!47 fix CVE-2022-0908

From: @yangcheng1203 Reviewed-by: @yanan-rock Signed-off-by: @yanan-rock
2022-03-22 15:18:50 +00:00 · 2022-03-22 15:18:50 +00:00 · ff5d12d526
commit ff5d12d526
parent 56651cde65 cf07942131
3 changed files with 40 additions and 4 deletions
--- a/backport-CVE-2022-0891.patch
+++ b/backport-CVE-2022-0891.patch
@ -78,7 +78,7 @@ index 7b3c9e7..36b68bb 100644
 +    /* The read function loadImage() used copy separate plane data into a buffer as interleaved
 +     * samples rather than separate planes so the same logic works to extract regions
 +     * regardless of the way the data are organized in the input file.
-+     * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 
+     * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
 +     */
 +    img_rowsize = (((img_width * spp * bps) + 7) / 8);    /* row size in full bytes of source image */
 +    full_bytes = (sect_width * spp * bps) / 8;            /* number of COMPLETE bytes per row in section */
@ -126,8 +126,8 @@ index 7b3c9e7..36b68bb 100644
       bitarray[18] = '\0';
 -      TIFFError ("", "Row: %3d Offset1: %d,  Shift1: %d,    Offset2: %d,  Shift2:  %d\n", 
 -                 row, offset1, shift1, offset2, shift2); 
-+      TIFFError ("", "Row: %3d Offset1: %"PRIu32",  Shift1: %"PRIu32",    Offset2: %"PRIu32",  Trailing_bits:  %"PRIu32"\n", 
-+                 row, offset1, shift1, offset1+full_bytes, trailing_bits); 
+      TIFFError ("", "Row: %3d Offset1: %"PRIu32",  Shift1: %"PRIu32",    Offset2: %"PRIu32",  Trailing_bits:  %"PRIu32"\n",
+                 row, offset1, shift1, offset1+full_bytes, trailing_bits);
 #endif
 
       bytebuff1 = bytebuff2 = 0;
--- a/backport-CVE-2022-0908.patch
+++ b/backport-CVE-2022-0908.patch
@ -0,0 +1,29 @@
+From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 17 Feb 2022 15:28:43 +0100
+Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #383)
+
+---
+ libtiff/tif_dirread.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 28a7992..b9b4079 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -5021,7 +5021,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
+ 								_TIFFfree(data);
+ 							return(0);
+ 						}
+-						_TIFFmemcpy(o,data,(uint32)dp->tdir_count);
+						if (dp->tdir_count > 0 )
+						{
+							_TIFFmemcpy(o,data,(uint32)dp->tdir_count);
+						}
+ 						o[(uint32)dp->tdir_count]=0;
+ 						if (data!=0)
+ 							_TIFFfree(data);
+-- 
+2.27.0
+
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,6 +1,6 @@
 Name:           libtiff
 Version:        4.1.0
-Release:        6
+Release:        7
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
@ -15,6 +15,7 @@ Patch6005:	backport-0001-CVE-2022-22844.patch
 Patch6006:	backport-0002-CVE-2022-22844.patch
 Patch6007:	backport-0003-CVE-2022-22844.patch
 Patch6008:	backport-CVE-2022-0891.patch
+Patch6009:      backport-CVE-2022-0908.patch

 BuildRequires:  gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires:  libtool automake autoconf pkgconfig git
@ -121,6 +122,12 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html

 %changelog
+* Tue Mar 22 2022 yangcheng <yangcheng87@h-partners.com> - 4.1.0-7
+- Type:cve
+- ID:CVE-2022-0908
+- SUG:NA
+- DESC:fix CVE-2022-0908 and modify CVE-2022-0891 patch
+
 * Thu Mar 17 2022 wangkerong <wangkerong@h-partners.com> - 4.1.0-6
 - Type:cve
 - ID:CVE-2022-0891