fix CVE-2022-0907

2022-03-28 16:49:33 +08:00 · 2022-03-28 16:49:33 +08:00 · ba5854f669
commit ba5854f669
parent b9e50e07ef
2 changed files with 95 additions and 2 deletions
--- a/backport-CVE-2022-0907.patch
+++ b/backport-CVE-2022-0907.patch
@ -0,0 +1,89 @@
 From 10b4736669928673cc9a5c5f2a88ffdc92f1b560 Mon Sep 17 00:00:00 2001
 From: Augustus <wangdw.augustus@qq.com>
 Date: Mon, 7 Mar 2022 18:21:49 +0800
 Subject: [PATCH 1/3] add checks for return value of limitMalloc (#392)
 ---
 tools/tiffcrop.c | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)
 diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
 index 302a7e9..e407bf5 100644
 --- a/tools/tiffcrop.c
 +++ b/tools/tiffcrop.c
@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
   if (!sect_buff)
     {
     sect_buff = (unsigned char *)limitMalloc(sectsize);
 -    *sect_buff_ptr = sect_buff;
 +    if (!sect_buff)
 +    {
 +        TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
 +        return (-1);
 +    }
     _TIFFmemset(sect_buff, 0, sectsize);
     }
   else
@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
       else
         sect_buff = new_buff;
 +      if (!sect_buff)
 +      {
 +          TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
 +          return (-1);
 +      }
       _TIFFmemset(sect_buff, 0, sectsize);
       }
     }
 -  if (!sect_buff)
 -    {
 -    TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
 -    return (-1);
 -    }
   prev_sectsize = sectsize;
   *sect_buff_ptr = sect_buff;
@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
   if (!crop_buff)
     {
     crop_buff = (unsigned char *)limitMalloc(cropsize);
 -    *crop_buff_ptr = crop_buff;
 +    if (!crop_buff)
 +    {
 +        TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
 +        return (-1);
 +    }
     _TIFFmemset(crop_buff, 0, cropsize);
     prev_cropsize = cropsize;
     }
@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
         }
       else
         crop_buff = new_buff;
 +      if (!crop_buff)
 +      {
 +          TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
 +          return (-1);
 +      }
       _TIFFmemset(crop_buff, 0, cropsize);
       }
     }
 -  if (!crop_buff)
 -    {
 -    TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
 -    return (-1);
 -    }
   *crop_buff_ptr = crop_buff;
   if (crop->crop_mode & CROP_INVERT)
@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
  * fill-column: 78
  * End:
  */
 +
 -- 
 2.35.1
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,6 +1,6 @@
 Name:           libtiff
 Version:        4.3.0
-Release:        6
+Release:        7
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
@ -12,7 +12,8 @@ Patch6002:	backport-0001-CVE-2022-22844.patch
 Patch6003:	backport-0002-CVE-2022-22844.patch
 Patch6004:	backport-0003-CVE-2022-22844.patch
 Patch6005:	backport-CVE-2022-0891.patch
-Patch6006:      backport-CVE-2022-0908.patch
+Patch6006:      backport-CVE-2022-0907.patch
 Patch6007:      backport-CVE-2022-0908.patch
 BuildRequires:  gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires:  libtool automake autoconf pkgconfig 
@ -133,6 +134,9 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html
 %changelog
 * Mon Mar 28 2022 yangcheng <yangcheng87@h-partners.com> - 4.3.0-7
 - fix CVE-2022-0907
 * Tue Mar 22 2022 yangcheng <yangcheng87@h-partners.com> - 4.3.0-6
 - Type:cve
 - ID:CVE-2022-0908