From 0cc59eafc84c91acefea97a68d053bea2f0e8c3c Mon Sep 17 00:00:00 2001
From: dongyuzhen <dongyuzhen@h-partners.com>
Date: Sat, 2 Apr 2022 10:58:51 +0800
Subject: [PATCH] fix CVE-2022-0909,CVE-2022-0924

(cherry picked from commit ebfbb100c28d61b856b1d252e42e563cd6830303)
---
 backport-CVE-2022-0909.patch | 35 ++++++++++++++++++++++
 backport-CVE-2022-0924.patch | 56 ++++++++++++++++++++++++++++++++++++
 libtiff.spec                 |  7 ++++-
 3 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-0909.patch
 create mode 100644 backport-CVE-2022-0924.patch

diff --git a/backport-CVE-2022-0909.patch b/backport-CVE-2022-0909.patch
new file mode 100644
index 0000000..ae60999
--- /dev/null
+++ b/backport-CVE-2022-0909.patch
@@ -0,0 +1,35 @@
+From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Tue, 8 Mar 2022 16:22:04 +0000
+Subject: [PATCH] fix the FPE in tiffcrop (#393)
+
+Conflict:NA
+Reference:https://gitlab.com/libtiff/libtiff/-/commit/32ea0722ee68f503b7a3f9b2d557acb293fc8cde
+
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 1e0a76c..39aeeb4 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -334,13 +334,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap)
+ 		break;
+ 	case TIFFTAG_XRESOLUTION:
+         dblval = va_arg(ap, double);
+-        if( dblval < 0 )
++        if( dblval != dblval || dblval < 0 )
+             goto badvaluedouble;
+ 		td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
+ 		break;
+ 	case TIFFTAG_YRESOLUTION:
+         dblval = va_arg(ap, double);
+-        if( dblval < 0 )
++        if( dblval != dblval || dblval < 0 )
+             goto badvaluedouble;
+ 		td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
+ 		break;
+-- 
+2.27.0
+
diff --git a/backport-CVE-2022-0924.patch b/backport-CVE-2022-0924.patch
new file mode 100644
index 0000000..8586606
--- /dev/null
+++ b/backport-CVE-2022-0924.patch
@@ -0,0 +1,56 @@
+From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001
+From: 4ugustus <wangdw.augustus@qq.com>
+Date: Thu, 10 Mar 2022 08:48:00 +0000
+Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
+
+Conflict:NA
+Reference:https://gitlab.com/libtiff/libtiff/-/commit/88d79a45a31c74cba98c697892fed5f7db8b963a
+
+---
+ tools/tiffcp.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 84d8148..f260f80 100644
+--- a/tools/tiffcp.c
++++ b/tools/tiffcp.c
+@@ -1523,12 +1523,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
+ 	tdata_t obuf;
+ 	tstrip_t strip = 0;
+ 	tsample_t s;
++	uint16 bps = 0, bytes_per_sample;
+ 
+ 	obuf = _TIFFmalloc(stripsize);
+ 	if (obuf == NULL)
+ 		return (0);
+ 	_TIFFmemset(obuf, 0, stripsize);
+ 	(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
++	(void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++	if( bps == 0 )
++        {
++            TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
++            _TIFFfree(obuf);
++            return 0;
++        }
++        if( (bps % 8) != 0 )
++        {
++            TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++            _TIFFfree(obuf);
++            return 0;
++        }
++	bytes_per_sample = bps/8;
+ 	for (s = 0; s < spp; s++) {
+ 		uint32 row;
+ 		for (row = 0; row < imagelength; row += rowsperstrip) {
+@@ -1538,7 +1553,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
+ 
+ 			cpContigBufToSeparateBuf(
+ 			    obuf, (uint8*) buf + row*rowsize + s,
+-			    nrows, imagewidth, 0, 0, spp, 1);
++			    nrows, imagewidth, 0, 0, spp, bytes_per_sample);
+ 			if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
+ 				TIFFError(TIFFFileName(out),
+ 				    "Error, can't write strip %u",
+-- 
+2.27.0
+
diff --git a/libtiff.spec b/libtiff.spec
index 8878c32..f73b71b 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,6 +1,6 @@
 Name:           libtiff
 Version:        4.1.0
-Release:        9
+Release:        10
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
@@ -18,6 +18,8 @@ Patch6008:	backport-CVE-2022-0891.patch
 Patch6009:      backport-CVE-2022-0908.patch
 Patch6010:      backport-CVE-2022-0907.patch
 Patch6011:      backport-CVE-2022-0865.patch
+Patch6012:      backport-CVE-2022-0909.patch
+Patch6013:      backport-CVE-2022-0924.patch
 
 BuildRequires:  gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires:  libtool automake autoconf pkgconfig git
@@ -124,6 +126,9 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html
 
 %changelog
+* Sat Apr 02 2022 dongyuzhen <dongyuzhen@h-partners.com> - 4.1.0-10
+- fix CVE-2022-0909,CVE-2022-0924
+
 * Tue Mar 29 2022 yangcheng <yangcheng87@h-partners.com> - 4.1.0-9
 - fix CVE-2022-0865