diff --git a/backport-CVE-2022-0907.patch b/backport-CVE-2022-0907.patch
new file mode 100644
index 0000000..ce1af73
--- /dev/null
+++ b/backport-CVE-2022-0907.patch
@@ -0,0 +1,89 @@
+From 10b4736669928673cc9a5c5f2a88ffdc92f1b560 Mon Sep 17 00:00:00 2001
+From: Augustus
+Date: Mon, 7 Mar 2022 18:21:49 +0800
+Subject: [PATCH 1/3] add checks for return value of limitMalloc (#392)
+
+---
+ tools/tiffcrop.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 302a7e9..e407bf5 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+ if (!sect_buff)
+ {
+ sect_buff = (unsigned char *)limitMalloc(sectsize);
+- *sect_buff_ptr = sect_buff;
++ if (!sect_buff)
++ {
++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
++ return (-1);
++ }
+ _TIFFmemset(sect_buff, 0, sectsize);
+ }
+ else
+@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
+ else
+ sect_buff = new_buff;
+
++ if (!sect_buff)
++ {
++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
++ return (-1);
++ }
+ _TIFFmemset(sect_buff, 0, sectsize);
+ }
+ }
+
+- if (!sect_buff)
+- {
+- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+- return (-1);
+- }
+ prev_sectsize = sectsize;
+ *sect_buff_ptr = sect_buff;
+
+@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ if (!crop_buff)
+ {
+ crop_buff = (unsigned char *)limitMalloc(cropsize);
+- *crop_buff_ptr = crop_buff;
++ if (!crop_buff)
++ {
++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
++ return (-1);
++ }
+ _TIFFmemset(crop_buff, 0, cropsize);
+ prev_cropsize = cropsize;
+ }
+@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ }
+ else
+ crop_buff = new_buff;
++ if (!crop_buff)
++ {
++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
++ return (-1);
++ }
+ _TIFFmemset(crop_buff, 0, cropsize);
+ }
+ }
+
+- if (!crop_buff)
+- {
+- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+- return (-1);
+- }
+ *crop_buff_ptr = crop_buff;
+
+ if (crop->crop_mode & CROP_INVERT)
+@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
+ * fill-column: 78
+ * End:
+ */
++
+--
+2.35.1
+
diff --git a/libtiff.spec b/libtiff.spec
index a69c493..88ba576 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,6 +1,6 @@ Name: libtiff Version: 4.3.0 -Release: 6 +Release: 7 Summary: TIFF Library and Utilities License: libtiff URL: https://www.simplesystems.org/libtiff/
@@ -12,7 +12,8 @@ Patch6002: backport-0001-CVE-2022-22844.patch Patch6003: backport-0002-CVE-2022-22844.patch Patch6004: backport-0003-CVE-2022-22844.patch Patch6005: backport-CVE-2022-0891.patch -Patch6006: backport-CVE-2022-0908.patch +Patch6006: backport-CVE-2022-0907.patch +Patch6007: backport-CVE-2022-0908.patch BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig
@@ -133,6 +134,9 @@ find html -name 'Makefile*' | xargs rm %exclude %{_datadir}/html/man/tiffgt.1.html %changelog +* Mon Mar 28 2022 yangcheng - 4.3.0-7 +- fix CVE-2022-0907 + * Tue Mar 22 2022 yangcheng - 4.3.0-6 - Type:cve - ID:CVE-2022-0908
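Review bot: The two early returns added in the reallocation branches (after `sect_buff = new_buff;` in createImageSection and after `crop_buff = new_buff;` in createCroppedImage) leave `*sect_buff_ptr` and `*crop_buff_ptr` untouched. The code just above those embedded hunks is not shown, so this is inferred from the visible `else`: if it releases the old buffer when the realloc fails before falling back to limitMalloc, the caller is left holding a pointer to freed memory, and any later cleanup or reuse of that pointer would be a double free or use-after-free. Clearing the out-parameter on that path avoids it: `*sect_buff_ptr = NULL;` and `*crop_buff_ptr = NULL;` ahead of the respective `return (-1);`. Both function bodies start and end outside the embedded hunks, so the callers' handling of the -1 return should be checked as well.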