diff --git a/backport-0001-CVE-2022-1622-CVE-2022-1623.patch b/backport-0001-CVE-2022-1622-CVE-2022-1623.patch new file mode 100644 index 0000000..529766d --- /dev/null +++ b/backport-0001-CVE-2022-1622-CVE-2022-1623.patch @@ -0,0 +1,772 @@ +From 189d65779275132c86abd1e06cdab8a080645b32 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 10 Mar 2022 12:14:31 +0100 +Subject: [PATCH 1/3] tif_lzw.c: make LZW_CHECKEOS non-optional + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/318/diffs + +this is pre-patch for CVE-2022-1622 and CVE-2022-1623 +--- + libtiff/tif_lzw.c | 551 ++++++++++++++++++++++++++++++---------------- + 1 file changed, 356 insertions(+), 195 deletions(-) + +diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c +index c06aec4..c28366b 100644 +--- a/libtiff/tif_lzw.c ++++ b/libtiff/tif_lzw.c +@@ -1,6 +1,7 @@ + /* + * Copyright (c) 1988-1997 Sam Leffler + * Copyright (c) 1991-1997 Silicon Graphics, Inc. ++ * Copyright (c) 2022 Even Rouault + * + * Permission to use, copy, modify, distribute, and sell this software and + * its documentation for any purpose is hereby granted without fee, provided +@@ -36,8 +37,13 @@ + */ + #include "tif_predict.h" + ++#include + #include + ++/* Select the plausible largest natural integer type for the architecture */ ++#define SIZEOF_WORDTYPE SIZEOF_SIZE_T ++typedef size_t WordType; ++ + /* + * NB: The 5.0 spec describes a different algorithm than Aldus + * implements. Specifically, Aldus does code length transitions +@@ -52,13 +58,6 @@ + * Future revisions to the TIFF spec are expected to "clarify this issue". + */ + #define LZW_COMPAT /* include backwards compatibility code */ +-/* +- * Each strip of data is supposed to be terminated by a CODE_EOI. +- * If the following #define is included, the decoder will also +- * check for end-of-strip w/o seeing this code. This makes the +- * library more robust, but also slower. +- */ +-#define LZW_CHECKEOS /* include checks for strips w/o EOI code */ + + #define MAXCODE(n) ((1L<<(n))-1) + /* +@@ -92,7 +91,7 @@ typedef struct { + unsigned short nbits; /* # of bits/code */ + unsigned short maxcode; /* maximum code for lzw_nbits */ + unsigned short free_ent; /* next free entry in hash table */ +- unsigned long nextdata; /* next bits of i/o */ ++ WordType nextdata; /* next bits of i/o */ + long nextbits; /* # of valid bits in lzw_nextdata */ + + int rw_mode; /* preserve rw_mode from init */ +@@ -119,8 +118,10 @@ typedef struct { + typedef struct code_ent { + struct code_ent *next; + unsigned short length; /* string len, including this token */ +- unsigned char value; /* data value */ ++ /* firstchar should be placed immediately before value in this structure */ + unsigned char firstchar; /* first token of string */ ++ unsigned char value; /* data value */ ++ bool repeated; + } code_t; + + typedef int (*decodeFunc)(TIFF*, uint8_t*, tmsize_t, uint16_t); +@@ -131,10 +132,8 @@ typedef struct { + /* Decoding specific data */ + long dec_nbitsmask; /* lzw_nbits 1 bits, right adjusted */ + long dec_restart; /* restart count */ +-#ifdef LZW_CHECKEOS + uint64_t dec_bitsleft; /* available bits in raw data */ + tmsize_t old_tif_rawcc; /* value of tif_rawcc at the end of the previous TIFLZWDecode() call */ +-#endif + decodeFunc dec_decode; /* regular or backwards compatible */ + code_t* dec_codep; /* current recognized code */ + code_t* dec_oldcodep; /* previously recognized code */ +@@ -167,26 +166,6 @@ static void cl_hash(LZWCodecState*); + * LZW Decoder. + */ + +-#ifdef LZW_CHECKEOS +-/* +- * This check shouldn't be necessary because each +- * strip is suppose to be terminated with CODE_EOI. +- */ +-#define NextCode(_tif, _sp, _bp, _code, _get) { \ +- if ((_sp)->dec_bitsleft < (uint64_t)nbits) { \ +- TIFFWarningExt(_tif->tif_clientdata, module, \ +- "LZWDecode: Strip %"PRIu32" not terminated with EOI code", \ +- _tif->tif_curstrip); \ +- _code = CODE_EOI; \ +- } else { \ +- _get(_sp,_bp,_code); \ +- (_sp)->dec_bitsleft -= nbits; \ +- } \ +-} +-#else +-#define NextCode(tif, sp, bp, code, get) get(sp, bp, code) +-#endif +- + static int + LZWFixupTags(TIFF* tif) + { +@@ -236,17 +215,17 @@ LZWSetupDecode(TIFF* tif) + */ + code = 255; + do { +- sp->dec_codetab[code].value = (unsigned char)code; + sp->dec_codetab[code].firstchar = (unsigned char)code; ++ sp->dec_codetab[code].value = (unsigned char)code; ++ sp->dec_codetab[code].repeated = true; + sp->dec_codetab[code].length = 1; + sp->dec_codetab[code].next = NULL; + } while (code--); + /* +- * Zero-out the unused entries +- */ +- /* Silence false positive */ +- /* coverity[overrun-buffer-arg] */ +- _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, ++ * Zero-out the unused entries */ ++ /* Silence false positive */ ++ /* coverity[overrun-buffer-arg] */ ++ memset(&sp->dec_codetab[CODE_CLEAR], 0, + (CODE_FIRST - CODE_CLEAR) * sizeof (code_t)); + } + return (1); +@@ -316,11 +295,9 @@ LZWPreDecode(TIFF* tif, uint16_t s) + + sp->dec_restart = 0; + sp->dec_nbitsmask = MAXCODE(BITS_MIN); +-#ifdef LZW_CHECKEOS + sp->dec_bitsleft = 0; +- sp->old_tif_rawcc = 0; +-#endif +- sp->dec_free_entp = sp->dec_codetab + CODE_FIRST; ++ sp->old_tif_rawcc = 0; ++ sp->dec_free_entp = sp->dec_codetab - 1 ; // + CODE_FIRST; + /* + * Zero entries that are not yet filled in. We do + * this to guard against bogus input data that causes +@@ -328,8 +305,7 @@ LZWPreDecode(TIFF* tif, uint16_t s) + * come up with a way to safely bounds-check input codes + * while decoding then you can remove this operation. + */ +- _TIFFmemset(sp->dec_free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); +- sp->dec_oldcodep = &sp->dec_codetab[-1]; ++ sp->dec_oldcodep = &sp->dec_codetab[0]; + sp->dec_maxcodep = &sp->dec_codetab[sp->dec_nbitsmask-1]; + return (1); + } +@@ -337,24 +313,77 @@ LZWPreDecode(TIFF* tif, uint16_t s) + /* + * Decode a "hunk of data". + */ +-#define GetNextCode(sp, bp, code) { \ +- nextdata = (nextdata<<8) | *(bp)++; \ +- nextbits += 8; \ +- if (nextbits < nbits) { \ +- nextdata = (nextdata<<8) | *(bp)++; \ +- nextbits += 8; \ +- } \ +- code = (hcode_t)((nextdata >> (nextbits-nbits)) & nbitsmask); \ +- nextbits -= nbits; \ +-} ++/* Get the next 32 or 64-bit from the input data */ ++ ++#ifdef WORDS_BIGENDIAN ++# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)) ++#elif SIZEOF_WORDTYPE == 8 ++# if defined(__GNUC__) && defined(__x86_64__) ++# define GetNextData(nextdata, bp) nextdata = __builtin_bswap64(*(uint64_t*)(bp)) ++# elif defined(_M_X64) ++# define GetNextData(nextdata, bp) nextdata = _byteswap_uint64(*(uint64_t*)(bp)) ++# elif defined(__GNUC__) ++# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)); \ ++ nextdata = __builtin_bswap64(nextdata) ++# else ++# define GetNextData(nextdata, bp) nextdata = (((uint64_t)bp[0]) << 56) | \ ++ (((uint64_t)bp[1]) << 48) | \ ++ (((uint64_t)bp[2]) << 40) | \ ++ (((uint64_t)bp[3]) << 32) | \ ++ (((uint64_t)bp[4]) << 24) | \ ++ (((uint64_t)bp[5]) << 16) | \ ++ (((uint64_t)bp[6]) << 8) | \ ++ (((uint64_t)bp[7])) ++# endif ++#elif SIZEOF_WORDTYPE == 4 ++# if defined(__GNUC__) && defined(__i386__) ++# define GetNextData(nextdata, bp) nextdata = __builtin_bswap32(*(uint32_t*)(bp)) ++# elif defined(_M_X86) ++# define GetNextData(nextdata, bp) nextdata = _byteswap_ulong(*(unsigned long*)(bp)) ++# elif defined(__GNUC__) ++# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)); \ ++ nextdata = __builtin_bswap32(nextdata) ++# else ++# define GetNextData(nextdata, bp) nextdata = (((uint32_t)bp[0]) << 24) | \ ++ (((uint32_t)bp[1]) << 16) | \ ++ (((uint32_t)bp[2]) << 8) | \ ++ (((uint32_t)bp[3])) ++# endif ++#else ++# error "Unhandled SIZEOF_WORDTYPE" ++#endif + +-static void +-codeLoop(TIFF* tif, const char* module) +-{ +- TIFFErrorExt(tif->tif_clientdata, module, +- "Bogus encoding, loop in the code table; scanline %"PRIu32, +- tif->tif_row); +-} ++#define GetNextCodeLZW() do { \ ++ nextbits -= nbits; \ ++ if (nextbits < 0) { \ ++ if (dec_bitsleft >= 8 * SIZEOF_WORDTYPE) { \ ++ unsigned codetmp = (unsigned)(nextdata << (-nextbits)); \ ++ GetNextData(nextdata, bp); \ ++ bp += SIZEOF_WORDTYPE; \ ++ nextbits += 8 * SIZEOF_WORDTYPE; \ ++ dec_bitsleft -= 8 * SIZEOF_WORDTYPE; \ ++ code = (WordType)((codetmp | (nextdata >> nextbits)) & nbitsmask); \ ++ break; \ ++ } \ ++ else {\ ++ if( dec_bitsleft < 8) { \ ++ goto no_eoi; \ ++ }\ ++ nextdata = (nextdata<<8) | *(bp)++; \ ++ nextbits += 8; \ ++ dec_bitsleft -= 8; \ ++ if( nextbits < 0 ) { \ ++ if( dec_bitsleft < 8) { \ ++ goto no_eoi; \ ++ }\ ++ nextdata = (nextdata<<8) | *(bp)++; \ ++ nextbits += 8; \ ++ dec_bitsleft -= 8; \ ++ } \ ++ } \ ++ } \ ++ code = (WordType)((nextdata >> nextbits) & nbitsmask); \ ++} while(0) + + static int + LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) +@@ -363,13 +392,10 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + LZWCodecState *sp = DecoderState(tif); + char *op = (char*) op0; + long occ = (long) occ0; +- char *tp; + unsigned char *bp; +- hcode_t code; +- int len; + long nbits, nextbits, nbitsmask; +- unsigned long nextdata; +- code_t *codep, *free_entp, *maxcodep, *oldcodep; ++ WordType nextdata; ++ code_t *free_entp, *maxcodep, *oldcodep; + + (void) s; + assert(sp != NULL); +@@ -386,7 +412,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + if (sp->dec_restart) { + long residue; + +- codep = sp->dec_codep; ++ code_t* codep = sp->dec_codep; + residue = codep->length - sp->dec_restart; + if (residue > occ) { + /* +@@ -400,7 +426,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + codep = codep->next; + } while (--residue > occ && codep); + if (codep) { +- tp = op + occ; ++ uint8_t* tp = op + occ; + do { + *--tp = codep->value; + codep = codep->next; +@@ -413,7 +439,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + */ + op += residue; + occ -= residue; +- tp = op; ++ uint8_t* tp = op; + do { + int t; + --tp; +@@ -425,9 +451,8 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + } + + bp = (unsigned char *)tif->tif_rawcp; +-#ifdef LZW_CHECKEOS + sp->dec_bitsleft += (((uint64_t)tif->tif_rawcc - sp->old_tif_rawcc) << 3); +-#endif ++ uint64_t dec_bitsleft = sp->dec_bitsleft; + nbits = sp->lzw_nbits; + nextdata = sp->lzw_nextdata; + nextbits = sp->lzw_nextbits; +@@ -435,128 +460,235 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + oldcodep = sp->dec_oldcodep; + free_entp = sp->dec_free_entp; + maxcodep = sp->dec_maxcodep; ++ code_t* const dec_codetab = sp->dec_codetab; ++ code_t* codep; ++ ++ if (occ == 0) { ++ goto after_loop; ++ } ++ ++begin: ++ { ++ WordType code; ++ GetNextCodeLZW(); ++ codep = dec_codetab + code; ++ if (code >= CODE_FIRST) ++ goto code_above_or_equal_to_258; ++ if (code < 256) ++ goto code_below_256; ++ if (code == CODE_EOI) ++ goto after_loop; ++ goto code_clear; ++ ++code_below_256: ++ { ++ if (codep > free_entp) ++ goto error_code; ++ free_entp->next = oldcodep; ++ free_entp->firstchar = oldcodep->firstchar; ++ free_entp->length = oldcodep->length+1; ++ free_entp->value = (uint8_t)code; ++ free_entp->repeated = (bool)(oldcodep->repeated & !(oldcodep->value - code)); ++ if (++free_entp > maxcodep) { ++ if (++nbits > BITS_MAX) /* should not happen for a conformant encoder */ ++ nbits = BITS_MAX; ++ nbitsmask = MAXCODE(nbits); ++ maxcodep = dec_codetab + nbitsmask-1; ++ if( free_entp >= &dec_codetab[CSIZE] ) ++ { ++ /* At that point, the next valid states are either EOI or a */ ++ /* CODE_CLEAR. If a regular code is read, at the next */ ++ /* attempt at registering a new entry, we will error out */ ++ /* due to setting free_entp before any valid code */ ++ free_entp = dec_codetab - 1; ++ } ++ } ++ oldcodep = codep; ++ *op++ = (uint8_t)code; ++ occ--; ++ if (occ == 0) ++ goto after_loop; ++ goto begin; ++ } + +- while (occ > 0) { +- NextCode(tif, sp, bp, code, GetNextCode); +- if (code == CODE_EOI) +- break; +- if (code == CODE_CLEAR) { +- do { +- free_entp = sp->dec_codetab + CODE_FIRST; +- _TIFFmemset(free_entp, 0, +- (CSIZE - CODE_FIRST) * sizeof (code_t)); +- nbits = BITS_MIN; +- nbitsmask = MAXCODE(BITS_MIN); +- maxcodep = sp->dec_codetab + nbitsmask-1; +- NextCode(tif, sp, bp, code, GetNextCode); +- } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */ +- if (code == CODE_EOI) +- break; +- if (code > CODE_CLEAR) { +- TIFFErrorExt(tif->tif_clientdata, tif->tif_name, +- "LZWDecode: Corrupted LZW table at scanline %"PRIu32, +- tif->tif_row); +- return (0); +- } +- *op++ = (char)code; +- occ--; +- oldcodep = sp->dec_codetab + code; +- continue; +- } +- codep = sp->dec_codetab + code; +- +- /* +- * Add the new entry to the code table. +- */ +- if (free_entp < &sp->dec_codetab[0] || +- free_entp >= &sp->dec_codetab[CSIZE]) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "Corrupted LZW table at scanline %"PRIu32, +- tif->tif_row); +- return (0); +- } ++code_above_or_equal_to_258: ++ { ++ /* ++ * Add the new entry to the code table. ++ */ ++ ++ if (codep >= free_entp) ++ { ++ if (codep != free_entp) ++ goto error_code; ++ free_entp->value = oldcodep->firstchar; ++ } ++ else ++ { ++ free_entp->value = codep->firstchar; ++ } ++ free_entp->repeated = (bool)(oldcodep->repeated & !(oldcodep->value - free_entp->value)); ++ free_entp->next = oldcodep; ++ ++ free_entp->firstchar = oldcodep->firstchar; ++ free_entp->length = oldcodep->length+1; ++ if (++free_entp > maxcodep) { ++ if (++nbits > BITS_MAX) /* should not happen for a conformant encoder */ ++ nbits = BITS_MAX; ++ nbitsmask = MAXCODE(nbits); ++ maxcodep = dec_codetab + nbitsmask-1; ++ if (free_entp >= &dec_codetab[CSIZE]) ++ { ++ /* At that point, the next valid states are either EOI or a */ ++ /* CODE_CLEAR. If a regular code is read, at the next */ ++ /* attempt at registering a new entry, we will error out */ ++ /* due to setting free_entp before any valid code */ ++ free_entp = dec_codetab - 1; ++ } ++ } ++ oldcodep = codep; ++ ++ /* ++ * Code maps to a string, copy string ++ * value to output (written in reverse). ++ */ ++ /* tiny bit faster on x86_64 to store in unsigned short than int */ ++ unsigned short len = codep->length; ++ ++ if (len < 3) /* equivalent to len == 2 given all other conditions */ ++ { ++ if (occ <= 2) ++ { ++ if (occ == 2) ++ { ++ memcpy(op, &(codep->firstchar), 2); ++ op += 2; ++ occ -= 2; ++ goto after_loop; ++ } ++ goto too_short_buffer; ++ } + +- free_entp->next = oldcodep; +- if (free_entp->next < &sp->dec_codetab[0] || +- free_entp->next >= &sp->dec_codetab[CSIZE]) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "Corrupted LZW table at scanline %"PRIu32, +- tif->tif_row); +- return (0); +- } +- free_entp->firstchar = free_entp->next->firstchar; +- free_entp->length = free_entp->next->length+1; +- free_entp->value = (codep < free_entp) ? +- codep->firstchar : free_entp->firstchar; +- if (++free_entp > maxcodep) { +- if (++nbits > BITS_MAX) /* should not happen */ +- nbits = BITS_MAX; +- nbitsmask = MAXCODE(nbits); +- maxcodep = sp->dec_codetab + nbitsmask-1; +- } +- oldcodep = codep; +- if (code >= 256) { +- /* +- * Code maps to a string, copy string +- * value to output (written in reverse). +- */ +- if(codep->length == 0) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "Wrong length of decoded string: " +- "data probably corrupted at scanline %"PRIu32, +- tif->tif_row); +- return (0); +- } +- if (codep->length > occ) { +- /* +- * String is too long for decode buffer, +- * locate portion that will fit, copy to +- * the decode buffer, and setup restart +- * logic for the next decoding call. +- */ +- sp->dec_codep = codep; +- do { +- codep = codep->next; +- } while (codep && codep->length > occ); +- if (codep) { +- sp->dec_restart = (long)occ; +- tp = op + occ; +- do { +- *--tp = codep->value; +- codep = codep->next; +- } while (--occ && codep); +- if (codep) +- codeLoop(tif, module); +- } +- break; +- } +- len = codep->length; +- tp = op + len; +- do { +- int t; +- --tp; +- t = codep->value; +- codep = codep->next; +- *tp = (char)t; +- } while (codep && tp > op); +- if (codep) { +- codeLoop(tif, module); +- break; +- } +- assert(occ >= len); +- op += len; +- occ -= len; +- } else { +- *op++ = (char)code; +- occ--; +- } +- } ++ memcpy(op, &(codep->firstchar), 2); ++ op += 2; ++ occ -= 2; ++ goto begin; /* we can save the comparison occ > 0 */ ++ } ++ ++ if (len == 3) ++ { ++ if (occ <= 3) ++ { ++ if (occ == 3) ++ { ++ op[0] = codep->firstchar; ++ op[1] = codep->next->value; ++ op[2] = codep->value; ++ op += 3; ++ occ -= 3; ++ goto after_loop; ++ } ++ goto too_short_buffer; ++ } ++ op[0] = codep->firstchar; ++ op[1] = codep->next->value; ++ op[2] = codep->value; ++ op += 3; ++ occ -= 3; ++ goto begin; /* we can save the comparison occ > 0 */ ++ } ++ ++ if (len > occ) ++ { ++ goto too_short_buffer; ++ } ++ ++ if (codep->repeated) ++ { ++ memset(op, codep->value, len); ++ op += len; ++ occ -= len; ++ if (occ == 0) ++ goto after_loop; ++ goto begin; ++ } ++ ++ uint8_t* tp = op + len; ++ ++ assert(len >= 4); ++ ++ *--tp = codep->value; ++ codep = codep->next; ++ *--tp = codep->value; ++ codep = codep->next; ++ *--tp = codep->value; ++ codep = codep->next; ++ *--tp = codep->value; ++ if (tp > op) ++ { ++ do { ++ codep = codep->next; ++ *--tp = codep->value; ++ } while (tp > op); ++ } ++ ++ assert(occ >= len); ++ op += len; ++ occ -= len; ++ if (occ == 0) ++ goto after_loop; ++ goto begin; ++ } + ++code_clear: ++ { ++ free_entp = dec_codetab + CODE_FIRST; ++ nbits = BITS_MIN; ++ nbitsmask = MAXCODE(BITS_MIN); ++ maxcodep = dec_codetab + nbitsmask-1; ++ do { ++ GetNextCodeLZW(); ++ } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */ ++ if (code == CODE_EOI) ++ goto after_loop; ++ if (code > CODE_EOI) { ++ goto error_code; ++ } ++ *op++ = (uint8_t)code; ++ occ--; ++ oldcodep = dec_codetab + code; ++ if (occ == 0) ++ goto after_loop; ++ goto begin; ++ } ++ } ++ ++too_short_buffer: ++ { ++ /* ++ * String is too long for decode buffer, ++ * locate portion that will fit, copy to ++ * the decode buffer, and setup restart ++ * logic for the next decoding call. ++ */ ++ sp->dec_codep = codep; ++ do { ++ codep = codep->next; ++ } while (codep->length > occ); ++ ++ sp->dec_restart = occ; ++ uint8_t* tp = op + occ; ++ do { ++ *--tp = codep->value; ++ codep = codep->next; ++ } while (--occ); ++ } ++ ++after_loop: + tif->tif_rawcc -= (tmsize_t)((uint8_t*) bp - tif->tif_rawcp ); + tif->tif_rawcp = (uint8_t*) bp; +-#ifdef LZW_CHECKEOS + sp->old_tif_rawcc = tif->tif_rawcc; +-#endif ++ sp->dec_bitsleft = dec_bitsleft; + sp->lzw_nbits = (unsigned short) nbits; + sp->lzw_nextdata = nextdata; + sp->lzw_nextbits = nextbits; +@@ -572,9 +704,35 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + return (0); + } + return (1); ++ ++no_eoi: ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "LZWDecode: Strip %"PRIu32" not terminated with EOI code", ++ tif->tif_curstrip); ++ return 0; ++error_code: ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Using code not yet in table"); ++ return 0; + } + + #ifdef LZW_COMPAT ++ ++/* ++ * This check shouldn't be necessary because each ++ * strip is suppose to be terminated with CODE_EOI. ++ */ ++#define NextCode(_tif, _sp, _bp, _code, _get, dec_bitsleft) { \ ++ if (dec_bitsleft < (uint64_t)nbits) { \ ++ TIFFWarningExt(_tif->tif_clientdata, module, \ ++ "LZWDecode: Strip %"PRIu32" not terminated with EOI code", \ ++ _tif->tif_curstrip); \ ++ _code = CODE_EOI; \ ++ } else { \ ++ _get(_sp,_bp,_code); \ ++ dec_bitsleft -= nbits; \ ++ } \ ++} ++ + /* + * Decode a "hunk of data" for old images. + */ +@@ -601,7 +759,8 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + unsigned char *bp; + int code, nbits; + int len; +- long nextbits, nextdata, nbitsmask; ++ long nextbits, nbitsmask; ++ WordType nextdata; + code_t *codep, *free_entp, *maxcodep, *oldcodep; + + (void) s; +@@ -653,9 +812,10 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + } + + bp = (unsigned char *)tif->tif_rawcp; +-#ifdef LZW_CHECKEOS ++ + sp->dec_bitsleft += (((uint64_t)tif->tif_rawcc - sp->old_tif_rawcc) << 3); +-#endif ++ uint64_t dec_bitsleft = sp->dec_bitsleft; ++ + nbits = sp->lzw_nbits; + nextdata = sp->lzw_nextdata; + nextbits = sp->lzw_nextbits; +@@ -665,7 +825,7 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + maxcodep = sp->dec_maxcodep; + + while (occ > 0) { +- NextCode(tif, sp, bp, code, GetNextCodeCompat); ++ NextCode(tif, sp, bp, code, GetNextCodeCompat, dec_bitsleft); + if (code == CODE_EOI) + break; + if (code == CODE_CLEAR) { +@@ -676,7 +836,7 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask; +- NextCode(tif, sp, bp, code, GetNextCodeCompat); ++ NextCode(tif, sp, bp, code, GetNextCodeCompat, dec_bitsleft); + } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */ + if (code == CODE_EOI) + break; +@@ -772,9 +932,10 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + + tif->tif_rawcc -= (tmsize_t)((uint8_t*) bp - tif->tif_rawcp ); + tif->tif_rawcp = (uint8_t*) bp; +-#ifdef LZW_CHECKEOS ++ + sp->old_tif_rawcc = tif->tif_rawcc; +-#endif ++ sp->dec_bitsleft = dec_bitsleft; ++ + sp->lzw_nbits = (unsigned short)nbits; + sp->lzw_nextdata = nextdata; + sp->lzw_nextbits = nextbits; +@@ -893,7 +1054,7 @@ LZWEncode(TIFF* tif, uint8_t* bp, tmsize_t cc, uint16_t s) + hcode_t ent; + long disp; + long incount, outcount, checkpoint; +- unsigned long nextdata; ++ WordType nextdata; + long nextbits; + int free_ent, maxcode, nbits; + uint8_t* op; +@@ -1057,7 +1218,7 @@ LZWPostEncode(TIFF* tif) + register LZWCodecState *sp = EncoderState(tif); + uint8_t* op = tif->tif_rawcp; + long nextbits = sp->lzw_nextbits; +- unsigned long nextdata = sp->lzw_nextdata; ++ WordType nextdata = sp->lzw_nextdata; + long outcount = sp->enc_outcount; + int nbits = sp->lzw_nbits; + +-- +2.27.0 + diff --git a/backport-0001-CVE-2022-22844.patch b/backport-0001-CVE-2022-22844.patch index e02aa8c..1cd1069 100644 --- a/backport-0001-CVE-2022-22844.patch +++ b/backport-0001-CVE-2022-22844.patch @@ -7,22 +7,14 @@ Conflict:NA Reference:https://gitlab.com/libtiff/libtiff/-/commit/49b81e99704bd199a24ccce65f974cc2d78cccc4 --- - tools/tiffset.c | 17 ++++++++++++++--- - 1 file changed, 14 insertions(+), 3 deletions(-) + tools/tiffset.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tools/tiffset.c b/tools/tiffset.c -index 7ecc401..53afc51 100644 +index 8c9e23c..b7badd9 100644 --- a/tools/tiffset.c +++ b/tools/tiffset.c -@@ -32,6 +32,7 @@ - #include - #include - #include -+#include - - #include "tiffio.h" - -@@ -133,9 +134,19 @@ main(int argc, char* argv[]) +@@ -146,9 +146,19 @@ main(int argc, char* argv[]) arg_index++; if (TIFFFieldDataType(fip) == TIFF_ASCII) { diff --git a/backport-0002-CVE-2022-1622-CVE-2022-1623.patch b/backport-0002-CVE-2022-1622-CVE-2022-1623.patch new file mode 100644 index 0000000..bad52c4 --- /dev/null +++ b/backport-0002-CVE-2022-1622-CVE-2022-1623.patch @@ -0,0 +1,56 @@ +From b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Fri, 22 Apr 2022 18:58:52 +0200 +Subject: [PATCH] tif_lzw.c: fix potential out-of-bounds error when trying to + read in the same tile/strip after an error has occured (fixes #410) + +Conflict:NA +Reference:https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a +--- + libtiff/tif_lzw.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c +index c28366b..1f255d9 100644 +--- a/libtiff/tif_lzw.c ++++ b/libtiff/tif_lzw.c +@@ -140,6 +140,7 @@ typedef struct { + code_t* dec_free_entp; /* next free entry */ + code_t* dec_maxcodep; /* max available entry */ + code_t* dec_codetab; /* kept separate for small machines */ ++ int read_error; /* whether a read error has occured, and which should cause further reads in the same strip/tile to be aborted */ + + /* Encoding specific data */ + int enc_oldcode; /* last code encountered */ +@@ -307,6 +308,7 @@ LZWPreDecode(TIFF* tif, uint16_t s) + */ + sp->dec_oldcodep = &sp->dec_codetab[0]; + sp->dec_maxcodep = &sp->dec_codetab[sp->dec_nbitsmask-1]; ++ sp->read_error = 0; + return (1); + } + +@@ -399,7 +401,11 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s) + + (void) s; + assert(sp != NULL); +- assert(sp->dec_codetab != NULL); ++ assert(sp->dec_codetab != NULL); ++ ++ if (sp->read_error) { ++ return 0; ++ } + + /* + Fail if value does not fit in long. +@@ -711,6 +717,7 @@ no_eoi: + tif->tif_curstrip); + return 0; + error_code: ++ sp->read_error = 1; + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Using code not yet in table"); + return 0; + } +-- +2.27.0 + diff --git a/backport-0002-CVE-2022-22844.patch b/backport-0002-CVE-2022-22844.patch index 5cc47a5..015de92 100644 --- a/backport-0002-CVE-2022-22844.patch +++ b/backport-0002-CVE-2022-22844.patch @@ -11,10 +11,10 @@ Reference:https://gitlab.com/libtiff/libtiff/-/commit/0cf67888e32e36b45828dd4679 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/tiffset.c b/tools/tiffset.c -index 53afc51..75a8616 100644 +index b7badd9..b8b52c0 100644 --- a/tools/tiffset.c +++ b/tools/tiffset.c -@@ -136,15 +136,15 @@ main(int argc, char* argv[]) +@@ -148,15 +148,15 @@ main(int argc, char* argv[]) if (TIFFFieldDataType(fip) == TIFF_ASCII) { if(TIFFFieldPassCount( fip )) { size_t len; diff --git a/backport-0003-CVE-2022-22844.patch b/backport-0003-CVE-2022-22844.patch index 6450024..bb5b5c3 100644 --- a/backport-0003-CVE-2022-22844.patch +++ b/backport-0003-CVE-2022-22844.patch @@ -11,10 +11,10 @@ Reference:https://gitlab.com/libtiff/libtiff/-/commit/0a827a985f891d6df481a6f581 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/tiffset.c b/tools/tiffset.c -index 75a8616..19e177b 100644 +index b8b52c0..e7a88c0 100644 --- a/tools/tiffset.c +++ b/tools/tiffset.c -@@ -136,7 +136,7 @@ main(int argc, char* argv[]) +@@ -148,7 +148,7 @@ main(int argc, char* argv[]) if (TIFFFieldDataType(fip) == TIFF_ASCII) { if(TIFFFieldPassCount( fip )) { size_t len; diff --git a/backport-CVE-2020-35521_CVE-2020-35522.patch b/backport-CVE-2020-35521_CVE-2020-35522.patch deleted file mode 100644 index 91348ec..0000000 --- a/backport-CVE-2020-35521_CVE-2020-35522.patch +++ /dev/null @@ -1,102 +0,0 @@ -From b5a935d96b21cda0f434230cdf8ca958cd8b4eef Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Sun, 15 Nov 2020 17:02:51 +0100 -Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba - -Conflict:NA -Reference:https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef - ---- - man/tiff2rgba.1 | 4 ++++ - tools/tiff2rgba.c | 25 +++++++++++++++++++++++-- - 2 files changed, 27 insertions(+), 2 deletions(-) - -diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1 -index d9c9baa..fe9ebb2 100644 ---- a/man/tiff2rgba.1 -+++ b/man/tiff2rgba.1 -@@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file. - Currently this does not work if the - .B \-b - flag is also in effect. -+.TP -+.BI \-M " size" -+Set maximum memory allocation size (in MiB). The default is 256MiB. -+Set to 0 to disable the limit. - .SH "SEE ALSO" - .BR tiff2bw (1), - .BR TIFFReadRGBAImage (3t), -diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c -index 2eb6f6c..743efe3 100644 ---- a/tools/tiff2rgba.c -+++ b/tools/tiff2rgba.c -@@ -53,6 +53,10 @@ uint32 rowsperstrip = (uint32) -1; - int process_by_block = 0; /* default is whole image at once */ - int no_alpha = 0; - int bigtiff_output = 0; -+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024) -+/* malloc size limit (in bytes) -+ * disabled when set to 0 */ -+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC; - - - static int tiffcvt(TIFF* in, TIFF* out); -@@ -68,8 +72,11 @@ main(int argc, char* argv[]) - extern char *optarg; - #endif - -- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1) -+ while ((c = getopt(argc, argv, "c:r:t:bn8hM")) != -1) - switch (c) { -+ case 'M': -+ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20; -+ break; - case 'b': - process_by_block = 1; - break; -@@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out ) - (unsigned long)pixel_count, (unsigned long)sizeof(uint32)); - return (0); - } -+ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) { -+ TIFFError(TIFFFileName(in), -+ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.", -+ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc); -+ return 0; -+ } - - /* Read the image in one chunk into an RGBA array */ - if (!TIFFReadRGBAImageOriented(in, width, height, raster, -@@ -520,6 +533,13 @@ tiffcvt(TIFF* in, TIFF* out) - TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion()); - CopyField(TIFFTAG_DOCUMENTNAME, stringv); - -+ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc) -+ { -+ TIFFError(TIFFFileName(in), -+ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")", -+ (uint64)TIFFStripSize(in), (uint64)maxMalloc); -+ return 0; -+ } - if( process_by_block && TIFFIsTiled( in ) ) - return( cvt_by_tile( in, out ) ); - else if( process_by_block ) -@@ -529,7 +549,7 @@ tiffcvt(TIFF* in, TIFF* out) - } - - static char* stuff[] = { -- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output", -+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output", - "where comp is one of the following compression algorithms:", - " jpeg\t\tJPEG encoding", - " zip\t\tZip/Deflate encoding", -@@ -541,6 +561,7 @@ static char* stuff[] = { - " -b (progress by block rather than as a whole image)", - " -n don't emit alpha component.", - " -8 write BigTIFF file instead of ClassicTIFF", -+ " -M set the memory allocation limit in MiB. 0 to disable limit", - NULL - }; - --- -2.23.0 \ No newline at end of file diff --git a/backport-CVE-2020-35523.patch b/backport-CVE-2020-35523.patch deleted file mode 100644 index bed7c1c..0000000 --- a/backport-CVE-2020-35523.patch +++ /dev/null @@ -1,50 +0,0 @@ -From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Tue, 10 Nov 2020 01:54:30 +0100 -Subject: [PATCH] gtTileContig(): check Tile width for overflow - -fixes #211 ---- - libtiff/tif_getimage.c | 17 +++++++++++++---- - 1 file changed, 13 insertions(+), 4 deletions(-) - -diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c -index 4da785d3..96ab1460 100644 ---- a/libtiff/tif_getimage.c -+++ b/libtiff/tif_getimage.c -@@ -29,6 +29,7 @@ - */ - #include "tiffiop.h" - #include -+#include - - static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32); - static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32); -@@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h) - - flip = setorientation(img); - if (flip & FLIP_VERTICALLY) { -- y = h - 1; -- toskew = -(int32)(tw + w); -+ if ((tw + w) > INT_MAX) { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)"); -+ return (0); -+ } -+ y = h - 1; -+ toskew = -(int32)(tw + w); - } - else { -- y = 0; -- toskew = -(int32)(tw - w); -+ if (tw > (INT_MAX + w)) { -+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)"); -+ return (0); -+ } -+ y = 0; -+ toskew = -(int32)(tw - w); - } - - /* --- -GitLab - diff --git a/backport-CVE-2020-35524.patch b/backport-CVE-2020-35524.patch deleted file mode 100644 index 0ac58aa..0000000 --- a/backport-CVE-2020-35524.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 7be2e452ddcf6d7abca88f41d3761e6edab72b22 Mon Sep 17 00:00:00 2001 -From: Thomas Bernard -Date: Sat, 14 Nov 2020 12:53:01 +0000 -Subject: [PATCH] tiff2pdf.c: properly calculate datasize when saving to JPEG - YCbCr - -fixes #220 ---- - tools/tiff2pdf.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - ---- a/tools/tiff2pdf.c -+++ b/tools/tiff2pdf.c -@@ -2063,9 +2063,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* - #endif - (void) 0; - } -- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); -- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ -- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); -+#ifdef JPEG_SUPPORT -+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG -+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) { -+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p); -+ } else -+#endif -+ { -+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); -+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ -+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); -+ } - } - if (k == 0) { - /* Assume we had overflow inside TIFFScanlineSize */ diff --git a/backport-CVE-2022-0561.patch b/backport-CVE-2022-0561.patch index 59efd2e..d74c5e5 100644 --- a/backport-CVE-2022-0561.patch +++ b/backport-CVE-2022-0561.patch @@ -1,29 +1,28 @@ -From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sun, 6 Feb 2022 13:08:38 +0100 -Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null - source pointer and size of zero (fixes #362) - ---- - libtiff/tif_dirread.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 6f90941..627bf48 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -5682,8 +5682,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp) - _TIFFfree(data); - return(0); - } -- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64)); -- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64)); -+ if( dir->tdir_count ) -+ _TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64)); -+ _TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64)); - _TIFFfree(data); - data=resizeddata; - } --- -2.27.0 - +From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 6 Feb 2022 13:08:38 +0100 +Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #362) + +--- + libtiff/tif_dirread.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 23194ced..50ebf8ac 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); +- _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); ++ if( dir->tdir_count ) ++ _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t)); ++ _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t)); + _TIFFfree(data); + data=resizeddata; + } +-- +GitLab \ No newline at end of file diff --git a/backport-CVE-2022-0562.patch b/backport-CVE-2022-0562.patch index 7fdfdfb..98a72fd 100644 --- a/backport-CVE-2022-0562.patch +++ b/backport-CVE-2022-0562.patch @@ -1,29 +1,26 @@ -From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 -From: Even Rouault -Date: Sat, 5 Feb 2022 20:36:41 +0100 -Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null - source pointer and size of zero (fixes #362) - ---- - libtiff/tif_dirread.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 627bf48..8a0e951 100644 ---- a/libtiff/tif_dirread.c -+++ b/libtiff/tif_dirread.c -@@ -4126,8 +4126,9 @@ TIFFReadDirectory(TIFF* tif) - goto bad; - } - -- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); -- _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); -+ if (old_extrasamples > 0) -+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); -+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); - _TIFFfree(new_sampleinfo); - } - --- -2.27.0 - +From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sat, 5 Feb 2022 20:36:41 +0100 +Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #362) + +--- + libtiff/tif_dirread.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 2bbc4585..23194ced 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif) + goto bad; + } + +- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); ++ if (old_extrasamples > 0) ++ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); + _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); + _TIFFfree(new_sampleinfo); + } +-- +GitLab diff --git a/backport-CVE-2022-0865.patch b/backport-CVE-2022-0865.patch index e7bced7..a95a071 100644 --- a/backport-CVE-2022-0865.patch +++ b/backport-CVE-2022-0865.patch @@ -9,10 +9,10 @@ Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD 1 file changed, 10 insertions(+) diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c -index 7ffe885..ca1ca43 100644 +index 7408633..8bfa4ce 100644 --- a/libtiff/tif_jbig.c +++ b/libtiff/tif_jbig.c -@@ -208,6 +208,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) +@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) */ tif->tif_flags |= TIFF_NOBITREV; tif->tif_flags &= ~TIFF_MAPPED; @@ -30,5 +30,5 @@ index 7ffe885..ca1ca43 100644 /* Setup the function pointers for encode, decode, and cleanup. */ tif->tif_setupdecode = JBIGSetupDecode; -- -2.27.0 +2.35.1 diff --git a/backport-CVE-2022-0891.patch b/backport-CVE-2022-0891.patch index 0518b4d..1d6f210 100644 --- a/backport-CVE-2022-0891.patch +++ b/backport-CVE-2022-0891.patch @@ -1,216 +1,215 @@ -From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001 -From: Su Laus -Date: Tue, 8 Mar 2022 17:02:44 +0000 -Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in - extractImageSection - -Conflict:NA -Reference:https://gitlab.com/freedesktop-sdk/mirrors/gitlab/libtiff/libtiff/-/commit/232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c ---- - tools/tiffcrop.c | 92 +++++++++++++++++++----------------------------- - 1 file changed, 36 insertions(+), 56 deletions(-) - -diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 7b3c9e7..36b68bb 100644 ---- a/tools/tiffcrop.c -+++ b/tools/tiffcrop.c -@@ -105,8 +105,8 @@ - * of messages to monitor progess without enabling dump logs. - */ - --static char tiffcrop_version_id[] = "2.4"; --static char tiffcrop_rev_date[] = "12-13-2010"; -+static char tiffcrop_version_id[] = "2.4.1"; -+static char tiffcrop_rev_date[] = "03-03-2010"; - - #include "tif_config.h" - #include "tiffiop.h" -@@ -6669,10 +6669,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - uint32 img_length; - #endif -- uint32 j, shift1, shift2, trailing_bits; -+ uint32 j, shift1, trailing_bits; - uint32 row, first_row, last_row, first_col, last_col; - uint32 src_offset, dst_offset, row_offset, col_offset; -- uint32 offset1, offset2, full_bytes; -+ uint32 offset1, full_bytes; - uint32 sect_width; - #ifdef DEVELMODE - uint32 sect_length; -@@ -6682,7 +6682,6 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - int k; - unsigned char bitset; -- static char *bitarray = NULL; - #endif - - img_width = image->width; -@@ -6700,17 +6699,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - dst_offset = 0; - - #ifdef DEVELMODE -- if (bitarray == NULL) -- { -- if ((bitarray = (char *)malloc(img_width)) == NULL) -- { -- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); -- return (-1); -- } -- } -+ char bitarray[39]; - #endif - -- /* rows, columns, width, length are expressed in pixels */ -+ /* rows, columns, width, length are expressed in pixels -+ * first_row, last_row, .. are index into image array starting at 0 to width-1, -+ * last_col shall be also extracted. */ - first_row = section->y1; - last_row = section->y2; - first_col = section->x1; -@@ -6720,9 +6714,14 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #ifdef DEVELMODE - sect_length = last_row - first_row + 1; - #endif -- img_rowsize = ((img_width * bps + 7) / 8) * spp; -- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ -- trailing_bits = (sect_width * bps) % 8; -+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved -+ * samples rather than separate planes so the same logic works to extract regions -+ * regardless of the way the data are organized in the input file. -+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 -+ */ -+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ -+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ -+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ - - #ifdef DEVELMODE - TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n", -@@ -6735,10 +6734,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, - - if ((bps % 8) == 0) - { -- col_offset = first_col * spp * bps / 8; -+ col_offset = (first_col * spp * bps) / 8; - for (row = first_row; row <= last_row; row++) - { -- /* row_offset = row * img_width * spp * bps / 8; */ - row_offset = row * img_rowsize; - src_offset = row_offset + col_offset; - -@@ -6751,14 +6749,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - } - else - { /* bps != 8 */ -- shift1 = spp * ((first_col * bps) % 8); -- shift2 = spp * ((last_col * bps) % 8); -+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ - for (row = first_row; row <= last_row; row++) - { - /* pull out the first byte */ - row_offset = row * img_rowsize; -- offset1 = row_offset + (first_col * bps / 8); -- offset2 = row_offset + (last_col * bps / 8); -+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ - - #ifdef DEVELMODE - for (j = 0, k = 7; j < 8; j++, k--) -@@ -6770,12 +6766,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - sprintf(&bitarray[9], " "); - for (j = 10, k = 7; j < 18; j++, k--) - { -- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; -+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; - sprintf(&bitarray[j], (bitset) ? "1" : "0"); - } - bitarray[18] = '\0'; -- TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Shift2: %d\n", -- row, offset1, shift1, offset2, shift2); -+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n", -+ row, offset1, shift1, offset1+full_bytes, trailing_bits); - #endif - - bytebuff1 = bytebuff2 = 0; -@@ -6799,11 +6795,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, - - if (trailing_bits != 0) - { -- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); -+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ -+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); - sect_buff[dst_offset] = bytebuff2; - #ifdef DEVELMODE - TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", -- offset2, dst_offset); -+ offset1 + full_bytes, dst_offset); - for (j = 30, k = 7; j < 38; j++, k--) - { - bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; -@@ -6822,8 +6819,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #endif - for (j = 0; j <= full_bytes; j++) - { -- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); -- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); -+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ -+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ -+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); -+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); - sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); - } - #ifdef DEVELMODE -@@ -6839,36 +6838,17 @@ extractImageSection(struct image_data *image, struct pageseg *section, - #endif - dst_offset += full_bytes; - -+ /* Copy the trailing_bits for the last byte in the destination buffer. -+ Could come from one ore two bytes of the source buffer. */ - if (trailing_bits != 0) - { - #ifdef DEVELMODE -- TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", offset1 + full_bytes, dst_offset); --#endif -- if (shift2 > shift1) -- { -- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); -- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); -- sect_buff[dst_offset] = bytebuff2; --#ifdef DEVELMODE -- TIFFError ("", " Shift2 > Shift1\n"); -+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset); - #endif -+ /* More than necessary bits are already copied into last destination buffer, -+ * only masking of last byte in destination buffer is necessary.*/ -+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); - } -- else -- { -- if (shift2 < shift1) -- { -- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); -- sect_buff[dst_offset] &= bytebuff2; --#ifdef DEVELMODE -- TIFFError ("", " Shift2 < Shift1\n"); --#endif -- } --#ifdef DEVELMODE -- else -- TIFFError ("", " Shift2 == Shift1\n"); --#endif -- } -- } - #ifdef DEVELMODE - sprintf(&bitarray[28], " "); - sprintf(&bitarray[29], " "); -@@ -7021,7 +7001,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image, - width = sections[i].x2 - sections[i].x1 + 1; - length = sections[i].y2 - sections[i].y1 + 1; - sectsize = (uint32) -- ceil((width * image->bps + 7) / (double)8) * image->spp * length; -+ ceil((width * image->bps * image->spp + 7) / (double)8) * length; - /* allocate a buffer if we don't have one already */ - if (createImageSection(sectsize, sect_buff_ptr)) - { --- -2.27.0 - +From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001 +From: Su Laus +Date: Tue, 8 Mar 2022 17:02:44 +0000 +Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in + extractImageSection + +Conflict:NA +Reference:https://gitlab.com/freedesktop-sdk/mirrors/gitlab/libtiff/libtiff/-/commit/232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c +--- + tools/tiffcrop.c | 92 +++++++++++++++++++----------------------------- + 1 file changed, 36 insertions(+), 56 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index f2e5474a..e62bcc71 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -105,8 +105,8 @@ + * of messages to monitor progress without enabling dump logs. + */ + +-static char tiffcrop_version_id[] = "2.4"; +-static char tiffcrop_rev_date[] = "12-13-2010"; ++static char tiffcrop_version_id[] = "2.4.1"; ++static char tiffcrop_rev_date[] = "03-03-2010"; + + #include "tif_config.h" + #include "libport.h" +@@ -6739,10 +6739,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + uint32_t img_length; + #endif +- uint32_t j, shift1, shift2, trailing_bits; ++ uint32_t j, shift1, trailing_bits; + uint32_t row, first_row, last_row, first_col, last_col; + uint32_t src_offset, dst_offset, row_offset, col_offset; +- uint32_t offset1, offset2, full_bytes; ++ uint32_t offset1, full_bytes; + uint32_t sect_width; + #ifdef DEVELMODE + uint32_t sect_length; +@@ -6752,7 +6752,6 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + int k; + unsigned char bitset; +- static char *bitarray = NULL; + #endif + + img_width = image->width; +@@ -6770,17 +6769,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + dst_offset = 0; + + #ifdef DEVELMODE +- if (bitarray == NULL) +- { +- if ((bitarray = (char *)malloc(img_width)) == NULL) +- { +- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); +- return (-1); +- } +- } ++ char bitarray[39]; + #endif + +- /* rows, columns, width, length are expressed in pixels */ ++ /* rows, columns, width, length are expressed in pixels ++ * first_row, last_row, .. are index into image array starting at 0 to width-1, ++ * last_col shall be also extracted. */ + first_row = section->y1; + last_row = section->y2; + first_col = section->x1; +@@ -6790,9 +6784,14 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #ifdef DEVELMODE + sect_length = last_row - first_row + 1; + #endif +- img_rowsize = ((img_width * bps + 7) / 8) * spp; +- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ +- trailing_bits = (sect_width * bps) % 8; ++ /* The read function loadImage() used copy separate plane data into a buffer as interleaved ++ * samples rather than separate planes so the same logic works to extract regions ++ * regardless of the way the data are organized in the input file. ++ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 ++ */ ++ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ ++ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ ++ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ + + #ifdef DEVELMODE + TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n", +@@ -6805,10 +6804,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, + + if ((bps % 8) == 0) + { +- col_offset = first_col * spp * bps / 8; ++ col_offset = (first_col * spp * bps) / 8; + for (row = first_row; row <= last_row; row++) + { +- /* row_offset = row * img_width * spp * bps / 8; */ + row_offset = row * img_rowsize; + src_offset = row_offset + col_offset; + +@@ -6821,14 +6819,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + } + else + { /* bps != 8 */ +- shift1 = spp * ((first_col * bps) % 8); +- shift2 = spp * ((last_col * bps) % 8); ++ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ + for (row = first_row; row <= last_row; row++) + { + /* pull out the first byte */ + row_offset = row * img_rowsize; +- offset1 = row_offset + (first_col * bps / 8); +- offset2 = row_offset + (last_col * bps / 8); ++ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ + + #ifdef DEVELMODE + for (j = 0, k = 7; j < 8; j++, k--) +@@ -6840,12 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + sprintf(&bitarray[9], " "); + for (j = 10, k = 7; j < 18; j++, k--) + { +- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; ++ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; + sprintf(&bitarray[j], (bitset) ? "1" : "0"); + } + bitarray[18] = '\0'; +- TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n", +- row, offset1, shift1, offset2, shift2); ++ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n", ++ row, offset1, shift1, offset1+full_bytes, trailing_bits); + #endif + + bytebuff1 = bytebuff2 = 0; +@@ -6869,11 +6865,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, + + if (trailing_bits != 0) + { +- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); ++ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ ++ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); + sect_buff[dst_offset] = bytebuff2; + #ifdef DEVELMODE + TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", +- offset2, dst_offset); ++ offset1 + full_bytes, dst_offset); + for (j = 30, k = 7; j < 38; j++, k--) + { + bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; +@@ -6892,8 +6889,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #endif + for (j = 0; j <= full_bytes; j++) + { +- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); +- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); ++ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ ++ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ ++ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); ++ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); + sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); + } + #ifdef DEVELMODE +@@ -6909,36 +6908,17 @@ extractImageSection(struct image_data *image, struct pageseg *section, + #endif + dst_offset += full_bytes; + ++ /* Copy the trailing_bits for the last byte in the destination buffer. ++ Could come from one ore two bytes of the source buffer. */ + if (trailing_bits != 0) + { + #ifdef DEVELMODE +- TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset); +-#endif +- if (shift2 > shift1) +- { +- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); +- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); +- sect_buff[dst_offset] = bytebuff2; +-#ifdef DEVELMODE +- TIFFError ("", " Shift2 > Shift1\n"); ++ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset); + #endif ++ /* More than necessary bits are already copied into last destination buffer, ++ * only masking of last byte in destination buffer is necessary.*/ ++ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); + } +- else +- { +- if (shift2 < shift1) +- { +- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); +- sect_buff[dst_offset] &= bytebuff2; +-#ifdef DEVELMODE +- TIFFError ("", " Shift2 < Shift1\n"); +-#endif +- } +-#ifdef DEVELMODE +- else +- TIFFError ("", " Shift2 == Shift1\n"); +-#endif +- } +- } + #ifdef DEVELMODE + sprintf(&bitarray[28], " "); + sprintf(&bitarray[29], " "); +@@ -7091,7 +7071,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image, + width = sections[i].x2 - sections[i].x1 + 1; + length = sections[i].y2 - sections[i].y1 + 1; + sectsize = (uint32_t) +- ceil((width * image->bps + 7) / (double)8) * image->spp * length; ++ ceil((width * image->bps * image->spp + 7) / (double)8) * length; + /* allocate a buffer if we don't have one already */ + if (createImageSection(sectsize, sect_buff_ptr)) + { +-- +GitLab diff --git a/backport-CVE-2022-0907.patch b/backport-CVE-2022-0907.patch index 0cbf154..ce1af73 100644 --- a/backport-CVE-2022-0907.patch +++ b/backport-CVE-2022-0907.patch @@ -4,17 +4,17 @@ Date: Mon, 7 Mar 2022 18:21:49 +0800 Subject: [PATCH 1/3] add checks for return value of limitMalloc (#392) --- - tools/tiffcrop.c | 32 ++++++++++++++++++++------------ - 1 file changed, 20 insertions(+), 12 deletions(-) + tools/tiffcrop.c | 33 +++++++++++++++++++++------------ + 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 61bafc5..68ac071 100644 +index 302a7e9..e407bf5 100644 --- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c -@@ -7316,7 +7316,11 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr) +@@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) if (!sect_buff) { - sect_buff = (unsigned char *)_TIFFmalloc(sectsize); + sect_buff = (unsigned char *)limitMalloc(sectsize); - *sect_buff_ptr = sect_buff; + if (!sect_buff) + { @@ -24,7 +24,7 @@ index 61bafc5..68ac071 100644 _TIFFmemset(sect_buff, 0, sectsize); } else -@@ -7332,15 +7336,15 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr) +@@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) else sect_buff = new_buff; @@ -45,10 +45,10 @@ index 61bafc5..68ac071 100644 prev_sectsize = sectsize; *sect_buff_ptr = sect_buff; -@@ -7607,7 +7611,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, +@@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, if (!crop_buff) { - crop_buff = (unsigned char *)_TIFFmalloc(cropsize); + crop_buff = (unsigned char *)limitMalloc(cropsize); - *crop_buff_ptr = crop_buff; + if (!crop_buff) + { @@ -58,7 +58,7 @@ index 61bafc5..68ac071 100644 _TIFFmemset(crop_buff, 0, cropsize); prev_cropsize = cropsize; } -@@ -7623,15 +7631,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, +@@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, } else crop_buff = new_buff; @@ -79,6 +79,11 @@ index 61bafc5..68ac071 100644 *crop_buff_ptr = crop_buff; if (crop->crop_mode & CROP_INVERT) +@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui + * fill-column: 78 + * End: + */ ++ -- -2.27.0 +2.35.1 diff --git a/backport-CVE-2022-0908.patch b/backport-CVE-2022-0908.patch index 88aea4b..446c9f6 100644 --- a/backport-CVE-2022-0908.patch +++ b/backport-CVE-2022-0908.patch @@ -9,19 +9,19 @@ Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 28a7992..b9b4079 100644 +index d654a1c..a31109a 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c -@@ -5021,7 +5021,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) +@@ -5080,7 +5080,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) _TIFFfree(data); return(0); } -- _TIFFmemcpy(o,data,(uint32)dp->tdir_count); +- _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); + if (dp->tdir_count > 0 ) + { -+ _TIFFmemcpy(o,data,(uint32)dp->tdir_count); ++ _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count); + } - o[(uint32)dp->tdir_count]=0; + o[(uint32_t)dp->tdir_count]=0; if (data!=0) _TIFFfree(data); -- diff --git a/backport-CVE-2022-0909.patch b/backport-CVE-2022-0909.patch index ae60999..9d33170 100644 --- a/backport-CVE-2022-0909.patch +++ b/backport-CVE-2022-0909.patch @@ -11,10 +11,10 @@ Reference:https://gitlab.com/libtiff/libtiff/-/commit/32ea0722ee68f503b7a3f9b2d5 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index 1e0a76c..39aeeb4 100644 +index a6c254f..77da6ea 100644 --- a/libtiff/tif_dir.c +++ b/libtiff/tif_dir.c -@@ -334,13 +334,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) +@@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) break; case TIFFTAG_XRESOLUTION: dblval = va_arg(ap, double); diff --git a/backport-CVE-2022-0924.patch b/backport-CVE-2022-0924.patch index 8586606..4eff659 100644 --- a/backport-CVE-2022-0924.patch +++ b/backport-CVE-2022-0924.patch @@ -11,16 +11,16 @@ Reference:https://gitlab.com/libtiff/libtiff/-/commit/88d79a45a31c74cba98c697892 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 84d8148..f260f80 100644 +index 1f88951..552d8fa 100644 --- a/tools/tiffcp.c +++ b/tools/tiffcp.c -@@ -1523,12 +1523,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) +@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) tdata_t obuf; tstrip_t strip = 0; tsample_t s; -+ uint16 bps = 0, bytes_per_sample; ++ uint16_t bps = 0, bytes_per_sample; - obuf = _TIFFmalloc(stripsize); + obuf = limitMalloc(stripsize); if (obuf == NULL) return (0); _TIFFmemset(obuf, 0, stripsize); @@ -40,17 +40,17 @@ index 84d8148..f260f80 100644 + } + bytes_per_sample = bps/8; for (s = 0; s < spp; s++) { - uint32 row; + uint32_t row; for (row = 0; row < imagelength; row += rowsperstrip) { -@@ -1538,7 +1553,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) +@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) cpContigBufToSeparateBuf( - obuf, (uint8*) buf + row*rowsize + s, + obuf, (uint8_t*) buf + row * rowsize + s, - nrows, imagewidth, 0, 0, spp, 1); + nrows, imagewidth, 0, 0, spp, bytes_per_sample); if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { TIFFError(TIFFFileName(out), - "Error, can't write strip %u", + "Error, can't write strip %"PRIu32, -- 2.27.0 diff --git a/backport-CVE-2022-1355.patch b/backport-CVE-2022-1355.patch index 20d7258..8118a04 100644 --- a/backport-CVE-2022-1355.patch +++ b/backport-CVE-2022-1355.patch @@ -3,15 +3,17 @@ From: Su_Laus Date: Sat, 2 Apr 2022 22:33:31 +0200 Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400) +Conflict:NA +Reference:https://gitlab.com/gitlab-org/build/omnibus-mirror/libtiff/-/commit/fb1db384959698edd6caeea84e28253d272a0f96 --- tools/tiffcp.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 1c81322..83b3910 100644 +index 552d8fa..57eef90 100644 --- a/tools/tiffcp.c +++ b/tools/tiffcp.c -@@ -247,19 +247,34 @@ main(int argc, char* argv[]) +@@ -274,19 +274,34 @@ main(int argc, char* argv[]) deftilewidth = atoi(optarg); break; case 'B': diff --git a/fix-raw2tiff-floating-point-exception.patch b/fix-raw2tiff-floating-point-exception.patch new file mode 100644 index 0000000..ca217c8 --- /dev/null +++ b/fix-raw2tiff-floating-point-exception.patch @@ -0,0 +1,34 @@ +From 42f499986d3c8a1dce55db7d97d501f8e9dfc8f6 Mon Sep 17 00:00:00 2001 +From: t.feng +Date: Mon, 13 Dec 2021 21:03:13 +0800 +Subject: [PATCH] fix raw2tiff floating point exception + +if we input illegal nbands, like: +raw2tiff -b :2 test.raw test.tif +we got: +Floating point exception (core dumped) +so, check nbands before guessSize + +--- + tools/raw2tiff.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c +index dfee715..3a6f00e 100644 +--- a/tools/raw2tiff.c ++++ b/tools/raw2tiff.c +@@ -209,6 +209,11 @@ main(int argc, char* argv[]) + return (EXIT_FAILURE); + } + ++ if (nbands == 0) { ++ fprintf(stderr, "The number of bands is illegal.\n"); ++ return (-1); ++ } ++ + if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0) + return EXIT_FAILURE; + +-- +2.27.0 + diff --git a/libtiff.spec b/libtiff.spec index 881d0e8..efb71a0 100644 --- a/libtiff.spec +++ b/libtiff.spec @@ -1,32 +1,31 @@ Name: libtiff -Version: 4.1.0 -Release: 11 +Version: 4.3.0 +Release: 1 Summary: TIFF Library and Utilities License: libtiff URL: https://www.simplesystems.org/libtiff/ Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz -Patch6000: backport-CVE-2020-35521_CVE-2020-35522.patch -Patch6001: backport-CVE-2020-35523.patch -Patch6002: backport-CVE-2020-35524.patch -Patch6003: backport-CVE-2022-0561.patch -Patch6004: backport-CVE-2022-0562.patch -Patch6005: backport-0001-CVE-2022-22844.patch -Patch6006: backport-0002-CVE-2022-22844.patch -Patch6007: backport-0003-CVE-2022-22844.patch -Patch6008: backport-CVE-2022-0891.patch -Patch6009: backport-CVE-2022-0908.patch -Patch6010: backport-CVE-2022-0907.patch -Patch6011: backport-CVE-2022-0865.patch -Patch6012: backport-CVE-2022-0909.patch -Patch6013: backport-CVE-2022-0924.patch -Patch6014: backport-CVE-2022-1355.patch +Patch6000: backport-CVE-2022-0561.patch +Patch6001: backport-CVE-2022-0562.patch +Patch6002: backport-0001-CVE-2022-22844.patch +Patch6003: backport-0002-CVE-2022-22844.patch +Patch6004: backport-0003-CVE-2022-22844.patch +Patch6005: backport-CVE-2022-0891.patch +Patch6006: backport-CVE-2022-0907.patch +Patch6007: backport-CVE-2022-0908.patch +Patch6008: backport-CVE-2022-0865.patch +Patch6009: backport-CVE-2022-0909.patch +Patch6010: backport-CVE-2022-0924.patch +Patch6011: backport-CVE-2022-1355.patch +Patch6012: backport-0001-CVE-2022-1622-CVE-2022-1623.patch +Patch6013: backport-0002-CVE-2022-1622-CVE-2022-1623.patch + + +Patch9000: fix-raw2tiff-floating-point-exception.patch BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel -BuildRequires: libtool automake autoconf pkgconfig git - -Provides: %{name}-tools -Obsoletes: %{name}-tools +BuildRequires: libtool automake autoconf pkgconfig %description This %{name} provides support for the Tag Image File Format (TIFF), a widely @@ -38,9 +37,6 @@ for manipulating TIFF format image files using the libtiff library. Summary: Development files for %{name} library Requires: %{name} = %{version}-%{release} pkgconfig -Provides: %{name}-static -Obsoletes: %{name}-static - %description devel This package contains the header files and documentation necessary for developing programs which will manipulate TIFF format image files using the libtiff library. @@ -48,7 +44,7 @@ which will manipulate TIFF format image files using the libtiff library. %package_help %prep -%autosetup -n tiff-%{version} -p1 -S git +%autosetup -n tiff-%{version} -p1 libtoolize --force --copy aclocal -I . -I m4 @@ -123,10 +119,13 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man* %doc RELEASE-DATE VERSION %doc TODO ChangeLog html -%exclude %{_mandir}/man1/tiffgt.1 +%exclude %{_mandir}/man1/* %exclude %{_datadir}/html/man/tiffgt.1.html %changelog +* Thu Jun 23 2022 wuchaochao - 4.3.0-1 +- update to 4.3.0 for fix CVE-2022-1622,CVE-2022-1623 + * Wed May 18 2022 liuyumeng - 4.1.0-11 - fix CVE-2022-1355 @@ -153,7 +152,7 @@ find html -name 'Makefile*' | xargs rm * Thu Mar 10 2022 dongyuzhen - 4.1.0-5 - Type:cves -- ID:CVE-2022-22844 +- ID:CVE-2022-22844 - SUG:NA - DESC:fix CVE-2022-22844 diff --git a/tiff-4.1.0.tar.gz b/tiff-4.1.0.tar.gz deleted file mode 100644 index a367cf0..0000000 Binary files a/tiff-4.1.0.tar.gz and /dev/null differ diff --git a/tiff-4.3.0.tar.gz b/tiff-4.3.0.tar.gz new file mode 100644 index 0000000..e0468fa Binary files /dev/null and b/tiff-4.3.0.tar.gz differ