fix CVE-2022-0907

(cherry picked from commit ebd6ade78cacff00a65a64c81f394a772ba4f6fc)
2022-03-28 16:58:52 +08:00 · 2022-03-28 16:58:52 +08:00 · bfe35ead2d
commit bfe35ead2d
parent ff5d12d526
2 changed files with 89 additions and 1 deletions
--- a/backport-CVE-2022-0907.patch
+++ b/backport-CVE-2022-0907.patch
@ -0,0 +1,84 @@
+From 10b4736669928673cc9a5c5f2a88ffdc92f1b560 Mon Sep 17 00:00:00 2001
+From: Augustus <wangdw.augustus@qq.com>
+Date: Mon, 7 Mar 2022 18:21:49 +0800
+Subject: [PATCH 1/3] add checks for return value of limitMalloc (#392)
+
+---
+ tools/tiffcrop.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 61bafc5..68ac071 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -7316,7 +7316,11 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr)
+   if (!sect_buff)
+     {
+     sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
+-    *sect_buff_ptr = sect_buff;
+    if (!sect_buff)
+    {
+        TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+        return (-1);
+    }
+     _TIFFmemset(sect_buff, 0, sectsize);
+     }
+   else
+@@ -7332,15 +7336,15 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr)
+       else
+         sect_buff = new_buff;
+ 
+      if (!sect_buff)
+      {
+          TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+          return (-1);
+      }
+       _TIFFmemset(sect_buff, 0, sectsize);
+       }
+     }
+ 
+-  if (!sect_buff)
+-    {
+-    TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+-    return (-1);
+-    }
+   prev_sectsize = sectsize;
+   *sect_buff_ptr = sect_buff;
+ 
+@@ -7607,7 +7611,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+   if (!crop_buff)
+     {
+     crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
+-    *crop_buff_ptr = crop_buff;
+    if (!crop_buff)
+    {
+        TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+        return (-1);
+    }
+     _TIFFmemset(crop_buff, 0, cropsize);
+     prev_cropsize = cropsize;
+     }
+@@ -7623,15 +7631,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+         }
+       else
+         crop_buff = new_buff;
+      if (!crop_buff)
+      {
+          TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+          return (-1);
+      }
+       _TIFFmemset(crop_buff, 0, cropsize);
+       }
+     }
+ 
+-  if (!crop_buff)
+-    {
+-    TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+-    return (-1);
+-    }
+   *crop_buff_ptr = crop_buff;
+ 
+   if (crop->crop_mode & CROP_INVERT)
+-- 
+2.27.0
+
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,6 +1,6 @@
 Name:           libtiff
 Version:        4.1.0
-Release:        7
+Release:        8
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
@ -16,6 +16,7 @@ Patch6006:	backport-0002-CVE-2022-22844.patch
 Patch6007:	backport-0003-CVE-2022-22844.patch
 Patch6008:	backport-CVE-2022-0891.patch
 Patch6009:      backport-CVE-2022-0908.patch
+Patch6010:      backport-CVE-2022-0907.patch

 BuildRequires:  gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires:  libtool automake autoconf pkgconfig git
@ -122,6 +123,9 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html

 %changelog
+* Tue Mar 28 2022 yangcheng <yangcheng87@h-partners.com> - 4.1.0-8
+- fix CVE-2022-0907
+
 * Tue Mar 22 2022 yangcheng <yangcheng87@h-partners.com> - 4.1.0-7
 - Type:cve
 - ID:CVE-2022-0908