packages/libtiff
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!63 fix CVE-2022-0909,CVE-2022-0924

Browse Source 
From: @dongyuzhen 
Reviewed-by: @zzm_567, @t_feng 
Signed-off-by: @t_feng
This commit is contained in:
openeuler-ci-bot 2022-04-02 06:50:22 +00:00 committed by Gitee
commit ddfae92625
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 97 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
backport-CVE-2022-0909.patch Normal file
View File

@ -0,0 +1,35 @@
From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Tue, 8 Mar 2022 16:22:04 +0000
Subject: [PATCH] fix the FPE in tiffcrop (#393)
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/32ea0722ee68f503b7a3f9b2d557acb293fc8cde
---
libtiff/tif_dir.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index a6c254f..77da6ea 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
break;
case TIFFTAG_XRESOLUTION:
dblval = va_arg(ap, double);
- if( dblval < 0 )
+ if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
break;
case TIFFTAG_YRESOLUTION:
dblval = va_arg(ap, double);
- if( dblval < 0 )
+ if( dblval != dblval || dblval < 0 )
goto badvaluedouble;
td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
break;
--
2.27.0

56
backport-CVE-2022-0924.patch Normal file
View File

@ -0,0 +1,56 @@
From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001
From: 4ugustus <wangdw.augustus@qq.com>
Date: Thu, 10 Mar 2022 08:48:00 +0000
Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/88d79a45a31c74cba98c697892fed5f7db8b963a
---
tools/tiffcp.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 1f88951..552d8fa 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
tdata_t obuf;
tstrip_t strip = 0;
tsample_t s;
+ uint16_t bps = 0, bytes_per_sample;
obuf = limitMalloc(stripsize);
if (obuf == NULL)
return (0);
_TIFFmemset(obuf, 0, stripsize);
(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( bps == 0 )
+ {
+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
+ _TIFFfree(obuf);
+ return 0;
+ }
+ if( (bps % 8) != 0 )
+ {
+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
+ _TIFFfree(obuf);
+ return 0;
+ }
+ bytes_per_sample = bps/8;
for (s = 0; s < spp; s++) {
uint32_t row;
for (row = 0; row < imagelength; row += rowsperstrip) {
@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
cpContigBufToSeparateBuf(
obuf, (uint8_t*) buf + row * rowsize + s,
- nrows, imagewidth, 0, 0, spp, 1);
+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
TIFFError(TIFFFileName(out),
"Error, can't write strip %"PRIu32,
--
2.27.0

7
libtiff.spec
View File

@ -1,6 +1,6 @@
Name: libtiff Name: libtiff
Version: 4.3.0 Version: 4.3.0
Release: 8 Release: 9
Summary: TIFF Library and Utilities Summary: TIFF Library and Utilities
License: libtiff License: libtiff
URL: https://www.simplesystems.org/libtiff/ URL: https://www.simplesystems.org/libtiff/
@ -15,6 +15,8 @@ Patch6005: backport-CVE-2022-0891.patch
Patch6006: backport-CVE-2022-0907.patch Patch6006: backport-CVE-2022-0907.patch
Patch6007: backport-CVE-2022-0908.patch Patch6007: backport-CVE-2022-0908.patch
Patch6008: backport-CVE-2022-0865.patch Patch6008: backport-CVE-2022-0865.patch
Patch6009: backport-CVE-2022-0909.patch
Patch6010: backport-CVE-2022-0924.patch
BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
BuildRequires: libtool automake autoconf pkgconfig BuildRequires: libtool automake autoconf pkgconfig
@ -135,6 +137,9 @@ find html -name 'Makefile*' | xargs rm
%exclude %{_datadir}/html/man/tiffgt.1.html %exclude %{_datadir}/html/man/tiffgt.1.html
%changelog %changelog
* Fri Apr 01 2022 dongyuzhen <dongyuzhen@h-partners.com> - 4.3.0-9
- fix CVE-2022-0909,CVE-2022-0924
* Tue Mar 29 2022 yangcheng <yangcheng87@h-partners.com> - 4.3.0-8 * Tue Mar 29 2022 yangcheng <yangcheng87@h-partners.com> - 4.3.0-8
- fix CVE-2022-0865 - fix CVE-2022-0865