +0,0 @@ -From afd7086090dafd3949afd172822cbcec4ed17d56 Mon Sep 17 00:00:00 2001 -From: Su Laus -Date: Thu, 13 Oct 2022 14:33:27 +0000 -Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271, - #381, #386, #388, #389, #435) - ---- - tools/tiffcrop.c | 209 ++++++++++++++++++++++++++--------------------- - 1 file changed, 118 insertions(+), 91 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 41a2ea36..deab5feb 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -114,8 +114,8 @@ - * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. - */ - --static char tiffcrop_version_id[] = "2.5.3"; --static char tiffcrop_rev_date[] = "26-08-2022"; -+static char tiffcrop_version_id[] = "2.5.4"; -+static char tiffcrop_rev_date[] = "27-08-2022"; - - #include "tif_config.h" - #include "libport.h" -@@ -212,6 +212,10 @@ static char tiffcrop_rev_date[] = "26-08-2022"; - - #define TIFF_DIR_MAX 65534 - -+/* Some conversion subroutines require image buffers, which are at least 3 bytes -+ * larger than the necessary size for the image itself. */ -+#define NUM_BUFF_OVERSIZE_BYTES 3 -+ - /* Offsets into buffer for margins and fixed width and length segments */ - struct offset { - uint32_t tmargin; -@@ -233,7 +237,7 @@ struct offset { - */ - - struct buffinfo { -- uint32_t size; /* size of this buffer */ -+ size_t size; /* size of this buffer */ - unsigned char *buffer; /* address of the allocated buffer */ - }; - -@@ -810,8 +814,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, - uint32_t dst_rowsize, shift_width; - uint32_t bytes_per_sample, bytes_per_pixel; - uint32_t trailing_bits, prev_trailing_bits; -- uint32_t tile_rowsize = TIFFTileRowSize(in); -- uint32_t src_offset, dst_offset; -+ tmsize_t tile_rowsize = TIFFTileRowSize(in); -+ tmsize_t src_offset, dst_offset; - uint32_t row_offset, col_offset; - uint8_t *bufp = (uint8_t*) buf; - unsigned char *src = NULL; -@@ -861,7 +865,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, - TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); - exit(EXIT_FAILURE); - } -- tilebuf = limitMalloc(tile_buffsize + 3); -+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); - if (tilebuf == 0) - return 0; - tilebuf[tile_buffsize] = 0; -@@ -1024,7 +1028,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf, - for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++) - { - srcbuffs[sample] = NULL; -- tbuff = (unsigned char *)limitMalloc(tilesize + 8); -+ tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES); - if (!tbuff) - { - TIFFError ("readSeparateTilesIntoBuffer", -@@ -1217,7 +1221,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, - } - rowstripsize = rowsperstrip * bytes_per_sample * (width + 1); - -- obuf = limitMalloc (rowstripsize); -+ /* Add 3 padding bytes for extractContigSamples32bits */ -+ obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES); - if (obuf == NULL) - return 1; - -@@ -1229,7 +1234,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, - - stripsize = TIFFVStripSize(out, nrows); - src = buf + (row * rowsize); -- memset (obuf, '\0', rowstripsize); -+ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES); - if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump)) - { - _TIFFfree(obuf); -@@ -1237,10 +1242,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, - } - if ((dump->outfile != NULL) && (dump->level == 1)) - { -- dump_info(dump->outfile, dump->format,"", -+ if (scanlinesize > 0x0ffffffffULL) { -+ dump_info(dump->infile, dump->format, "loadImage", -+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", -+ scanlinesize); -+ } -+ dump_info(dump->outfile, dump->format,"", - "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d", -- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf); -- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf); -+ s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf); -+ dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf); - } - - if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) -@@ -1267,7 +1277,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng - uint32_t tl, tw; - uint32_t row, col, nrow, ncol; - uint32_t src_rowsize, col_offset; -- uint32_t tile_rowsize = TIFFTileRowSize(out); -+ tmsize_t tile_rowsize = TIFFTileRowSize(out); - uint8_t* bufp = (uint8_t*) buf; - tsize_t tile_buffsize = 0; - tsize_t tilesize = TIFFTileSize(out); -@@ -1310,9 +1320,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng - } - src_rowsize = ((imagewidth * spp * bps) + 7U) / 8; - -- tilebuf = limitMalloc(tile_buffsize); -+ /* Add 3 padding bytes for extractContigSamples32bits */ -+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); - if (tilebuf == 0) - return 1; -+ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); - for (row = 0; row < imagelength; row += tl) - { - nrow = (row + tl > imagelength) ? imagelength - row : tl; -@@ -1358,7 +1370,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele - uint32_t imagewidth, tsample_t spp, - struct dump_opts * dump) - { -- tdata_t obuf = limitMalloc(TIFFTileSize(out)); -+ /* Add 3 padding bytes for extractContigSamples32bits */ -+ tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); - uint32_t tl, tw; - uint32_t row, col, nrow, ncol; - uint32_t src_rowsize, col_offset; -@@ -1368,6 +1381,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele - - if (obuf == NULL) - return 1; -+ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); - - if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || - !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || -@@ -1793,14 +1807,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 - - *opt_offset = '\0'; - /* convert option to lowercase */ -- end = strlen (opt_ptr); -+ end = (unsigned int)strlen (opt_ptr); - for (i = 0; i < end; i++) - *(opt_ptr + i) = tolower((int) *(opt_ptr + i)); - /* Look for dump format specification */ - if (strncmp(opt_ptr, "for", 3) == 0) - { - /* convert value to lowercase */ -- end = strlen (opt_offset + 1); -+ end = (unsigned int)strlen (opt_offset + 1); - for (i = 1; i <= end; i++) - *(opt_offset + i) = tolower((int) *(opt_offset + i)); - /* check dump format value */ -@@ -2273,6 +2287,8 @@ main(int argc, char* argv[]) - size_t length; - char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */ - -+ assert(NUM_BUFF_OVERSIZE_BYTES >= 3); -+ - little_endian = *((unsigned char *)&little_endian) & '1'; - - initImageData(&image); -@@ -3227,13 +3243,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, - /* If we have a full buffer's worth, write it out */ - if (ready_bits >= 32) - { -- bytebuff1 = (buff2 >> 56); -+ bytebuff1 = (uint8_t)(buff2 >> 56); - *dst++ = bytebuff1; -- bytebuff2 = (buff2 >> 48); -+ bytebuff2 = (uint8_t)(buff2 >> 48); - *dst++ = bytebuff2; -- bytebuff3 = (buff2 >> 40); -+ bytebuff3 = (uint8_t)(buff2 >> 40); - *dst++ = bytebuff3; -- bytebuff4 = (buff2 >> 32); -+ bytebuff4 = (uint8_t)(buff2 >> 32); - *dst++ = bytebuff4; - ready_bits -= 32; - -@@ -3642,13 +3658,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, - } - else /* If we have a full buffer's worth, write it out */ - { -- bytebuff1 = (buff2 >> 56); -+ bytebuff1 = (uint8_t)(buff2 >> 56); - *dst++ = bytebuff1; -- bytebuff2 = (buff2 >> 48); -+ bytebuff2 = (uint8_t)(buff2 >> 48); - *dst++ = bytebuff2; -- bytebuff3 = (buff2 >> 40); -+ bytebuff3 = (uint8_t)(buff2 >> 40); - *dst++ = bytebuff3; -- bytebuff4 = (buff2 >> 32); -+ bytebuff4 = (uint8_t)(buff2 >> 32); - *dst++ = bytebuff4; - ready_bits -= 32; - -@@ -3825,10 +3841,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3 - static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf) - { - uint8_t* bufp = buf; -- int32_t bytes_read = 0; -+ tmsize_t bytes_read = 0; - uint32_t strip, nstrips = TIFFNumberOfStrips(in); -- uint32_t stripsize = TIFFStripSize(in); -- uint32_t rows = 0; -+ tmsize_t stripsize = TIFFStripSize(in); -+ tmsize_t rows = 0; - uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); - tsize_t scanline_size = TIFFScanlineSize(in); - -@@ -3841,11 +3857,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf) - bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1); - rows = bytes_read / scanline_size; - if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize)) -- TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32, -+ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64, - strip + 1, bytes_read, stripsize); - - if (bytes_read < 0 && !ignore) { -- TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows", -+ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows", - strip, rows); - return 0; - } -@@ -4310,13 +4326,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, - /* If we have a full buffer's worth, write it out */ - if (ready_bits >= 32) - { -- bytebuff1 = (buff2 >> 56); -+ bytebuff1 = (uint8_t)(buff2 >> 56); - *dst++ = bytebuff1; -- bytebuff2 = (buff2 >> 48); -+ bytebuff2 = (uint8_t)(buff2 >> 48); - *dst++ = bytebuff2; -- bytebuff3 = (buff2 >> 40); -+ bytebuff3 = (uint8_t)(buff2 >> 40); - *dst++ = bytebuff3; -- bytebuff4 = (buff2 >> 32); -+ bytebuff4 = (uint8_t)(buff2 >> 32); - *dst++ = bytebuff4; - ready_bits -= 32; - -@@ -4359,10 +4375,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, - "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", - row + 1, col + 1, src_byte, src_bit, dst - out); - -- dump_long (dumpfile, format, "Match bits ", matchbits); -+ dump_wide (dumpfile, format, "Match bits ", matchbits); - dump_data (dumpfile, format, "Src bits ", src, 4); -- dump_long (dumpfile, format, "Buff1 bits ", buff1); -- dump_long (dumpfile, format, "Buff2 bits ", buff2); -+ dump_wide (dumpfile, format, "Buff1 bits ", buff1); -+ dump_wide (dumpfile, format, "Buff2 bits ", buff2); - dump_byte (dumpfile, format, "Write bits1", bytebuff1); - dump_byte (dumpfile, format, "Write bits2", bytebuff2); - dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); -@@ -4835,13 +4851,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, - /* If we have a full buffer's worth, write it out */ - if (ready_bits >= 32) - { -- bytebuff1 = (buff2 >> 56); -+ bytebuff1 = (uint8_t)(buff2 >> 56); - *dst++ = bytebuff1; -- bytebuff2 = (buff2 >> 48); -+ bytebuff2 = (uint8_t)(buff2 >> 48); - *dst++ = bytebuff2; -- bytebuff3 = (buff2 >> 40); -+ bytebuff3 = (uint8_t)(buff2 >> 40); - *dst++ = bytebuff3; -- bytebuff4 = (buff2 >> 32); -+ bytebuff4 = (uint8_t)(buff2 >> 32); - *dst++ = bytebuff4; - ready_bits -= 32; - -@@ -4884,10 +4900,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, - "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", - row + 1, col + 1, src_byte, src_bit, dst - out); - -- dump_long (dumpfile, format, "Match bits ", matchbits); -+ dump_wide (dumpfile, format, "Match bits ", matchbits); - dump_data (dumpfile, format, "Src bits ", src, 4); -- dump_long (dumpfile, format, "Buff1 bits ", buff1); -- dump_long (dumpfile, format, "Buff2 bits ", buff2); -+ dump_wide (dumpfile, format, "Buff1 bits ", buff1); -+ dump_wide (dumpfile, format, "Buff2 bits ", buff2); - dump_byte (dumpfile, format, "Write bits1", bytebuff1); - dump_byte (dumpfile, format, "Write bits2", bytebuff2); - dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); -@@ -4910,7 +4926,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt - { - int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; - uint32_t j; -- int32_t bytes_read = 0; -+ tmsize_t bytes_read = 0; - uint16_t bps = 0, planar; - uint32_t nstrips; - uint32_t strips_per_sample; -@@ -4976,7 +4992,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt - for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - srcbuffs[s] = NULL; -- buff = limitMalloc(stripsize + 3); -+ buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES); - if (!buff) - { - TIFFError ("readSeparateStripsIntoBuffer", -@@ -4999,7 +5015,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt - buff = srcbuffs[s]; - strip = (s * strips_per_sample) + j; - bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize); -- rows_this_strip = bytes_read / src_rowsize; -+ rows_this_strip = (uint32_t)(bytes_read / src_rowsize); - if (bytes_read < 0 && !ignore) - { - TIFFError(TIFFFileName(in), -@@ -6062,13 +6078,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c - uint16_t input_compression = 0, input_photometric = 0; - uint16_t subsampling_horiz, subsampling_vert; - uint32_t width = 0, length = 0; -- uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0; -+ tmsize_t stsize = 0, tlsize = 0, buffsize = 0; -+ tmsize_t scanlinesize = 0; - uint32_t tw = 0, tl = 0; /* Tile width and length */ -- uint32_t tile_rowsize = 0; -+ tmsize_t tile_rowsize = 0; - unsigned char *read_buff = NULL; - unsigned char *new_buff = NULL; - int readunit = 0; -- static uint32_t prev_readsize = 0; -+ static tmsize_t prev_readsize = 0; - - TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); - TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); -@@ -6325,6 +6342,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c - /* The buffsize_check and the possible adaptation of buffsize - * has to account also for padding of each line to a byte boundary. - * This is assumed by mirrorImage() and rotateImage(). -+ * Furthermore, functions like extractContigSamplesShifted32bits() -+ * need a buffer, which is at least 3 bytes larger than the actual image. - * Otherwise buffer-overflow might occur there. - */ - buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8); -@@ -6376,7 +6395,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c - TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); - return (-1); - } -- read_buff = (unsigned char *)limitMalloc(buffsize+3); -+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); - } - else - { -@@ -6387,11 +6406,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c - TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); - return (-1); - } -- new_buff = _TIFFrealloc(read_buff, buffsize+3); -+ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); - if (!new_buff) - { - free (read_buff); -- read_buff = (unsigned char *)limitMalloc(buffsize+3); -+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); - } - else - read_buff = new_buff; -@@ -6464,8 +6483,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c - dump_info (dump->infile, dump->format, "", - "Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp); - -+ if (scanlinesize > 0x0ffffffffULL) { -+ dump_info(dump->infile, dump->format, "loadImage", -+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", -+ scanlinesize); -+ } - for (i = 0; i < length; i++) -- dump_buffer(dump->infile, dump->format, 1, scanlinesize, -+ dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize, - i, read_buff + (i * scanlinesize)); - } - return (0); -@@ -7485,13 +7509,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image, - if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { - TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); - if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { -- int inknameslen = strlen(inknames) + 1; -+ int inknameslen = (int)strlen(inknames) + 1; - const char* cp = inknames; - while (ninks > 1) { - cp = strchr(cp, '\0'); - if (cp) { - cp++; -- inknameslen += (strlen(cp) + 1); -+ inknameslen += ((int)strlen(cp) + 1); - } - ninks--; - } -@@ -7554,23 +7578,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) - - if (!sect_buff) - { -- sect_buff = (unsigned char *)limitMalloc(sectsize); -+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); - if (!sect_buff) - { - TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); - return (-1); - } -- _TIFFmemset(sect_buff, 0, sectsize); -+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); - } - else - { - if (prev_sectsize < sectsize) - { -- new_buff = _TIFFrealloc(sect_buff, sectsize); -+ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES); - if (!new_buff) - { - _TIFFfree (sect_buff); -- sect_buff = (unsigned char *)limitMalloc(sectsize); -+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); - } - else - sect_buff = new_buff; -@@ -7580,7 +7604,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) - TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); - return (-1); - } -- _TIFFmemset(sect_buff, 0, sectsize); -+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); - } - } - -@@ -7611,17 +7635,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, - cropsize = crop->bufftotal; - crop_buff = seg_buffs[0].buffer; - if (!crop_buff) -- crop_buff = (unsigned char *)limitMalloc(cropsize); -+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); - else - { - prev_cropsize = seg_buffs[0].size; - if (prev_cropsize < cropsize) - { -- next_buff = _TIFFrealloc(crop_buff, cropsize); -+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); - if (! next_buff) - { - _TIFFfree (crop_buff); -- crop_buff = (unsigned char *)limitMalloc(cropsize); -+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); - } - else - crop_buff = next_buff; -@@ -7634,7 +7658,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, - return (-1); - } - -- _TIFFmemset(crop_buff, 0, cropsize); -+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); - seg_buffs[0].buffer = crop_buff; - seg_buffs[0].size = cropsize; - -@@ -7714,17 +7738,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, - cropsize = crop->bufftotal; - crop_buff = seg_buffs[i].buffer; - if (!crop_buff) -- crop_buff = (unsigned char *)limitMalloc(cropsize); -+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); - else - { - prev_cropsize = seg_buffs[0].size; - if (prev_cropsize < cropsize) - { -- next_buff = _TIFFrealloc(crop_buff, cropsize); -+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); - if (! next_buff) - { - _TIFFfree (crop_buff); -- crop_buff = (unsigned char *)limitMalloc(cropsize); -+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); - } - else - crop_buff = next_buff; -@@ -7737,7 +7761,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, - return (-1); - } - -- _TIFFmemset(crop_buff, 0, cropsize); -+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); - seg_buffs[i].buffer = crop_buff; - seg_buffs[i].size = cropsize; - -@@ -7853,24 +7877,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, - crop_buff = *crop_buff_ptr; - if (!crop_buff) - { -- crop_buff = (unsigned char *)limitMalloc(cropsize); -+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); - if (!crop_buff) - { - TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); - return (-1); - } -- _TIFFmemset(crop_buff, 0, cropsize); -+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); - prev_cropsize = cropsize; - } - else - { - if (prev_cropsize < cropsize) - { -- new_buff = _TIFFrealloc(crop_buff, cropsize); -+ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); - if (!new_buff) - { - free (crop_buff); -- crop_buff = (unsigned char *)limitMalloc(cropsize); -+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); - } - else - crop_buff = new_buff; -@@ -7879,7 +7903,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, - TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); - return (-1); - } -- _TIFFmemset(crop_buff, 0, cropsize); -+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); - } - } - -@@ -8177,13 +8201,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image, - if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { - TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); - if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { -- int inknameslen = strlen(inknames) + 1; -+ int inknameslen = (int)strlen(inknames) + 1; - const char* cp = inknames; - while (ninks > 1) { - cp = strchr(cp, '\0'); - if (cp) { - cp++; -- inknameslen += (strlen(cp) + 1); -+ inknameslen += ((int)strlen(cp) + 1); - } - ninks--; - } -@@ -8568,13 +8592,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_ - } - else /* If we have a full buffer's worth, write it out */ - { -- bytebuff1 = (buff2 >> 56); -+ bytebuff1 = (uint8_t)(buff2 >> 56); - *dst++ = bytebuff1; -- bytebuff2 = (buff2 >> 48); -+ bytebuff2 = (uint8_t)(buff2 >> 48); - *dst++ = bytebuff2; -- bytebuff3 = (buff2 >> 40); -+ bytebuff3 = (uint8_t)(buff2 >> 40); - *dst++ = bytebuff3; -- bytebuff4 = (buff2 >> 32); -+ bytebuff4 = (uint8_t)(buff2 >> 32); - *dst++ = bytebuff4; - ready_bits -= 32; - -@@ -8643,12 +8667,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, - return (-1); - } - -- if (!(rbuff = (unsigned char *)limitMalloc(buffsize))) -+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */ -+ if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) - { -- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize); -+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES); - return (-1); - } -- _TIFFmemset(rbuff, '\0', buffsize); -+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); - - ibuff = *ibuff_ptr; - switch (rotation) -@@ -9176,13 +9201,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width, - } - else /* If we have a full buffer's worth, write it out */ - { -- bytebuff1 = (buff2 >> 56); -+ bytebuff1 = (uint8_t)(buff2 >> 56); - *dst++ = bytebuff1; -- bytebuff2 = (buff2 >> 48); -+ bytebuff2 = (uint8_t)(buff2 >> 48); - *dst++ = bytebuff2; -- bytebuff3 = (buff2 >> 40); -+ bytebuff3 = (uint8_t)(buff2 >> 40); - *dst++ = bytebuff3; -- bytebuff4 = (buff2 >> 32); -+ bytebuff4 = (uint8_t)(buff2 >> 32); - *dst++ = bytebuff4; - ready_bits -= 32; - -@@ -9273,12 +9298,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ - { - case MIRROR_BOTH: - case MIRROR_VERT: -- line_buff = (unsigned char *)limitMalloc(rowsize); -+ line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES); - if (line_buff == NULL) - { -- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize); -+ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES); - return (-1); - } -+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); - - dst = ibuff + (rowsize * (length - 1)); - for (row = 0; row < length / 2; row++) -@@ -9310,11 +9336,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ - } - else - { /* non 8 bit per sample data */ -- if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1))) -+ if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES))) - { - TIFFError("mirrorImage", "Unable to allocate mirror line buffer"); - return (-1); - } -+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); - bytes_per_sample = (bps + 7) / 8; - bytes_per_pixel = ((bps * spp) + 7) / 8; - if (bytes_per_pixel < (bytes_per_sample + 1)) -@@ -9326,7 +9353,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ - { - row_offset = row * rowsize; - src = ibuff + row_offset; -- _TIFFmemset (line_buff, '\0', rowsize); -+ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); - switch (shift_width) - { - case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff)) --- -GitLab diff --git a/backport-CVE-2022-0561.patch b/backport-CVE-2022-0561.patch deleted file mode 100644 index d74c5e5..0000000 --- a/backport-CVE-2022-0561.patch +++ /dev/null @@ -1,28 +0,0 @@ -From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sun, 6 Feb 2022 13:08:38 +0100 -Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null - source pointer and size of zero (fixes #362) - ---- - libtiff/tif_dirread.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 23194ced..50ebf8ac 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l - _TIFFfree(data); - return(0); - } -- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); -- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); -+ if( dir->tdir_count ) -+ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); -+ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); - _TIFFfree(data); - data=resizeddata; - } --- -GitLab \ No newline at end of file diff --git a/backport-CVE-2022-0562.patch b/backport-CVE-2022-0562.patch deleted file mode 100644 index 98a72fd..0000000 --- a/backport-CVE-2022-0562.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 5 Feb 2022 20:36:41 +0100 -Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null - source pointer and size of zero (fixes #362) - ---- - libtiff/tif_dirread.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 2bbc4585..23194ced 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif) - goto bad; - } - -- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); -+ if (old_extrasamples > 0) -+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); - _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); - _TIFFfree(new_sampleinfo); - } --- -GitLab diff --git a/backport-CVE-2022-0865.patch b/backport-CVE-2022-0865.patch deleted file mode 100644 index a95a071..0000000 --- a/backport-CVE-2022-0865.patch +++ /dev/null @@ -1,34 +0,0 @@ -From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 24 Feb 2022 22:26:02 +0100 -Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD - in memory-mapped mode and when bit reversal is needed (fixes #385) - ---- - libtiff/tif_jbig.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c -index 7408633..8bfa4ce 100644 ---- a/libtiff/tif_jbig.c -+++ b/libtiff/tif_jbig.c -@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) - */ - tif->tif_flags |= TIFF_NOBITREV; - tif->tif_flags &= ~TIFF_MAPPED; -+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and -+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial -+ * value to be consistent with the state of a non-memory mapped file. -+ */ -+ if (tif->tif_flags&TIFF_BUFFERMMAP) { -+ tif->tif_rawdata = NULL; -+ tif->tif_rawdatasize = 0; -+ tif->tif_flags &= ~TIFF_BUFFERMMAP; -+ tif->tif_flags |= TIFF_MYBUFFER; -+ } - - /* Setup the function pointers for encode, decode, and cleanup. */ - tif->tif_setupdecode = JBIGSetupDecode; --- -2.35.1 - diff --git a/backport-CVE-2022-0891.patch b/backport-CVE-2022-0891.patch deleted file mode 100644 index 1d6f210..0000000 --- a/backport-CVE-2022-0891.patch +++ /dev/null @@ -1,215 +0,0 @@ -From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001 -From: Su Laus -Date: Tue, 8 Mar 2022 17:02:44 +0000 -Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in - extractImageSection - -Conflict:NA -Reference:https://gitlab.com/freedesktop-sdk/mirrors/gitlab/libtiff/libtiff/-/commit/232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c ---- - tools/tiffcrop.c | 92 +++++++++++++++++++----------------------------- - 1 file changed, 36 insertions(+), 56 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index f2e5474a..e62bcc71 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -105,8 +105,8 @@ - * of messages to monitor progress without enabling dump logs. - */ - --static char tiffcrop_version_id[] = "2.4"; --static char tiffcrop_rev_date[] = "12-13-2010"; -+static char tiffcrop_version_id[] = "2.4.1"; -+static char tiffcrop_rev_date[] = "03-03-2010"; - - #include "tif_config.h" - #include "libport.h" -@@ -6739,10 +6739,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - uint32_t img_length; - #endif -- uint32_t j, shift1, shift2, trailing_bits; -+ uint32_t j, shift1, trailing_bits; - uint32_t row, first_row, last_row, first_col, last_col; - uint32_t src_offset, dst_offset, row_offset, col_offset; -- uint32_t offset1, offset2, full_bytes; -+ uint32_t offset1, full_bytes; - uint32_t sect_width; - #ifdef DEVELMODE - uint32_t sect_length; -@@ -6752,7 +6752,6 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - int k; - unsigned char bitset; -- static char *bitarray = NULL; - #endif - - img_width = image->width; -@@ -6770,17 +6769,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - dst_offset = 0; - - #ifdef DEVELMODE -- if (bitarray == NULL) -- { -- if ((bitarray = (char *)malloc(img_width)) == NULL) -- { -- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); -- return (-1); -- } -- } -+ char bitarray[39]; - #endif - -- /* rows, columns, width, length are expressed in pixels */ -+ /* rows, columns, width, length are expressed in pixels -+ * first_row, last_row, .. are index into image array starting at 0 to width-1, -+ * last_col shall be also extracted. */ - first_row = section->y1; - last_row = section->y2; - first_col = section->x1; -@@ -6790,9 +6784,14 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - sect_length = last_row - first_row + 1; - #endif -- img_rowsize = ((img_width * bps + 7) / 8) * spp; -- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ -- trailing_bits = (sect_width * bps) % 8; -+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved -+ * samples rather than separate planes so the same logic works to extract regions -+ * regardless of the way the data are organized in the input file. -+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 -+ */ -+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ -+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ -+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ - - #ifdef DEVELMODE - TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n", -@@ -6805,10 +6804,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, - - if ((bps % 8) == 0) - { -- col_offset = first_col * spp * bps / 8; -+ col_offset = (first_col * spp * bps) / 8; - for (row = first_row; row <= last_row; row++) - { -- /* row_offset = row * img_width * spp * bps / 8; */ - row_offset = row * img_rowsize; - src_offset = row_offset + col_offset; - -@@ -6821,14 +6819,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - } - else - { /* bps != 8 */ -- shift1 = spp * ((first_col * bps) % 8); -- shift2 = spp * ((last_col * bps) % 8); -+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ - for (row = first_row; row <= last_row; row++) - { - /* pull out the first byte */ - row_offset = row * img_rowsize; -- offset1 = row_offset + (first_col * bps / 8); -- offset2 = row_offset + (last_col * bps / 8); -+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ - - #ifdef DEVELMODE - for (j = 0, k = 7; j < 8; j++, k--) -@@ -6840,12 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - sprintf(&bitarray[9], " "); - for (j = 10, k = 7; j < 18; j++, k--) - { -- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; -+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; - sprintf(&bitarray[j], (bitset) ? "1" : "0"); - } - bitarray[18] = '\0'; -- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n", -- row, offset1, shift1, offset2, shift2); -+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n", -+ row, offset1, shift1, offset1+full_bytes, trailing_bits); - #endif - - bytebuff1 = bytebuff2 = 0; -@@ -6869,11 +6865,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - - if (trailing_bits != 0) - { -- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); -+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ -+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); - sect_buff[dst_offset] = bytebuff2; - #ifdef DEVELMODE - TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", -- offset2, dst_offset); -+ offset1 + full_bytes, dst_offset); - for (j = 30, k = 7; j < 38; j++, k--) - { - bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; -@@ -6892,8 +6889,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #endif - for (j = 0; j <= full_bytes; j++) - { -- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); -- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); -+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ -+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ -+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); -+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); - sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); - } - #ifdef DEVELMODE -@@ -6909,36 +6908,17 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #endif - dst_offset += full_bytes; - -+ /* Copy the trailing_bits for the last byte in the destination buffer. -+ Could come from one ore two bytes of the source buffer. */ - if (trailing_bits != 0) - { - #ifdef DEVELMODE -- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset); --#endif -- if (shift2 > shift1) -- { -- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); -- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); -- sect_buff[dst_offset] = bytebuff2; --#ifdef DEVELMODE -- TIFFError ("", " Shift2 > Shift1\n"); -+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset); - #endif -+ /* More than necessary bits are already copied into last destination buffer, -+ * only masking of last byte in destination buffer is necessary.*/ -+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); - } -- else -- { -- if (shift2 < shift1) -- { -- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); -- sect_buff[dst_offset] &= bytebuff2; --#ifdef DEVELMODE -- TIFFError ("", " Shift2 < Shift1\n"); --#endif -- } --#ifdef DEVELMODE -- else -- TIFFError ("", " Shift2 == Shift1\n"); --#endif -- } -- } - #ifdef DEVELMODE - sprintf(&bitarray[28], " "); - sprintf(&bitarray[29], " "); -@@ -7091,7 +7071,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image, - width = sections[i].x2 - sections[i].x1 + 1; - length = sections[i].y2 - sections[i].y1 + 1; - sectsize = (uint32_t) -- ceil((width * image->bps + 7) / (double)8) * image->spp * length; -+ ceil((width * image->bps * image->spp + 7) / (double)8) * length; - /* allocate a buffer if we don't have one already */ - if (createImageSection(sectsize, sect_buff_ptr)) - { --- -GitLab diff --git a/backport-CVE-2022-0907.patch b/backport-CVE-2022-0907.patch deleted file mode 100644 index ce1af73..0000000 --- a/backport-CVE-2022-0907.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 10b4736669928673cc9a5c5f2a88ffdc92f1b560 Mon Sep 17 00:00:00 2001 -From: Augustus -Date: Mon, 7 Mar 2022 18:21:49 +0800 -Subject: [PATCH 1/3] add checks for return value of limitMalloc (#392) - ---- - tools/tiffcrop.c | 33 +++++++++++++++++++++------------ - 1 file changed, 21 insertions(+), 12 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 302a7e9..e407bf5 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) - if (!sect_buff) - { - sect_buff = (unsigned char *)limitMalloc(sectsize); -- *sect_buff_ptr = sect_buff; -+ if (!sect_buff) -+ { -+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); -+ return (-1); -+ } - _TIFFmemset(sect_buff, 0, sectsize); - } - else -@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) - else - sect_buff = new_buff; - -+ if (!sect_buff) -+ { -+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); -+ return (-1); -+ } - _TIFFmemset(sect_buff, 0, sectsize); - } - } - -- if (!sect_buff) -- { -- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); -- return (-1); -- } - prev_sectsize = sectsize; - *sect_buff_ptr = sect_buff; - -@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, - if (!crop_buff) - { - crop_buff = (unsigned char *)limitMalloc(cropsize); -- *crop_buff_ptr = crop_buff; -+ if (!crop_buff) -+ { -+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); -+ return (-1); -+ } - _TIFFmemset(crop_buff, 0, cropsize); - prev_cropsize = cropsize; - } -@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, - } - else - crop_buff = new_buff; -+ if (!crop_buff) -+ { -+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); -+ return (-1); -+ } - _TIFFmemset(crop_buff, 0, cropsize); - } - } - -- if (!crop_buff) -- { -- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); -- return (-1); -- } - *crop_buff_ptr = crop_buff; - - if (crop->crop_mode & CROP_INVERT) -@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui - * fill-column: 78 - * End: - */ -+ --- -2.35.1 - diff --git a/backport-CVE-2022-0908.patch b/backport-CVE-2022-0908.patch deleted file mode 100644 index 446c9f6..0000000 --- a/backport-CVE-2022-0908.patch +++ /dev/null @@ -1,29 +0,0 @@ -From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Thu, 17 Feb 2022 15:28:43 +0100 -Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null - source pointer and size of zero (fixes #383) - ---- - libtiff/tif_dirread.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index d654a1c..a31109a 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -5080,7 +5080,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) - _TIFFfree(data); - return(0); - } -- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); -+ if (dp->tdir_count > 0 ) -+ { -+ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); -+ } - o[(uint32_t)dp->tdir_count]=0; - if (data!=0) - _TIFFfree(data); --- -2.27.0 - diff --git a/backport-CVE-2022-0909.patch b/backport-CVE-2022-0909.patch deleted file mode 100644 index 9d33170..0000000 --- a/backport-CVE-2022-0909.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001 -From: 4ugustus -Date: Tue, 8 Mar 2022 16:22:04 +0000 -Subject: [PATCH] fix the FPE in tiffcrop (#393) - -Conflict:NA -Reference:https://gitlab.com/libtiff/libtiff/-/commit/32ea0722ee68f503b7a3f9b2d557acb293fc8cde - ---- - libtiff/tif_dir.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index a6c254f..77da6ea 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) - break; - case TIFFTAG_XRESOLUTION: - dblval = va_arg(ap, double); -- if( dblval < 0 ) -+ if( dblval != dblval || dblval < 0 ) - goto badvaluedouble; - td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); - break; - case TIFFTAG_YRESOLUTION: - dblval = va_arg(ap, double); -- if( dblval < 0 ) -+ if( dblval != dblval || dblval < 0 ) - goto badvaluedouble; - td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); - break; --- -2.27.0 - diff --git a/backport-CVE-2022-0924.patch b/backport-CVE-2022-0924.patch deleted file mode 100644 index 4eff659..0000000 --- a/backport-CVE-2022-0924.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001 -From: 4ugustus -Date: Thu, 10 Mar 2022 08:48:00 +0000 -Subject: [PATCH] fix heap buffer overflow in tiffcp (#278) - -Conflict:NA -Reference:https://gitlab.com/libtiff/libtiff/-/commit/88d79a45a31c74cba98c697892fed5f7db8b963a - ---- - tools/tiffcp.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 1f88951..552d8fa 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) - tdata_t obuf; - tstrip_t strip = 0; - tsample_t s; -+ uint16_t bps = 0, bytes_per_sample; - - obuf = limitMalloc(stripsize); - if (obuf == NULL) - return (0); - _TIFFmemset(obuf, 0, stripsize); - (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); -+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); -+ if( bps == 0 ) -+ { -+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); -+ _TIFFfree(obuf); -+ return 0; -+ } -+ if( (bps % 8) != 0 ) -+ { -+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); -+ _TIFFfree(obuf); -+ return 0; -+ } -+ bytes_per_sample = bps/8; - for (s = 0; s < spp; s++) { - uint32_t row; - for (row = 0; row < imagelength; row += rowsperstrip) { -@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) - - cpContigBufToSeparateBuf( - obuf, (uint8_t*) buf + row * rowsize + s, -- nrows, imagewidth, 0, 0, spp, 1); -+ nrows, imagewidth, 0, 0, spp, bytes_per_sample); - if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { - TIFFError(TIFFFileName(out), - "Error, can't write strip %"PRIu32, --- -2.27.0 - diff --git a/backport-CVE-2022-1354.patch b/backport-CVE-2022-1354.patch deleted file mode 100644 index 45f836c..0000000 --- a/backport-CVE-2022-1354.patch +++ /dev/null @@ -1,207 +0,0 @@ -From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sun, 5 Dec 2021 14:37:46 +0100 -Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319) - -to avoid having the size of the strip arrays inconsistent with the -number of strips returned by TIFFNumberOfStrips(), which may cause -out-ouf-bounds array read afterwards. - -One of the OJPEG hack that alters SamplesPerPixel may influence the -number of strips. Hence compute tif_dir.td_nstrips only afterwards. - -Conflict:NA -Reference:https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798 ---- - libtiff/tif_dirread.c | 162 ++++++++++++++++++++++-------------------- - 1 file changed, 83 insertions(+), 79 deletions(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index a31109a..707b3e2 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -3794,50 +3794,6 @@ TIFFReadDirectory(TIFF* tif) - MissingRequired(tif,"ImageLength"); - goto bad; - } -- /* -- * Setup appropriate structures (by strip or by tile) -- */ -- if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) { -- tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif); -- tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth; -- tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip; -- tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth; -- tif->tif_flags &= ~TIFF_ISTILED; -- } else { -- tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif); -- tif->tif_flags |= TIFF_ISTILED; -- } -- if (!tif->tif_dir.td_nstrips) { -- TIFFErrorExt(tif->tif_clientdata, module, -- "Cannot handle zero number of %s", -- isTiled(tif) ? "tiles" : "strips"); -- goto bad; -- } -- tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips; -- if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE) -- tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel; -- if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) { --#ifdef OJPEG_SUPPORT -- if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) && -- (isTiled(tif)==0) && -- (tif->tif_dir.td_nstrips==1)) { -- /* -- * XXX: OJPEG hack. -- * If a) compression is OJPEG, b) it's not a tiled TIFF, -- * and c) the number of strips is 1, -- * then we tolerate the absence of stripoffsets tag, -- * because, presumably, all required data is in the -- * JpegInterchangeFormat stream. -- */ -- TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS); -- } else --#endif -- { -- MissingRequired(tif, -- isTiled(tif) ? "TileOffsets" : "StripOffsets"); -- goto bad; -- } -- } - /* - * Second pass: extract other information. - */ -@@ -4042,41 +3998,6 @@ TIFFReadDirectory(TIFF* tif) - } /* -- if (!dp->tdir_ignore) */ - } /* -- for-loop -- */ - -- if( tif->tif_mode == O_RDWR && -- tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 && -- tif->tif_dir.td_stripoffset_entry.tdir_count == 0 && -- tif->tif_dir.td_stripoffset_entry.tdir_type == 0 && -- tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 && -- tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 && -- tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 && -- tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 && -- tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 ) -- { -- /* Directory typically created with TIFFDeferStrileArrayWriting() */ -- TIFFSetupStrips(tif); -- } -- else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) ) -- { -- if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 ) -- { -- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry), -- tif->tif_dir.td_nstrips, -- &tif->tif_dir.td_stripoffset_p)) -- { -- goto bad; -- } -- } -- if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 ) -- { -- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry), -- tif->tif_dir.td_nstrips, -- &tif->tif_dir.td_stripbytecount_p)) -- { -- goto bad; -- } -- } -- } -- - /* - * OJPEG hack: - * - If a) compression is OJPEG, and b) photometric tag is missing, -@@ -4147,6 +4068,88 @@ TIFFReadDirectory(TIFF* tif) - } - } - -+ /* -+ * Setup appropriate structures (by strip or by tile) -+ * We do that only after the above OJPEG hack which alters SamplesPerPixel -+ * and thus influences the number of strips in the separate planarconfig. -+ */ -+ if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) { -+ tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif); -+ tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth; -+ tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip; -+ tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth; -+ tif->tif_flags &= ~TIFF_ISTILED; -+ } else { -+ tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif); -+ tif->tif_flags |= TIFF_ISTILED; -+ } -+ if (!tif->tif_dir.td_nstrips) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Cannot handle zero number of %s", -+ isTiled(tif) ? "tiles" : "strips"); -+ goto bad; -+ } -+ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips; -+ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE) -+ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel; -+ if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) { -+#ifdef OJPEG_SUPPORT -+ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) && -+ (isTiled(tif)==0) && -+ (tif->tif_dir.td_nstrips==1)) { -+ /* -+ * XXX: OJPEG hack. -+ * If a) compression is OJPEG, b) it's not a tiled TIFF, -+ * and c) the number of strips is 1, -+ * then we tolerate the absence of stripoffsets tag, -+ * because, presumably, all required data is in the -+ * JpegInterchangeFormat stream. -+ */ -+ TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS); -+ } else -+#endif -+ { -+ MissingRequired(tif, -+ isTiled(tif) ? "TileOffsets" : "StripOffsets"); -+ goto bad; -+ } -+ } -+ -+ if( tif->tif_mode == O_RDWR && -+ tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 && -+ tif->tif_dir.td_stripoffset_entry.tdir_count == 0 && -+ tif->tif_dir.td_stripoffset_entry.tdir_type == 0 && -+ tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 && -+ tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 && -+ tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 && -+ tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 && -+ tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 ) -+ { -+ /* Directory typically created with TIFFDeferStrileArrayWriting() */ -+ TIFFSetupStrips(tif); -+ } -+ else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) ) -+ { -+ if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 ) -+ { -+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry), -+ tif->tif_dir.td_nstrips, -+ &tif->tif_dir.td_stripoffset_p)) -+ { -+ goto bad; -+ } -+ } -+ if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 ) -+ { -+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry), -+ tif->tif_dir.td_nstrips, -+ &tif->tif_dir.td_stripbytecount_p)) -+ { -+ goto bad; -+ } -+ } -+ } -+ - /* - * Make sure all non-color channels are extrasamples. - * If it's not the case, define them as such. --- -2.33.0 - diff --git a/backport-CVE-2022-1355.patch b/backport-CVE-2022-1355.patch deleted file mode 100644 index 8118a04..0000000 --- a/backport-CVE-2022-1355.patch +++ /dev/null @@ -1,58 +0,0 @@ -From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Sat, 2 Apr 2022 22:33:31 +0200 -Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400) - -Conflict:NA -Reference:https://gitlab.com/gitlab-org/build/omnibus-mirror/libtiff/-/commit/fb1db384959698edd6caeea84e28253d272a0f96 ---- - tools/tiffcp.c | 25 ++++++++++++++++++++----- - 1 file changed, 20 insertions(+), 5 deletions(-) - -diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 552d8fa..57eef90 100644 ---- a/tools/tiffcp.c -+++ b/tools/tiffcp.c -@@ -274,19 +274,34 @@ main(int argc, char* argv[]) - deftilewidth = atoi(optarg); - break; - case 'B': -- *mp++ = 'b'; *mp = '\0'; -+ if (strlen(mode) < (sizeof(mode) - 1)) -+ { -+ *mp++ = 'b'; *mp = '\0'; -+ } - break; - case 'L': -- *mp++ = 'l'; *mp = '\0'; -+ if (strlen(mode) < (sizeof(mode) - 1)) -+ { -+ *mp++ = 'l'; *mp = '\0'; -+ } - break; - case 'M': -- *mp++ = 'm'; *mp = '\0'; -+ if (strlen(mode) < (sizeof(mode) - 1)) -+ { -+ *mp++ = 'm'; *mp = '\0'; -+ } - break; - case 'C': -- *mp++ = 'c'; *mp = '\0'; -+ if (strlen(mode) < (sizeof(mode) - 1)) -+ { -+ *mp++ = 'c'; *mp = '\0'; -+ } - break; - case '8': -- *mp++ = '8'; *mp = '\0'; -+ if (strlen(mode) < (sizeof(mode)-1)) -+ { -+ *mp++ = '8'; *mp = '\0'; -+ } - break; - case 'x': - pageInSeq = 1; --- -2.27.0 - diff --git a/backport-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch b/backport-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch deleted file mode 100644 index 455212d..0000000 --- a/backport-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch +++ /dev/null @@ -1,179 +0,0 @@ -From dd1bcc7abb26094e93636e85520f0d8f81ab0fab Mon Sep 17 00:00:00 2001 -From: 4ugustus -Date: Sat, 11 Jun 2022 09:31:43 +0000 -Subject: [PATCH] fix the FPE in tiffcrop (#415, #427, and #428) - ---- - libtiff/tif_aux.c | 9 +++++++ - libtiff/tiffiop.h | 1 + - tools/tiffcrop.c | 62 ++++++++++++++++++++++++++--------------------- - 3 files changed, 44 insertions(+), 28 deletions(-) - -diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c -index 140f26c7..5b88c8d0 100644 ---- a/libtiff/tif_aux.c -+++ b/libtiff/tif_aux.c -@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val ) - return (float)val; - } - -+uint32_t _TIFFClampDoubleToUInt32(double val) -+{ -+ if( val < 0 ) -+ return 0; -+ if( val > 0xFFFFFFFFU || val != val ) -+ return 0xFFFFFFFFU; -+ return (uint32_t)val; -+} -+ - int _TIFFSeekOK(TIFF* tif, toff_t off) - { - /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */ -diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h -index e3af461d..4e8bdac2 100644 ---- a/libtiff/tiffiop.h -+++ b/libtiff/tiffiop.h -@@ -365,6 +365,7 @@ extern double _TIFFUInt64ToDouble(uint64_t); - extern float _TIFFUInt64ToFloat(uint64_t); - - extern float _TIFFClampDoubleToFloat(double); -+extern uint32_t _TIFFClampDoubleToUInt32(double); - - extern tmsize_t - _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip, -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 1f827b2b..90286a5e 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -5268,17 +5268,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - { - if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER)) - { -- x1 = (uint32_t) (crop->corners[i].X1 * scale * xres); -- x2 = (uint32_t) (crop->corners[i].X2 * scale * xres); -- y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres); -- y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres); -+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres); -+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres); -+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres); -+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres); - } - else - { -- x1 = (uint32_t) (crop->corners[i].X1); -- x2 = (uint32_t) (crop->corners[i].X2); -- y1 = (uint32_t) (crop->corners[i].Y1); -- y2 = (uint32_t) (crop->corners[i].Y2); -+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1); -+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2); -+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); -+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); - } - /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 - * b) Corners are expected to be submitted as top-left to bottom-right. -@@ -5357,17 +5357,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - { - if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) - { /* User has specified pixels as reference unit */ -- tmargin = (uint32_t)(crop->margins[0]); -- lmargin = (uint32_t)(crop->margins[1]); -- bmargin = (uint32_t)(crop->margins[2]); -- rmargin = (uint32_t)(crop->margins[3]); -+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]); -+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]); -+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]); -+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]); - } - else - { /* inches or centimeters specified */ -- tmargin = (uint32_t)(crop->margins[0] * scale * yres); -- lmargin = (uint32_t)(crop->margins[1] * scale * xres); -- bmargin = (uint32_t)(crop->margins[2] * scale * yres); -- rmargin = (uint32_t)(crop->margins[3] * scale * xres); -+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres); -+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres); -+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres); -+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres); - } - - if ((lmargin + rmargin) > image->width) -@@ -5397,24 +5397,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER) - { - if (crop->crop_mode & CROP_WIDTH) -- width = (uint32_t)crop->width; -+ width = _TIFFClampDoubleToUInt32(crop->width); - else - width = image->width - lmargin - rmargin; - - if (crop->crop_mode & CROP_LENGTH) -- length = (uint32_t)crop->length; -+ length = _TIFFClampDoubleToUInt32(crop->length); - else - length = image->length - tmargin - bmargin; - } - else - { - if (crop->crop_mode & CROP_WIDTH) -- width = (uint32_t)(crop->width * scale * image->xres); -+ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres); - else - width = image->width - lmargin - rmargin; - - if (crop->crop_mode & CROP_LENGTH) -- length = (uint32_t)(crop->length * scale * image->yres); -+ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres); - else - length = image->length - tmargin - bmargin; - } -@@ -5868,13 +5868,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, - { - if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER) - { /* inches or centimeters specified */ -- hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps + 7) / 8)); -- vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps + 7) / 8)); -+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8)); -+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8)); - } - else - { /* Otherwise user has specified pixels as reference unit */ -- hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8)); -- vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8)); -+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8)); -+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8)); - } - - if ((hmargin * 2.0) > (pwidth * page->hres)) -@@ -5912,13 +5912,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, - { - if (page->mode & PAGE_MODE_PAPERSIZE ) - { -- owidth = (uint32_t)((pwidth * page->hres) - (hmargin * 2)); -- olength = (uint32_t)((plength * page->vres) - (vmargin * 2)); -+ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2)); -+ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2)); - } - else - { -- owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres)); -- olength = (uint32_t)(ilength - (vmargin * 2 * page->vres)); -+ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres)); -+ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres)); - } - } - -@@ -5927,6 +5927,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image, - if (olength > ilength) - olength = ilength; - -+ if (owidth == 0 || olength == 0) -+ { -+ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages"); -+ exit(EXIT_FAILURE); -+ } -+ - /* Compute the number of pages required for Portrait or Landscape */ - switch (page->orient) - { --- -GitLab diff --git a/backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch deleted file mode 100644 index f930929..0000000 --- a/backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch +++ /dev/null @@ -1,146 +0,0 @@ -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 0da3157743aaabc2f874fdaeb9f46e94cb00efd8..e4a08ca96c03923a49a71aab0f0cfba906ffdf29 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -5192,29 +5192,45 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - y1 = (uint32_t) (crop->corners[i].Y1); - y2 = (uint32_t) (crop->corners[i].Y2); - } -- if (x1 < 1) -- crop->regionlist[i].x1 = 0; -- else -- crop->regionlist[i].x1 = (uint32_t) (x1 - 1); -+ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 -+ * b) Corners are expected to be submitted as top-left to bottom-right. -+ * Therefore, check that and reorder input. -+ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ) -+ */ -+ uint32_t aux; -+ if (x1 > x2) { -+ aux = x1; -+ x1 = x2; -+ x2 = aux; -+ } -+ if (y1 > y2) { -+ aux = y1; -+ y1 = y2; -+ y2 = aux; -+ } -+ if (x1 > image->width - 1) -+ crop->regionlist[i].x1 = image->width - 1; -+ else if (x1 > 0) -+ crop->regionlist[i].x1 = (uint32_t)(x1 - 1); - - if (x2 > image->width - 1) - crop->regionlist[i].x2 = image->width - 1; -- else -- crop->regionlist[i].x2 = (uint32_t) (x2 - 1); -- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; -+ else if (x2 > 0) -+ crop->regionlist[i].x2 = (uint32_t)(x2 - 1); - -- if (y1 < 1) -- crop->regionlist[i].y1 = 0; -- else -- crop->regionlist[i].y1 = (uint32_t) (y1 - 1); -+ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; -+ -+ if (y1 > image->length - 1) -+ crop->regionlist[i].y1 = image->length - 1; -+ else if (y1 > 0) -+ crop->regionlist[i].y1 = (uint32_t)(y1 - 1); - - if (y2 > image->length - 1) - crop->regionlist[i].y2 = image->length - 1; -- else -- crop->regionlist[i].y2 = (uint32_t) (y2 - 1); -- -- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; -+ else if (y2 > 0) -+ crop->regionlist[i].y2 = (uint32_t)(y2 - 1); - -+ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; - if (zwidth > max_width) - max_width = zwidth; - if (zlength > max_length) -@@ -5244,7 +5260,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - } - } - return (0); -- } -+ } /* crop_mode == CROP_REGIONS */ - - /* Convert crop margins into offsets into image - * Margins are expressed as pixel rows and columns, not bytes -@@ -5280,7 +5296,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - bmargin = (uint32_t) 0; - return (-1); - } -- } -+ } /* crop_mode == CROP_MARGINS */ - else - { /* no margins requested */ - tmargin = (uint32_t) 0; -@@ -5371,24 +5387,23 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, - off->endx = endx; - off->endy = endy; - -- crop_width = endx - startx + 1; -- crop_length = endy - starty + 1; -- -- if (crop_width <= 0) -+ if (endx + 1 <= startx) - { - TIFFError("computeInputPixelOffsets", - "Invalid left/right margins and /or image crop width requested"); - return (-1); - } -+ crop_width = endx - startx + 1; - if (crop_width > image->width) - crop_width = image->width; - -- if (crop_length <= 0) -+ if (endy + 1 <= starty) - { - TIFFError("computeInputPixelOffsets", - "Invalid top/bottom margins and /or image crop length requested"); - return (-1); - } -+ crop_length = endy - starty + 1; - if (crop_length > image->length) - crop_length = image->length; - -@@ -5488,10 +5503,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt - else - crop->selections = crop->zones; - -- for (i = 0; i < crop->zones; i++) -+ /* Initialize regions iterator i */ -+ i = 0; -+ for (int j = 0; j < crop->zones; j++) - { -- seg = crop->zonelist[i].position; -- total = crop->zonelist[i].total; -+ seg = crop->zonelist[j].position; -+ total = crop->zonelist[j].total; -+ -+ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */ -+ if (seg == 0 || total == 0 || seg > total) { -+ continue; -+ } - - switch (crop->edge_ref) - { -@@ -5620,8 +5642,11 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt - i + 1, zwidth, zlength, - crop->regionlist[i].x1, crop->regionlist[i].x2, - crop->regionlist[i].y1, crop->regionlist[i].y2); -+ /* increment regions iterator */ -+ i++; - } -- -+ /* set number of generated regions out of given zones */ -+ crop->selections = i; - return (0); - } /* end getCropOffsets */ - \ No newline at end of file diff --git a/backport-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627.patch b/backport-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627.patch deleted file mode 100644 index 203d54a..0000000 --- a/backport-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 4746f16253b784287bc8a5003990c1c3b9a03a62 Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Thu, 25 Aug 2022 16:11:41 +0200 -Subject: [PATCH] tiffcrop: disable incompatibility of -Z, -X, -Y, -z options - with any PAGE_MODE_x option (fixes #411 and #413) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -tiffcrop does not support 鈥揨, -z, -X and 鈥揧 options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or 鈥揝. - -Code analysis: - -With the options 鈥揨, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[]. -In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) . - -Execution of the else-clause often leads to buffer-overflows. - -Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows. - -The MR solves issues #411 and #413. ---- - tools/tiffcrop.c | 32 +++++++++++++++++++++++++------- - 1 files changed, 25 insertions(+), 7 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 8fd856dc..41a2ea36 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -107,13 +107,15 @@ - * selects which functions dump data, with higher numbers selecting - * lower level, scanline level routines. Debug reports a limited set - * of messages to monitor progress without enabling dump logs. -- * -- * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive. -+ * -+ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive. - * In no case should the options be applied to a given selection successively. -- */ -+ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options -+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. -+ */ - --static char tiffcrop_version_id[] = "2.5.1"; --static char tiffcrop_rev_date[] = "15-08-2022"; -+static char tiffcrop_version_id[] = "2.5.3"; -+static char tiffcrop_rev_date[] = "26-08-2022"; - - #include "tif_config.h" - #include "libport.h" -@@ -781,9 +783,12 @@ static const char usage_info[] = - " The four debug/dump options are independent, though it makes little sense to\n" - " specify a dump file without specifying a detail level.\n" - "\n" --"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n" -+"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n" - " In no case should the options be applied to a given selection successively.\n" - "\n" -+"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options\n" -+" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.\n" -+"\n" - ; - - /* This function could be modified to pass starting sample offset -@@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 - R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; - S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; - if (XY + Z + R + S > 1) { -- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); -+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit"); - exit(EXIT_FAILURE); - } -+ -+ /* Check for not allowed combination: -+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options -+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. -+. */ -+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) { -+ TIFFError("tiffcrop input error", -+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit"); -+ exit(EXIT_FAILURE); -+ } -+ - } /* end process_command_opts */ - - /* Start a new output file if one has not been previously opened or -@@ -2411,6 +2427,7 @@ main(int argc, char* argv[]) - exit (EXIT_FAILURE); - } - -+ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */ - if (crop.selections > 0) - { - if (processCropSelections(&image, &crop, &read_buff, seg_buffs)) -@@ -2427,6 +2444,7 @@ main(int argc, char* argv[]) - exit (EXIT_FAILURE); - } - } -+ /* Format and write selected image parts to output file(s). */ - if (page.mode == PAGE_MODE_NONE) - { /* Whole image or sections not based on output page size */ - if (crop.selections > 0) --- -GitLab diff --git a/backport-CVE-2022-3599.patch b/backport-CVE-2022-3599.patch deleted file mode 100644 index 57dabb0..0000000 --- a/backport-CVE-2022-3599.patch +++ /dev/null @@ -1,261 +0,0 @@ -From f00484b9519df933723deb38fff943dc291a793d Mon Sep 17 00:00:00 2001 -From: Su_Laus -Date: Tue, 30 Aug 2022 16:56:48 +0200 -Subject: [PATCH] Revised handling of TIFFTAG_INKNAMES and related - TIFFTAG_NUMBEROFINKS value - -In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed: - -Behaviour for writing: - `NumberOfInks` MUST fit to the number of inks in the `InkNames` string. - `NumberOfInks` is automatically set when `InkNames` is set. - If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. - If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. - -Behaviour for reading: - When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string. - If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. - If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. - -This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow - -This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456. - -It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue. ---- - libtiff/tif_dir.c | 119 ++++++++++++++++++++++++----------------- - libtiff/tif_dir.h | 2 + - libtiff/tif_dirinfo.c | 2 +- - libtiff/tif_dirwrite.c | 5 ++ - libtiff/tif_print.c | 4 ++ - 5 files changed, 82 insertions(+), 50 deletions(-) - -diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index 793e8a79..816f7756 100644 ---- a/libtiff/tif_dir.c -+++ b/libtiff/tif_dir.c -@@ -136,32 +136,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32_t* v) - } - - /* -- * Confirm we have "samplesperpixel" ink names separated by \0. Returns -+ * Count ink names separated by \0. Returns - * zero if the ink names are not as expected. - */ --static uint32_t --checkInkNamesString(TIFF* tif, uint32_t slen, const char* s) -+static uint16_t -+countInkNamesString(TIFF *tif, uint32_t slen, const char *s) - { -- TIFFDirectory* td = &tif->tif_dir; -- uint16_t i = td->td_samplesperpixel; -+ uint16_t i = 0; -+ const char *ep = s + slen; -+ const char *cp = s; - - if (slen > 0) { -- const char* ep = s+slen; -- const char* cp = s; -- for (; i > 0; i--) { -+ do { - for (; cp < ep && *cp != '\0'; cp++) {} - if (cp >= ep) - goto bad; - cp++; /* skip \0 */ -- } -- return ((uint32_t)(cp - s)); -+ i++; -+ } while (cp < ep); -+ return (i); - } - bad: - TIFFErrorExt(tif->tif_clientdata, "TIFFSetField", -- "%s: Invalid InkNames value; expecting %"PRIu16" names, found %"PRIu16, -- tif->tif_name, -- td->td_samplesperpixel, -- (uint16_t)(td->td_samplesperpixel-i)); -+ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink", -+ tif->tif_name, slen, i); - return (0); - } - -@@ -478,13 +476,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) - _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); - break; - case TIFFTAG_INKNAMES: -- v = (uint16_t) va_arg(ap, uint16_vap); -- s = va_arg(ap, char*); -- v = checkInkNamesString(tif, v, s); -- status = v > 0; -- if( v > 0 ) { -- _TIFFsetNString(&td->td_inknames, s, v); -- td->td_inknameslen = v; -+ { -+ v = (uint16_t) va_arg(ap, uint16_vap); -+ s = va_arg(ap, char*); -+ uint16_t ninksinstring; -+ ninksinstring = countInkNamesString(tif, v, s); -+ status = ninksinstring > 0; -+ if(ninksinstring > 0 ) { -+ _TIFFsetNString(&td->td_inknames, s, v); -+ td->td_inknameslen = v; -+ /* Set NumberOfInks to the value ninksinstring */ -+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) -+ { -+ if (td->td_numberofinks != ninksinstring) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"", -+ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring); -+ td->td_numberofinks = ninksinstring; -+ } -+ } else { -+ td->td_numberofinks = ninksinstring; -+ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS); -+ } -+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) -+ { -+ if (td->td_numberofinks != td->td_samplesperpixel) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"", -+ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel); -+ } -+ } -+ } -+ } -+ break; -+ case TIFFTAG_NUMBEROFINKS: -+ v = (uint16_t)va_arg(ap, uint16_vap); -+ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */ -+ if (TIFFFieldSet(tif, FIELD_INKNAMES)) -+ { -+ if (v != td->td_numberofinks) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")", -+ tif->tif_name, fip->field_name, v, td->td_numberofinks); -+ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */ -+ status = 0; -+ } -+ } else { -+ td->td_numberofinks = (uint16_t)v; -+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) -+ { -+ if (td->td_numberofinks != td->td_samplesperpixel) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"", -+ tif->tif_name, fip->field_name, v, td->td_samplesperpixel); -+ } -+ } - } - break; - case TIFFTAG_PERSAMPLE: -@@ -986,34 +1032,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap) - if (fip->field_bit == FIELD_CUSTOM) { - standard_tag = 0; - } -- -- if( standard_tag == TIFFTAG_NUMBEROFINKS ) -- { -- int i; -- for (i = 0; i < td->td_customValueCount; i++) { -- uint16_t val; -- TIFFTagValue *tv = td->td_customValues + i; -- if (tv->info->field_tag != standard_tag) -- continue; -- if( tv->value == NULL ) -- return 0; -- val = *(uint16_t *)tv->value; -- /* Truncate to SamplesPerPixel, since the */ -- /* setting code for INKNAMES assume that there are SamplesPerPixel */ -- /* inknames. */ -- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ -- if( val > td->td_samplesperpixel ) -- { -- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", -- "Truncating NumberOfInks from %u to %"PRIu16, -- val, td->td_samplesperpixel); -- val = td->td_samplesperpixel; -- } -- *va_arg(ap, uint16_t*) = val; -- return 1; -- } -- return 0; -- } - - switch (standard_tag) { - case TIFFTAG_SUBFILETYPE: -@@ -1195,6 +1213,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap) - case TIFFTAG_INKNAMES: - *va_arg(ap, const char**) = td->td_inknames; - break; -+ case TIFFTAG_NUMBEROFINKS: -+ *va_arg(ap, uint16_t *) = td->td_numberofinks; -+ break; - default: - { - int i; -diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h -index 09065648..0c251c9e 100644 ---- a/libtiff/tif_dir.h -+++ b/libtiff/tif_dir.h -@@ -117,6 +117,7 @@ typedef struct { - /* CMYK parameters */ - int td_inknameslen; - char* td_inknames; -+ uint16_t td_numberofinks; /* number of inks in InkNames string */ - - int td_customValueCount; - TIFFTagValue *td_customValues; -@@ -174,6 +175,7 @@ typedef struct { - #define FIELD_TRANSFERFUNCTION 44 - #define FIELD_INKNAMES 46 - #define FIELD_SUBIFD 49 -+#define FIELD_NUMBEROFINKS 50 - /* FIELD_CUSTOM (see tiffio.h) 65 */ - /* end of support for well-known tags; codec-private tags follow */ - #define FIELD_CODEC 66 /* base of codec-private tags */ -diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c -index 3371cb5c..3b4bcd33 100644 ---- a/libtiff/tif_dirinfo.c -+++ b/libtiff/tif_dirinfo.c -@@ -114,7 +114,7 @@ tiffFields[] = { - { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray }, - { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, - { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, -- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL }, -+ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL }, - { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL }, - { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL }, - { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL }, -diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c -index 6c86fdca..062e4610 100644 ---- a/libtiff/tif_dirwrite.c -+++ b/libtiff/tif_dirwrite.c -@@ -626,6 +626,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64_t* pdiroff) - if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames)) - goto bad; - } -+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) -+ { -+ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks)) -+ goto bad; -+ } - if (TIFFFieldSet(tif,FIELD_SUBIFD)) - { - if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir)) -diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c -index 16ce5780..a91b9e7b 100644 ---- a/libtiff/tif_print.c -+++ b/libtiff/tif_print.c -@@ -397,6 +397,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) - } - fputs("\n", fd); - } -+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) { -+ fprintf(fd, " NumberOfInks: %d\n", -+ td->td_numberofinks); -+ } - if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) { - fprintf(fd, " Thresholding: "); - switch (td->td_threshholding) { --- -GitLab diff --git a/backport-CVE-2022-3970.patch b/backport-CVE-2022-3970.patch deleted file mode 100644 index b83a539..0000000 --- a/backport-CVE-2022-3970.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 227500897dfb07fb7d27f7aa570050e62617e3be Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Tue, 8 Nov 2022 15:16:58 +0100 -Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on - strips/tiles > 2 GB - -Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137 ---- - libtiff/tif_getimage.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index a4d0c1d6..60b94d8e 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -3016,15 +3016,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in - return( ok ); - - for( i_row = 0; i_row < read_ysize; i_row++ ) { -- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize, -- raster + (read_ysize - i_row - 1) * read_xsize, -+ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, -+ raster + (size_t)(read_ysize - i_row - 1) * read_xsize, - read_xsize * sizeof(uint32_t) ); -- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize, -+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize, - 0, sizeof(uint32_t) * (tile_xsize - read_xsize) ); - } - - for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) { -- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize, -+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, - 0, sizeof(uint32_t) * tile_xsize ); - } - --- -GitLab \ No newline at end of file diff --git a/backport-CVE-2022-48281.patch b/backport-CVE-2022-48281.patch index 159b30d..d3cf3cc 100644 --- a/backport-CVE-2022-48281.patch +++ b/backport-CVE-2022-48281.patch @@ -8,17 +8,18 @@ Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488. 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 92f8d09..20b9c23 100644 +index 14fa18da..7db69883 100644 --- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c -@@ -7638,7 +7638,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, - crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); - else - { -- prev_cropsize = seg_buffs[0].size; -+ prev_cropsize = seg_buffs[i].size; - if (prev_cropsize < cropsize) - { - next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); +@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image, + cropsize + NUM_BUFF_OVERSIZE_BYTES); + else + { +- prev_cropsize = seg_buffs[0].size; ++ prev_cropsize = seg_buffs[i].size; + if (prev_cropsize < cropsize) + { + next_buff = _TIFFrealloc( -- -2.33.0 +GitLab + diff --git a/fix-raw2tiff-floating-point-exception.patch b/fix-raw2tiff-floating-point-exception.patch deleted file mode 100644 index ca217c8..0000000 --- a/fix-raw2tiff-floating-point-exception.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 42f499986d3c8a1dce55db7d97d501f8e9dfc8f6 Mon Sep 17 00:00:00 2001 -From: t.feng -Date: Mon, 13 Dec 2021 21:03:13 +0800 -Subject: [PATCH] fix raw2tiff floating point exception - -if we input illegal nbands, like: -raw2tiff -b :2 test.raw test.tif -we got: -Floating point exception (core dumped) -so, check nbands before guessSize - ---- - tools/raw2tiff.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c -index dfee715..3a6f00e 100644 ---- a/tools/raw2tiff.c -+++ b/tools/raw2tiff.c -@@ -209,6 +209,11 @@ main(int argc, char* argv[]) - return (EXIT_FAILURE); - } - -+ if (nbands == 0) { -+ fprintf(stderr, "The number of bands is illegal.\n"); -+ return (-1); -+ } -+ - if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0) - return EXIT_FAILURE; - --- -2.27.0 - diff --git a/libtiff.spec b/libtiff.spec index 814e1a4..b1bc3c8 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,40 +1,12 @@ Name: libtiff -Version: 4.3.0 -Release: 22 +Version: 4.5.0 +Release: 1 Summary: TIFF Library and Utilities License: libtiff URL: https://www.simplesystems.org/libtiff/ Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz -Patch6000: backport-CVE-2022-0561.patch -Patch6001: backport-CVE-2022-0562.patch -Patch6002: backport-0001-CVE-2022-22844.patch -Patch6003: backport-0002-CVE-2022-22844.patch -Patch6004: backport-0003-CVE-2022-22844.patch -Patch6005: backport-CVE-2022-0891.patch -Patch6006: backport-CVE-2022-0907.patch -Patch6007: backport-CVE-2022-0908.patch -Patch6008: backport-CVE-2022-0865.patch -Patch6009: backport-CVE-2022-0909.patch -Patch6010: backport-CVE-2022-0924.patch -Patch6011: backport-CVE-2022-1355.patch -Patch6012: backport-0001-CVE-2022-1622-CVE-2022-1623.patch -Patch6013: backport-0002-CVE-2022-1622-CVE-2022-1623.patch -Patch6014: backport-CVE-2022-1354.patch -Patch6015: backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch -Patch6016: backport-0001-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch -Patch6017: backport-0002-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch -Patch6018: backport-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch -Patch6019: backport-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627.patch -Patch6020: backport-0001-CVE-2022-3570-CVE-2022-3598.patch -Patch6021: backport-0002-CVE-2022-3570-CVE-2022-3598.patch -Patch6022: backport-0003-CVE-2022-3570-CVE-2022-3598.patch -Patch6023: backport-CVE-2022-3599.patch -Patch6024: backport-CVE-2022-3970.patch -Patch6025: backport-CVE-2022-48281.patch - -Patch9000: fix-raw2tiff-floating-point-exception.patch - +Patch6000: backport-CVE-2022-48281.patch BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig @@ -125,11 +97,11 @@ fi %check make check -find html -name 'Makefile*' | xargs rm +find doc -name 'Makefile*' | xargs rm %files %defattr(-,root,root) -%license COPYRIGHT +%license LICENSE.md %doc README.md %{_libdir}/*.so.* @@ -150,11 +122,13 @@ find html -name 'Makefile*' | xargs rm %defattr(-,root,root) %{_mandir}/man* %doc RELEASE-DATE VERSION -%doc TODO ChangeLog html +%doc TODO ChangeLog doc %exclude %{_mandir}/man1/* -%exclude %{_datadir}/html/man/tiffgt.1.html %changelog +* Tue Feb 07 2023 zhouwenpei - 4.5.0-1 +- update to 4.5.0 + * Sun Jan 29 2023 zhouwenpei - 4.3.0-22 - Type:cve - ID:CVE-2022-48281 diff --git a/tiff-4.3.0.tar.gz b/tiff-4.3.0.tar.gz deleted file mode 100644 index e0468fa..0000000 Binary files a/tiff-4.3.0.tar.gz and /dev/null differ diff --git a/tiff-4.5.0.tar.gz b/tiff-4.5.0.tar.gz new file mode 100644 index 0000000..2a73f47 Binary files /dev/null and b/tiff-4.5.0.tar.gz differ