packages/libtiff
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:d5525bac82e84eb296c4e8c7f5c39c48938b667c
Branches Tags
packages:main
..
compare: packages:fb641b48dd23f0f739e493d7f37b7982dc46b9f9
Branches Tags
packages:main

No commits in common. "d5525bac82e84eb296c4e8c7f5c39c48938b667c" and "fb641b48dd23f0f739e493d7f37b7982dc46b9f9" have entirely different histories.
d5525bac82 ... fb641b48dd

10 changed files with 96 additions and 525 deletions
Show Stats Expand all files Collapse all files

170
backport-0001-CVE-2023-6277.patch
View File

@ -1,170 +0,0 @@
From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 31 Oct 2023 15:43:29 +0000
Subject: [PATCH] Prevent some out-of-memory attacks
Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
---
libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 90 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 2c49dc6a..58a42760 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1308,6 +1308,21 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
datasize = (*count) * typesize;
assert((tmsize_t)datasize > 0);
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of requested memory is not greater than file size.
+ */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ if (datasize > filesize)
+ {
+ TIFFWarningExtR(tif, "ReadDirEntryArray",
+ "Requested memory size for tag %d (0x%x) %" PRIu32
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, tag not read",
+ direntry->tdir_tag, direntry->tdir_tag, datasize,
+ filesize);
+ return (TIFFReadDirEntryErrAlloc);
+ }
+
if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
return TIFFReadDirEntryErrIo;
@@ -5266,6 +5281,20 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
if (!_TIFFFillStrilesInternal(tif, 0))
return -1;
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of requested memory is not greater than file size. */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(tif, module,
+ "Requested memory size for StripByteCounts of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return -1;
+ }
+
if (td->td_stripbytecount_p)
_TIFFfreeExt(tif, td->td_stripbytecount_p);
td->td_stripbytecount_p = (uint64_t *)_TIFFCheckMalloc(
@@ -5276,9 +5305,7 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
if (td->td_compression != COMPRESSION_NONE)
{
uint64_t space;
- uint64_t filesize;
uint16_t n;
- filesize = TIFFGetFileSize(tif);
if (!(tif->tif_flags & TIFF_BIGTIFF))
space = sizeof(TIFFHeaderClassic) + 2 + dircount * 12 + 4;
else
@@ -5807,6 +5834,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
dircount16 = (uint16_t)dircount64;
dirsize = 20;
}
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(
+ tif, module,
+ "Requested memory size for TIFF directory of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, TIFF directory not read",
+ allocsize, filesize);
+ return 0;
+ }
origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
"to read TIFF directory");
if (origdir == NULL)
@@ -5921,6 +5962,20 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
"directories not supported");
return 0;
}
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(
+ tif, module,
+ "Requested memory size for TIFF directory of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, TIFF directory not read",
+ allocsize, filesize);
+ return 0;
+ }
origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
"to read TIFF directory");
if (origdir == NULL)
@@ -5968,6 +6023,8 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
}
}
}
+ /* No check against filesize needed here because "dir" should have same size
+ * than "origdir" checked above. */
dir = (TIFFDirEntry *)_TIFFCheckMalloc(
tif, dircount16, sizeof(TIFFDirEntry), "to read TIFF directory");
if (dir == 0)
@@ -7164,6 +7221,20 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
return (0);
}
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(tif, module,
+ "Requested memory size for StripArray of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ _TIFFfreeExt(tif, data);
+ return (0);
+ }
resizeddata = (uint64_t *)_TIFFCheckMalloc(
tif, nstrips, sizeof(uint64_t), "for strip array");
if (resizeddata == 0)
@@ -7263,6 +7334,23 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
}
bytecount = last_offset + last_bytecount - offset;
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of StripByteCount and StripOffset tags is not greater than
+ * file size.
+ */
+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+ uint64_t filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
+ "Requested memory size for StripByteCount and "
+ "StripOffsets %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return;
+ }
+
newcounts =
(uint64_t *)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t),
"for chopped \"StripByteCounts\" array");
--
2.33.0

46
backport-0002-CVE-2023-6277.patch
View File

@ -1,46 +0,0 @@
From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 31 Oct 2023 15:58:41 +0100
Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
col/row (fixes #622)
---
libtiff/tif_getimage.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 41f7dfd7..6fee35db 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint32_t row, uint32_t *raster,
if (TIFFRGBAImageOK(tif, emsg) &&
TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg))
{
+ if (row >= img.height)
+ {
+ TIFFErrorExtR(tif, TIFFFileName(tif),
+ "Invalid row passed to TIFFReadRGBAStrip().");
+ TIFFRGBAImageEnd(&img);
+ return (0);
+ }
img.row_offset = row;
img.col_offset = 0;
@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint32_t col, uint32_t row, uint32_t *raster,
return (0);
}
+ if (col >= img.width || row >= img.height)
+ {
+ TIFFErrorExtR(tif, TIFFFileName(tif),
+ "Invalid row/col passed to TIFFReadRGBATile().");
+ TIFFRGBAImageEnd(&img);
+ return (0);
+ }
+
/*
* The TIFFRGBAImageGet() function doesn't allow us to get off the
* edge of the image, even to fill an otherwise valid tile. So we
--
2.33.0

194
backport-0003-CVE-2023-6277.patch
View File

@ -1,194 +0,0 @@
From 38f5b5b9f95891d2616f1df70ebcfb53690cb67c Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 29 Nov 2023 18:10:25 +0800
Subject: [PATCH] backport patch for fix CVE-2023-6277 issue
---
libtiff/tif_dirread.c | 129 +++++++++++++++++++++---------------------
1 file changed, 66 insertions(+), 63 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index a98ea1f..b38060f 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1308,19 +1308,22 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
datasize = (*count) * typesize;
assert((tmsize_t)datasize > 0);
- /* Before allocating a huge amount of memory for corrupted files, check if
- * size of requested memory is not greater than file size.
- */
- uint64_t filesize = TIFFGetFileSize(tif);
- if (datasize > filesize)
- {
- TIFFWarningExtR(tif, "ReadDirEntryArray",
- "Requested memory size for tag %d (0x%x) %" PRIu32
- " is greather than filesize %" PRIu64
- ". Memory not allocated, tag not read",
- direntry->tdir_tag, direntry->tdir_tag, datasize,
- filesize);
- return (TIFFReadDirEntryErrAlloc);
+ if (datasize > 100 * 1024 * 1024)
+ {
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size.
+ */
+ const uint64_t filesize = TIFFGetFileSize(tif);
+ if (datasize > filesize)
+ {
+ TIFFWarningExtR(tif, "ReadDirEntryArray",
+ "Requested memory size for tag %d (0x%x) %" PRIu32
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated, tag not read",
+ direntry->tdir_tag, direntry->tdir_tag, datasize,
+ filesize);
+ return (TIFFReadDirEntryErrAlloc);
+ }
}
if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
@@ -5281,18 +5284,22 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
if (!_TIFFFillStrilesInternal(tif, 0))
return -1;
- /* Before allocating a huge amount of memory for corrupted files, check if
- * size of requested memory is not greater than file size. */
- uint64_t filesize = TIFFGetFileSize(tif);
- uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
- if (allocsize > filesize)
- {
- TIFFWarningExtR(tif, module,
- "Requested memory size for StripByteCounts of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- return -1;
+ const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+ uint64_t filesize = 0;
+ if (allocsize > 100 * 1024 * 1024)
+ {
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(
+ tif, module,
+ "Requested memory size for StripByteCounts of %" PRIu64
+ " is greater than filesize %" PRIu64 ". Memory not allocated",
+ allocsize, filesize);
+ return -1;
+ }
}
if (td->td_stripbytecount_p)
@@ -5341,6 +5348,8 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
return -1;
space += datasize;
}
+ if (filesize == 0)
+ filesize = TIFFGetFileSize(tif);
if (filesize < space)
/* we should perhaps return in error ? */
space = filesize;
@@ -5834,20 +5843,6 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
dircount16 = (uint16_t)dircount64;
dirsize = 20;
}
- /* Before allocating a huge amount of memory for corrupted files, check
- * if size of requested memory is not greater than file size. */
- uint64_t filesize = TIFFGetFileSize(tif);
- uint64_t allocsize = (uint64_t)dircount16 * dirsize;
- if (allocsize > filesize)
- {
- TIFFWarningExtR(
- tif, module,
- "Requested memory size for TIFF directory of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated, TIFF directory not read",
- allocsize, filesize);
- return 0;
- }
origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
"to read TIFF directory");
if (origdir == NULL)
@@ -5971,7 +5966,7 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
TIFFWarningExtR(
tif, module,
"Requested memory size for TIFF directory of %" PRIu64
- " is greather than filesize %" PRIu64
+ " is greater than filesize %" PRIu64
". Memory not allocated, TIFF directory not read",
allocsize, filesize);
return 0;
@@ -7221,19 +7216,24 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
return (0);
}
- /* Before allocating a huge amount of memory for corrupted files, check
- * if size of requested memory is not greater than file size. */
- uint64_t filesize = TIFFGetFileSize(tif);
- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
- if (allocsize > filesize)
+ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+ if (allocsize > 100 * 1024 * 1024)
{
- TIFFWarningExtR(tif, module,
- "Requested memory size for StripArray of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- _TIFFfreeExt(tif, data);
- return (0);
+ /* Before allocating a huge amount of memory for corrupted files,
+ * check if size of requested memory is not greater than file size.
+ */
+ const uint64_t filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(
+ tif, module,
+ "Requested memory size for StripArray of %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ _TIFFfreeExt(tif, data);
+ return (0);
+ }
}
resizeddata = (uint64_t *)_TIFFCheckMalloc(
tif, nstrips, sizeof(uint64_t), "for strip array");
@@ -7338,17 +7338,20 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
* size of StripByteCount and StripOffset tags is not greater than
* file size.
*/
- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
- uint64_t filesize = TIFFGetFileSize(tif);
- if (allocsize > filesize)
- {
- TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
- "Requested memory size for StripByteCount and "
- "StripOffsets %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- return;
+ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+ if (allocsize > 100 * 1024 * 1024)
+ {
+ const uint64_t filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
+ "Requested memory size for StripByteCount and "
+ "StripOffsets %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return;
+ }
}
newcounts =
--
2.27.0

61
backport-0004-CVE-2024-7006.patch
View File

@ -1,61 +0,0 @@
From 818fb8ce881cf839fbc710f6690aadb992aa0f9e Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Fri, 1 Dec 2023 20:12:25 +0100
Subject: [PATCH] Check return value of _TIFFCreateAnonField().
Fixes #624
---
libtiff/tif_dirinfo.c | 2 +-
libtiff/tif_dirread.c | 16 ++++++----------
2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
index bff7592a..2338ca21 100644
--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag,
if (fld == NULL)
{
fld = _TIFFCreateAnonField(tif, tag, dt);
- if (!_TIFFMergeFields(tif, fld, 1))
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
return NULL;
}
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index c7969414..242912f3 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4278,11 +4278,9 @@ int TIFFReadDirectory(TIFF *tif)
dp->tdir_tag, dp->tdir_tag);
/* the following knowingly leaks the
anonymous field structure */
- if (!_TIFFMergeFields(
- tif,
- _TIFFCreateAnonField(tif, dp->tdir_tag,
- (TIFFDataType)dp->tdir_type),
- 1))
+ const TIFFField *fld = _TIFFCreateAnonField(
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
{
TIFFWarningExtR(
tif, module,
@@ -5156,11 +5154,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
"Unknown field with tag %" PRIu16 " (0x%" PRIx16
") encountered",
dp->tdir_tag, dp->tdir_tag);
- if (!_TIFFMergeFields(
- tif,
- _TIFFCreateAnonField(tif, dp->tdir_tag,
- (TIFFDataType)dp->tdir_type),
- 1))
+ const TIFFField *fld = _TIFFCreateAnonField(
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
{
TIFFWarningExtR(tif, module,
"Registering anonymous field with tag %" PRIu16
--
GitLab

31
backport-CVE-2023-38288.patch Normal file
View File

@ -0,0 +1,31 @@
From 4fc16f649fa2875d5c388cf2edc295510a247ee5 Mon Sep 17 00:00:00 2001
From: Arie Haenel <arie.haenel@jct.ac.il>
Date: Wed, 19 Jul 2023 19:34:25 +0000
Subject: [PATCH] tiffcp: fix memory corruption (overflow) on hostile images
(fixes #591)
---
tools/tiffcp.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 3b2d1ddac..80b39829a 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1754,6 +1754,13 @@ DECLAREreadFunc(readSeparateTilesIntoBuffer)
"Width * Samples/Pixel)");
return 0;
}
+
+ if ( (imagew - tilew * spp) > INT_MAX ){
+ TIFFError(TIFFFileName(in),
+ "Error, image raster scan line size is too large");
+ return 0;
+ }
+
iskew = imagew - tilew * spp;
tilebuf = limitMalloc(tilesize);
if (tilebuf == 0)
--
GitLab

59
backport-CVE-2023-38289.patch Normal file
View File

@ -0,0 +1,59 @@
From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001
From: Arie Haenel <arie.haenel@jct.ac.il>
Date: Wed, 19 Jul 2023 19:40:01 +0000
Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes
#592)
---
tools/raw2tiff.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
index 4ee59e5d7..0d6b0b664 100644
--- a/tools/raw2tiff.c
+++ b/tools/raw2tiff.c
@@ -101,6 +101,7 @@ int main(int argc, char *argv[])
int fd;
char *outfilename = NULL;
TIFF *out;
+ uint32_t temp_limit_check = 0; /* temp for integer overflow checking*/
uint32_t row, col, band;
int c;
@@ -221,6 +222,33 @@ int main(int argc, char *argv[])
if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
return EXIT_FAILURE;
+ /* check for integer overflow in */
+ /* hdr_size + (*width) * (*length) * nbands * depth */
+
+ if ((width == 0) || (length == 0) ){
+ fprintf(stderr, "Too large nbands value specified.\n");
+ return (EXIT_FAILURE);
+ }
+
+ temp_limit_check = nbands * depth;
+
+ if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) ) {
+ fprintf(stderr, "Too large length size specified.\n");
+ return (EXIT_FAILURE);
+ }
+ temp_limit_check = temp_limit_check * length;
+
+ if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) ) {
+ fprintf(stderr, "Too large width size specified.\n");
+ return (EXIT_FAILURE);
+ }
+ temp_limit_check = temp_limit_check * width;
+
+ if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) ) {
+ fprintf(stderr, "Too large header size specified.\n");
+ return (EXIT_FAILURE);
+ }
+
if (outfilename == NULL)
outfilename = argv[optind + 1];
out = TIFFOpen(outfilename, "w");
--
GitLab

27
backport-CVE-2023-6228.patch
View File

@ -1,27 +0,0 @@
From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sat, 9 Sep 2023 15:45:47 +0200
Subject: [PATCH] Check also if codec of input image is available,
independently from codec check of output image and return with error if not.
Fixes #606.
---
tools/tiffcp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index aff06260..2628bdbb 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -846,6 +846,8 @@ static int tiffcp(TIFF *in, TIFF *out)
if (!TIFFIsCODECConfigured(compression))
return FALSE;
TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
+ if (!TIFFIsCODECConfigured(input_compression))
+ return FALSE;
TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
if (input_compression == COMPRESSION_JPEG)
{
--
GitLab

33
libtiff.spec
View File

@ -1,16 +1,13 @@
Name: libtiff Name: libtiff
Version: 4.6.0 Version: 4.5.1
Release: 3 Release: 1
Summary: TIFF Library and Utilities Summary: TIFF Library and Utilities
License: libtiff License: libtiff
URL: https://libtiff.gitlab.io/libtiff/ URL: https://www.simplesystems.org/libtiff/
Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
Patch6000: backport-CVE-2023-6228.patch Patch6000: backport-CVE-2023-38288.patch
Patch6001: backport-0001-CVE-2023-6277.patch Patch6001: backport-CVE-2023-38289.patch
Patch6002: backport-0002-CVE-2023-6277.patch
Patch6003: backport-0003-CVE-2023-6277.patch
Patch6004: backport-0004-CVE-2024-7006.patch
BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
BuildRequires: libtool automake autoconf pkgconfig BuildRequires: libtool automake autoconf pkgconfig
@ -130,24 +127,6 @@ find doc -name 'Makefile*' | xargs rm
%exclude %{_mandir}/man1/* %exclude %{_mandir}/man1/*
%changelog %changelog
* Tue Aug 13 2024 wangguochun <wangguochun@kylinos.cn> - 4.6.0-3
- fix CVE-2024-7006
* Mon Jul 22 2024 xuguangmin <xuguangmin@kylinos.cn> - 4.6.0-2
- Fix incorrect dates in the ChangeLog section of the spec file.
* Wed Dec 27 2023 lvgenggeng <lvgenggeng@uniontech.com> - 4.6.0-1
- bump to 4.6.0
* Wed Nov 29 2023 liningjie <liningjie@xfusion.com> - 4.5.1-4
- backport patch for fix CVE-2023-6277 issue
* Sat Nov 25 2023 liningjie <liningjie@xfusion.com> - 4.5.1-3
- fix CVE-2023-6277
* Tue Nov 21 2023 liningjie <liningjie@xfusion.com> - 4.5.1-2
- fix CVE-2023-6228
* Mon Jul 24 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 4.5.1-1 * Mon Jul 24 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 4.5.1-1
- update 4.5.1 - update 4.5.1
@ -166,7 +145,7 @@ find doc -name 'Makefile*' | xargs rm
* Wed May 24 2023 zhangpan <zhangpan103@h-partners.com> - 4.5.0-4 * Wed May 24 2023 zhangpan <zhangpan103@h-partners.com> - 4.5.0-4
- fix CVE-2023-2731 - fix CVE-2023-2731
* Mon Feb 20 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 4.5.0-3 * Thu Feb 20 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 4.5.0-3
- delete old so files - delete old so files
* Thu Feb 16 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 4.5.0-2 * Thu Feb 16 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 4.5.0-2

BIN
tiff-4.5.1.tar.gz Normal file
View File

Binary file not shown.

BIN
tiff-4.6.0.tar.gz
View File

Binary file not shown.