packages/libtiff
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

1

Browse Source
This commit is contained in:
19909236985 2022-06-23 15:15:15 +08:00
parent 10091c3c2d
commit 7092167bfd
21 changed files with 1202 additions and 533 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

772
backport-0001-CVE-2022-1622-CVE-2022-1623.patch Normal file
View File

@ -0,0 +1,772 @@
From 189d65779275132c86abd1e06cdab8a080645b32 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 10 Mar 2022 12:14:31 +0100
Subject: [PATCH 1/3] tif_lzw.c: make LZW_CHECKEOS non-optional
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/318/diffs
this is pre-patch for CVE-2022-1622 and CVE-2022-1623
---
libtiff/tif_lzw.c | 551 ++++++++++++++++++++++++++++++----------------
1 file changed, 356 insertions(+), 195 deletions(-)
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index c06aec4..c28366b 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -1,6 +1,7 @@
/*
* Copyright (c) 1988-1997 Sam Leffler
* Copyright (c) 1991-1997 Silicon Graphics, Inc.
+ * Copyright (c) 2022 Even Rouault
*
* Permission to use, copy, modify, distribute, and sell this software and
* its documentation for any purpose is hereby granted without fee, provided
@@ -36,8 +37,13 @@
*/
#include "tif_predict.h"
+#include <stdbool.h>
#include <stdio.h>
+/* Select the plausible largest natural integer type for the architecture */
+#define SIZEOF_WORDTYPE SIZEOF_SIZE_T
+typedef size_t WordType;
+
/*
* NB: The 5.0 spec describes a different algorithm than Aldus
* implements. Specifically, Aldus does code length transitions
@@ -52,13 +58,6 @@
* Future revisions to the TIFF spec are expected to "clarify this issue".
*/
#define LZW_COMPAT /* include backwards compatibility code */
-/*
- * Each strip of data is supposed to be terminated by a CODE_EOI.
- * If the following #define is included, the decoder will also
- * check for end-of-strip w/o seeing this code. This makes the
- * library more robust, but also slower.
- */
-#define LZW_CHECKEOS /* include checks for strips w/o EOI code */
#define MAXCODE(n) ((1L<<(n))-1)
/*
@@ -92,7 +91,7 @@ typedef struct {
unsigned short nbits; /* # of bits/code */
unsigned short maxcode; /* maximum code for lzw_nbits */
unsigned short free_ent; /* next free entry in hash table */
- unsigned long nextdata; /* next bits of i/o */
+ WordType nextdata; /* next bits of i/o */
long nextbits; /* # of valid bits in lzw_nextdata */
int rw_mode; /* preserve rw_mode from init */
@@ -119,8 +118,10 @@ typedef struct {
typedef struct code_ent {
struct code_ent *next;
unsigned short length; /* string len, including this token */
- unsigned char value; /* data value */
+ /* firstchar should be placed immediately before value in this structure */
unsigned char firstchar; /* first token of string */
+ unsigned char value; /* data value */
+ bool repeated;
} code_t;
typedef int (*decodeFunc)(TIFF*, uint8_t*, tmsize_t, uint16_t);
@@ -131,10 +132,8 @@ typedef struct {
/* Decoding specific data */
long dec_nbitsmask; /* lzw_nbits 1 bits, right adjusted */
long dec_restart; /* restart count */
-#ifdef LZW_CHECKEOS
uint64_t dec_bitsleft; /* available bits in raw data */
tmsize_t old_tif_rawcc; /* value of tif_rawcc at the end of the previous TIFLZWDecode() call */
-#endif
decodeFunc dec_decode; /* regular or backwards compatible */
code_t* dec_codep; /* current recognized code */
code_t* dec_oldcodep; /* previously recognized code */
@@ -167,26 +166,6 @@ static void cl_hash(LZWCodecState*);
* LZW Decoder.
*/
-#ifdef LZW_CHECKEOS
-/*
- * This check shouldn't be necessary because each
- * strip is suppose to be terminated with CODE_EOI.
- */
-#define NextCode(_tif, _sp, _bp, _code, _get) { \
- if ((_sp)->dec_bitsleft < (uint64_t)nbits) { \
- TIFFWarningExt(_tif->tif_clientdata, module, \
- "LZWDecode: Strip %"PRIu32" not terminated with EOI code", \
- _tif->tif_curstrip); \
- _code = CODE_EOI; \
- } else { \
- _get(_sp,_bp,_code); \
- (_sp)->dec_bitsleft -= nbits; \
- } \
-}
-#else
-#define NextCode(tif, sp, bp, code, get) get(sp, bp, code)
-#endif
-
static int
LZWFixupTags(TIFF* tif)
{
@@ -236,17 +215,17 @@ LZWSetupDecode(TIFF* tif)
*/
code = 255;
do {
- sp->dec_codetab[code].value = (unsigned char)code;
sp->dec_codetab[code].firstchar = (unsigned char)code;
+ sp->dec_codetab[code].value = (unsigned char)code;
+ sp->dec_codetab[code].repeated = true;
sp->dec_codetab[code].length = 1;
sp->dec_codetab[code].next = NULL;
} while (code--);
/*
- * Zero-out the unused entries
- */
- /* Silence false positive */
- /* coverity[overrun-buffer-arg] */
- _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
+ * Zero-out the unused entries */
+ /* Silence false positive */
+ /* coverity[overrun-buffer-arg] */
+ memset(&sp->dec_codetab[CODE_CLEAR], 0,
(CODE_FIRST - CODE_CLEAR) * sizeof (code_t));
}
return (1);
@@ -316,11 +295,9 @@ LZWPreDecode(TIFF* tif, uint16_t s)
sp->dec_restart = 0;
sp->dec_nbitsmask = MAXCODE(BITS_MIN);
-#ifdef LZW_CHECKEOS
sp->dec_bitsleft = 0;
- sp->old_tif_rawcc = 0;
-#endif
- sp->dec_free_entp = sp->dec_codetab + CODE_FIRST;
+ sp->old_tif_rawcc = 0;
+ sp->dec_free_entp = sp->dec_codetab - 1 ; // + CODE_FIRST;
/*
* Zero entries that are not yet filled in. We do
* this to guard against bogus input data that causes
@@ -328,8 +305,7 @@ LZWPreDecode(TIFF* tif, uint16_t s)
* come up with a way to safely bounds-check input codes
* while decoding then you can remove this operation.
*/
- _TIFFmemset(sp->dec_free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
- sp->dec_oldcodep = &sp->dec_codetab[-1];
+ sp->dec_oldcodep = &sp->dec_codetab[0];
sp->dec_maxcodep = &sp->dec_codetab[sp->dec_nbitsmask-1];
return (1);
}
@@ -337,24 +313,77 @@ LZWPreDecode(TIFF* tif, uint16_t s)
/*
* Decode a "hunk of data".
*/
-#define GetNextCode(sp, bp, code) { \
- nextdata = (nextdata<<8) | *(bp)++; \
- nextbits += 8; \
- if (nextbits < nbits) { \
- nextdata = (nextdata<<8) | *(bp)++; \
- nextbits += 8; \
- } \
- code = (hcode_t)((nextdata >> (nextbits-nbits)) & nbitsmask); \
- nextbits -= nbits; \
-}
+/* Get the next 32 or 64-bit from the input data */
+
+#ifdef WORDS_BIGENDIAN
+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata))
+#elif SIZEOF_WORDTYPE == 8
+# if defined(__GNUC__) && defined(__x86_64__)
+# define GetNextData(nextdata, bp) nextdata = __builtin_bswap64(*(uint64_t*)(bp))
+# elif defined(_M_X64)
+# define GetNextData(nextdata, bp) nextdata = _byteswap_uint64(*(uint64_t*)(bp))
+# elif defined(__GNUC__)
+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)); \
+ nextdata = __builtin_bswap64(nextdata)
+# else
+# define GetNextData(nextdata, bp) nextdata = (((uint64_t)bp[0]) << 56) | \
+ (((uint64_t)bp[1]) << 48) | \
+ (((uint64_t)bp[2]) << 40) | \
+ (((uint64_t)bp[3]) << 32) | \
+ (((uint64_t)bp[4]) << 24) | \
+ (((uint64_t)bp[5]) << 16) | \
+ (((uint64_t)bp[6]) << 8) | \
+ (((uint64_t)bp[7]))
+# endif
+#elif SIZEOF_WORDTYPE == 4
+# if defined(__GNUC__) && defined(__i386__)
+# define GetNextData(nextdata, bp) nextdata = __builtin_bswap32(*(uint32_t*)(bp))
+# elif defined(_M_X86)
+# define GetNextData(nextdata, bp) nextdata = _byteswap_ulong(*(unsigned long*)(bp))
+# elif defined(__GNUC__)
+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)); \
+ nextdata = __builtin_bswap32(nextdata)
+# else
+# define GetNextData(nextdata, bp) nextdata = (((uint32_t)bp[0]) << 24) | \
+ (((uint32_t)bp[1]) << 16) | \
+ (((uint32_t)bp[2]) << 8) | \
+ (((uint32_t)bp[3]))
+# endif
+#else
+# error "Unhandled SIZEOF_WORDTYPE"
+#endif
-static void
-codeLoop(TIFF* tif, const char* module)
-{
- TIFFErrorExt(tif->tif_clientdata, module,
- "Bogus encoding, loop in the code table; scanline %"PRIu32,
- tif->tif_row);
-}
+#define GetNextCodeLZW() do { \
+ nextbits -= nbits; \
+ if (nextbits < 0) { \
+ if (dec_bitsleft >= 8 * SIZEOF_WORDTYPE) { \
+ unsigned codetmp = (unsigned)(nextdata << (-nextbits)); \
+ GetNextData(nextdata, bp); \
+ bp += SIZEOF_WORDTYPE; \
+ nextbits += 8 * SIZEOF_WORDTYPE; \
+ dec_bitsleft -= 8 * SIZEOF_WORDTYPE; \
+ code = (WordType)((codetmp | (nextdata >> nextbits)) & nbitsmask); \
+ break; \
+ } \
+ else {\
+ if( dec_bitsleft < 8) { \
+ goto no_eoi; \
+ }\
+ nextdata = (nextdata<<8) | *(bp)++; \
+ nextbits += 8; \
+ dec_bitsleft -= 8; \
+ if( nextbits < 0 ) { \
+ if( dec_bitsleft < 8) { \
+ goto no_eoi; \
+ }\
+ nextdata = (nextdata<<8) | *(bp)++; \
+ nextbits += 8; \
+ dec_bitsleft -= 8; \
+ } \
+ } \
+ } \
+ code = (WordType)((nextdata >> nextbits) & nbitsmask); \
+} while(0)
static int
LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
@@ -363,13 +392,10 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
LZWCodecState *sp = DecoderState(tif);
char *op = (char*) op0;
long occ = (long) occ0;
- char *tp;
unsigned char *bp;
- hcode_t code;
- int len;
long nbits, nextbits, nbitsmask;
- unsigned long nextdata;
- code_t *codep, *free_entp, *maxcodep, *oldcodep;
+ WordType nextdata;
+ code_t *free_entp, *maxcodep, *oldcodep;
(void) s;
assert(sp != NULL);
@@ -386,7 +412,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
if (sp->dec_restart) {
long residue;
- codep = sp->dec_codep;
+ code_t* codep = sp->dec_codep;
residue = codep->length - sp->dec_restart;
if (residue > occ) {
/*
@@ -400,7 +426,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
codep = codep->next;
} while (--residue > occ && codep);
if (codep) {
- tp = op + occ;
+ uint8_t* tp = op + occ;
do {
*--tp = codep->value;
codep = codep->next;
@@ -413,7 +439,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
*/
op += residue;
occ -= residue;
- tp = op;
+ uint8_t* tp = op;
do {
int t;
--tp;
@@ -425,9 +451,8 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
}
bp = (unsigned char *)tif->tif_rawcp;
-#ifdef LZW_CHECKEOS
sp->dec_bitsleft += (((uint64_t)tif->tif_rawcc - sp->old_tif_rawcc) << 3);
-#endif
+ uint64_t dec_bitsleft = sp->dec_bitsleft;
nbits = sp->lzw_nbits;
nextdata = sp->lzw_nextdata;
nextbits = sp->lzw_nextbits;
@@ -435,128 +460,235 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
oldcodep = sp->dec_oldcodep;
free_entp = sp->dec_free_entp;
maxcodep = sp->dec_maxcodep;
+ code_t* const dec_codetab = sp->dec_codetab;
+ code_t* codep;
+
+ if (occ == 0) {
+ goto after_loop;
+ }
+
+begin:
+ {
+ WordType code;
+ GetNextCodeLZW();
+ codep = dec_codetab + code;
+ if (code >= CODE_FIRST)
+ goto code_above_or_equal_to_258;
+ if (code < 256)
+ goto code_below_256;
+ if (code == CODE_EOI)
+ goto after_loop;
+ goto code_clear;
+
+code_below_256:
+ {
+ if (codep > free_entp)
+ goto error_code;
+ free_entp->next = oldcodep;
+ free_entp->firstchar = oldcodep->firstchar;
+ free_entp->length = oldcodep->length+1;
+ free_entp->value = (uint8_t)code;
+ free_entp->repeated = (bool)(oldcodep->repeated & !(oldcodep->value - code));
+ if (++free_entp > maxcodep) {
+ if (++nbits > BITS_MAX) /* should not happen for a conformant encoder */
+ nbits = BITS_MAX;
+ nbitsmask = MAXCODE(nbits);
+ maxcodep = dec_codetab + nbitsmask-1;
+ if( free_entp >= &dec_codetab[CSIZE] )
+ {
+ /* At that point, the next valid states are either EOI or a */
+ /* CODE_CLEAR. If a regular code is read, at the next */
+ /* attempt at registering a new entry, we will error out */
+ /* due to setting free_entp before any valid code */
+ free_entp = dec_codetab - 1;
+ }
+ }
+ oldcodep = codep;
+ *op++ = (uint8_t)code;
+ occ--;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
- while (occ > 0) {
- NextCode(tif, sp, bp, code, GetNextCode);
- if (code == CODE_EOI)
- break;
- if (code == CODE_CLEAR) {
- do {
- free_entp = sp->dec_codetab + CODE_FIRST;
- _TIFFmemset(free_entp, 0,
- (CSIZE - CODE_FIRST) * sizeof (code_t));
- nbits = BITS_MIN;
- nbitsmask = MAXCODE(BITS_MIN);
- maxcodep = sp->dec_codetab + nbitsmask-1;
- NextCode(tif, sp, bp, code, GetNextCode);
- } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */
- if (code == CODE_EOI)
- break;
- if (code > CODE_CLEAR) {
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "LZWDecode: Corrupted LZW table at scanline %"PRIu32,
- tif->tif_row);
- return (0);
- }
- *op++ = (char)code;
- occ--;
- oldcodep = sp->dec_codetab + code;
- continue;
- }
- codep = sp->dec_codetab + code;
-
- /*
- * Add the new entry to the code table.
- */
- if (free_entp < &sp->dec_codetab[0] ||
- free_entp >= &sp->dec_codetab[CSIZE]) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "Corrupted LZW table at scanline %"PRIu32,
- tif->tif_row);
- return (0);
- }
+code_above_or_equal_to_258:
+ {
+ /*
+ * Add the new entry to the code table.
+ */
+
+ if (codep >= free_entp)
+ {
+ if (codep != free_entp)
+ goto error_code;
+ free_entp->value = oldcodep->firstchar;
+ }
+ else
+ {
+ free_entp->value = codep->firstchar;
+ }
+ free_entp->repeated = (bool)(oldcodep->repeated & !(oldcodep->value - free_entp->value));
+ free_entp->next = oldcodep;
+
+ free_entp->firstchar = oldcodep->firstchar;
+ free_entp->length = oldcodep->length+1;
+ if (++free_entp > maxcodep) {
+ if (++nbits > BITS_MAX) /* should not happen for a conformant encoder */
+ nbits = BITS_MAX;
+ nbitsmask = MAXCODE(nbits);
+ maxcodep = dec_codetab + nbitsmask-1;
+ if (free_entp >= &dec_codetab[CSIZE])
+ {
+ /* At that point, the next valid states are either EOI or a */
+ /* CODE_CLEAR. If a regular code is read, at the next */
+ /* attempt at registering a new entry, we will error out */
+ /* due to setting free_entp before any valid code */
+ free_entp = dec_codetab - 1;
+ }
+ }
+ oldcodep = codep;
+
+ /*
+ * Code maps to a string, copy string
+ * value to output (written in reverse).
+ */
+ /* tiny bit faster on x86_64 to store in unsigned short than int */
+ unsigned short len = codep->length;
+
+ if (len < 3) /* equivalent to len == 2 given all other conditions */
+ {
+ if (occ <= 2)
+ {
+ if (occ == 2)
+ {
+ memcpy(op, &(codep->firstchar), 2);
+ op += 2;
+ occ -= 2;
+ goto after_loop;
+ }
+ goto too_short_buffer;
+ }
- free_entp->next = oldcodep;
- if (free_entp->next < &sp->dec_codetab[0] ||
- free_entp->next >= &sp->dec_codetab[CSIZE]) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "Corrupted LZW table at scanline %"PRIu32,
- tif->tif_row);
- return (0);
- }
- free_entp->firstchar = free_entp->next->firstchar;
- free_entp->length = free_entp->next->length+1;
- free_entp->value = (codep < free_entp) ?
- codep->firstchar : free_entp->firstchar;
- if (++free_entp > maxcodep) {
- if (++nbits > BITS_MAX) /* should not happen */
- nbits = BITS_MAX;
- nbitsmask = MAXCODE(nbits);
- maxcodep = sp->dec_codetab + nbitsmask-1;
- }
- oldcodep = codep;
- if (code >= 256) {
- /*
- * Code maps to a string, copy string
- * value to output (written in reverse).
- */
- if(codep->length == 0) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "Wrong length of decoded string: "
- "data probably corrupted at scanline %"PRIu32,
- tif->tif_row);
- return (0);
- }
- if (codep->length > occ) {
- /*
- * String is too long for decode buffer,
- * locate portion that will fit, copy to
- * the decode buffer, and setup restart
- * logic for the next decoding call.
- */
- sp->dec_codep = codep;
- do {
- codep = codep->next;
- } while (codep && codep->length > occ);
- if (codep) {
- sp->dec_restart = (long)occ;
- tp = op + occ;
- do {
- *--tp = codep->value;
- codep = codep->next;
- } while (--occ && codep);
- if (codep)
- codeLoop(tif, module);
- }
- break;
- }
- len = codep->length;
- tp = op + len;
- do {
- int t;
- --tp;
- t = codep->value;
- codep = codep->next;
- *tp = (char)t;
- } while (codep && tp > op);
- if (codep) {
- codeLoop(tif, module);
- break;
- }
- assert(occ >= len);
- op += len;
- occ -= len;
- } else {
- *op++ = (char)code;
- occ--;
- }
- }
+ memcpy(op, &(codep->firstchar), 2);
+ op += 2;
+ occ -= 2;
+ goto begin; /* we can save the comparison occ > 0 */
+ }
+
+ if (len == 3)
+ {
+ if (occ <= 3)
+ {
+ if (occ == 3)
+ {
+ op[0] = codep->firstchar;
+ op[1] = codep->next->value;
+ op[2] = codep->value;
+ op += 3;
+ occ -= 3;
+ goto after_loop;
+ }
+ goto too_short_buffer;
+ }
+ op[0] = codep->firstchar;
+ op[1] = codep->next->value;
+ op[2] = codep->value;
+ op += 3;
+ occ -= 3;
+ goto begin; /* we can save the comparison occ > 0 */
+ }
+
+ if (len > occ)
+ {
+ goto too_short_buffer;
+ }
+
+ if (codep->repeated)
+ {
+ memset(op, codep->value, len);
+ op += len;
+ occ -= len;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
+
+ uint8_t* tp = op + len;
+
+ assert(len >= 4);
+
+ *--tp = codep->value;
+ codep = codep->next;
+ *--tp = codep->value;
+ codep = codep->next;
+ *--tp = codep->value;
+ codep = codep->next;
+ *--tp = codep->value;
+ if (tp > op)
+ {
+ do {
+ codep = codep->next;
+ *--tp = codep->value;
+ } while (tp > op);
+ }
+
+ assert(occ >= len);
+ op += len;
+ occ -= len;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
+code_clear:
+ {
+ free_entp = dec_codetab + CODE_FIRST;
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = dec_codetab + nbitsmask-1;
+ do {
+ GetNextCodeLZW();
+ } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */
+ if (code == CODE_EOI)
+ goto after_loop;
+ if (code > CODE_EOI) {
+ goto error_code;
+ }
+ *op++ = (uint8_t)code;
+ occ--;
+ oldcodep = dec_codetab + code;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
+ }
+
+too_short_buffer:
+ {
+ /*
+ * String is too long for decode buffer,
+ * locate portion that will fit, copy to
+ * the decode buffer, and setup restart
+ * logic for the next decoding call.
+ */
+ sp->dec_codep = codep;
+ do {
+ codep = codep->next;
+ } while (codep->length > occ);
+
+ sp->dec_restart = occ;
+ uint8_t* tp = op + occ;
+ do {
+ *--tp = codep->value;
+ codep = codep->next;
+ } while (--occ);
+ }
+
+after_loop:
tif->tif_rawcc -= (tmsize_t)((uint8_t*) bp - tif->tif_rawcp );
tif->tif_rawcp = (uint8_t*) bp;
-#ifdef LZW_CHECKEOS
sp->old_tif_rawcc = tif->tif_rawcc;
-#endif
+ sp->dec_bitsleft = dec_bitsleft;
sp->lzw_nbits = (unsigned short) nbits;
sp->lzw_nextdata = nextdata;
sp->lzw_nextbits = nextbits;
@@ -572,9 +704,35 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
return (0);
}
return (1);
+
+no_eoi:
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "LZWDecode: Strip %"PRIu32" not terminated with EOI code",
+ tif->tif_curstrip);
+ return 0;
+error_code:
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Using code not yet in table");
+ return 0;
}
#ifdef LZW_COMPAT
+
+/*
+ * This check shouldn't be necessary because each
+ * strip is suppose to be terminated with CODE_EOI.
+ */
+#define NextCode(_tif, _sp, _bp, _code, _get, dec_bitsleft) { \
+ if (dec_bitsleft < (uint64_t)nbits) { \
+ TIFFWarningExt(_tif->tif_clientdata, module, \
+ "LZWDecode: Strip %"PRIu32" not terminated with EOI code", \
+ _tif->tif_curstrip); \
+ _code = CODE_EOI; \
+ } else { \
+ _get(_sp,_bp,_code); \
+ dec_bitsleft -= nbits; \
+ } \
+}
+
/*
* Decode a "hunk of data" for old images.
*/
@@ -601,7 +759,8 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
unsigned char *bp;
int code, nbits;
int len;
- long nextbits, nextdata, nbitsmask;
+ long nextbits, nbitsmask;
+ WordType nextdata;
code_t *codep, *free_entp, *maxcodep, *oldcodep;
(void) s;
@@ -653,9 +812,10 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
}
bp = (unsigned char *)tif->tif_rawcp;
-#ifdef LZW_CHECKEOS
+
sp->dec_bitsleft += (((uint64_t)tif->tif_rawcc - sp->old_tif_rawcc) << 3);
-#endif
+ uint64_t dec_bitsleft = sp->dec_bitsleft;
+
nbits = sp->lzw_nbits;
nextdata = sp->lzw_nextdata;
nextbits = sp->lzw_nextbits;
@@ -665,7 +825,7 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
maxcodep = sp->dec_maxcodep;
while (occ > 0) {
- NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ NextCode(tif, sp, bp, code, GetNextCodeCompat, dec_bitsleft);
if (code == CODE_EOI)
break;
if (code == CODE_CLEAR) {
@@ -676,7 +836,7 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask;
- NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ NextCode(tif, sp, bp, code, GetNextCodeCompat, dec_bitsleft);
} while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */
if (code == CODE_EOI)
break;
@@ -772,9 +932,10 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
tif->tif_rawcc -= (tmsize_t)((uint8_t*) bp - tif->tif_rawcp );
tif->tif_rawcp = (uint8_t*) bp;
-#ifdef LZW_CHECKEOS
+
sp->old_tif_rawcc = tif->tif_rawcc;
-#endif
+ sp->dec_bitsleft = dec_bitsleft;
+
sp->lzw_nbits = (unsigned short)nbits;
sp->lzw_nextdata = nextdata;
sp->lzw_nextbits = nextbits;
@@ -893,7 +1054,7 @@ LZWEncode(TIFF* tif, uint8_t* bp, tmsize_t cc, uint16_t s)
hcode_t ent;
long disp;
long incount, outcount, checkpoint;
- unsigned long nextdata;
+ WordType nextdata;
long nextbits;
int free_ent, maxcode, nbits;
uint8_t* op;
@@ -1057,7 +1218,7 @@ LZWPostEncode(TIFF* tif)
register LZWCodecState *sp = EncoderState(tif);
uint8_t* op = tif->tif_rawcp;
long nextbits = sp->lzw_nextbits;
- unsigned long nextdata = sp->lzw_nextdata;
+ WordType nextdata = sp->lzw_nextdata;
long outcount = sp->enc_outcount;
int nbits = sp->lzw_nbits;
--
2.27.0

16
backport-0001-CVE-2022-22844.patch
View File

@ -7,22 +7,14 @@ Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/49b81e99704bd199a24ccce65f974cc2d78cccc4
---
tools/tiffset.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
tools/tiffset.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/tools/tiffset.c b/tools/tiffset.c
index 7ecc401..53afc51 100644
index 8c9e23c..b7badd9 100644
--- a/tools/tiffset.c
+++ b/tools/tiffset.c
@@ -32,6 +32,7 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
+#include <stdint.h>
#include "tiffio.h"
@@ -133,9 +134,19 @@ main(int argc, char* argv[])
@@ -146,9 +146,19 @@ main(int argc, char* argv[])
arg_index++;
if (TIFFFieldDataType(fip) == TIFF_ASCII) {

56
backport-0002-CVE-2022-1622-CVE-2022-1623.patch Normal file
View File

@ -0,0 +1,56 @@
From b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Fri, 22 Apr 2022 18:58:52 +0200
Subject: [PATCH] tif_lzw.c: fix potential out-of-bounds error when trying to
read in the same tile/strip after an error has occured (fixes #410)
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a
---
libtiff/tif_lzw.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index c28366b..1f255d9 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -140,6 +140,7 @@ typedef struct {
code_t* dec_free_entp; /* next free entry */
code_t* dec_maxcodep; /* max available entry */
code_t* dec_codetab; /* kept separate for small machines */
+ int read_error; /* whether a read error has occured, and which should cause further reads in the same strip/tile to be aborted */
/* Encoding specific data */
int enc_oldcode; /* last code encountered */
@@ -307,6 +308,7 @@ LZWPreDecode(TIFF* tif, uint16_t s)
*/
sp->dec_oldcodep = &sp->dec_codetab[0];
sp->dec_maxcodep = &sp->dec_codetab[sp->dec_nbitsmask-1];
+ sp->read_error = 0;
return (1);
}
@@ -399,7 +401,11 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
(void) s;
assert(sp != NULL);
- assert(sp->dec_codetab != NULL);
+ assert(sp->dec_codetab != NULL);
+
+ if (sp->read_error) {
+ return 0;
+ }
/*
Fail if value does not fit in long.
@@ -711,6 +717,7 @@ no_eoi:
tif->tif_curstrip);
return 0;
error_code:
+ sp->read_error = 1;
TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Using code not yet in table");
return 0;
}
--
2.27.0

4
backport-0002-CVE-2022-22844.patch
View File

@ -11,10 +11,10 @@ Reference:https://gitlab.com/libtiff/libtiff/-/commit/0cf67888e32e36b45828dd4679
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/tiffset.c b/tools/tiffset.c
index 53afc51..75a8616 100644
index b7badd9..b8b52c0 100644
--- a/tools/tiffset.c
+++ b/tools/tiffset.c
@@ -136,15 +136,15 @@ main(int argc, char* argv[])
@@ -148,15 +148,15 @@ main(int argc, char* argv[])
if (TIFFFieldDataType(fip) == TIFF_ASCII) {
if(TIFFFieldPassCount( fip )) {
size_t len;

4
backport-0003-CVE-2022-22844.patch
View File

@ -11,10 +11,10 @@ Reference:https://gitlab.com/libtiff/libtiff/-/commit/0a827a985f891d6df481a6f581
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/tiffset.c b/tools/tiffset.c
index 75a8616..19e177b 100644
index b8b52c0..e7a88c0 100644
--- a/tools/tiffset.c
+++ b/tools/tiffset.c
@@ -136,7 +136,7 @@ main(int argc, char* argv[])
@@ -148,7 +148,7 @@ main(int argc, char* argv[])
if (TIFFFieldDataType(fip) == TIFF_ASCII) {
if(TIFFFieldPassCount( fip )) {
size_t len;

102
backport-CVE-2020-35521_CVE-2020-35522.patch
View File

@ -1,102 +0,0 @@
From b5a935d96b21cda0f434230cdf8ca958cd8b4eef Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Sun, 15 Nov 2020 17:02:51 +0100
Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef
---
man/tiff2rgba.1 | 4 ++++
tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1
index d9c9baa..fe9ebb2 100644
--- a/man/tiff2rgba.1
+++ b/man/tiff2rgba.1
@@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file.
Currently this does not work if the
.B \-b
flag is also in effect.
+.TP
+.BI \-M " size"
+Set maximum memory allocation size (in MiB). The default is 256MiB.
+Set to 0 to disable the limit.
.SH "SEE ALSO"
.BR tiff2bw (1),
.BR TIFFReadRGBAImage (3t),
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
index 2eb6f6c..743efe3 100644
--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -53,6 +53,10 @@ uint32 rowsperstrip = (uint32) -1;
int process_by_block = 0; /* default is whole image at once */
int no_alpha = 0;
int bigtiff_output = 0;
+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
+/* malloc size limit (in bytes)
+ * disabled when set to 0 */
+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
static int tiffcvt(TIFF* in, TIFF* out);
@@ -68,8 +72,11 @@ main(int argc, char* argv[])
extern char *optarg;
#endif
- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
+ while ((c = getopt(argc, argv, "c:r:t:bn8hM")) != -1)
switch (c) {
+ case 'M':
+ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
+ break;
case 'b':
process_by_block = 1;
break;
@@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
(unsigned long)pixel_count, (unsigned long)sizeof(uint32));
return (0);
}
+ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
+ TIFFError(TIFFFileName(in),
+ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
+ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
+ return 0;
+ }
/* Read the image in one chunk into an RGBA array */
if (!TIFFReadRGBAImageOriented(in, width, height, raster,
@@ -520,6 +533,13 @@ tiffcvt(TIFF* in, TIFF* out)
TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
+ {
+ TIFFError(TIFFFileName(in),
+ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
+ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
+ return 0;
+ }
if( process_by_block && TIFFIsTiled( in ) )
return( cvt_by_tile( in, out ) );
else if( process_by_block )
@@ -529,7 +549,7 @@ tiffcvt(TIFF* in, TIFF* out)
}
static char* stuff[] = {
- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
"where comp is one of the following compression algorithms:",
" jpeg\t\tJPEG encoding",
" zip\t\tZip/Deflate encoding",
@@ -541,6 +561,7 @@ static char* stuff[] = {
" -b (progress by block rather than as a whole image)",
" -n don't emit alpha component.",
" -8 write BigTIFF file instead of ClassicTIFF",
+ " -M set the memory allocation limit in MiB. 0 to disable limit",
NULL
};
--
2.23.0

50
backport-CVE-2020-35523.patch
View File

@ -1,50 +0,0 @@
From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Tue, 10 Nov 2020 01:54:30 +0100
Subject: [PATCH] gtTileContig(): check Tile width for overflow
fixes #211
---
libtiff/tif_getimage.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 4da785d3..96ab1460 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -29,6 +29,7 @@
*/
#include "tiffiop.h"
#include <stdio.h>
+#include <limits.h>
static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
@@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
flip = setorientation(img);
if (flip & FLIP_VERTICALLY) {
- y = h - 1;
- toskew = -(int32)(tw + w);
+ if ((tw + w) > INT_MAX) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+ return (0);
+ }
+ y = h - 1;
+ toskew = -(int32)(tw + w);
}
else {
- y = 0;
- toskew = -(int32)(tw - w);
+ if (tw > (INT_MAX + w)) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+ return (0);
+ }
+ y = 0;
+ toskew = -(int32)(tw - w);
}
/*
--
GitLab

34
backport-CVE-2020-35524.patch
View File

@ -1,34 +0,0 @@
From 7be2e452ddcf6d7abca88f41d3761e6edab72b22 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Sat, 14 Nov 2020 12:53:01 +0000
Subject: [PATCH] tiff2pdf.c: properly calculate datasize when saving to JPEG
YCbCr
fixes #220
---
tools/tiff2pdf.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -2063,9 +2063,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF*
#endif
(void) 0;
}
- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+#ifdef JPEG_SUPPORT
+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
+ } else
+#endif
+ {
+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+ }
}
if (k == 0) {
/* Assume we had overflow inside TIFFScanlineSize */

57
backport-CVE-2022-0561.patch
View File

@ -1,29 +1,28 @@
From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 6 Feb 2022 13:08:38 +0100
Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
source pointer and size of zero (fixes #362)
---
libtiff/tif_dirread.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 6f90941..627bf48 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5682,8 +5682,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp)
_TIFFfree(data);
return(0);
}
- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64));
- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64));
+ if( dir->tdir_count )
+ _TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64));
+ _TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64));
_TIFFfree(data);
data=resizeddata;
}
--
2.27.0
From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 6 Feb 2022 13:08:38 +0100
Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
source pointer and size of zero (fixes #362)
---
libtiff/tif_dirread.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 23194ced..50ebf8ac 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
_TIFFfree(data);
return(0);
}
- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
+ if( dir->tdir_count )
+ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
+ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
_TIFFfree(data);
data=resizeddata;
}
--
GitLab

55
backport-CVE-2022-0562.patch
View File

@ -1,29 +1,26 @@
From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 5 Feb 2022 20:36:41 +0100
Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
source pointer and size of zero (fixes #362)
---
libtiff/tif_dirread.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 627bf48..8a0e951 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4126,8 +4126,9 @@ TIFFReadDirectory(TIFF* tif)
goto bad;
}
- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
- _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+ if (old_extrasamples > 0)
+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
_TIFFfree(new_sampleinfo);
}
--
2.27.0
From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 5 Feb 2022 20:36:41 +0100
Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
source pointer and size of zero (fixes #362)
---
libtiff/tif_dirread.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 2bbc4585..23194ced 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif)
goto bad;
}
- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
+ if (old_extrasamples > 0)
+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
_TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
_TIFFfree(new_sampleinfo);
}
--
GitLab

6
backport-CVE-2022-0865.patch
View File

@ -9,10 +9,10 @@ Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD
1 file changed, 10 insertions(+)
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
index 7ffe885..ca1ca43 100644
index 7408633..8bfa4ce 100644
--- a/libtiff/tif_jbig.c
+++ b/libtiff/tif_jbig.c
@@ -208,6 +208,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
*/
tif->tif_flags |= TIFF_NOBITREV;
tif->tif_flags &= ~TIFF_MAPPED;
@ -30,5 +30,5 @@ index 7ffe885..ca1ca43 100644
/* Setup the function pointers for encode, decode, and cleanup. */
tif->tif_setupdecode = JBIGSetupDecode;
--
2.27.0
2.35.1

431
backport-CVE-2022-0891.patch
View File

@ -1,216 +1,215 @@
From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 8 Mar 2022 17:02:44 +0000
Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in
extractImageSection
Conflict:NA
Reference:https://gitlab.com/freedesktop-sdk/mirrors/gitlab/libtiff/libtiff/-/commit/232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c
---
tools/tiffcrop.c | 92 +++++++++++++++++++-----------------------------
1 file changed, 36 insertions(+), 56 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 7b3c9e7..36b68bb 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -105,8 +105,8 @@
* of messages to monitor progess without enabling dump logs.
*/
-static char tiffcrop_version_id[] = "2.4";
-static char tiffcrop_rev_date[] = "12-13-2010";
+static char tiffcrop_version_id[] = "2.4.1";
+static char tiffcrop_rev_date[] = "03-03-2010";
#include "tif_config.h"
#include "tiffiop.h"
@@ -6669,10 +6669,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
uint32 img_length;
#endif
- uint32 j, shift1, shift2, trailing_bits;
+ uint32 j, shift1, trailing_bits;
uint32 row, first_row, last_row, first_col, last_col;
uint32 src_offset, dst_offset, row_offset, col_offset;
- uint32 offset1, offset2, full_bytes;
+ uint32 offset1, full_bytes;
uint32 sect_width;
#ifdef DEVELMODE
uint32 sect_length;
@@ -6682,7 +6682,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
int k;
unsigned char bitset;
- static char *bitarray = NULL;
#endif
img_width = image->width;
@@ -6700,17 +6699,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
dst_offset = 0;
#ifdef DEVELMODE
- if (bitarray == NULL)
- {
- if ((bitarray = (char *)malloc(img_width)) == NULL)
- {
- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
- return (-1);
- }
- }
+ char bitarray[39];
#endif
- /* rows, columns, width, length are expressed in pixels */
+ /* rows, columns, width, length are expressed in pixels
+ * first_row, last_row, .. are index into image array starting at 0 to width-1,
+ * last_col shall be also extracted. */
first_row = section->y1;
last_row = section->y2;
first_col = section->x1;
@@ -6720,9 +6714,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
sect_length = last_row - first_row + 1;
#endif
- img_rowsize = ((img_width * bps + 7) / 8) * spp;
- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
- trailing_bits = (sect_width * bps) % 8;
+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
+ * samples rather than separate planes so the same logic works to extract regions
+ * regardless of the way the data are organized in the input file.
+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
+ */
+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
#ifdef DEVELMODE
TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",
@@ -6735,10 +6734,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if ((bps % 8) == 0)
{
- col_offset = first_col * spp * bps / 8;
+ col_offset = (first_col * spp * bps) / 8;
for (row = first_row; row <= last_row; row++)
{
- /* row_offset = row * img_width * spp * bps / 8; */
row_offset = row * img_rowsize;
src_offset = row_offset + col_offset;
@@ -6751,14 +6749,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
}
else
{ /* bps != 8 */
- shift1 = spp * ((first_col * bps) % 8);
- shift2 = spp * ((last_col * bps) % 8);
+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
for (row = first_row; row <= last_row; row++)
{
/* pull out the first byte */
row_offset = row * img_rowsize;
- offset1 = row_offset + (first_col * bps / 8);
- offset2 = row_offset + (last_col * bps / 8);
+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
#ifdef DEVELMODE
for (j = 0, k = 7; j < 8; j++, k--)
@@ -6770,12 +6766,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
sprintf(&bitarray[9], " ");
for (j = 10, k = 7; j < 18; j++, k--)
{
- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
sprintf(&bitarray[j], (bitset) ? "1" : "0");
}
bitarray[18] = '\0';
- TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Shift2: %d\n",
- row, offset1, shift1, offset2, shift2);
+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n",
+ row, offset1, shift1, offset1+full_bytes, trailing_bits);
#endif
bytebuff1 = bytebuff2 = 0;
@@ -6799,11 +6795,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if (trailing_bits != 0)
{
- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
sect_buff[dst_offset] = bytebuff2;
#ifdef DEVELMODE
TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n",
- offset2, dst_offset);
+ offset1 + full_bytes, dst_offset);
for (j = 30, k = 7; j < 38; j++, k--)
{
bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
@@ -6822,8 +6819,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#endif
for (j = 0; j <= full_bytes; j++)
{
- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
}
#ifdef DEVELMODE
@@ -6839,36 +6838,17 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#endif
dst_offset += full_bytes;
+ /* Copy the trailing_bits for the last byte in the destination buffer.
+ Could come from one ore two bytes of the source buffer. */
if (trailing_bits != 0)
{
#ifdef DEVELMODE
- TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", offset1 + full_bytes, dst_offset);
-#endif
- if (shift2 > shift1)
- {
- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
- sect_buff[dst_offset] = bytebuff2;
-#ifdef DEVELMODE
- TIFFError ("", " Shift2 > Shift1\n");
+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
#endif
+ /* More than necessary bits are already copied into last destination buffer,
+ * only masking of last byte in destination buffer is necessary.*/
+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
}
- else
- {
- if (shift2 < shift1)
- {
- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
- sect_buff[dst_offset] &= bytebuff2;
-#ifdef DEVELMODE
- TIFFError ("", " Shift2 < Shift1\n");
-#endif
- }
-#ifdef DEVELMODE
- else
- TIFFError ("", " Shift2 == Shift1\n");
-#endif
- }
- }
#ifdef DEVELMODE
sprintf(&bitarray[28], " ");
sprintf(&bitarray[29], " ");
@@ -7021,7 +7001,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
width = sections[i].x2 - sections[i].x1 + 1;
length = sections[i].y2 - sections[i].y1 + 1;
sectsize = (uint32)
- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
+ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
/* allocate a buffer if we don't have one already */
if (createImageSection(sectsize, sect_buff_ptr))
{
--
2.27.0
From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 8 Mar 2022 17:02:44 +0000
Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in
extractImageSection
Conflict:NA
Reference:https://gitlab.com/freedesktop-sdk/mirrors/gitlab/libtiff/libtiff/-/commit/232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c
---
tools/tiffcrop.c | 92 +++++++++++++++++++-----------------------------
1 file changed, 36 insertions(+), 56 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index f2e5474a..e62bcc71 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -105,8 +105,8 @@
* of messages to monitor progress without enabling dump logs.
*/
-static char tiffcrop_version_id[] = "2.4";
-static char tiffcrop_rev_date[] = "12-13-2010";
+static char tiffcrop_version_id[] = "2.4.1";
+static char tiffcrop_rev_date[] = "03-03-2010";
#include "tif_config.h"
#include "libport.h"
@@ -6739,10 +6739,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
uint32_t img_length;
#endif
- uint32_t j, shift1, shift2, trailing_bits;
+ uint32_t j, shift1, trailing_bits;
uint32_t row, first_row, last_row, first_col, last_col;
uint32_t src_offset, dst_offset, row_offset, col_offset;
- uint32_t offset1, offset2, full_bytes;
+ uint32_t offset1, full_bytes;
uint32_t sect_width;
#ifdef DEVELMODE
uint32_t sect_length;
@@ -6752,7 +6752,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
int k;
unsigned char bitset;
- static char *bitarray = NULL;
#endif
img_width = image->width;
@@ -6770,17 +6769,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
dst_offset = 0;
#ifdef DEVELMODE
- if (bitarray == NULL)
- {
- if ((bitarray = (char *)malloc(img_width)) == NULL)
- {
- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
- return (-1);
- }
- }
+ char bitarray[39];
#endif
- /* rows, columns, width, length are expressed in pixels */
+ /* rows, columns, width, length are expressed in pixels
+ * first_row, last_row, .. are index into image array starting at 0 to width-1,
+ * last_col shall be also extracted. */
first_row = section->y1;
last_row = section->y2;
first_col = section->x1;
@@ -6790,9 +6784,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
sect_length = last_row - first_row + 1;
#endif
- img_rowsize = ((img_width * bps + 7) / 8) * spp;
- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
- trailing_bits = (sect_width * bps) % 8;
+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved
+ * samples rather than separate planes so the same logic works to extract regions
+ * regardless of the way the data are organized in the input file.
+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
+ */
+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
#ifdef DEVELMODE
TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
@@ -6805,10 +6804,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if ((bps % 8) == 0)
{
- col_offset = first_col * spp * bps / 8;
+ col_offset = (first_col * spp * bps) / 8;
for (row = first_row; row <= last_row; row++)
{
- /* row_offset = row * img_width * spp * bps / 8; */
row_offset = row * img_rowsize;
src_offset = row_offset + col_offset;
@@ -6821,14 +6819,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
}
else
{ /* bps != 8 */
- shift1 = spp * ((first_col * bps) % 8);
- shift2 = spp * ((last_col * bps) % 8);
+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
for (row = first_row; row <= last_row; row++)
{
/* pull out the first byte */
row_offset = row * img_rowsize;
- offset1 = row_offset + (first_col * bps / 8);
- offset2 = row_offset + (last_col * bps / 8);
+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
#ifdef DEVELMODE
for (j = 0, k = 7; j < 8; j++, k--)
@@ -6840,12 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
sprintf(&bitarray[9], " ");
for (j = 10, k = 7; j < 18; j++, k--)
{
- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
sprintf(&bitarray[j], (bitset) ? "1" : "0");
}
bitarray[18] = '\0';
- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n",
- row, offset1, shift1, offset2, shift2);
+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n",
+ row, offset1, shift1, offset1+full_bytes, trailing_bits);
#endif
bytebuff1 = bytebuff2 = 0;
@@ -6869,11 +6865,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if (trailing_bits != 0)
{
- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
sect_buff[dst_offset] = bytebuff2;
#ifdef DEVELMODE
TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n",
- offset2, dst_offset);
+ offset1 + full_bytes, dst_offset);
for (j = 30, k = 7; j < 38; j++, k--)
{
bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
@@ -6892,8 +6889,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#endif
for (j = 0; j <= full_bytes; j++)
{
- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
}
#ifdef DEVELMODE
@@ -6909,36 +6908,17 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#endif
dst_offset += full_bytes;
+ /* Copy the trailing_bits for the last byte in the destination buffer.
+ Could come from one ore two bytes of the source buffer. */
if (trailing_bits != 0)
{
#ifdef DEVELMODE
- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset);
-#endif
- if (shift2 > shift1)
- {
- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
- sect_buff[dst_offset] = bytebuff2;
-#ifdef DEVELMODE
- TIFFError ("", " Shift2 > Shift1\n");
+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
#endif
+ /* More than necessary bits are already copied into last destination buffer,
+ * only masking of last byte in destination buffer is necessary.*/
+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
}
- else
- {
- if (shift2 < shift1)
- {
- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
- sect_buff[dst_offset] &= bytebuff2;
-#ifdef DEVELMODE
- TIFFError ("", " Shift2 < Shift1\n");
-#endif
- }
-#ifdef DEVELMODE
- else
- TIFFError ("", " Shift2 == Shift1\n");
-#endif
- }
- }
#ifdef DEVELMODE
sprintf(&bitarray[28], " ");
sprintf(&bitarray[29], " ");
@@ -7091,7 +7071,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
width = sections[i].x2 - sections[i].x1 + 1;
length = sections[i].y2 - sections[i].y1 + 1;
sectsize = (uint32_t)
- ceil((width * image->bps + 7) / (double)8) * image->spp * length;
+ ceil((width * image->bps * image->spp + 7) / (double)8) * length;
/* allocate a buffer if we don't have one already */
if (createImageSection(sectsize, sect_buff_ptr))
{
--
GitLab

25
backport-CVE-2022-0907.patch
View File

@ -4,17 +4,17 @@ Date: Mon, 7 Mar 2022 18:21:49 +0800
Subject: [PATCH 1/3] add checks for return value of limitMalloc (#392)
---
tools/tiffcrop.c | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)
tools/tiffcrop.c | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 61bafc5..68ac071 100644
index 302a7e9..e407bf5 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7316,7 +7316,11 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr)
@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
if (!sect_buff)
{
sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
sect_buff = (unsigned char *)limitMalloc(sectsize);
- *sect_buff_ptr = sect_buff;
+ if (!sect_buff)
+ {
@ -24,7 +24,7 @@ index 61bafc5..68ac071 100644
_TIFFmemset(sect_buff, 0, sectsize);
}
else
@@ -7332,15 +7336,15 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr)
@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
else
sect_buff = new_buff;
@ -45,10 +45,10 @@ index 61bafc5..68ac071 100644
prev_sectsize = sectsize;
*sect_buff_ptr = sect_buff;
@@ -7607,7 +7611,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
if (!crop_buff)
{
crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
crop_buff = (unsigned char *)limitMalloc(cropsize);
- *crop_buff_ptr = crop_buff;
+ if (!crop_buff)
+ {
@ -58,7 +58,7 @@ index 61bafc5..68ac071 100644
_TIFFmemset(crop_buff, 0, cropsize);
prev_cropsize = cropsize;
}
@@ -7623,15 +7631,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
}
else
crop_buff = new_buff;
@ -79,6 +79,11 @@ index 61bafc5..68ac071 100644
*crop_buff_ptr = crop_buff;
if (crop->crop_mode & CROP_INVERT)
@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
* fill-column: 78
* End:
*/
+
--
2.27.0
2.35.1

10
backport-CVE-2022-0908.patch
View File

@ -9,19 +9,19 @@ Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 28a7992..b9b4079 100644
index d654a1c..a31109a 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -5021,7 +5021,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
@@ -5080,7 +5080,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
_TIFFfree(data);
return(0);
}
- _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
+ if (dp->tdir_count > 0 )
+ {
+ _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
+ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
+ }
o[(uint32)dp->tdir_count]=0;
o[(uint32_t)dp->tdir_count]=0;
if (data!=0)
_TIFFfree(data);
--

4
backport-CVE-2022-0909.patch
View File

@ -11,10 +11,10 @@ Reference:https://gitlab.com/libtiff/libtiff/-/commit/32ea0722ee68f503b7a3f9b2d5
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 1e0a76c..39aeeb4 100644
index a6c254f..77da6ea 100644
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -334,13 +334,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
break;
case TIFFTAG_XRESOLUTION:
dblval = va_arg(ap, double);

16
backport-CVE-2022-0924.patch
View File

@ -11,16 +11,16 @@ Reference:https://gitlab.com/libtiff/libtiff/-/commit/88d79a45a31c74cba98c697892
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 84d8148..f260f80 100644
index 1f88951..552d8fa 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1523,12 +1523,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
tdata_t obuf;
tstrip_t strip = 0;
tsample_t s;
+ uint16 bps = 0, bytes_per_sample;
+ uint16_t bps = 0, bytes_per_sample;
obuf = _TIFFmalloc(stripsize);
obuf = limitMalloc(stripsize);
if (obuf == NULL)
return (0);
_TIFFmemset(obuf, 0, stripsize);
@ -40,17 +40,17 @@ index 84d8148..f260f80 100644
+ }
+ bytes_per_sample = bps/8;
for (s = 0; s < spp; s++) {
uint32 row;
uint32_t row;
for (row = 0; row < imagelength; row += rowsperstrip) {
@@ -1538,7 +1553,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
cpContigBufToSeparateBuf(
obuf, (uint8*) buf + row*rowsize + s,
obuf, (uint8_t*) buf + row * rowsize + s,
- nrows, imagewidth, 0, 0, spp, 1);
+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
TIFFError(TIFFFileName(out),
"Error, can't write strip %u",
"Error, can't write strip %"PRIu32,
--
2.27.0

6
backport-CVE-2022-1355.patch
View File

@ -3,15 +3,17 @@ From: Su_Laus <sulau@freenet.de>
Date: Sat, 2 Apr 2022 22:33:31 +0200
Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
Conflict:NA
Reference:https://gitlab.com/gitlab-org/build/omnibus-mirror/libtiff/-/commit/fb1db384959698edd6caeea84e28253d272a0f96
---
tools/tiffcp.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 1c81322..83b3910 100644
index 552d8fa..57eef90 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -247,19 +247,34 @@ main(int argc, char* argv[])
@@ -274,19 +274,34 @@ main(int argc, char* argv[])
deftilewidth = atoi(optarg);
break;
case 'B':

34
fix-raw2tiff-floating-point-exception.patch Normal file
View File

@ -0,0 +1,34 @@
From 42f499986d3c8a1dce55db7d97d501f8e9dfc8f6 Mon Sep 17 00:00:00 2001
From: t.feng <fengtao40@huawei.com>
Date: Mon, 13 Dec 2021 21:03:13 +0800
Subject: [PATCH] fix raw2tiff floating point exception
if we input illegal nbands, like:
raw2tiff -b :2 test.raw test.tif
we got:
Floating point exception (core dumped)
so, check nbands before guessSize
---
tools/raw2tiff.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
index dfee715..3a6f00e 100644
--- a/tools/raw2tiff.c
+++ b/tools/raw2tiff.c
@@ -209,6 +209,11 @@ main(int argc, char* argv[])
return (EXIT_FAILURE);
}
+ if (nbands == 0) {
+ fprintf(stderr, "The number of bands is illegal.\n");
+ return (-1);
+ }
+
if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
return EXIT_FAILURE;
--
2.27.0

53
libtiff.spec
View File

@ -1,32 +1,31 @@
Name: libtiff
Version: 4.1.0
Release: 11
Version: 4.3.0
Release: 1
Summary: TIFF Library and Utilities
License: libtiff
URL: https://www.simplesystems.org/libtiff/
Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
Patch6000: backport-CVE-2020-35521_CVE-2020-35522.patch
Patch6001: backport-CVE-2020-35523.patch
Patch6002: backport-CVE-2020-35524.patch
Patch6003: backport-CVE-2022-0561.patch
Patch6004: backport-CVE-2022-0562.patch
Patch6005: backport-0001-CVE-2022-22844.patch
Patch6006: backport-0002-CVE-2022-22844.patch
Patch6007: backport-0003-CVE-2022-22844.patch
Patch6008: backport-CVE-2022-0891.patch
Patch6009: backport-CVE-2022-0908.patch
Patch6010: backport-CVE-2022-0907.patch
Patch6011: backport-CVE-2022-0865.patch
Patch6012: backport-CVE-2022-0909.patch
Patch6013: backport-CVE-2022-0924.patch
Patch6014: backport-CVE-2022-1355.patch
Patch6000: backport-CVE-2022-0561.patch
Patch6001: backport-CVE-2022-0562.patch
Patch6002: backport-0001-CVE-2022-22844.patch
Patch6003: backport-0002-CVE-2022-22844.patch
Patch6004: backport-0003-CVE-2022-22844.patch
Patch6005: backport-CVE-2022-0891.patch
Patch6006: backport-CVE-2022-0907.patch
Patch6007: backport-CVE-2022-0908.patch
Patch6008: backport-CVE-2022-0865.patch
Patch6009: backport-CVE-2022-0909.patch
Patch6010: backport-CVE-2022-0924.patch
Patch6011: backport-CVE-2022-1355.patch
Patch6012: backport-0001-CVE-2022-1622-CVE-2022-1623.patch
Patch6013: backport-0002-CVE-2022-1622-CVE-2022-1623.patch
Patch9000: fix-raw2tiff-floating-point-exception.patch
BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
BuildRequires: libtool automake autoconf pkgconfig git
Provides: %{name}-tools
Obsoletes: %{name}-tools
BuildRequires: libtool automake autoconf pkgconfig
%description
This %{name} provides support for the Tag Image File Format (TIFF), a widely
@ -38,9 +37,6 @@ for manipulating TIFF format image files using the libtiff library.
Summary: Development files for %{name} library
Requires: %{name} = %{version}-%{release} pkgconfig
Provides: %{name}-static
Obsoletes: %{name}-static
%description devel
This package contains the header files and documentation necessary for developing programs
which will manipulate TIFF format image files using the libtiff library.
@ -48,7 +44,7 @@ which will manipulate TIFF format image files using the libtiff library.
%package_help
%prep
%autosetup -n tiff-%{version} -p1 -S git
%autosetup -n tiff-%{version} -p1
libtoolize --force --copy
aclocal -I . -I m4
@ -123,10 +119,13 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man*
%doc RELEASE-DATE VERSION
%doc TODO ChangeLog html
%exclude %{_mandir}/man1/tiffgt.1
%exclude %{_mandir}/man1/*
%exclude %{_datadir}/html/man/tiffgt.1.html
%changelog
* Thu Jun 23 2022 wuchaochao <wuchaochao4@h-partners.com> - 4.3.0-1
- update to 4.3.0 for fix CVE-2022-1622,CVE-2022-1623
* Wed May 18 2022 liuyumeng <liuyumeng5@h-partners.com> - 4.1.0-11
- fix CVE-2022-1355
@ -153,7 +152,7 @@ find html -name 'Makefile*' | xargs rm
* Thu Mar 10 2022 dongyuzhen <dongyuzhen@h-partners.com> - 4.1.0-5
- Type:cves
- ID:CVE-2022-22844
- ID:CVE-2022-22844
- SUG:NA
- DESC:fix CVE-2022-22844

BIN
tiff-4.1.0.tar.gz
View File

Binary file not shown.

BIN
tiff-4.3.0.tar.gz Normal file
View File

Binary file not shown.