packages/libtiff
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!130 update to 4.5.0

Browse Source 
From: @zhouwenpei 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
This commit is contained in:
openeuler-ci-bot 2023-02-08 01:21:28 +00:00 committed by Gitee
commit 9a029319b1
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
30 changed files with 21 additions and 4001 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

772
backport-0001-CVE-2022-1622-CVE-2022-1623.patch
View File

@ -1,772 +0,0 @@
From 189d65779275132c86abd1e06cdab8a080645b32 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 10 Mar 2022 12:14:31 +0100
Subject: [PATCH 1/3] tif_lzw.c: make LZW_CHECKEOS non-optional
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/318/diffs
this is pre-patch for CVE-2022-1622 and CVE-2022-1623
---
libtiff/tif_lzw.c | 551 ++++++++++++++++++++++++++++++----------------
1 file changed, 356 insertions(+), 195 deletions(-)
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index c06aec4..c28366b 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -1,6 +1,7 @@
/*
* Copyright (c) 1988-1997 Sam Leffler
* Copyright (c) 1991-1997 Silicon Graphics, Inc.
+ * Copyright (c) 2022 Even Rouault
*
* Permission to use, copy, modify, distribute, and sell this software and
* its documentation for any purpose is hereby granted without fee, provided
@@ -36,8 +37,13 @@
*/
#include "tif_predict.h"
+#include <stdbool.h>
#include <stdio.h>
+/* Select the plausible largest natural integer type for the architecture */
+#define SIZEOF_WORDTYPE SIZEOF_SIZE_T
+typedef size_t WordType;
+
/*
* NB: The 5.0 spec describes a different algorithm than Aldus
* implements. Specifically, Aldus does code length transitions
@@ -52,13 +58,6 @@
* Future revisions to the TIFF spec are expected to "clarify this issue".
*/
#define LZW_COMPAT /* include backwards compatibility code */
-/*
- * Each strip of data is supposed to be terminated by a CODE_EOI.
- * If the following #define is included, the decoder will also
- * check for end-of-strip w/o seeing this code. This makes the
- * library more robust, but also slower.
- */
-#define LZW_CHECKEOS /* include checks for strips w/o EOI code */
#define MAXCODE(n) ((1L<<(n))-1)
/*
@@ -92,7 +91,7 @@ typedef struct {
unsigned short nbits; /* # of bits/code */
unsigned short maxcode; /* maximum code for lzw_nbits */
unsigned short free_ent; /* next free entry in hash table */
- unsigned long nextdata; /* next bits of i/o */
+ WordType nextdata; /* next bits of i/o */
long nextbits; /* # of valid bits in lzw_nextdata */
int rw_mode; /* preserve rw_mode from init */
@@ -119,8 +118,10 @@ typedef struct {
typedef struct code_ent {
struct code_ent *next;
unsigned short length; /* string len, including this token */
- unsigned char value; /* data value */
+ /* firstchar should be placed immediately before value in this structure */
unsigned char firstchar; /* first token of string */
+ unsigned char value; /* data value */
+ bool repeated;
} code_t;
typedef int (*decodeFunc)(TIFF*, uint8_t*, tmsize_t, uint16_t);
@@ -131,10 +132,8 @@ typedef struct {
/* Decoding specific data */
long dec_nbitsmask; /* lzw_nbits 1 bits, right adjusted */
long dec_restart; /* restart count */
-#ifdef LZW_CHECKEOS
uint64_t dec_bitsleft; /* available bits in raw data */
tmsize_t old_tif_rawcc; /* value of tif_rawcc at the end of the previous TIFLZWDecode() call */
-#endif
decodeFunc dec_decode; /* regular or backwards compatible */
code_t* dec_codep; /* current recognized code */
code_t* dec_oldcodep; /* previously recognized code */
@@ -167,26 +166,6 @@ static void cl_hash(LZWCodecState*);
* LZW Decoder.
*/
-#ifdef LZW_CHECKEOS
-/*
- * This check shouldn't be necessary because each
- * strip is suppose to be terminated with CODE_EOI.
- */
-#define NextCode(_tif, _sp, _bp, _code, _get) { \
- if ((_sp)->dec_bitsleft < (uint64_t)nbits) { \
- TIFFWarningExt(_tif->tif_clientdata, module, \
- "LZWDecode: Strip %"PRIu32" not terminated with EOI code", \
- _tif->tif_curstrip); \
- _code = CODE_EOI; \
- } else { \
- _get(_sp,_bp,_code); \
- (_sp)->dec_bitsleft -= nbits; \
- } \
-}
-#else
-#define NextCode(tif, sp, bp, code, get) get(sp, bp, code)
-#endif
-
static int
LZWFixupTags(TIFF* tif)
{
@@ -236,17 +215,17 @@ LZWSetupDecode(TIFF* tif)
*/
code = 255;
do {
- sp->dec_codetab[code].value = (unsigned char)code;
sp->dec_codetab[code].firstchar = (unsigned char)code;
+ sp->dec_codetab[code].value = (unsigned char)code;
+ sp->dec_codetab[code].repeated = true;
sp->dec_codetab[code].length = 1;
sp->dec_codetab[code].next = NULL;
} while (code--);
/*
- * Zero-out the unused entries
- */
- /* Silence false positive */
- /* coverity[overrun-buffer-arg] */
- _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
+ * Zero-out the unused entries */
+ /* Silence false positive */
+ /* coverity[overrun-buffer-arg] */
+ memset(&sp->dec_codetab[CODE_CLEAR], 0,
(CODE_FIRST - CODE_CLEAR) * sizeof (code_t));
}
return (1);
@@ -316,11 +295,9 @@ LZWPreDecode(TIFF* tif, uint16_t s)
sp->dec_restart = 0;
sp->dec_nbitsmask = MAXCODE(BITS_MIN);
-#ifdef LZW_CHECKEOS
sp->dec_bitsleft = 0;
- sp->old_tif_rawcc = 0;
-#endif
- sp->dec_free_entp = sp->dec_codetab + CODE_FIRST;
+ sp->old_tif_rawcc = 0;
+ sp->dec_free_entp = sp->dec_codetab - 1 ; // + CODE_FIRST;
/*
* Zero entries that are not yet filled in. We do
* this to guard against bogus input data that causes
@@ -328,8 +305,7 @@ LZWPreDecode(TIFF* tif, uint16_t s)
* come up with a way to safely bounds-check input codes
* while decoding then you can remove this operation.
*/
- _TIFFmemset(sp->dec_free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
- sp->dec_oldcodep = &sp->dec_codetab[-1];
+ sp->dec_oldcodep = &sp->dec_codetab[0];
sp->dec_maxcodep = &sp->dec_codetab[sp->dec_nbitsmask-1];
return (1);
}
@@ -337,24 +313,77 @@ LZWPreDecode(TIFF* tif, uint16_t s)
/*
* Decode a "hunk of data".
*/
-#define GetNextCode(sp, bp, code) { \
- nextdata = (nextdata<<8) | *(bp)++; \
- nextbits += 8; \
- if (nextbits < nbits) { \
- nextdata = (nextdata<<8) | *(bp)++; \
- nextbits += 8; \
- } \
- code = (hcode_t)((nextdata >> (nextbits-nbits)) & nbitsmask); \
- nextbits -= nbits; \
-}
+/* Get the next 32 or 64-bit from the input data */
+
+#ifdef WORDS_BIGENDIAN
+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata))
+#elif SIZEOF_WORDTYPE == 8
+# if defined(__GNUC__) && defined(__x86_64__)
+# define GetNextData(nextdata, bp) nextdata = __builtin_bswap64(*(uint64_t*)(bp))
+# elif defined(_M_X64)
+# define GetNextData(nextdata, bp) nextdata = _byteswap_uint64(*(uint64_t*)(bp))
+# elif defined(__GNUC__)
+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)); \
+ nextdata = __builtin_bswap64(nextdata)
+# else
+# define GetNextData(nextdata, bp) nextdata = (((uint64_t)bp[0]) << 56) | \
+ (((uint64_t)bp[1]) << 48) | \
+ (((uint64_t)bp[2]) << 40) | \
+ (((uint64_t)bp[3]) << 32) | \
+ (((uint64_t)bp[4]) << 24) | \
+ (((uint64_t)bp[5]) << 16) | \
+ (((uint64_t)bp[6]) << 8) | \
+ (((uint64_t)bp[7]))
+# endif
+#elif SIZEOF_WORDTYPE == 4
+# if defined(__GNUC__) && defined(__i386__)
+# define GetNextData(nextdata, bp) nextdata = __builtin_bswap32(*(uint32_t*)(bp))
+# elif defined(_M_X86)
+# define GetNextData(nextdata, bp) nextdata = _byteswap_ulong(*(unsigned long*)(bp))
+# elif defined(__GNUC__)
+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)); \
+ nextdata = __builtin_bswap32(nextdata)
+# else
+# define GetNextData(nextdata, bp) nextdata = (((uint32_t)bp[0]) << 24) | \
+ (((uint32_t)bp[1]) << 16) | \
+ (((uint32_t)bp[2]) << 8) | \
+ (((uint32_t)bp[3]))
+# endif
+#else
+# error "Unhandled SIZEOF_WORDTYPE"
+#endif
-static void
-codeLoop(TIFF* tif, const char* module)
-{
- TIFFErrorExt(tif->tif_clientdata, module,
- "Bogus encoding, loop in the code table; scanline %"PRIu32,
- tif->tif_row);
-}
+#define GetNextCodeLZW() do { \
+ nextbits -= nbits; \
+ if (nextbits < 0) { \
+ if (dec_bitsleft >= 8 * SIZEOF_WORDTYPE) { \
+ unsigned codetmp = (unsigned)(nextdata << (-nextbits)); \
+ GetNextData(nextdata, bp); \
+ bp += SIZEOF_WORDTYPE; \
+ nextbits += 8 * SIZEOF_WORDTYPE; \
+ dec_bitsleft -= 8 * SIZEOF_WORDTYPE; \
+ code = (WordType)((codetmp | (nextdata >> nextbits)) & nbitsmask); \
+ break; \
+ } \
+ else {\
+ if( dec_bitsleft < 8) { \
+ goto no_eoi; \
+ }\
+ nextdata = (nextdata<<8) | *(bp)++; \
+ nextbits += 8; \
+ dec_bitsleft -= 8; \
+ if( nextbits < 0 ) { \
+ if( dec_bitsleft < 8) { \
+ goto no_eoi; \
+ }\
+ nextdata = (nextdata<<8) | *(bp)++; \
+ nextbits += 8; \
+ dec_bitsleft -= 8; \
+ } \
+ } \
+ } \
+ code = (WordType)((nextdata >> nextbits) & nbitsmask); \
+} while(0)
static int
LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
@@ -363,13 +392,10 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
LZWCodecState *sp = DecoderState(tif);
char *op = (char*) op0;
long occ = (long) occ0;
- char *tp;
unsigned char *bp;
- hcode_t code;
- int len;
long nbits, nextbits, nbitsmask;
- unsigned long nextdata;
- code_t *codep, *free_entp, *maxcodep, *oldcodep;
+ WordType nextdata;
+ code_t *free_entp, *maxcodep, *oldcodep;
(void) s;
assert(sp != NULL);
@@ -386,7 +412,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
if (sp->dec_restart) {
long residue;
- codep = sp->dec_codep;
+ code_t* codep = sp->dec_codep;
residue = codep->length - sp->dec_restart;
if (residue > occ) {
/*
@@ -400,7 +426,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
codep = codep->next;
} while (--residue > occ && codep);
if (codep) {
- tp = op + occ;
+ uint8_t* tp = op + occ;
do {
*--tp = codep->value;
codep = codep->next;
@@ -413,7 +439,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
*/
op += residue;
occ -= residue;
- tp = op;
+ uint8_t* tp = op;
do {
int t;
--tp;
@@ -425,9 +451,8 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
}
bp = (unsigned char *)tif->tif_rawcp;
-#ifdef LZW_CHECKEOS
sp->dec_bitsleft += (((uint64_t)tif->tif_rawcc - sp->old_tif_rawcc) << 3);
-#endif
+ uint64_t dec_bitsleft = sp->dec_bitsleft;
nbits = sp->lzw_nbits;
nextdata = sp->lzw_nextdata;
nextbits = sp->lzw_nextbits;
@@ -435,128 +460,235 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
oldcodep = sp->dec_oldcodep;
free_entp = sp->dec_free_entp;
maxcodep = sp->dec_maxcodep;
+ code_t* const dec_codetab = sp->dec_codetab;
+ code_t* codep;
+
+ if (occ == 0) {
+ goto after_loop;
+ }
+
+begin:
+ {
+ WordType code;
+ GetNextCodeLZW();
+ codep = dec_codetab + code;
+ if (code >= CODE_FIRST)
+ goto code_above_or_equal_to_258;
+ if (code < 256)
+ goto code_below_256;
+ if (code == CODE_EOI)
+ goto after_loop;
+ goto code_clear;
+
+code_below_256:
+ {
+ if (codep > free_entp)
+ goto error_code;
+ free_entp->next = oldcodep;
+ free_entp->firstchar = oldcodep->firstchar;
+ free_entp->length = oldcodep->length+1;
+ free_entp->value = (uint8_t)code;
+ free_entp->repeated = (bool)(oldcodep->repeated & !(oldcodep->value - code));
+ if (++free_entp > maxcodep) {
+ if (++nbits > BITS_MAX) /* should not happen for a conformant encoder */
+ nbits = BITS_MAX;
+ nbitsmask = MAXCODE(nbits);
+ maxcodep = dec_codetab + nbitsmask-1;
+ if( free_entp >= &dec_codetab[CSIZE] )
+ {
+ /* At that point, the next valid states are either EOI or a */
+ /* CODE_CLEAR. If a regular code is read, at the next */
+ /* attempt at registering a new entry, we will error out */
+ /* due to setting free_entp before any valid code */
+ free_entp = dec_codetab - 1;
+ }
+ }
+ oldcodep = codep;
+ *op++ = (uint8_t)code;
+ occ--;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
- while (occ > 0) {
- NextCode(tif, sp, bp, code, GetNextCode);
- if (code == CODE_EOI)
- break;
- if (code == CODE_CLEAR) {
- do {
- free_entp = sp->dec_codetab + CODE_FIRST;
- _TIFFmemset(free_entp, 0,
- (CSIZE - CODE_FIRST) * sizeof (code_t));
- nbits = BITS_MIN;
- nbitsmask = MAXCODE(BITS_MIN);
- maxcodep = sp->dec_codetab + nbitsmask-1;
- NextCode(tif, sp, bp, code, GetNextCode);
- } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */
- if (code == CODE_EOI)
- break;
- if (code > CODE_CLEAR) {
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "LZWDecode: Corrupted LZW table at scanline %"PRIu32,
- tif->tif_row);
- return (0);
- }
- *op++ = (char)code;
- occ--;
- oldcodep = sp->dec_codetab + code;
- continue;
- }
- codep = sp->dec_codetab + code;
-
- /*
- * Add the new entry to the code table.
- */
- if (free_entp < &sp->dec_codetab[0] ||
- free_entp >= &sp->dec_codetab[CSIZE]) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "Corrupted LZW table at scanline %"PRIu32,
- tif->tif_row);
- return (0);
- }
+code_above_or_equal_to_258:
+ {
+ /*
+ * Add the new entry to the code table.
+ */
+
+ if (codep >= free_entp)
+ {
+ if (codep != free_entp)
+ goto error_code;
+ free_entp->value = oldcodep->firstchar;
+ }
+ else
+ {
+ free_entp->value = codep->firstchar;
+ }
+ free_entp->repeated = (bool)(oldcodep->repeated & !(oldcodep->value - free_entp->value));
+ free_entp->next = oldcodep;
+
+ free_entp->firstchar = oldcodep->firstchar;
+ free_entp->length = oldcodep->length+1;
+ if (++free_entp > maxcodep) {
+ if (++nbits > BITS_MAX) /* should not happen for a conformant encoder */
+ nbits = BITS_MAX;
+ nbitsmask = MAXCODE(nbits);
+ maxcodep = dec_codetab + nbitsmask-1;
+ if (free_entp >= &dec_codetab[CSIZE])
+ {
+ /* At that point, the next valid states are either EOI or a */
+ /* CODE_CLEAR. If a regular code is read, at the next */
+ /* attempt at registering a new entry, we will error out */
+ /* due to setting free_entp before any valid code */
+ free_entp = dec_codetab - 1;
+ }
+ }
+ oldcodep = codep;
+
+ /*
+ * Code maps to a string, copy string
+ * value to output (written in reverse).
+ */
+ /* tiny bit faster on x86_64 to store in unsigned short than int */
+ unsigned short len = codep->length;
+
+ if (len < 3) /* equivalent to len == 2 given all other conditions */
+ {
+ if (occ <= 2)
+ {
+ if (occ == 2)
+ {
+ memcpy(op, &(codep->firstchar), 2);
+ op += 2;
+ occ -= 2;
+ goto after_loop;
+ }
+ goto too_short_buffer;
+ }
- free_entp->next = oldcodep;
- if (free_entp->next < &sp->dec_codetab[0] ||
- free_entp->next >= &sp->dec_codetab[CSIZE]) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "Corrupted LZW table at scanline %"PRIu32,
- tif->tif_row);
- return (0);
- }
- free_entp->firstchar = free_entp->next->firstchar;
- free_entp->length = free_entp->next->length+1;
- free_entp->value = (codep < free_entp) ?
- codep->firstchar : free_entp->firstchar;
- if (++free_entp > maxcodep) {
- if (++nbits > BITS_MAX) /* should not happen */
- nbits = BITS_MAX;
- nbitsmask = MAXCODE(nbits);
- maxcodep = sp->dec_codetab + nbitsmask-1;
- }
- oldcodep = codep;
- if (code >= 256) {
- /*
- * Code maps to a string, copy string
- * value to output (written in reverse).
- */
- if(codep->length == 0) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "Wrong length of decoded string: "
- "data probably corrupted at scanline %"PRIu32,
- tif->tif_row);
- return (0);
- }
- if (codep->length > occ) {
- /*
- * String is too long for decode buffer,
- * locate portion that will fit, copy to
- * the decode buffer, and setup restart
- * logic for the next decoding call.
- */
- sp->dec_codep = codep;
- do {
- codep = codep->next;
- } while (codep && codep->length > occ);
- if (codep) {
- sp->dec_restart = (long)occ;
- tp = op + occ;
- do {
- *--tp = codep->value;
- codep = codep->next;
- } while (--occ && codep);
- if (codep)
- codeLoop(tif, module);
- }
- break;
- }
- len = codep->length;
- tp = op + len;
- do {
- int t;
- --tp;
- t = codep->value;
- codep = codep->next;
- *tp = (char)t;
- } while (codep && tp > op);
- if (codep) {
- codeLoop(tif, module);
- break;
- }
- assert(occ >= len);
- op += len;
- occ -= len;
- } else {
- *op++ = (char)code;
- occ--;
- }
- }
+ memcpy(op, &(codep->firstchar), 2);
+ op += 2;
+ occ -= 2;
+ goto begin; /* we can save the comparison occ > 0 */
+ }
+
+ if (len == 3)
+ {
+ if (occ <= 3)
+ {
+ if (occ == 3)
+ {
+ op[0] = codep->firstchar;
+ op[1] = codep->next->value;
+ op[2] = codep->value;
+ op += 3;
+ occ -= 3;
+ goto after_loop;
+ }
+ goto too_short_buffer;
+ }
+ op[0] = codep->firstchar;
+ op[1] = codep->next->value;
+ op[2] = codep->value;
+ op += 3;
+ occ -= 3;
+ goto begin; /* we can save the comparison occ > 0 */
+ }
+
+ if (len > occ)
+ {
+ goto too_short_buffer;
+ }
+
+ if (codep->repeated)
+ {
+ memset(op, codep->value, len);
+ op += len;
+ occ -= len;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
+
+ uint8_t* tp = op + len;
+
+ assert(len >= 4);
+
+ *--tp = codep->value;
+ codep = codep->next;
+ *--tp = codep->value;
+ codep = codep->next;
+ *--tp = codep->value;
+ codep = codep->next;
+ *--tp = codep->value;
+ if (tp > op)
+ {
+ do {
+ codep = codep->next;
+ *--tp = codep->value;
+ } while (tp > op);
+ }
+
+ assert(occ >= len);
+ op += len;
+ occ -= len;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
+code_clear:
+ {
+ free_entp = dec_codetab + CODE_FIRST;
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = dec_codetab + nbitsmask-1;
+ do {
+ GetNextCodeLZW();
+ } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */
+ if (code == CODE_EOI)
+ goto after_loop;
+ if (code > CODE_EOI) {
+ goto error_code;
+ }
+ *op++ = (uint8_t)code;
+ occ--;
+ oldcodep = dec_codetab + code;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
+ }
+
+too_short_buffer:
+ {
+ /*
+ * String is too long for decode buffer,
+ * locate portion that will fit, copy to
+ * the decode buffer, and setup restart
+ * logic for the next decoding call.
+ */
+ sp->dec_codep = codep;
+ do {
+ codep = codep->next;
+ } while (codep->length > occ);
+
+ sp->dec_restart = occ;
+ uint8_t* tp = op + occ;
+ do {
+ *--tp = codep->value;
+ codep = codep->next;
+ } while (--occ);
+ }
+
+after_loop:
tif->tif_rawcc -= (tmsize_t)((uint8_t*) bp - tif->tif_rawcp );
tif->tif_rawcp = (uint8_t*) bp;
-#ifdef LZW_CHECKEOS
sp->old_tif_rawcc = tif->tif_rawcc;
-#endif
+ sp->dec_bitsleft = dec_bitsleft;
sp->lzw_nbits = (unsigned short) nbits;
sp->lzw_nextdata = nextdata;
sp->lzw_nextbits = nextbits;
@@ -572,9 +704,35 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
return (0);
}
return (1);
+
+no_eoi:
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "LZWDecode: Strip %"PRIu32" not terminated with EOI code",
+ tif->tif_curstrip);
+ return 0;
+error_code:
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Using code not yet in table");
+ return 0;
}
#ifdef LZW_COMPAT
+
+/*
+ * This check shouldn't be necessary because each
+ * strip is suppose to be terminated with CODE_EOI.
+ */
+#define NextCode(_tif, _sp, _bp, _code, _get, dec_bitsleft) { \
+ if (dec_bitsleft < (uint64_t)nbits) { \
+ TIFFWarningExt(_tif->tif_clientdata, module, \
+ "LZWDecode: Strip %"PRIu32" not terminated with EOI code", \
+ _tif->tif_curstrip); \
+ _code = CODE_EOI; \
+ } else { \
+ _get(_sp,_bp,_code); \
+ dec_bitsleft -= nbits; \
+ } \
+}
+
/*
* Decode a "hunk of data" for old images.
*/
@@ -601,7 +759,8 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
unsigned char *bp;
int code, nbits;
int len;
- long nextbits, nextdata, nbitsmask;
+ long nextbits, nbitsmask;
+ WordType nextdata;
code_t *codep, *free_entp, *maxcodep, *oldcodep;
(void) s;
@@ -653,9 +812,10 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
}
bp = (unsigned char *)tif->tif_rawcp;
-#ifdef LZW_CHECKEOS
+
sp->dec_bitsleft += (((uint64_t)tif->tif_rawcc - sp->old_tif_rawcc) << 3);
-#endif
+ uint64_t dec_bitsleft = sp->dec_bitsleft;
+
nbits = sp->lzw_nbits;
nextdata = sp->lzw_nextdata;
nextbits = sp->lzw_nextbits;
@@ -665,7 +825,7 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
maxcodep = sp->dec_maxcodep;
while (occ > 0) {
- NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ NextCode(tif, sp, bp, code, GetNextCodeCompat, dec_bitsleft);
if (code == CODE_EOI)
break;
if (code == CODE_CLEAR) {
@@ -676,7 +836,7 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask;
- NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ NextCode(tif, sp, bp, code, GetNextCodeCompat, dec_bitsleft);
} while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */
if (code == CODE_EOI)
break;
@@ -772,9 +932,10 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
tif->tif_rawcc -= (tmsize_t)((uint8_t*) bp - tif->tif_rawcp );
tif->tif_rawcp = (uint8_t*) bp;
-#ifdef LZW_CHECKEOS
+
sp->old_tif_rawcc = tif->tif_rawcc;
-#endif
+ sp->dec_bitsleft = dec_bitsleft;
+
sp->lzw_nbits = (unsigned short)nbits;
sp->lzw_nextdata = nextdata;
sp->lzw_nextbits = nextbits;
@@ -893,7 +1054,7 @@ LZWEncode(TIFF* tif, uint8_t* bp, tmsize_t cc, uint16_t s)
hcode_t ent;
long disp;
long incount, outcount, checkpoint;
- unsigned long nextdata;
+ WordType nextdata;
long nextbits;
int free_ent, maxcode, nbits;
uint8_t* op;
@@ -1057,7 +1218,7 @@ LZWPostEncode(TIFF* tif)
register LZWCodecState *sp = EncoderState(tif);
uint8_t* op = tif->tif_rawcp;
long nextbits = sp->lzw_nextbits;
- unsigned long nextdata = sp->lzw_nextdata;
+ WordType nextdata = sp->lzw_nextdata;
long outcount = sp->enc_outcount;
int nbits = sp->lzw_nbits;
--
2.27.0

42
backport-0001-CVE-2022-22844.patch
View File

@ -1,42 +0,0 @@
From 49b81e99704bd199a24ccce65f974cc2d78cccc4 Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Tue, 4 Jan 2022 11:01:37 +0000
Subject: [PATCH] fixing global-buffer-overflow in tiffset
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/49b81e99704bd199a24ccce65f974cc2d78cccc4
---
tools/tiffset.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/tools/tiffset.c b/tools/tiffset.c
index 8c9e23c..b7badd9 100644
--- a/tools/tiffset.c
+++ b/tools/tiffset.c
@@ -146,9 +146,19 @@ main(int argc, char* argv[])
arg_index++;
if (TIFFFieldDataType(fip) == TIFF_ASCII) {
- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
- fprintf( stderr, "Failed to set %s=%s\n",
- TIFFFieldName(fip), argv[arg_index] );
+ if(TIFFFieldPassCount( fip )) {
+ size_t len;
+ len = (uint32_t)(strlen(argv[arg_index] + 1));
+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
+ (uint16_t)len, argv[arg_index]) != 1)
+ fprintf( stderr, "Failed to set %s=%s",
+ TIFFFieldName(fip), argv[arg_index] );
+ } else {
+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
+ argv[arg_index]) != 1)
+ fprintf( stderr, "Failed to set %s=%s",
+ TIFFFieldName(fip), argv[arg_index] );
+ }
} else if (TIFFFieldWriteCount(fip) > 0
|| TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
int ret = 1;
--
2.33.0

607
backport-0001-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch
View File

@ -1,607 +0,0 @@
From e319508023580e2f70e6e626f745b5b2a1707313 Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 10 May 2022 20:03:17 +0000
Subject: [PATCH] tiffcrop: Fix issue #330 and some more from 320 to 349
---
tools/tiffcrop.c | 282 +++++++++++++++++++++++++++++++++++------------
1 file changed, 210 insertions(+), 72 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 77cf6ed1..791ec5e7 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -63,20 +63,24 @@
* units when sectioning image into columns x rows
* using the -S cols:rows option.
* -X # Horizontal dimension of region to extract expressed in current
- * units
+ * units, relative to the specified origin reference 'edge' left (default for X) or right.
* -Y # Vertical dimension of region to extract expressed in current
- * units
+ * units, relative to the specified origin reference 'edge' top (default for Y) or bottom.
* -O orient Orientation for output image, portrait, landscape, auto
* -P page Page size for output image segments, eg letter, legal, tabloid,
* etc.
* -S cols:rows Divide the image into equal sized segments using cols across
* and rows down
- * -E t|l|r|b Edge to use as origin
+ * -E t|l|r|b Edge to use as origin (i.e. 'side' of the image not 'corner')
+ * top = width from left, zones from top to bottom (default)
+ * bottom = width from left, zones from bottom to top
+ * left = zones from left to right, length from top
+ * right = zones from right to left, length from top
* -m #,#,#,# Margins from edges for selection: top, left, bottom, right
* (commas separated)
* -Z #:#,#:# Zones of the image designated as zone X of Y,
* eg 1:3 would be first of three equal portions measured
- * from reference edge
+ * from reference edge (i.e. 'side' not corner)
* -N odd|even|#,#-#,#|last
* Select sequences and/or ranges of images within file
* to process. The words odd or even may be used to specify
@@ -103,10 +107,13 @@
* selects which functions dump data, with higher numbers selecting
* lower level, scanline level routines. Debug reports a limited set
* of messages to monitor progress without enabling dump logs.
+ *
+ * Note: The (-X|-Y), -Z and -z options are mutually exclusive.
+ * In no case should the options be applied to a given selection successively.
*/
-static char tiffcrop_version_id[] = "2.4.1";
-static char tiffcrop_rev_date[] = "03-03-2010";
+static char tiffcrop_version_id[] = "2.5";
+static char tiffcrop_rev_date[] = "02-09-2022";
#include "tif_config.h"
#include "libport.h"
@@ -774,6 +781,9 @@ static const char usage_info[] =
" The four debug/dump options are independent, though it makes little sense to\n"
" specify a dump file without specifying a detail level.\n"
"\n"
+"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
+" In no case should the options be applied to a given selection successively.\n"
+"\n"
;
/* This function could be modified to pass starting sample offset
@@ -2121,6 +2131,15 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
/*NOTREACHED*/
}
}
+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/
+ char XY, Z, R;
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
+ Z = (crop_data->crop_mode & CROP_ZONES);
+ R = (crop_data->crop_mode & CROP_REGIONS);
+ if ((XY && Z) || (XY && R) || (Z && R)) {
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit");
+ exit(EXIT_FAILURE);
+ }
} /* end process_command_opts */
/* Start a new output file if one has not been previously opened or
@@ -2746,7 +2765,7 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols,
tsample_t count, uint32_t start, uint32_t end)
{
int i, bytes_per_sample, sindex;
- uint32_t col, dst_rowsize, bit_offset;
+ uint32_t col, dst_rowsize, bit_offset, numcols;
uint32_t src_byte /*, src_bit */;
uint8_t *src = in;
uint8_t *dst = out;
@@ -2757,6 +2776,10 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols,
return (1);
}
+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
+ */
+ numcols = abs(end - start);
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamplesBytes",
@@ -2769,6 +2792,9 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
+ if (abs(end - start) > numcols) {
+ end = start + numcols;
+ }
dst_rowsize = (bps * (end - start) * count) / 8;
@@ -2812,7 +2838,7 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols,
tsample_t count, uint32_t start, uint32_t end)
{
int ready_bits = 0, sindex = 0;
- uint32_t col, src_byte, src_bit, bit_offset;
+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
uint8_t maskbits = 0, matchbits = 0;
uint8_t buff1 = 0, buff2 = 0;
uint8_t *src = in;
@@ -2824,6 +2850,10 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols,
return (1);
}
+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
+ */
+ numcols = abs(end - start);
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamples8bits",
@@ -2836,7 +2866,10 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
-
+ if (abs(end - start) > numcols) {
+ end = start + numcols;
+ }
+
ready_bits = 0;
maskbits = (uint8_t)-1 >> (8 - bps);
buff1 = buff2 = 0;
@@ -2889,7 +2922,7 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols,
tsample_t count, uint32_t start, uint32_t end)
{
int ready_bits = 0, sindex = 0;
- uint32_t col, src_byte, src_bit, bit_offset;
+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
uint16_t maskbits = 0, matchbits = 0;
uint16_t buff1 = 0, buff2 = 0;
uint8_t bytebuff = 0;
@@ -2902,6 +2935,10 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols,
return (1);
}
+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
+ */
+ numcols = abs(end - start);
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamples16bits",
@@ -2914,6 +2951,9 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
+ if (abs(end - start) > numcols) {
+ end = start + numcols;
+ }
ready_bits = 0;
maskbits = (uint16_t)-1 >> (16 - bps);
@@ -2978,7 +3018,7 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols,
tsample_t count, uint32_t start, uint32_t end)
{
int ready_bits = 0, sindex = 0;
- uint32_t col, src_byte, src_bit, bit_offset;
+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
uint32_t maskbits = 0, matchbits = 0;
uint32_t buff1 = 0, buff2 = 0;
uint8_t bytebuff1 = 0, bytebuff2 = 0;
@@ -2991,6 +3031,10 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols,
return (1);
}
+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
+ */
+ numcols = abs(end - start);
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamples24bits",
@@ -3003,6 +3047,9 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
+ if (abs(end - start) > numcols) {
+ end = start + numcols;
+ }
ready_bits = 0;
maskbits = (uint32_t)-1 >> (32 - bps);
@@ -3087,7 +3134,7 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
tsample_t count, uint32_t start, uint32_t end)
{
int ready_bits = 0, sindex = 0 /*, shift_width = 0 */;
- uint32_t col, src_byte, src_bit, bit_offset;
+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
uint32_t longbuff1 = 0, longbuff2 = 0;
uint64_t maskbits = 0, matchbits = 0;
uint64_t buff1 = 0, buff2 = 0, buff3 = 0;
@@ -3102,6 +3149,10 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
}
+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
+ */
+ numcols = abs(end - start);
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamples32bits",
@@ -3114,6 +3165,9 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
+ if (abs(end - start) > numcols) {
+ end = start + numcols;
+ }
/* shift_width = ((bps + 7) / 8) + 1; */
ready_bits = 0;
@@ -3193,7 +3247,7 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols,
int shift)
{
int ready_bits = 0, sindex = 0;
- uint32_t col, src_byte, src_bit, bit_offset;
+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
uint8_t maskbits = 0, matchbits = 0;
uint8_t buff1 = 0, buff2 = 0;
uint8_t *src = in;
@@ -3205,6 +3259,10 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols,
return (1);
}
+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
+ */
+ numcols = abs(end - start);
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamplesShifted8bits",
@@ -3217,6 +3275,9 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
+ if (abs(end - start) > numcols) {
+ end = start + numcols;
+ }
ready_bits = shift;
maskbits = (uint8_t)-1 >> (8 - bps);
@@ -3273,7 +3334,7 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols,
int shift)
{
int ready_bits = 0, sindex = 0;
- uint32_t col, src_byte, src_bit, bit_offset;
+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
uint16_t maskbits = 0, matchbits = 0;
uint16_t buff1 = 0, buff2 = 0;
uint8_t bytebuff = 0;
@@ -3286,6 +3347,10 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols,
return (1);
}
+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
+ */
+ numcols = abs(end - start);
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamplesShifted16bits",
@@ -3298,6 +3363,9 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
+ if (abs(end - start) > numcols) {
+ end = start + numcols;
+ }
ready_bits = shift;
maskbits = (uint16_t)-1 >> (16 - bps);
@@ -3363,7 +3431,7 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
int shift)
{
int ready_bits = 0, sindex = 0;
- uint32_t col, src_byte, src_bit, bit_offset;
+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
uint32_t maskbits = 0, matchbits = 0;
uint32_t buff1 = 0, buff2 = 0;
uint8_t bytebuff1 = 0, bytebuff2 = 0;
@@ -3376,6 +3444,16 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
return (1);
}
+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
+ */
+ /*--- Remark, which is true for all those functions extractCongigSamplesXXX() --
+ * The mitigation of the start/end test does not allways make sense, because the function is often called with e.g.:
+ * start = 31; end = 32; cols = 32 to extract the last column in a 32x32 sample image.
+ * If then, a worng parameter (e.g. cols = 10) is provided, the mitigated settings would be start=0; end=1.
+ * Therefore, an error message and no copy action might be the better reaction to wrong parameter configurations.
+ */
+ numcols = abs(end - start);
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamplesShifted24bits",
@@ -3388,6 +3466,9 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
+ if (abs(end - start) > numcols) {
+ end = start + numcols;
+ }
ready_bits = shift;
maskbits = (uint32_t)-1 >> (32 - bps);
@@ -3449,7 +3530,7 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols,
buff2 = (buff2 << 8);
bytebuff2 = bytebuff1;
ready_bits -= 8;
- }
+ }
return (0);
} /* end extractContigSamplesShifted24bits */
@@ -3461,7 +3542,7 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
int shift)
{
int ready_bits = 0, sindex = 0 /*, shift_width = 0 */;
- uint32_t col, src_byte, src_bit, bit_offset;
+ uint32_t col, src_byte, src_bit, bit_offset, numcols;
uint32_t longbuff1 = 0, longbuff2 = 0;
uint64_t maskbits = 0, matchbits = 0;
uint64_t buff1 = 0, buff2 = 0, buff3 = 0;
@@ -3476,6 +3557,10 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
}
+ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur.
+ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied!
+ */
+ numcols = abs(end - start);
if ((start > end) || (start > cols))
{
TIFFError ("extractContigSamplesShifted32bits",
@@ -3488,6 +3573,9 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
"Invalid end column value %"PRIu32" ignored", end);
end = cols;
}
+ if (abs(end - start) > numcols) {
+ end = start + numcols;
+ }
/* shift_width = ((bps + 7) / 8) + 1; */
ready_bits = shift;
@@ -5429,7 +5517,7 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
{
struct offset offsets;
int i;
- int32_t test;
+ uint32_t uaux;
uint32_t seg, total, need_buff = 0;
uint32_t buffsize;
uint32_t zwidth, zlength;
@@ -5510,8 +5598,13 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
seg = crop->zonelist[j].position;
total = crop->zonelist[j].total;
- /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
+ /* check for not allowed zone cases like 0:0; 4:3; or negative ones etc. and skip that input */
+ if (crop->zonelist[j].position < 0 || crop->zonelist[j].total < 0) {
+ TIFFError("getCropOffsets", "Negative crop zone values %d:%d are not allowed, thus skipped.", crop->zonelist[j].position, crop->zonelist[j].total);
+ continue;
+ }
if (seg == 0 || total == 0 || seg > total) {
+ TIFFError("getCropOffsets", "Crop zone %d:%d is out of specification, thus skipped.", seg, total);
continue;
}
@@ -5524,17 +5617,23 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
crop->regionlist[i].x1 = offsets.startx +
(uint32_t)(offsets.crop_width * 1.0 * (seg - 1) / total);
- test = (int32_t)offsets.startx +
- (int32_t)(offsets.crop_width * 1.0 * seg / total);
- if (test < 1 )
- crop->regionlist[i].x2 = 0;
- else
- {
- if (test > (int32_t)(image->width - 1))
+ /* FAULT: IMHO in the old code here, the calculation of x2 was based on wrong assumtions. The whole image was assumed and 'endy' and 'starty' are not respected anymore!*/
+ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */
+ if (crop->regionlist[i].x1 > offsets.endx) {
+ crop->regionlist[i].x1 = offsets.endx;
+ } else if (crop->regionlist[i].x1 >= image->width) {
+ crop->regionlist[i].x1 = image->width - 1;
+ }
+
+ crop->regionlist[i].x2 = offsets.startx + (uint32_t)(offsets.crop_width * 1.0 * seg / total);
+ if (crop->regionlist[i].x2 > 0) crop->regionlist[i].x2 = crop->regionlist[i].x2 - 1;
+ if (crop->regionlist[i].x2 < crop->regionlist[i].x1) {
+ crop->regionlist[i].x2 = crop->regionlist[i].x1;
+ } else if (crop->regionlist[i].x2 > offsets.endx) {
+ crop->regionlist[i].x2 = offsets.endx;
+ } else if (crop->regionlist[i].x2 >= image->width) {
crop->regionlist[i].x2 = image->width - 1;
- else
- crop->regionlist[i].x2 = test - 1;
- }
+ }
zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
/* This is passed to extractCropZone or extractCompositeZones */
@@ -5549,22 +5648,27 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
crop->regionlist[i].x1 = offsets.startx;
crop->regionlist[i].x2 = offsets.endx;
- test = offsets.endy - (uint32_t)(offsets.crop_length * 1.0 * seg / total);
- if (test < 1 )
- crop->regionlist[i].y1 = 0;
- else
- crop->regionlist[i].y1 = test + 1;
+ /* FAULT: IMHO in the old code here, the calculation of y1/y2 was based on wrong assumtions. The whole image was assumed and 'endy' and 'starty' are not respected anymore!*/
+ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */
+ uaux = (uint32_t)(offsets.crop_length * 1.0 * seg / total);
+ if (uaux <= offsets.endy + 1) {
+ crop->regionlist[i].y1 = offsets.endy - uaux + 1;
+ } else {
+ crop->regionlist[i].y1 = 0;
+ }
+ if (crop->regionlist[i].y1 < offsets.starty) {
+ crop->regionlist[i].y1 = offsets.starty;
+ }
- test = offsets.endy - (offsets.crop_length * 1.0 * (seg - 1) / total);
- if (test < 1 )
- crop->regionlist[i].y2 = 0;
- else
- {
- if (test > (int32_t)(image->length - 1))
- crop->regionlist[i].y2 = image->length - 1;
- else
- crop->regionlist[i].y2 = test;
- }
+ uaux = (uint32_t)(offsets.crop_length * 1.0 * (seg - 1) / total);
+ if (uaux <= offsets.endy) {
+ crop->regionlist[i].y2 = offsets.endy - uaux;
+ } else {
+ crop->regionlist[i].y2 = 0;
+ }
+ if (crop->regionlist[i].y2 < offsets.starty) {
+ crop->regionlist[i].y2 = offsets.starty;
+ }
zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
/* This is passed to extractCropZone or extractCompositeZones */
@@ -5575,32 +5679,42 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
crop->combined_width = (uint32_t)zwidth;
break;
case EDGE_RIGHT: /* zones from right to left, length from top */
- zlength = offsets.crop_length;
- crop->regionlist[i].y1 = offsets.starty;
- crop->regionlist[i].y2 = offsets.endy;
-
- crop->regionlist[i].x1 = offsets.startx +
- (uint32_t)(offsets.crop_width * (total - seg) * 1.0 / total);
- test = offsets.startx +
- (offsets.crop_width * (total - seg + 1) * 1.0 / total);
- if (test < 1 )
- crop->regionlist[i].x2 = 0;
- else
- {
- if (test > (int32_t)(image->width - 1))
- crop->regionlist[i].x2 = image->width - 1;
- else
- crop->regionlist[i].x2 = test - 1;
- }
- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ zlength = offsets.crop_length;
+ crop->regionlist[i].y1 = offsets.starty;
+ crop->regionlist[i].y2 = offsets.endy;
+
+ crop->regionlist[i].x1 = offsets.startx +
+ (uint32_t)(offsets.crop_width * (total - seg) * 1.0 / total);
+ /* FAULT: IMHO from here on, the calculation of y2 are based on wrong assumtions. The whole image is assumed and 'endy' and 'starty' are not respected anymore!*/
+ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */
+ uaux = (uint32_t)(offsets.crop_width * 1.0 * seg / total);
+ if (uaux <= offsets.endx + 1) {
+ crop->regionlist[i].x1 = offsets.endx - uaux + 1;
+ } else {
+ crop->regionlist[i].x1 = 0;
+ }
+ if (crop->regionlist[i].x1 < offsets.startx) {
+ crop->regionlist[i].x1 = offsets.startx;
+ }
- /* This is passed to extractCropZone or extractCompositeZones */
- crop->combined_length = (uint32_t)zlength;
- if (crop->exp_mode == COMPOSITE_IMAGES)
- crop->combined_width += (uint32_t)zwidth;
- else
- crop->combined_width = (uint32_t)zwidth;
- break;
+ uaux = (uint32_t)(offsets.crop_width * 1.0 * (seg - 1) / total);
+ if (uaux <= offsets.endx) {
+ crop->regionlist[i].x2 = offsets.endx - uaux;
+ } else {
+ crop->regionlist[i].x2 = 0;
+ }
+ if (crop->regionlist[i].x2 < offsets.startx) {
+ crop->regionlist[i].x2 = offsets.startx;
+ }
+ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+
+ /* This is passed to extractCropZone or extractCompositeZones */
+ crop->combined_length = (uint32_t)zlength;
+ if (crop->exp_mode == COMPOSITE_IMAGES)
+ crop->combined_width += (uint32_t)zwidth;
+ else
+ crop->combined_width = (uint32_t)zwidth;
+ break;
case EDGE_TOP: /* width from left, zones from top to bottom */
default:
zwidth = offsets.crop_width;
@@ -5608,6 +5722,14 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
crop->regionlist[i].x2 = offsets.endx;
crop->regionlist[i].y1 = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * (seg - 1) / total);
+ if (crop->regionlist[i].y1 > offsets.endy) {
+ crop->regionlist[i].y1 = offsets.endy;
+ } else if (crop->regionlist[i].y1 >= image->length) {
+ crop->regionlist[i].y1 = image->length - 1;
+ }
+
+ /* FAULT: IMHO from here on, the calculation of y2 are based on wrong assumtions. The whole image is assumed and 'endy' and 'starty' are not respected anymore!*/
+ /* OLD Code:
test = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * seg / total);
if (test < 1 )
crop->regionlist[i].y2 = 0;
@@ -5618,6 +5740,18 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
else
crop->regionlist[i].y2 = test - 1;
}
+ */
+ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */
+ crop->regionlist[i].y2 = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * seg / total);
+ if (crop->regionlist[i].y2 > 0)crop->regionlist[i].y2 = crop->regionlist[i].y2 - 1;
+ if (crop->regionlist[i].y2 < crop->regionlist[i].y1) {
+ crop->regionlist[i].y2 = crop->regionlist[i].y1;
+ } else if (crop->regionlist[i].y2 > offsets.endy) {
+ crop->regionlist[i].y2 = offsets.endy;
+ } else if (crop->regionlist[i].y2 >= image->length) {
+ crop->regionlist[i].y2 = image->length - 1;
+ }
+
zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
/* This is passed to extractCropZone or extractCompositeZones */
@@ -7551,7 +7685,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
total_width = total_length = 0;
for (i = 0; i < crop->selections; i++)
{
- cropsize = crop->bufftotal;
+
+ cropsize = crop->bufftotal;
crop_buff = seg_buffs[i].buffer;
if (!crop_buff)
crop_buff = (unsigned char *)limitMalloc(cropsize);
@@ -7640,6 +7775,9 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
+ /* rotateImage() changes image->width, ->length, ->xres and ->yres, what it schouldn't do here, when more than one section is processed.
+ * ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !!
+ */
if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
&crop->regionlist[i].length, &crop_buff))
{
@@ -7655,8 +7793,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
* image->spp) * crop->regionlist[i].length;
}
- }
- }
+ } /* for crop->selections loop */
+ } /* Separated Images (else case) */
return (0);
} /* end processCropSelections */
--
GitLab

49
backport-0001-CVE-2022-3570-CVE-2022-3598.patch
View File

@ -1,49 +0,0 @@
From fc3e3a202d65e4b0f42a63c8001324b2a7fae88b Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Mon, 27 Sep 2021 18:42:22 +0200
Subject: [PATCH] tiffcrop.c: remove useless 'set but not read' variables
---
tools/tiffcrop.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index b85c2ce7..0da31577 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -1177,7 +1177,6 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
tstrip_t strip = 0;
tsize_t stripsize = TIFFStripSize(out);
tsize_t rowstripsize, scanlinesize = TIFFScanlineSize(out);
- tsize_t total_bytes = 0;
tdata_t obuf;
(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
@@ -1215,7 +1214,6 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
stripsize = TIFFVStripSize(out, nrows);
src = buf + (row * rowsize);
- total_bytes += stripsize;
memset (obuf, '\0', rowstripsize);
if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump))
{
@@ -2710,7 +2708,7 @@ static void dump_info(FILE *dumpfile, int format, char *prefix, char *msg, ...)
static int dump_buffer (FILE* dumpfile, int format, uint32_t rows, uint32_t width,
uint32_t row, unsigned char *buff)
{
- int j, k;
+ int k;
uint32_t i;
unsigned char * dump_ptr;
@@ -2728,7 +2726,7 @@ static int dump_buffer (FILE* dumpfile, int format, uint32_t rows, uint32_t widt
"Row %4"PRIu32", %"PRIu32" bytes at offset %"PRIu32,
row + i + 1u, width, row * width);
- for (j = 0, k = width; k >= 10; j += 10, k -= 10, dump_ptr += 10)
+ for (k = width; k >= 10; k -= 10, dump_ptr += 10)
dump_data (dumpfile, format, "", dump_ptr, 10);
if (k > 0)
dump_data (dumpfile, format, "", dump_ptr, k);
--
GitLab

56
backport-0002-CVE-2022-1622-CVE-2022-1623.patch
View File

@ -1,56 +0,0 @@
From b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Fri, 22 Apr 2022 18:58:52 +0200
Subject: [PATCH] tif_lzw.c: fix potential out-of-bounds error when trying to
read in the same tile/strip after an error has occured (fixes #410)
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a
---
libtiff/tif_lzw.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index c28366b..1f255d9 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -140,6 +140,7 @@ typedef struct {
code_t* dec_free_entp; /* next free entry */
code_t* dec_maxcodep; /* max available entry */
code_t* dec_codetab; /* kept separate for small machines */
+ int read_error; /* whether a read error has occured, and which should cause further reads in the same strip/tile to be aborted */
/* Encoding specific data */
int enc_oldcode; /* last code encountered */
@@ -307,6 +308,7 @@ LZWPreDecode(TIFF* tif, uint16_t s)
*/
sp->dec_oldcodep = &sp->dec_codetab[0];
sp->dec_maxcodep = &sp->dec_codetab[sp->dec_nbitsmask-1];
+ sp->read_error = 0;
return (1);
}
@@ -399,7 +401,11 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
(void) s;
assert(sp != NULL);
- assert(sp->dec_codetab != NULL);
+ assert(sp->dec_codetab != NULL);
+
+ if (sp->read_error) {
+ return 0;
+ }
/*
Fail if value does not fit in long.
@@ -711,6 +717,7 @@ no_eoi:
tif->tif_curstrip);
return 0;
error_code:
+ sp->read_error = 1;
TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Using code not yet in table");
return 0;
}
--
2.27.0

39
backport-0002-CVE-2022-22844.patch
View File

@ -1,39 +0,0 @@
From 0cf67888e32e36b45828dd467920684c93f2b22d Mon Sep 17 00:00:00 2001
From: Timothy Lyanguzov <theta682@gmail.com>
Date: Tue, 25 Jan 2022 04:27:28 +0000
Subject: [PATCH] Apply 4 suggestion(s) to 1 file(s)
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/0cf67888e32e36b45828dd467920684c93f2b22d
---
tools/tiffset.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/tiffset.c b/tools/tiffset.c
index b7badd9..b8b52c0 100644
--- a/tools/tiffset.c
+++ b/tools/tiffset.c
@@ -148,15 +148,15 @@ main(int argc, char* argv[])
if (TIFFFieldDataType(fip) == TIFF_ASCII) {
if(TIFFFieldPassCount( fip )) {
size_t len;
- len = (uint32_t)(strlen(argv[arg_index] + 1));
- if (TIFFSetField(tiff, TIFFFieldTag(fip),
+ len = strlen(argv[arg_index] + 1);
+ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
(uint16_t)len, argv[arg_index]) != 1)
- fprintf( stderr, "Failed to set %s=%s",
+ fprintf( stderr, "Failed to set %s=%s\n",
TIFFFieldName(fip), argv[arg_index] );
} else {
if (TIFFSetField(tiff, TIFFFieldTag(fip),
argv[arg_index]) != 1)
- fprintf( stderr, "Failed to set %s=%s",
+ fprintf( stderr, "Failed to set %s=%s\n",
TIFFFieldName(fip), argv[arg_index] );
}
} else if (TIFFFieldWriteCount(fip) > 0
--
2.33.0

131
backport-0002-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch
View File

@ -1,131 +0,0 @@
From 8fe3735942ea1d90d8cef843b55b3efe8ab6feaf Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Mon, 15 Aug 2022 22:11:03 +0200
Subject: [PATCH 1/2] =?UTF-8?q?According=20to=20Richard=20Nolde=20https://?=
=?UTF-8?q?gitlab.com/libtiff/libtiff/-/issues/401#note=5F877637400=20the?=
=?UTF-8?q?=20tiffcrop=20option=20=E2=80=9E-S=E2=80=9C=20is=20also=20mutua?=
=?UTF-8?q?lly=20exclusive=20to=20the=20other=20crop=20options=20(-X|-Y),?=
=?UTF-8?q?=20-Z=20and=20-z.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is now checked and ends tiffcrop if those arguments are not mutually exclusive.
This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424
---
tools/tiffcrop.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 90286a5e..c3b758ec 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -108,12 +108,12 @@
* lower level, scanline level routines. Debug reports a limited set
* of messages to monitor progress without enabling dump logs.
*
- * Note: The (-X|-Y), -Z and -z options are mutually exclusive.
+ * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
* In no case should the options be applied to a given selection successively.
*/
-static char tiffcrop_version_id[] = "2.5";
-static char tiffcrop_rev_date[] = "02-09-2022";
+static char tiffcrop_version_id[] = "2.5.1";
+static char tiffcrop_rev_date[] = "15-08-2022";
#include "tif_config.h"
#include "libport.h"
@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022";
#define ROTATECW_270 32
#define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
-#define CROP_NONE 0
-#define CROP_MARGINS 1
-#define CROP_WIDTH 2
-#define CROP_LENGTH 4
-#define CROP_ZONES 8
-#define CROP_REGIONS 16
+#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
+#define CROP_MARGINS 1 /* "-m" */
+#define CROP_WIDTH 2 /* "-X" */
+#define CROP_LENGTH 4 /* "-Y" */
+#define CROP_ZONES 8 /* "-Z" */
+#define CROP_REGIONS 16 /* "-z" */
#define CROP_ROTATE 32
#define CROP_MIRROR 64
#define CROP_INVERT 128
@@ -316,7 +316,7 @@ struct crop_mask {
#define PAGE_MODE_RESOLUTION 1
#define PAGE_MODE_PAPERSIZE 2
#define PAGE_MODE_MARGINS 4
-#define PAGE_MODE_ROWSCOLS 8
+#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
#define INVERT_DATA_ONLY 10
#define INVERT_DATA_AND_TAG 11
@@ -781,7 +781,7 @@ static const char usage_info[] =
" The four debug/dump options are independent, though it makes little sense to\n"
" specify a dump file without specifying a detail level.\n"
"\n"
-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n"
+"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
" In no case should the options be applied to a given selection successively.\n"
"\n"
;
@@ -2131,13 +2131,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
/*NOTREACHED*/
}
}
- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/
- char XY, Z, R;
+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
+ char XY, Z, R, S;
XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
Z = (crop_data->crop_mode & CROP_ZONES);
R = (crop_data->crop_mode & CROP_REGIONS);
- if ((XY && Z) || (XY && R) || (Z && R)) {
- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit");
+ S = (page->mode & PAGE_MODE_ROWSCOLS);
+ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
exit(EXIT_FAILURE);
}
} /* end process_command_opts */
--
GitLab
From bad48e90b410df32172006c7876da449ba62cdba Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sat, 20 Aug 2022 23:35:26 +0200
Subject: [PATCH 2/2] tiffcrop -S option: Make decision simpler.
---
tools/tiffcrop.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index c3b758ec..8fd856dc 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -2133,11 +2133,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
}
/*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
char XY, Z, R, S;
- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
- Z = (crop_data->crop_mode & CROP_ZONES);
- R = (crop_data->crop_mode & CROP_REGIONS);
- S = (page->mode & PAGE_MODE_ROWSCOLS);
- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
+ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
+ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
+ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
+ if (XY + Z + R + S > 1) {
TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
exit(EXIT_FAILURE);
}
--
GitLab

34
backport-0002-CVE-2022-3570-CVE-2022-3598.patch
View File

@ -1,34 +0,0 @@
From aac006e5796437f1729b1284fbfa506b2b730aff Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Sat, 19 Feb 2022 16:08:15 +0000
Subject: [PATCH] tiffcrop: buffsize check formula in loadImage() amended
(fixes #273,#275)
---
tools/tiffcrop.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index e4a08ca9..f2e5474a 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6153,9 +6153,15 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFError("loadImage", "Integer overflow detected.");
exit(EXIT_FAILURE);
}
- if (buffsize < (uint32_t) (((length * width * spp * bps) + 7) / 8))
+ /* The buffsize_check and the possible adaptation of buffsize
+ * has to account also for padding of each line to a byte boundary.
+ * This is assumed by mirrorImage() and rotateImage().
+ * Otherwise buffer-overflow might occur there.
+ */
+ buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8);
+ if (buffsize < buffsize_check)
{
- buffsize = ((length * width * spp * bps) + 7) / 8;
+ buffsize = buffsize_check;
#ifdef DEBUG2
TIFFError("loadImage",
"Stripsize %"PRIu32" is too small, using imagelength * width * spp * bps / 8 = %"PRIu32,
--
GitLab

28
backport-0003-CVE-2022-22844.patch
View File

@ -1,28 +0,0 @@
From 0a827a985f891d6df481a6f581c723640fad7874 Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Tue, 25 Jan 2022 04:30:38 +0000
Subject: [PATCH] fix a small typo in strlen
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/0a827a985f891d6df481a6f581c723640fad7874
---
tools/tiffset.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/tiffset.c b/tools/tiffset.c
index b8b52c0..e7a88c0 100644
--- a/tools/tiffset.c
+++ b/tools/tiffset.c
@@ -148,7 +148,7 @@ main(int argc, char* argv[])
if (TIFFFieldDataType(fip) == TIFF_ASCII) {
if(TIFFFieldPassCount( fip )) {
size_t len;
- len = strlen(argv[arg_index] + 1);
+ len = strlen(argv[arg_index]) + 1;
if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
(uint16_t)len, argv[arg_index]) != 1)
fprintf( stderr, "Failed to set %s=%s\n",
--
2.33.0

659
backport-0003-CVE-2022-3570-CVE-2022-3598.patch
View File

@ -1,659 +0,0 @@
From afd7086090dafd3949afd172822cbcec4ed17d56 Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Thu, 13 Oct 2022 14:33:27 +0000
Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271,
#381, #386, #388, #389, #435)
---
tools/tiffcrop.c | 209 ++++++++++++++++++++++++++---------------------
1 file changed, 118 insertions(+), 91 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 41a2ea36..deab5feb 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -114,8 +114,8 @@
* such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
*/
-static char tiffcrop_version_id[] = "2.5.3";
-static char tiffcrop_rev_date[] = "26-08-2022";
+static char tiffcrop_version_id[] = "2.5.4";
+static char tiffcrop_rev_date[] = "27-08-2022";
#include "tif_config.h"
#include "libport.h"
@@ -212,6 +212,10 @@ static char tiffcrop_rev_date[] = "26-08-2022";
#define TIFF_DIR_MAX 65534
+/* Some conversion subroutines require image buffers, which are at least 3 bytes
+ * larger than the necessary size for the image itself. */
+#define NUM_BUFF_OVERSIZE_BYTES 3
+
/* Offsets into buffer for margins and fixed width and length segments */
struct offset {
uint32_t tmargin;
@@ -233,7 +237,7 @@ struct offset {
*/
struct buffinfo {
- uint32_t size; /* size of this buffer */
+ size_t size; /* size of this buffer */
unsigned char *buffer; /* address of the allocated buffer */
};
@@ -810,8 +814,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
uint32_t dst_rowsize, shift_width;
uint32_t bytes_per_sample, bytes_per_pixel;
uint32_t trailing_bits, prev_trailing_bits;
- uint32_t tile_rowsize = TIFFTileRowSize(in);
- uint32_t src_offset, dst_offset;
+ tmsize_t tile_rowsize = TIFFTileRowSize(in);
+ tmsize_t src_offset, dst_offset;
uint32_t row_offset, col_offset;
uint8_t *bufp = (uint8_t*) buf;
unsigned char *src = NULL;
@@ -861,7 +865,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
exit(EXIT_FAILURE);
}
- tilebuf = limitMalloc(tile_buffsize + 3);
+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (tilebuf == 0)
return 0;
tilebuf[tile_buffsize] = 0;
@@ -1024,7 +1028,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf,
for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++)
{
srcbuffs[sample] = NULL;
- tbuff = (unsigned char *)limitMalloc(tilesize + 8);
+ tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES);
if (!tbuff)
{
TIFFError ("readSeparateTilesIntoBuffer",
@@ -1217,7 +1221,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
}
rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
- obuf = limitMalloc (rowstripsize);
+ /* Add 3 padding bytes for extractContigSamples32bits */
+ obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
if (obuf == NULL)
return 1;
@@ -1229,7 +1234,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
stripsize = TIFFVStripSize(out, nrows);
src = buf + (row * rowsize);
- memset (obuf, '\0', rowstripsize);
+ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump))
{
_TIFFfree(obuf);
@@ -1237,10 +1242,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
}
if ((dump->outfile != NULL) && (dump->level == 1))
{
- dump_info(dump->outfile, dump->format,"",
+ if (scanlinesize > 0x0ffffffffULL) {
+ dump_info(dump->infile, dump->format, "loadImage",
+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
+ scanlinesize);
+ }
+ dump_info(dump->outfile, dump->format,"",
"Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d",
- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf);
- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf);
+ s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf);
+ dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf);
}
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0)
@@ -1267,7 +1277,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
uint32_t tl, tw;
uint32_t row, col, nrow, ncol;
uint32_t src_rowsize, col_offset;
- uint32_t tile_rowsize = TIFFTileRowSize(out);
+ tmsize_t tile_rowsize = TIFFTileRowSize(out);
uint8_t* bufp = (uint8_t*) buf;
tsize_t tile_buffsize = 0;
tsize_t tilesize = TIFFTileSize(out);
@@ -1310,9 +1320,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
}
src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
- tilebuf = limitMalloc(tile_buffsize);
+ /* Add 3 padding bytes for extractContigSamples32bits */
+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (tilebuf == 0)
return 1;
+ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
for (row = 0; row < imagelength; row += tl)
{
nrow = (row + tl > imagelength) ? imagelength - row : tl;
@@ -1358,7 +1370,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
uint32_t imagewidth, tsample_t spp,
struct dump_opts * dump)
{
- tdata_t obuf = limitMalloc(TIFFTileSize(out));
+ /* Add 3 padding bytes for extractContigSamples32bits */
+ tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
uint32_t tl, tw;
uint32_t row, col, nrow, ncol;
uint32_t src_rowsize, col_offset;
@@ -1368,6 +1381,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
if (obuf == NULL)
return 1;
+ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
!TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
@@ -1793,14 +1807,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
*opt_offset = '\0';
/* convert option to lowercase */
- end = strlen (opt_ptr);
+ end = (unsigned int)strlen (opt_ptr);
for (i = 0; i < end; i++)
*(opt_ptr + i) = tolower((int) *(opt_ptr + i));
/* Look for dump format specification */
if (strncmp(opt_ptr, "for", 3) == 0)
{
/* convert value to lowercase */
- end = strlen (opt_offset + 1);
+ end = (unsigned int)strlen (opt_offset + 1);
for (i = 1; i <= end; i++)
*(opt_offset + i) = tolower((int) *(opt_offset + i));
/* check dump format value */
@@ -2273,6 +2287,8 @@ main(int argc, char* argv[])
size_t length;
char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */
+ assert(NUM_BUFF_OVERSIZE_BYTES >= 3);
+
little_endian = *((unsigned char *)&little_endian) & '1';
initImageData(&image);
@@ -3227,13 +3243,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
/* If we have a full buffer's worth, write it out */
if (ready_bits >= 32)
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -3642,13 +3658,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
}
else /* If we have a full buffer's worth, write it out */
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -3825,10 +3841,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3
static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
{
uint8_t* bufp = buf;
- int32_t bytes_read = 0;
+ tmsize_t bytes_read = 0;
uint32_t strip, nstrips = TIFFNumberOfStrips(in);
- uint32_t stripsize = TIFFStripSize(in);
- uint32_t rows = 0;
+ tmsize_t stripsize = TIFFStripSize(in);
+ tmsize_t rows = 0;
uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
tsize_t scanline_size = TIFFScanlineSize(in);
@@ -3841,11 +3857,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1);
rows = bytes_read / scanline_size;
if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize))
- TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32,
+ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64,
strip + 1, bytes_read, stripsize);
if (bytes_read < 0 && !ignore) {
- TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows",
+ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows",
strip, rows);
return 0;
}
@@ -4310,13 +4326,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
/* If we have a full buffer's worth, write it out */
if (ready_bits >= 32)
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -4359,10 +4375,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
"Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
row + 1, col + 1, src_byte, src_bit, dst - out);
- dump_long (dumpfile, format, "Match bits ", matchbits);
+ dump_wide (dumpfile, format, "Match bits ", matchbits);
dump_data (dumpfile, format, "Src bits ", src, 4);
- dump_long (dumpfile, format, "Buff1 bits ", buff1);
- dump_long (dumpfile, format, "Buff2 bits ", buff2);
+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
dump_byte (dumpfile, format, "Write bits1", bytebuff1);
dump_byte (dumpfile, format, "Write bits2", bytebuff2);
dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
@@ -4835,13 +4851,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
/* If we have a full buffer's worth, write it out */
if (ready_bits >= 32)
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -4884,10 +4900,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
"Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
row + 1, col + 1, src_byte, src_bit, dst - out);
- dump_long (dumpfile, format, "Match bits ", matchbits);
+ dump_wide (dumpfile, format, "Match bits ", matchbits);
dump_data (dumpfile, format, "Src bits ", src, 4);
- dump_long (dumpfile, format, "Buff1 bits ", buff1);
- dump_long (dumpfile, format, "Buff2 bits ", buff2);
+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
dump_byte (dumpfile, format, "Write bits1", bytebuff1);
dump_byte (dumpfile, format, "Write bits2", bytebuff2);
dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
@@ -4910,7 +4926,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
{
int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
uint32_t j;
- int32_t bytes_read = 0;
+ tmsize_t bytes_read = 0;
uint16_t bps = 0, planar;
uint32_t nstrips;
uint32_t strips_per_sample;
@@ -4976,7 +4992,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
{
srcbuffs[s] = NULL;
- buff = limitMalloc(stripsize + 3);
+ buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES);
if (!buff)
{
TIFFError ("readSeparateStripsIntoBuffer",
@@ -4999,7 +5015,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
buff = srcbuffs[s];
strip = (s * strips_per_sample) + j;
bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
- rows_this_strip = bytes_read / src_rowsize;
+ rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
if (bytes_read < 0 && !ignore)
{
TIFFError(TIFFFileName(in),
@@ -6062,13 +6078,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
uint16_t input_compression = 0, input_photometric = 0;
uint16_t subsampling_horiz, subsampling_vert;
uint32_t width = 0, length = 0;
- uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0;
+ tmsize_t stsize = 0, tlsize = 0, buffsize = 0;
+ tmsize_t scanlinesize = 0;
uint32_t tw = 0, tl = 0; /* Tile width and length */
- uint32_t tile_rowsize = 0;
+ tmsize_t tile_rowsize = 0;
unsigned char *read_buff = NULL;
unsigned char *new_buff = NULL;
int readunit = 0;
- static uint32_t prev_readsize = 0;
+ static tmsize_t prev_readsize = 0;
TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -6325,6 +6342,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
/* The buffsize_check and the possible adaptation of buffsize
* has to account also for padding of each line to a byte boundary.
* This is assumed by mirrorImage() and rotateImage().
+ * Furthermore, functions like extractContigSamplesShifted32bits()
+ * need a buffer, which is at least 3 bytes larger than the actual image.
* Otherwise buffer-overflow might occur there.
*/
buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8);
@@ -6376,7 +6395,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
return (-1);
}
- read_buff = (unsigned char *)limitMalloc(buffsize+3);
+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
{
@@ -6387,11 +6406,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
return (-1);
}
- new_buff = _TIFFrealloc(read_buff, buffsize+3);
+ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
if (!new_buff)
{
free (read_buff);
- read_buff = (unsigned char *)limitMalloc(buffsize+3);
+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
read_buff = new_buff;
@@ -6464,8 +6483,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
dump_info (dump->infile, dump->format, "",
"Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp);
+ if (scanlinesize > 0x0ffffffffULL) {
+ dump_info(dump->infile, dump->format, "loadImage",
+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
+ scanlinesize);
+ }
for (i = 0; i < length; i++)
- dump_buffer(dump->infile, dump->format, 1, scanlinesize,
+ dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize,
i, read_buff + (i * scanlinesize));
}
return (0);
@@ -7485,13 +7509,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image,
if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
- int inknameslen = strlen(inknames) + 1;
+ int inknameslen = (int)strlen(inknames) + 1;
const char* cp = inknames;
while (ninks > 1) {
cp = strchr(cp, '\0');
if (cp) {
cp++;
- inknameslen += (strlen(cp) + 1);
+ inknameslen += ((int)strlen(cp) + 1);
}
ninks--;
}
@@ -7554,23 +7578,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
if (!sect_buff)
{
- sect_buff = (unsigned char *)limitMalloc(sectsize);
+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
if (!sect_buff)
{
TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
return (-1);
}
- _TIFFmemset(sect_buff, 0, sectsize);
+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
{
if (prev_sectsize < sectsize)
{
- new_buff = _TIFFrealloc(sect_buff, sectsize);
+ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES);
if (!new_buff)
{
_TIFFfree (sect_buff);
- sect_buff = (unsigned char *)limitMalloc(sectsize);
+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
sect_buff = new_buff;
@@ -7580,7 +7604,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
return (-1);
}
- _TIFFmemset(sect_buff, 0, sectsize);
+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
}
}
@@ -7611,17 +7635,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
cropsize = crop->bufftotal;
crop_buff = seg_buffs[0].buffer;
if (!crop_buff)
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
{
prev_cropsize = seg_buffs[0].size;
if (prev_cropsize < cropsize)
{
- next_buff = _TIFFrealloc(crop_buff, cropsize);
+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (! next_buff)
{
_TIFFfree (crop_buff);
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
crop_buff = next_buff;
@@ -7634,7 +7658,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
seg_buffs[0].buffer = crop_buff;
seg_buffs[0].size = cropsize;
@@ -7714,17 +7738,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
cropsize = crop->bufftotal;
crop_buff = seg_buffs[i].buffer;
if (!crop_buff)
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
{
prev_cropsize = seg_buffs[0].size;
if (prev_cropsize < cropsize)
{
- next_buff = _TIFFrealloc(crop_buff, cropsize);
+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (! next_buff)
{
_TIFFfree (crop_buff);
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
crop_buff = next_buff;
@@ -7737,7 +7761,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
seg_buffs[i].buffer = crop_buff;
seg_buffs[i].size = cropsize;
@@ -7853,24 +7877,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
crop_buff = *crop_buff_ptr;
if (!crop_buff)
{
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (!crop_buff)
{
TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
prev_cropsize = cropsize;
}
else
{
if (prev_cropsize < cropsize)
{
- new_buff = _TIFFrealloc(crop_buff, cropsize);
+ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
if (!new_buff)
{
free (crop_buff);
- crop_buff = (unsigned char *)limitMalloc(cropsize);
+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
else
crop_buff = new_buff;
@@ -7879,7 +7903,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
return (-1);
}
- _TIFFmemset(crop_buff, 0, cropsize);
+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
}
}
@@ -8177,13 +8201,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
- int inknameslen = strlen(inknames) + 1;
+ int inknameslen = (int)strlen(inknames) + 1;
const char* cp = inknames;
while (ninks > 1) {
cp = strchr(cp, '\0');
if (cp) {
cp++;
- inknameslen += (strlen(cp) + 1);
+ inknameslen += ((int)strlen(cp) + 1);
}
ninks--;
}
@@ -8568,13 +8592,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
}
else /* If we have a full buffer's worth, write it out */
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -8643,12 +8667,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
return (-1);
}
- if (!(rbuff = (unsigned char *)limitMalloc(buffsize)))
+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
+ if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
{
- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize);
+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
return (-1);
}
- _TIFFmemset(rbuff, '\0', buffsize);
+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
ibuff = *ibuff_ptr;
switch (rotation)
@@ -9176,13 +9201,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width,
}
else /* If we have a full buffer's worth, write it out */
{
- bytebuff1 = (buff2 >> 56);
+ bytebuff1 = (uint8_t)(buff2 >> 56);
*dst++ = bytebuff1;
- bytebuff2 = (buff2 >> 48);
+ bytebuff2 = (uint8_t)(buff2 >> 48);
*dst++ = bytebuff2;
- bytebuff3 = (buff2 >> 40);
+ bytebuff3 = (uint8_t)(buff2 >> 40);
*dst++ = bytebuff3;
- bytebuff4 = (buff2 >> 32);
+ bytebuff4 = (uint8_t)(buff2 >> 32);
*dst++ = bytebuff4;
ready_bits -= 32;
@@ -9273,12 +9298,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
{
case MIRROR_BOTH:
case MIRROR_VERT:
- line_buff = (unsigned char *)limitMalloc(rowsize);
+ line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES);
if (line_buff == NULL)
{
- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize);
+ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES);
return (-1);
}
+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
dst = ibuff + (rowsize * (length - 1));
for (row = 0; row < length / 2; row++)
@@ -9310,11 +9336,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
}
else
{ /* non 8 bit per sample data */
- if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1)))
+ if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES)))
{
TIFFError("mirrorImage", "Unable to allocate mirror line buffer");
return (-1);
}
+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
bytes_per_sample = (bps + 7) / 8;
bytes_per_pixel = ((bps * spp) + 7) / 8;
if (bytes_per_pixel < (bytes_per_sample + 1))
@@ -9326,7 +9353,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
{
row_offset = row * rowsize;
src = ibuff + row_offset;
- _TIFFmemset (line_buff, '\0', rowsize);
+ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
switch (shift_width)
{
case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff))
--
GitLab

28
backport-CVE-2022-0561.patch
View File

@ -1,28 +0,0 @@
From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 6 Feb 2022 13:08:38 +0100
Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
source pointer and size of zero (fixes #362)
---
libtiff/tif_dirread.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 23194ced..50ebf8ac 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
_TIFFfree(data);
return(0);
}
- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
+ if( dir->tdir_count )
+ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
+ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
_TIFFfree(data);
data=resizeddata;
}
--
GitLab

26
backport-CVE-2022-0562.patch
View File

@ -1,26 +0,0 @@
From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 5 Feb 2022 20:36:41 +0100
Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
source pointer and size of zero (fixes #362)
---
libtiff/tif_dirread.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 2bbc4585..23194ced 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif)
goto bad;
}
- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
+ if (old_extrasamples > 0)
+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
_TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
_TIFFfree(new_sampleinfo);
}
--
GitLab

34
backport-CVE-2022-0865.patch
View File

@ -1,34 +0,0 @@
From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 24 Feb 2022 22:26:02 +0100
Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD
in memory-mapped mode and when bit reversal is needed (fixes #385)
---
libtiff/tif_jbig.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
index 7408633..8bfa4ce 100644
--- a/libtiff/tif_jbig.c
+++ b/libtiff/tif_jbig.c
@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
*/
tif->tif_flags |= TIFF_NOBITREV;
tif->tif_flags &= ~TIFF_MAPPED;
+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
+ * value to be consistent with the state of a non-memory mapped file.
+ */
+ if (tif->tif_flags&TIFF_BUFFERMMAP) {
+ tif->tif_rawdata = NULL;
+ tif->tif_rawdatasize = 0;
+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
+ tif->tif_flags |= TIFF_MYBUFFER;
+ }
/* Setup the function pointers for encode, decode, and cleanup. */
tif->tif_setupdecode = JBIGSetupDecode;
--
2.35.1

215
backport-CVE-2022-0891.patch
View File

@ -1,215 +0,0 @@
From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 8 Mar 2022 17:02:44 +0000
Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in
extractImageSection
Conflict:NA
Reference:https://gitlab.com/freedesktop-sdk/mirrors/gitlab/libtiff/libtiff/-/commit/232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c
---
tools/tiffcrop.c | 92 +++++++++++++++++++-----------------------------
1 file changed, 36 insertions(+), 56 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index f2e5474a..e62bcc71 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -105,8 +105,8 @@
* of messages to monitor progress without enabling dump logs.
*/
-static char tiffcrop_version_id[] = "2.4";
-static char tiffcrop_rev_date[] = "12-13-2010";
+static char tiffcrop_version_id[] = "2.4.1";
+static char tiffcrop_rev_date[] = "03-03-2010";
#include "tif_config.h"
#include "libport.h"
@@ -6739,10 +6739,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
uint32_t img_length;
#endif
- uint32_t j, shift1, shift2, trailing_bits;
+ uint32_t j, shift1, trailing_bits;
uint32_t row, first_row, last_row, first_col, last_col;
uint32_t src_offset, dst_offset, row_offset, col_offset;
- uint32_t offset1, offset2, full_bytes;
+ uint32_t offset1, full_bytes;
uint32_t sect_width;
#ifdef DEVELMODE
uint32_t sect_length;
@@ -6752,7 +6752,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
int k;
unsigned char bitset;
- static char *bitarray = NULL;
#endif
img_width = image->width;
@@ -6770,17 +6769,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
dst_offset = 0;
#ifdef DEVELMODE
- if (bitarray == NULL)
- {
- if ((bitarray = (char *)malloc(img_width)) == NULL)
- {
- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
- return (-1);
- }
- }
+ char bitarray[39];
#endif
- /* rows, columns, width, length are expressed in pixels */
+ /* rows, columns, width, length are expressed in pixels
+ * first_row, last_row, .. are index into image array starting at 0 to width-1,
+ * last_col shall be also extracted. */
first_row = section->y1;
last_row = section->y2;
first_col = section->x1;
@@ -6790,9 +6784,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
sect_length = last_row - first_row + 1;
#endif
- img_rowsize = ((img_width * bps + 7) / 8) * spp;
- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
- trailing_bits = (sect_width * bps) % 8;
+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
+ * samples rather than separate planes so the same logic works to extract regions
+ * regardless of the way the data are organized in the input file.
+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
+ */
+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
#ifdef DEVELMODE
TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
@@ -6805,10 +6804,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if ((bps % 8) == 0)
{
- col_offset = first_col * spp * bps / 8;
+ col_offset = (first_col * spp * bps) / 8;
for (row = first_row; row <= last_row; row++)
{
- /* row_offset = row * img_width * spp * bps / 8; */
row_offset = row * img_rowsize;
src_offset = row_offset + col_offset;
@@ -6821,14 +6819,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
}
else
{ /* bps != 8 */
- shift1 = spp * ((first_col * bps) % 8);
- shift2 = spp * ((last_col * bps) % 8);
+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
for (row = first_row; row <= last_row; row++)
{
/* pull out the first byte */
row_offset = row * img_rowsize;
- offset1 = row_offset + (first_col * bps / 8);
- offset2 = row_offset + (last_col * bps / 8);
+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
#ifdef DEVELMODE
for (j = 0, k = 7; j < 8; j++, k--)
@@ -6840,12 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
sprintf(&bitarray[9], " ");
for (j = 10, k = 7; j < 18; j++, k--)
{
- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
sprintf(&bitarray[j], (bitset) ? "1" : "0");
}
bitarray[18] = '\0';
- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n",
- row, offset1, shift1, offset2, shift2);
+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n",
+ row, offset1, shift1, offset1+full_bytes, trailing_bits);
#endif
bytebuff1 = bytebuff2 = 0;
@@ -6869,11 +6865,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if (trailing_bits != 0)
{
- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
sect_buff[dst_offset] = bytebuff2;
#ifdef DEVELMODE
TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n",
- offset2, dst_offset);
+ offset1 + full_bytes, dst_offset);
for (j = 30, k = 7; j < 38; j++, k--)
{
bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
@@ -6892,8 +6889,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#endif
for (j = 0; j <= full_bytes; j++)
{
- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
}
#ifdef DEVELMODE
@@ -6909,36 +6908,17 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#endif
dst_offset += full_bytes;
+ /* Copy the trailing_bits for the last byte in the destination buffer.
+ Could come from one ore two bytes of the source buffer. */
if (trailing_bits != 0)
{
#ifdef DEVELMODE
- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset);
-#endif
- if (shift2 > shift1)
- {
- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
- sect_buff[dst_offset] = bytebuff2;
-#ifdef DEVELMODE
- TIFFError ("", " Shift2 > Shift1\n");
+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
#endif
+ /* More than necessary bits are already copied into last destination buffer,
+ * only masking of last byte in destination buffer is necessary.*/
+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
}
- else
- {
- if (shift2 < shift1)
- {
- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
- sect_buff[dst_offset] &= bytebuff2;
-#ifdef DEVELMODE
- TIFFError ("", " Shift2 < Shift1\n");
-#endif
- }
-#ifdef DEVELMODE
- else
- TIFFError ("", " Shift2 == Shift1\n");
-#endif
- }
- }
#ifdef DEVELMODE
sprintf(&bitarray[28], " ");
sprintf(&bitarray[29], " ");
@@ -7091,7 +7071,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
width = sections[i].x2 - sections[i].x1 + 1;
length = sections[i].y2 - sections[i].y1 + 1;
sectsize = (uint32_t)
- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
+ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
/* allocate a buffer if we don't have one already */
if (createImageSection(sectsize, sect_buff_ptr))
{
--
GitLab

89
backport-CVE-2022-0907.patch
View File

@ -1,89 +0,0 @@
From 10b4736669928673cc9a5c5f2a88ffdc92f1b560 Mon Sep 17 00:00:00 2001
From: Augustus <wangdw.augustus@qq.com>
Date: Mon, 7 Mar 2022 18:21:49 +0800
Subject: [PATCH 1/3] add checks for return value of limitMalloc (#392)
---
tools/tiffcrop.c | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 302a7e9..e407bf5 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
if (!sect_buff)
{
sect_buff = (unsigned char *)limitMalloc(sectsize);
- *sect_buff_ptr = sect_buff;
+ if (!sect_buff)
+ {
+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+ return (-1);
+ }
_TIFFmemset(sect_buff, 0, sectsize);
}
else
@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
else
sect_buff = new_buff;
+ if (!sect_buff)
+ {
+ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+ return (-1);
+ }
_TIFFmemset(sect_buff, 0, sectsize);
}
}
- if (!sect_buff)
- {
- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
- return (-1);
- }
prev_sectsize = sectsize;
*sect_buff_ptr = sect_buff;
@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
if (!crop_buff)
{
crop_buff = (unsigned char *)limitMalloc(cropsize);
- *crop_buff_ptr = crop_buff;
+ if (!crop_buff)
+ {
+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+ return (-1);
+ }
_TIFFmemset(crop_buff, 0, cropsize);
prev_cropsize = cropsize;
}
@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
}
else
crop_buff = new_buff;
+ if (!crop_buff)
+ {
+ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+ return (-1);
+ }
_TIFFmemset(crop_buff, 0, cropsize);
}
}
- if (!crop_buff)
- {
- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
- return (-1);
- }
*crop_buff_ptr = crop_buff;
if (crop->crop_mode & CROP_INVERT)
@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
* fill-column: 78
* End:
*/
+
--
2.35.1

29
backport-CVE-2022-0908.patch
View File

@ -1,29 +0,0 @@
From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 17 Feb 2022 15:28:43 +0100
Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null
source pointer and size of zero (fixes #383)
---
libtiff/tif_dirread.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index d654a1c..a31109a 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5080,7 +5080,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
_TIFFfree(data);
return(0);
}
- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
+ if (dp->tdir_count > 0 )
+ {
+ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
+ }
o[(uint32_t)dp->tdir_count]=0;
if (data!=0)
_TIFFfree(data);
--
2.27.0

35
backport-CVE-2022-0909.patch
View File

@ -1,35 +0,0 @@
From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Tue, 8 Mar 2022 16:22:04 +0000
Subject: [PATCH] fix the FPE in tiffcrop (#393)
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/32ea0722ee68f503b7a3f9b2d557acb293fc8cde
---
libtiff/tif_dir.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index a6c254f..77da6ea 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
break;
case TIFFTAG_XRESOLUTION:
dblval = va_arg(ap, double);
- if( dblval < 0 )
+ if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
break;
case TIFFTAG_YRESOLUTION:
dblval = va_arg(ap, double);
- if( dblval < 0 )
+ if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
break;
--
2.27.0

56
backport-CVE-2022-0924.patch
View File

@ -1,56 +0,0 @@
From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Thu, 10 Mar 2022 08:48:00 +0000
Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/88d79a45a31c74cba98c697892fed5f7db8b963a
---
tools/tiffcp.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 1f88951..552d8fa 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
tdata_t obuf;
tstrip_t strip = 0;
tsample_t s;
+ uint16_t bps = 0, bytes_per_sample;
obuf = limitMalloc(stripsize);
if (obuf == NULL)
return (0);
_TIFFmemset(obuf, 0, stripsize);
(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( bps == 0 )
+ {
+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
+ _TIFFfree(obuf);
+ return 0;
+ }
+ if( (bps % 8) != 0 )
+ {
+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
+ _TIFFfree(obuf);
+ return 0;
+ }
+ bytes_per_sample = bps/8;
for (s = 0; s < spp; s++) {
uint32_t row;
for (row = 0; row < imagelength; row += rowsperstrip) {
@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
cpContigBufToSeparateBuf(
obuf, (uint8_t*) buf + row * rowsize + s,
- nrows, imagewidth, 0, 0, spp, 1);
+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
TIFFError(TIFFFileName(out),
"Error, can't write strip %"PRIu32,
--
2.27.0

207
backport-CVE-2022-1354.patch
View File

@ -1,207 +0,0 @@
From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 5 Dec 2021 14:37:46 +0100
Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319)
to avoid having the size of the strip arrays inconsistent with the
number of strips returned by TIFFNumberOfStrips(), which may cause
out-ouf-bounds array read afterwards.
One of the OJPEG hack that alters SamplesPerPixel may influence the
number of strips. Hence compute tif_dir.td_nstrips only afterwards.
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798
---
libtiff/tif_dirread.c | 162 ++++++++++++++++++++++--------------------
1 file changed, 83 insertions(+), 79 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index a31109a..707b3e2 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -3794,50 +3794,6 @@ TIFFReadDirectory(TIFF* tif)
MissingRequired(tif,"ImageLength");
goto bad;
}
- /*
- * Setup appropriate structures (by strip or by tile)
- */
- if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
- tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
- tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
- tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
- tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
- tif->tif_flags &= ~TIFF_ISTILED;
- } else {
- tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
- tif->tif_flags |= TIFF_ISTILED;
- }
- if (!tif->tif_dir.td_nstrips) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "Cannot handle zero number of %s",
- isTiled(tif) ? "tiles" : "strips");
- goto bad;
- }
- tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
- if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
- tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
- if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
-#ifdef OJPEG_SUPPORT
- if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
- (isTiled(tif)==0) &&
- (tif->tif_dir.td_nstrips==1)) {
- /*
- * XXX: OJPEG hack.
- * If a) compression is OJPEG, b) it's not a tiled TIFF,
- * and c) the number of strips is 1,
- * then we tolerate the absence of stripoffsets tag,
- * because, presumably, all required data is in the
- * JpegInterchangeFormat stream.
- */
- TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
- } else
-#endif
- {
- MissingRequired(tif,
- isTiled(tif) ? "TileOffsets" : "StripOffsets");
- goto bad;
- }
- }
/*
* Second pass: extract other information.
*/
@@ -4042,41 +3998,6 @@ TIFFReadDirectory(TIFF* tif)
} /* -- if (!dp->tdir_ignore) */
} /* -- for-loop -- */
- if( tif->tif_mode == O_RDWR &&
- tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
- tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
- tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
- tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
- tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
- tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
- tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
- tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
- {
- /* Directory typically created with TIFFDeferStrileArrayWriting() */
- TIFFSetupStrips(tif);
- }
- else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
- {
- if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
- {
- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
- tif->tif_dir.td_nstrips,
- &tif->tif_dir.td_stripoffset_p))
- {
- goto bad;
- }
- }
- if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
- {
- if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
- tif->tif_dir.td_nstrips,
- &tif->tif_dir.td_stripbytecount_p))
- {
- goto bad;
- }
- }
- }
-
/*
* OJPEG hack:
* - If a) compression is OJPEG, and b) photometric tag is missing,
@@ -4147,6 +4068,88 @@ TIFFReadDirectory(TIFF* tif)
}
}
+ /*
+ * Setup appropriate structures (by strip or by tile)
+ * We do that only after the above OJPEG hack which alters SamplesPerPixel
+ * and thus influences the number of strips in the separate planarconfig.
+ */
+ if (!TIFFFieldSet(tif, FIELD_TILEDIMENSIONS)) {
+ tif->tif_dir.td_nstrips = TIFFNumberOfStrips(tif);
+ tif->tif_dir.td_tilewidth = tif->tif_dir.td_imagewidth;
+ tif->tif_dir.td_tilelength = tif->tif_dir.td_rowsperstrip;
+ tif->tif_dir.td_tiledepth = tif->tif_dir.td_imagedepth;
+ tif->tif_flags &= ~TIFF_ISTILED;
+ } else {
+ tif->tif_dir.td_nstrips = TIFFNumberOfTiles(tif);
+ tif->tif_flags |= TIFF_ISTILED;
+ }
+ if (!tif->tif_dir.td_nstrips) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Cannot handle zero number of %s",
+ isTiled(tif) ? "tiles" : "strips");
+ goto bad;
+ }
+ tif->tif_dir.td_stripsperimage = tif->tif_dir.td_nstrips;
+ if (tif->tif_dir.td_planarconfig == PLANARCONFIG_SEPARATE)
+ tif->tif_dir.td_stripsperimage /= tif->tif_dir.td_samplesperpixel;
+ if (!TIFFFieldSet(tif, FIELD_STRIPOFFSETS)) {
+#ifdef OJPEG_SUPPORT
+ if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG) &&
+ (isTiled(tif)==0) &&
+ (tif->tif_dir.td_nstrips==1)) {
+ /*
+ * XXX: OJPEG hack.
+ * If a) compression is OJPEG, b) it's not a tiled TIFF,
+ * and c) the number of strips is 1,
+ * then we tolerate the absence of stripoffsets tag,
+ * because, presumably, all required data is in the
+ * JpegInterchangeFormat stream.
+ */
+ TIFFSetFieldBit(tif, FIELD_STRIPOFFSETS);
+ } else
+#endif
+ {
+ MissingRequired(tif,
+ isTiled(tif) ? "TileOffsets" : "StripOffsets");
+ goto bad;
+ }
+ }
+
+ if( tif->tif_mode == O_RDWR &&
+ tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 &&
+ tif->tif_dir.td_stripoffset_entry.tdir_count == 0 &&
+ tif->tif_dir.td_stripoffset_entry.tdir_type == 0 &&
+ tif->tif_dir.td_stripoffset_entry.tdir_offset.toff_long8 == 0 &&
+ tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 &&
+ tif->tif_dir.td_stripbytecount_entry.tdir_count == 0 &&
+ tif->tif_dir.td_stripbytecount_entry.tdir_type == 0 &&
+ tif->tif_dir.td_stripbytecount_entry.tdir_offset.toff_long8 == 0 )
+ {
+ /* Directory typically created with TIFFDeferStrileArrayWriting() */
+ TIFFSetupStrips(tif);
+ }
+ else if( !(tif->tif_flags&TIFF_DEFERSTRILELOAD) )
+ {
+ if( tif->tif_dir.td_stripoffset_entry.tdir_tag != 0 )
+ {
+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripoffset_entry),
+ tif->tif_dir.td_nstrips,
+ &tif->tif_dir.td_stripoffset_p))
+ {
+ goto bad;
+ }
+ }
+ if( tif->tif_dir.td_stripbytecount_entry.tdir_tag != 0 )
+ {
+ if (!TIFFFetchStripThing(tif,&(tif->tif_dir.td_stripbytecount_entry),
+ tif->tif_dir.td_nstrips,
+ &tif->tif_dir.td_stripbytecount_p))
+ {
+ goto bad;
+ }
+ }
+ }
+
/*
* Make sure all non-color channels are extrasamples.
* If it's not the case, define them as such.
--
2.33.0

58
backport-CVE-2022-1355.patch
View File

@ -1,58 +0,0 @@
From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sat, 2 Apr 2022 22:33:31 +0200
Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
Conflict:NA
Reference:https://gitlab.com/gitlab-org/build/omnibus-mirror/libtiff/-/commit/fb1db384959698edd6caeea84e28253d272a0f96
---
tools/tiffcp.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 552d8fa..57eef90 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -274,19 +274,34 @@ main(int argc, char* argv[])
deftilewidth = atoi(optarg);
break;
case 'B':
- *mp++ = 'b'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'b'; *mp = '\0';
+ }
break;
case 'L':
- *mp++ = 'l'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'l'; *mp = '\0';
+ }
break;
case 'M':
- *mp++ = 'm'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'm'; *mp = '\0';
+ }
break;
case 'C':
- *mp++ = 'c'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode) - 1))
+ {
+ *mp++ = 'c'; *mp = '\0';
+ }
break;
case '8':
- *mp++ = '8'; *mp = '\0';
+ if (strlen(mode) < (sizeof(mode)-1))
+ {
+ *mp++ = '8'; *mp = '\0';
+ }
break;
case 'x':
pageInSeq = 1;
--
2.27.0

179
backport-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch
View File

@ -1,179 +0,0 @@
From dd1bcc7abb26094e93636e85520f0d8f81ab0fab Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Sat, 11 Jun 2022 09:31:43 +0000
Subject: [PATCH] fix the FPE in tiffcrop (#415, #427, and #428)
---
libtiff/tif_aux.c | 9 +++++++
libtiff/tiffiop.h | 1 +
tools/tiffcrop.c | 62 ++++++++++++++++++++++++++---------------------
3 files changed, 44 insertions(+), 28 deletions(-)
diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
index 140f26c7..5b88c8d0 100644
--- a/libtiff/tif_aux.c
+++ b/libtiff/tif_aux.c
@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double val )
return (float)val;
}
+uint32_t _TIFFClampDoubleToUInt32(double val)
+{
+ if( val < 0 )
+ return 0;
+ if( val > 0xFFFFFFFFU || val != val )
+ return 0xFFFFFFFFU;
+ return (uint32_t)val;
+}
+
int _TIFFSeekOK(TIFF* tif, toff_t off)
{
/* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
index e3af461d..4e8bdac2 100644
--- a/libtiff/tiffiop.h
+++ b/libtiff/tiffiop.h
@@ -365,6 +365,7 @@ extern double _TIFFUInt64ToDouble(uint64_t);
extern float _TIFFUInt64ToFloat(uint64_t);
extern float _TIFFClampDoubleToFloat(double);
+extern uint32_t _TIFFClampDoubleToUInt32(double);
extern tmsize_t
_TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip,
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 1f827b2b..90286a5e 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5268,17 +5268,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
{
- x1 = (uint32_t) (crop->corners[i].X1 * scale * xres);
- x2 = (uint32_t) (crop->corners[i].X2 * scale * xres);
- y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres);
- y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
}
else
{
- x1 = (uint32_t) (crop->corners[i].X1);
- x2 = (uint32_t) (crop->corners[i].X2);
- y1 = (uint32_t) (crop->corners[i].Y1);
- y2 = (uint32_t) (crop->corners[i].Y2);
+ x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
+ x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
+ y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+ y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
}
/* a) Region needs to be within image sizes 0.. width-1; 0..length-1
* b) Corners are expected to be submitted as top-left to bottom-right.
@@ -5357,17 +5357,17 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
{
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{ /* User has specified pixels as reference unit */
- tmargin = (uint32_t)(crop->margins[0]);
- lmargin = (uint32_t)(crop->margins[1]);
- bmargin = (uint32_t)(crop->margins[2]);
- rmargin = (uint32_t)(crop->margins[3]);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
}
else
{ /* inches or centimeters specified */
- tmargin = (uint32_t)(crop->margins[0] * scale * yres);
- lmargin = (uint32_t)(crop->margins[1] * scale * xres);
- bmargin = (uint32_t)(crop->margins[2] * scale * yres);
- rmargin = (uint32_t)(crop->margins[3] * scale * xres);
+ tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
+ lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
+ bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
}
if ((lmargin + rmargin) > image->width)
@@ -5397,24 +5397,24 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32_t)crop->width;
+ width = _TIFFClampDoubleToUInt32(crop->width);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32_t)crop->length;
+ length = _TIFFClampDoubleToUInt32(crop->length);
else
length = image->length - tmargin - bmargin;
}
else
{
if (crop->crop_mode & CROP_WIDTH)
- width = (uint32_t)(crop->width * scale * image->xres);
+ width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
else
width = image->width - lmargin - rmargin;
if (crop->crop_mode & CROP_LENGTH)
- length = (uint32_t)(crop->length * scale * image->yres);
+ length = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
else
length = image->length - tmargin - bmargin;
}
@@ -5868,13 +5868,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
{ /* inches or centimeters specified */
- hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
- vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
}
else
{ /* Otherwise user has specified pixels as reference unit */
- hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8));
- vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8));
+ hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
}
if ((hmargin * 2.0) > (pwidth * page->hres))
@@ -5912,13 +5912,13 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
{
if (page->mode & PAGE_MODE_PAPERSIZE )
{
- owidth = (uint32_t)((pwidth * page->hres) - (hmargin * 2));
- olength = (uint32_t)((plength * page->vres) - (vmargin * 2));
+ owidth = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
+ olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
}
else
{
- owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres));
- olength = (uint32_t)(ilength - (vmargin * 2 * page->vres));
+ owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
+ olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
}
}
@@ -5927,6 +5927,12 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
if (olength > ilength)
olength = ilength;
+ if (owidth == 0 || olength == 0)
+ {
+ TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
+ exit(EXIT_FAILURE);
+ }
+
/* Compute the number of pages required for Portrait or Landscape */
switch (page->orient)
{
--
GitLab

146
backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
View File

@ -1,146 +0,0 @@
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 0da3157743aaabc2f874fdaeb9f46e94cb00efd8..e4a08ca96c03923a49a71aab0f0cfba906ffdf29 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5192,29 +5192,45 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
y1 = (uint32_t) (crop->corners[i].Y1);
y2 = (uint32_t) (crop->corners[i].Y2);
}
- if (x1 < 1)
- crop->regionlist[i].x1 = 0;
- else
- crop->regionlist[i].x1 = (uint32_t) (x1 - 1);
+ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
+ * b) Corners are expected to be submitted as top-left to bottom-right.
+ * Therefore, check that and reorder input.
+ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
+ */
+ uint32_t aux;
+ if (x1 > x2) {
+ aux = x1;
+ x1 = x2;
+ x2 = aux;
+ }
+ if (y1 > y2) {
+ aux = y1;
+ y1 = y2;
+ y2 = aux;
+ }
+ if (x1 > image->width - 1)
+ crop->regionlist[i].x1 = image->width - 1;
+ else if (x1 > 0)
+ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
if (x2 > image->width - 1)
crop->regionlist[i].x2 = image->width - 1;
- else
- crop->regionlist[i].x2 = (uint32_t) (x2 - 1);
- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ else if (x2 > 0)
+ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
- if (y1 < 1)
- crop->regionlist[i].y1 = 0;
- else
- crop->regionlist[i].y1 = (uint32_t) (y1 - 1);
+ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+
+ if (y1 > image->length - 1)
+ crop->regionlist[i].y1 = image->length - 1;
+ else if (y1 > 0)
+ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
if (y2 > image->length - 1)
crop->regionlist[i].y2 = image->length - 1;
- else
- crop->regionlist[i].y2 = (uint32_t) (y2 - 1);
-
- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ else if (y2 > 0)
+ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
if (zwidth > max_width)
max_width = zwidth;
if (zlength > max_length)
@@ -5244,7 +5260,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
}
}
return (0);
- }
+ } /* crop_mode == CROP_REGIONS */
/* Convert crop margins into offsets into image
* Margins are expressed as pixel rows and columns, not bytes
@@ -5280,7 +5296,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
bmargin = (uint32_t) 0;
return (-1);
}
- }
+ } /* crop_mode == CROP_MARGINS */
else
{ /* no margins requested */
tmargin = (uint32_t) 0;
@@ -5371,24 +5387,23 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
off->endx = endx;
off->endy = endy;
- crop_width = endx - startx + 1;
- crop_length = endy - starty + 1;
-
- if (crop_width <= 0)
+ if (endx + 1 <= startx)
{
TIFFError("computeInputPixelOffsets",
"Invalid left/right margins and /or image crop width requested");
return (-1);
}
+ crop_width = endx - startx + 1;
if (crop_width > image->width)
crop_width = image->width;
- if (crop_length <= 0)
+ if (endy + 1 <= starty)
{
TIFFError("computeInputPixelOffsets",
"Invalid top/bottom margins and /or image crop length requested");
return (-1);
}
+ crop_length = endy - starty + 1;
if (crop_length > image->length)
crop_length = image->length;
@@ -5488,10 +5503,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
else
crop->selections = crop->zones;
- for (i = 0; i < crop->zones; i++)
+ /* Initialize regions iterator i */
+ i = 0;
+ for (int j = 0; j < crop->zones; j++)
{
- seg = crop->zonelist[i].position;
- total = crop->zonelist[i].total;
+ seg = crop->zonelist[j].position;
+ total = crop->zonelist[j].total;
+
+ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
+ if (seg == 0 || total == 0 || seg > total) {
+ continue;
+ }
switch (crop->edge_ref)
{
@@ -5620,8 +5642,11 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
i + 1, zwidth, zlength,
crop->regionlist[i].x1, crop->regionlist[i].x2,
crop->regionlist[i].y1, crop->regionlist[i].y2);
+ /* increment regions iterator */
+ i++;
}
-
+ /* set number of generated regions out of given zones */
+ crop->selections = i;
return (0);
} /* end getCropOffsets */

104
backport-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627.patch
View File

@ -1,104 +0,0 @@
From 4746f16253b784287bc8a5003990c1c3b9a03a62 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Thu, 25 Aug 2022 16:11:41 +0200
Subject: [PATCH] tiffcrop: disable incompatibility of -Z, -X, -Y, -z options
with any PAGE_MODE_x option (fixes #411 and #413)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
tiffcrop does not support 鈥揨, -z, -X and 鈥揧 options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or 鈥揝.
Code analysis:
With the options 鈥揨, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[].
In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) .
Execution of the else-clause often leads to buffer-overflows.
Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows.
The MR solves issues #411 and #413.
---
tools/tiffcrop.c | 32 +++++++++++++++++++++++++-------
1 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 8fd856dc..41a2ea36 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -107,13 +107,15 @@
* selects which functions dump data, with higher numbers selecting
* lower level, scanline level routines. Debug reports a limited set
* of messages to monitor progress without enabling dump logs.
- *
- * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
+ *
+ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
* In no case should the options be applied to a given selection successively.
- */
+ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
+ */
-static char tiffcrop_version_id[] = "2.5.1";
-static char tiffcrop_rev_date[] = "15-08-2022";
+static char tiffcrop_version_id[] = "2.5.3";
+static char tiffcrop_rev_date[] = "26-08-2022";
#include "tif_config.h"
#include "libport.h"
@@ -781,9 +783,12 @@ static const char usage_info[] =
" The four debug/dump options are independent, though it makes little sense to\n"
" specify a dump file without specifying a detail level.\n"
"\n"
-"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
+"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n"
" In no case should the options be applied to a given selection successively.\n"
"\n"
+"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options\n"
+" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.\n"
+"\n"
;
/* This function could be modified to pass starting sample offset
@@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
if (XY + Z + R + S > 1) {
- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
exit(EXIT_FAILURE);
}
+
+ /* Check for not allowed combination:
+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
+. */
+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
+ TIFFError("tiffcrop input error",
+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
+ exit(EXIT_FAILURE);
+ }
+
} /* end process_command_opts */
/* Start a new output file if one has not been previously opened or
@@ -2411,6 +2427,7 @@ main(int argc, char* argv[])
exit (EXIT_FAILURE);
}
+ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */
if (crop.selections > 0)
{
if (processCropSelections(&image, &crop, &read_buff, seg_buffs))
@@ -2427,6 +2444,7 @@ main(int argc, char* argv[])
exit (EXIT_FAILURE);
}
}
+ /* Format and write selected image parts to output file(s). */
if (page.mode == PAGE_MODE_NONE)
{ /* Whole image or sections not based on output page size */
if (crop.selections > 0)
--
GitLab

261
backport-CVE-2022-3599.patch
View File

@ -1,261 +0,0 @@
From f00484b9519df933723deb38fff943dc291a793d Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Tue, 30 Aug 2022 16:56:48 +0200
Subject: [PATCH] Revised handling of TIFFTAG_INKNAMES and related
TIFFTAG_NUMBEROFINKS value
In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
Behaviour for writing:
`NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
`NumberOfInks` is automatically set when `InkNames` is set.
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
Behaviour for reading:
When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
---
libtiff/tif_dir.c | 119 ++++++++++++++++++++++++-----------------
libtiff/tif_dir.h | 2 +
libtiff/tif_dirinfo.c | 2 +-
libtiff/tif_dirwrite.c | 5 ++
libtiff/tif_print.c | 4 ++
5 files changed, 82 insertions(+), 50 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 793e8a79..816f7756 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -136,32 +136,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32_t* v)
}
/*
- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
+ * Count ink names separated by \0. Returns
* zero if the ink names are not as expected.
*/
-static uint32_t
-checkInkNamesString(TIFF* tif, uint32_t slen, const char* s)
+static uint16_t
+countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
{
- TIFFDirectory* td = &tif->tif_dir;
- uint16_t i = td->td_samplesperpixel;
+ uint16_t i = 0;
+ const char *ep = s + slen;
+ const char *cp = s;
if (slen > 0) {
- const char* ep = s+slen;
- const char* cp = s;
- for (; i > 0; i--) {
+ do {
for (; cp < ep && *cp != '\0'; cp++) {}
if (cp >= ep)
goto bad;
cp++; /* skip \0 */
- }
- return ((uint32_t)(cp - s));
+ i++;
+ } while (cp < ep);
+ return (i);
}
bad:
TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
- "%s: Invalid InkNames value; expecting %"PRIu16" names, found %"PRIu16,
- tif->tif_name,
- td->td_samplesperpixel,
- (uint16_t)(td->td_samplesperpixel-i));
+ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink",
+ tif->tif_name, slen, i);
return (0);
}
@@ -478,13 +476,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
_TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
break;
case TIFFTAG_INKNAMES:
- v = (uint16_t) va_arg(ap, uint16_vap);
- s = va_arg(ap, char*);
- v = checkInkNamesString(tif, v, s);
- status = v > 0;
- if( v > 0 ) {
- _TIFFsetNString(&td->td_inknames, s, v);
- td->td_inknameslen = v;
+ {
+ v = (uint16_t) va_arg(ap, uint16_vap);
+ s = va_arg(ap, char*);
+ uint16_t ninksinstring;
+ ninksinstring = countInkNamesString(tif, v, s);
+ status = ninksinstring > 0;
+ if(ninksinstring > 0 ) {
+ _TIFFsetNString(&td->td_inknames, s, v);
+ td->td_inknameslen = v;
+ /* Set NumberOfInks to the value ninksinstring */
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
+ {
+ if (td->td_numberofinks != ninksinstring) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"",
+ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
+ td->td_numberofinks = ninksinstring;
+ }
+ } else {
+ td->td_numberofinks = ninksinstring;
+ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
+ }
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
+ {
+ if (td->td_numberofinks != td->td_samplesperpixel) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
+ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
+ }
+ }
+ }
+ }
+ break;
+ case TIFFTAG_NUMBEROFINKS:
+ v = (uint16_t)va_arg(ap, uint16_vap);
+ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
+ if (TIFFFieldSet(tif, FIELD_INKNAMES))
+ {
+ if (v != td->td_numberofinks) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")",
+ tif->tif_name, fip->field_name, v, td->td_numberofinks);
+ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
+ status = 0;
+ }
+ } else {
+ td->td_numberofinks = (uint16_t)v;
+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
+ {
+ if (td->td_numberofinks != td->td_samplesperpixel) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
+ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
+ }
+ }
}
break;
case TIFFTAG_PERSAMPLE:
@@ -986,34 +1032,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
if (fip->field_bit == FIELD_CUSTOM) {
standard_tag = 0;
}
-
- if( standard_tag == TIFFTAG_NUMBEROFINKS )
- {
- int i;
- for (i = 0; i < td->td_customValueCount; i++) {
- uint16_t val;
- TIFFTagValue *tv = td->td_customValues + i;
- if (tv->info->field_tag != standard_tag)
- continue;
- if( tv->value == NULL )
- return 0;
- val = *(uint16_t *)tv->value;
- /* Truncate to SamplesPerPixel, since the */
- /* setting code for INKNAMES assume that there are SamplesPerPixel */
- /* inknames. */
- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
- if( val > td->td_samplesperpixel )
- {
- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
- "Truncating NumberOfInks from %u to %"PRIu16,
- val, td->td_samplesperpixel);
- val = td->td_samplesperpixel;
- }
- *va_arg(ap, uint16_t*) = val;
- return 1;
- }
- return 0;
- }
switch (standard_tag) {
case TIFFTAG_SUBFILETYPE:
@@ -1195,6 +1213,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
case TIFFTAG_INKNAMES:
*va_arg(ap, const char**) = td->td_inknames;
break;
+ case TIFFTAG_NUMBEROFINKS:
+ *va_arg(ap, uint16_t *) = td->td_numberofinks;
+ break;
default:
{
int i;
diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
index 09065648..0c251c9e 100644
--- a/libtiff/tif_dir.h
+++ b/libtiff/tif_dir.h
@@ -117,6 +117,7 @@ typedef struct {
/* CMYK parameters */
int td_inknameslen;
char* td_inknames;
+ uint16_t td_numberofinks; /* number of inks in InkNames string */
int td_customValueCount;
TIFFTagValue *td_customValues;
@@ -174,6 +175,7 @@ typedef struct {
#define FIELD_TRANSFERFUNCTION 44
#define FIELD_INKNAMES 46
#define FIELD_SUBIFD 49
+#define FIELD_NUMBEROFINKS 50
/* FIELD_CUSTOM (see tiffio.h) 65 */
/* end of support for well-known tags; codec-private tags follow */
#define FIELD_CODEC 66 /* base of codec-private tags */
diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
index 3371cb5c..3b4bcd33 100644
--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
@@ -114,7 +114,7 @@ tiffFields[] = {
{ TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
{ TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
{ TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
+ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
{ TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
{ TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
{ TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
index 6c86fdca..062e4610 100644
--- a/libtiff/tif_dirwrite.c
+++ b/libtiff/tif_dirwrite.c
@@ -626,6 +626,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64_t* pdiroff)
if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
goto bad;
}
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
+ {
+ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
+ goto bad;
+ }
if (TIFFFieldSet(tif,FIELD_SUBIFD))
{
if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
index 16ce5780..a91b9e7b 100644
--- a/libtiff/tif_print.c
+++ b/libtiff/tif_print.c
@@ -397,6 +397,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
}
fputs("\n", fd);
}
+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
+ fprintf(fd, " NumberOfInks: %d\n",
+ td->td_numberofinks);
+ }
if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
fprintf(fd, " Thresholding: ");
switch (td->td_threshholding) {
--
GitLab

37
backport-CVE-2022-3970.patch
View File

@ -1,37 +0,0 @@
From 227500897dfb07fb7d27f7aa570050e62617e3be Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 8 Nov 2022 15:16:58 +0100
Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
strips/tiles > 2 GB
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
---
libtiff/tif_getimage.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index a4d0c1d6..60b94d8e 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -3016,15 +3016,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
return( ok );
for( i_row = 0; i_row < read_ysize; i_row++ ) {
- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
- raster + (read_ysize - i_row - 1) * read_xsize,
+ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
read_xsize * sizeof(uint32_t) );
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
}
for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
0, sizeof(uint32_t) * tile_xsize );
}
--
GitLab

11
backport-CVE-2022-48281.patch
View File

@ -8,17 +8,18 @@ Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488.
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 92f8d09..20b9c23 100644
index 14fa18da..7db69883 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7638,7 +7638,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image,
cropsize + NUM_BUFF_OVERSIZE_BYTES);
else
{
- prev_cropsize = seg_buffs[0].size;
+ prev_cropsize = seg_buffs[i].size;
if (prev_cropsize < cropsize)
{
next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
next_buff = _TIFFrealloc(
--
2.33.0
GitLab

34
fix-raw2tiff-floating-point-exception.patch
View File

@ -1,34 +0,0 @@
From 42f499986d3c8a1dce55db7d97d501f8e9dfc8f6 Mon Sep 17 00:00:00 2001
From: t.feng <fengtao40@huawei.com>
Date: Mon, 13 Dec 2021 21:03:13 +0800
Subject: [PATCH] fix raw2tiff floating point exception
if we input illegal nbands, like:
raw2tiff -b :2 test.raw test.tif
we got:
Floating point exception (core dumped)
so, check nbands before guessSize
---
tools/raw2tiff.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
index dfee715..3a6f00e 100644
--- a/tools/raw2tiff.c
+++ b/tools/raw2tiff.c
@@ -209,6 +209,11 @@ main(int argc, char* argv[])
return (EXIT_FAILURE);
}
+ if (nbands == 0) {
+ fprintf(stderr, "The number of bands is illegal.\n");
+ return (-1);
+ }
+
if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
return EXIT_FAILURE;
--
2.27.0

44
libtiff.spec
View File

@ -1,40 +1,12 @@
Name: libtiff
Version: 4.3.0
Release: 22
Version: 4.5.0
Release: 1
Summary: TIFF Library and Utilities
License: libtiff
URL: https://www.simplesystems.org/libtiff/
Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
Patch6000: backport-CVE-2022-0561.patch
Patch6001: backport-CVE-2022-0562.patch
Patch6002: backport-0001-CVE-2022-22844.patch
Patch6003: backport-0002-CVE-2022-22844.patch
Patch6004: backport-0003-CVE-2022-22844.patch
Patch6005: backport-CVE-2022-0891.patch
Patch6006: backport-CVE-2022-0907.patch
Patch6007: backport-CVE-2022-0908.patch
Patch6008: backport-CVE-2022-0865.patch
Patch6009: backport-CVE-2022-0909.patch
Patch6010: backport-CVE-2022-0924.patch
Patch6011: backport-CVE-2022-1355.patch
Patch6012: backport-0001-CVE-2022-1622-CVE-2022-1623.patch
Patch6013: backport-0002-CVE-2022-1622-CVE-2022-1623.patch
Patch6014: backport-CVE-2022-1354.patch
Patch6015: backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
Patch6016: backport-0001-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch
Patch6017: backport-0002-CVE-2022-2953-CVE-2022-2519-CVE-2022-2520-CVE-2022-2521.patch
Patch6018: backport-CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch
Patch6019: backport-CVE-2022-3597-CVE-2022-3626-CVE-2022-3627.patch
Patch6020: backport-0001-CVE-2022-3570-CVE-2022-3598.patch
Patch6021: backport-0002-CVE-2022-3570-CVE-2022-3598.patch
Patch6022: backport-0003-CVE-2022-3570-CVE-2022-3598.patch
Patch6023: backport-CVE-2022-3599.patch
Patch6024: backport-CVE-2022-3970.patch
Patch6025: backport-CVE-2022-48281.patch
Patch9000: fix-raw2tiff-floating-point-exception.patch
Patch6000: backport-CVE-2022-48281.patch
BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
BuildRequires: libtool automake autoconf pkgconfig
@ -125,11 +97,11 @@ fi
%check
make check
find html -name 'Makefile*' | xargs rm
find doc -name 'Makefile*' | xargs rm
%files
%defattr(-,root,root)
%license COPYRIGHT
%license LICENSE.md
%doc README.md
%{_libdir}/*.so.*
@ -150,11 +122,13 @@ find html -name 'Makefile*' | xargs rm
%defattr(-,root,root)
%{_mandir}/man*
%doc RELEASE-DATE VERSION
%doc TODO ChangeLog html
%doc TODO ChangeLog doc
%exclude %{_mandir}/man1/*
%exclude %{_datadir}/html/man/tiffgt.1.html
%changelog
* Tue Feb 07 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 4.5.0-1
- update to 4.5.0
* Sun Jan 29 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 4.3.0-22
- Type:cve
- ID:CVE-2022-48281

BIN
tiff-4.3.0.tar.gz
View File

Binary file not shown.

BIN
tiff-4.5.0.tar.gz Normal file
View File

Binary file not shown.