19909236985 2022-06-23 15:15:15 +08:00
parent 10091c3c2d
commit 7092167bfd
21 changed files with 1202 additions and 533 deletions


@ -0,0 +1,772 @@
From 189d65779275132c86abd1e06cdab8a080645b32 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Thu, 10 Mar 2022 12:14:31 +0100
Subject: [PATCH 1/3] tif_lzw.c: make LZW_CHECKEOS non-optional
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/318/diffs
this is pre-patch for CVE-2022-1622 and CVE-2022-1623
---
libtiff/tif_lzw.c | 551 ++++++++++++++++++++++++++++++----------------
1 file changed, 356 insertions(+), 195 deletions(-)
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index c06aec4..c28366b 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -1,6 +1,7 @@
/*
* Copyright (c) 1988-1997 Sam Leffler
* Copyright (c) 1991-1997 Silicon Graphics, Inc.
+ * Copyright (c) 2022 Even Rouault
*
* Permission to use, copy, modify, distribute, and sell this software and
* its documentation for any purpose is hereby granted without fee, provided
@@ -36,8 +37,13 @@
*/
#include "tif_predict.h"
+#include <stdbool.h>
#include <stdio.h>
+/* Select the plausible largest natural integer type for the architecture */
+#define SIZEOF_WORDTYPE SIZEOF_SIZE_T
+typedef size_t WordType;
+
/*
* NB: The 5.0 spec describes a different algorithm than Aldus
* implements. Specifically, Aldus does code length transitions
@@ -52,13 +58,6 @@
* Future revisions to the TIFF spec are expected to "clarify this issue".
*/
#define LZW_COMPAT /* include backwards compatibility code */
-/*
- * Each strip of data is supposed to be terminated by a CODE_EOI.
- * If the following #define is included, the decoder will also
- * check for end-of-strip w/o seeing this code. This makes the
- * library more robust, but also slower.
- */
-#define LZW_CHECKEOS /* include checks for strips w/o EOI code */
#define MAXCODE(n) ((1L<<(n))-1)
/*
@@ -92,7 +91,7 @@ typedef struct {
unsigned short nbits; /* # of bits/code */
unsigned short maxcode; /* maximum code for lzw_nbits */
unsigned short free_ent; /* next free entry in hash table */
- unsigned long nextdata; /* next bits of i/o */
+ WordType nextdata; /* next bits of i/o */
long nextbits; /* # of valid bits in lzw_nextdata */
int rw_mode; /* preserve rw_mode from init */
@@ -119,8 +118,10 @@ typedef struct {
typedef struct code_ent {
struct code_ent *next;
unsigned short length; /* string len, including this token */
- unsigned char value; /* data value */
+ /* firstchar should be placed immediately before value in this structure */
unsigned char firstchar; /* first token of string */
+ unsigned char value; /* data value */
+ bool repeated;
} code_t;
typedef int (*decodeFunc)(TIFF*, uint8_t*, tmsize_t, uint16_t);
@@ -131,10 +132,8 @@ typedef struct {
/* Decoding specific data */
long dec_nbitsmask; /* lzw_nbits 1 bits, right adjusted */
long dec_restart; /* restart count */
-#ifdef LZW_CHECKEOS
uint64_t dec_bitsleft; /* available bits in raw data */
tmsize_t old_tif_rawcc; /* value of tif_rawcc at the end of the previous TIFLZWDecode() call */
-#endif
decodeFunc dec_decode; /* regular or backwards compatible */
code_t* dec_codep; /* current recognized code */
code_t* dec_oldcodep; /* previously recognized code */
@@ -167,26 +166,6 @@ static void cl_hash(LZWCodecState*);
* LZW Decoder.
*/
-#ifdef LZW_CHECKEOS
-/*
- * This check shouldn't be necessary because each
- * strip is suppose to be terminated with CODE_EOI.
- */
-#define NextCode(_tif, _sp, _bp, _code, _get) { \
- if ((_sp)->dec_bitsleft < (uint64_t)nbits) { \
- TIFFWarningExt(_tif->tif_clientdata, module, \
- "LZWDecode: Strip %"PRIu32" not terminated with EOI code", \
- _tif->tif_curstrip); \
- _code = CODE_EOI; \
- } else { \
- _get(_sp,_bp,_code); \
- (_sp)->dec_bitsleft -= nbits; \
- } \
-}
-#else
-#define NextCode(tif, sp, bp, code, get) get(sp, bp, code)
-#endif
-
static int
LZWFixupTags(TIFF* tif)
{
@@ -236,17 +215,17 @@ LZWSetupDecode(TIFF* tif)
*/
code = 255;
do {
- sp->dec_codetab[code].value = (unsigned char)code;
sp->dec_codetab[code].firstchar = (unsigned char)code;
+ sp->dec_codetab[code].value = (unsigned char)code;
+ sp->dec_codetab[code].repeated = true;
sp->dec_codetab[code].length = 1;
sp->dec_codetab[code].next = NULL;
} while (code--);
/*
- * Zero-out the unused entries
- */
- /* Silence false positive */
- /* coverity[overrun-buffer-arg] */
- _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
+ * Zero-out the unused entries */
+ /* Silence false positive */
+ /* coverity[overrun-buffer-arg] */
+ memset(&sp->dec_codetab[CODE_CLEAR], 0,
(CODE_FIRST - CODE_CLEAR) * sizeof (code_t));
}
return (1);
@@ -316,11 +295,9 @@ LZWPreDecode(TIFF* tif, uint16_t s)
sp->dec_restart = 0;
sp->dec_nbitsmask = MAXCODE(BITS_MIN);
-#ifdef LZW_CHECKEOS
sp->dec_bitsleft = 0;
- sp->old_tif_rawcc = 0;
-#endif
- sp->dec_free_entp = sp->dec_codetab + CODE_FIRST;
+ sp->old_tif_rawcc = 0;
+ sp->dec_free_entp = sp->dec_codetab - 1 ; // + CODE_FIRST;
/*
* Zero entries that are not yet filled in. We do
* this to guard against bogus input data that causes
@@ -328,8 +305,7 @@ LZWPreDecode(TIFF* tif, uint16_t s)
* come up with a way to safely bounds-check input codes
* while decoding then you can remove this operation.
*/
- _TIFFmemset(sp->dec_free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
- sp->dec_oldcodep = &sp->dec_codetab[-1];
+ sp->dec_oldcodep = &sp->dec_codetab[0];
sp->dec_maxcodep = &sp->dec_codetab[sp->dec_nbitsmask-1];
return (1);
}
@@ -337,24 +313,77 @@ LZWPreDecode(TIFF* tif, uint16_t s)
/*
* Decode a "hunk of data".
*/
-#define GetNextCode(sp, bp, code) { \
- nextdata = (nextdata<<8) | *(bp)++; \
- nextbits += 8; \
- if (nextbits < nbits) { \
- nextdata = (nextdata<<8) | *(bp)++; \
- nextbits += 8; \
- } \
- code = (hcode_t)((nextdata >> (nextbits-nbits)) & nbitsmask); \
- nextbits -= nbits; \
-}
+/* Get the next 32 or 64-bit from the input data */
+
+#ifdef WORDS_BIGENDIAN
+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata))
+#elif SIZEOF_WORDTYPE == 8
+# if defined(__GNUC__) && defined(__x86_64__)
+# define GetNextData(nextdata, bp) nextdata = __builtin_bswap64(*(uint64_t*)(bp))
+# elif defined(_M_X64)
+# define GetNextData(nextdata, bp) nextdata = _byteswap_uint64(*(uint64_t*)(bp))
+# elif defined(__GNUC__)
+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)); \
+ nextdata = __builtin_bswap64(nextdata)
+# else
+# define GetNextData(nextdata, bp) nextdata = (((uint64_t)bp[0]) << 56) | \
+ (((uint64_t)bp[1]) << 48) | \
+ (((uint64_t)bp[2]) << 40) | \
+ (((uint64_t)bp[3]) << 32) | \
+ (((uint64_t)bp[4]) << 24) | \
+ (((uint64_t)bp[5]) << 16) | \
+ (((uint64_t)bp[6]) << 8) | \
+ (((uint64_t)bp[7]))
+# endif
+#elif SIZEOF_WORDTYPE == 4
+# if defined(__GNUC__) && defined(__i386__)
+# define GetNextData(nextdata, bp) nextdata = __builtin_bswap32(*(uint32_t*)(bp))
+# elif defined(_M_X86)
+# define GetNextData(nextdata, bp) nextdata = _byteswap_ulong(*(unsigned long*)(bp))
+# elif defined(__GNUC__)
+# define GetNextData(nextdata, bp) memcpy(&nextdata, bp, sizeof(nextdata)); \
+ nextdata = __builtin_bswap32(nextdata)
+# else
+# define GetNextData(nextdata, bp) nextdata = (((uint32_t)bp[0]) << 24) | \
+ (((uint32_t)bp[1]) << 16) | \
+ (((uint32_t)bp[2]) << 8) | \
+ (((uint32_t)bp[3]))
+# endif
+#else
+# error "Unhandled SIZEOF_WORDTYPE"
+#endif
-static void
-codeLoop(TIFF* tif, const char* module)
-{
- TIFFErrorExt(tif->tif_clientdata, module,
- "Bogus encoding, loop in the code table; scanline %"PRIu32,
- tif->tif_row);
-}
+#define GetNextCodeLZW() do { \
+ nextbits -= nbits; \
+ if (nextbits < 0) { \
+ if (dec_bitsleft >= 8 * SIZEOF_WORDTYPE) { \
+ unsigned codetmp = (unsigned)(nextdata << (-nextbits)); \
+ GetNextData(nextdata, bp); \
+ bp += SIZEOF_WORDTYPE; \
+ nextbits += 8 * SIZEOF_WORDTYPE; \
+ dec_bitsleft -= 8 * SIZEOF_WORDTYPE; \
+ code = (WordType)((codetmp | (nextdata >> nextbits)) & nbitsmask); \
+ break; \
+ } \
+ else {\
+ if( dec_bitsleft < 8) { \
+ goto no_eoi; \
+ }\
+ nextdata = (nextdata<<8) | *(bp)++; \
+ nextbits += 8; \
+ dec_bitsleft -= 8; \
+ if( nextbits < 0 ) { \
+ if( dec_bitsleft < 8) { \
+ goto no_eoi; \
+ }\
+ nextdata = (nextdata<<8) | *(bp)++; \
+ nextbits += 8; \
+ dec_bitsleft -= 8; \
+ } \
+ } \
+ } \
+ code = (WordType)((nextdata >> nextbits) & nbitsmask); \
+} while(0)
static int
LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
@@ -363,13 +392,10 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
LZWCodecState *sp = DecoderState(tif);
char *op = (char*) op0;
long occ = (long) occ0;
- char *tp;
unsigned char *bp;
- hcode_t code;
- int len;
long nbits, nextbits, nbitsmask;
- unsigned long nextdata;
- code_t *codep, *free_entp, *maxcodep, *oldcodep;
+ WordType nextdata;
+ code_t *free_entp, *maxcodep, *oldcodep;
(void) s;
assert(sp != NULL);
@@ -386,7 +412,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
if (sp->dec_restart) {
long residue;
- codep = sp->dec_codep;
+ code_t* codep = sp->dec_codep;
residue = codep->length - sp->dec_restart;
if (residue > occ) {
/*
@@ -400,7 +426,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
codep = codep->next;
} while (--residue > occ && codep);
if (codep) {
- tp = op + occ;
+ uint8_t* tp = op + occ;
do {
*--tp = codep->value;
codep = codep->next;
@@ -413,7 +439,7 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
*/
op += residue;
occ -= residue;
- tp = op;
+ uint8_t* tp = op;
do {
int t;
--tp;
@@ -425,9 +451,8 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
}
bp = (unsigned char *)tif->tif_rawcp;
-#ifdef LZW_CHECKEOS
sp->dec_bitsleft += (((uint64_t)tif->tif_rawcc - sp->old_tif_rawcc) << 3);
-#endif
+ uint64_t dec_bitsleft = sp->dec_bitsleft;
nbits = sp->lzw_nbits;
nextdata = sp->lzw_nextdata;
nextbits = sp->lzw_nextbits;
@@ -435,128 +460,235 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
oldcodep = sp->dec_oldcodep;
free_entp = sp->dec_free_entp;
maxcodep = sp->dec_maxcodep;
+ code_t* const dec_codetab = sp->dec_codetab;
+ code_t* codep;
+
+ if (occ == 0) {
+ goto after_loop;
+ }
+
+begin:
+ {
+ WordType code;
+ GetNextCodeLZW();
+ codep = dec_codetab + code;
+ if (code >= CODE_FIRST)
+ goto code_above_or_equal_to_258;
+ if (code < 256)
+ goto code_below_256;
+ if (code == CODE_EOI)
+ goto after_loop;
+ goto code_clear;
+
+code_below_256:
+ {
+ if (codep > free_entp)
+ goto error_code;
+ free_entp->next = oldcodep;
+ free_entp->firstchar = oldcodep->firstchar;
+ free_entp->length = oldcodep->length+1;
+ free_entp->value = (uint8_t)code;
+ free_entp->repeated = (bool)(oldcodep->repeated & !(oldcodep->value - code));
+ if (++free_entp > maxcodep) {
+ if (++nbits > BITS_MAX) /* should not happen for a conformant encoder */
+ nbits = BITS_MAX;
+ nbitsmask = MAXCODE(nbits);
+ maxcodep = dec_codetab + nbitsmask-1;
+ if( free_entp >= &dec_codetab[CSIZE] )
+ {
+ /* At that point, the next valid states are either EOI or a */
+ /* CODE_CLEAR. If a regular code is read, at the next */
+ /* attempt at registering a new entry, we will error out */
+ /* due to setting free_entp before any valid code */
+ free_entp = dec_codetab - 1;
+ }
+ }
+ oldcodep = codep;
+ *op++ = (uint8_t)code;
+ occ--;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
- while (occ > 0) {
- NextCode(tif, sp, bp, code, GetNextCode);
- if (code == CODE_EOI)
- break;
- if (code == CODE_CLEAR) {
- do {
- free_entp = sp->dec_codetab + CODE_FIRST;
- _TIFFmemset(free_entp, 0,
- (CSIZE - CODE_FIRST) * sizeof (code_t));
- nbits = BITS_MIN;
- nbitsmask = MAXCODE(BITS_MIN);
- maxcodep = sp->dec_codetab + nbitsmask-1;
- NextCode(tif, sp, bp, code, GetNextCode);
- } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */
- if (code == CODE_EOI)
- break;
- if (code > CODE_CLEAR) {
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "LZWDecode: Corrupted LZW table at scanline %"PRIu32,
- tif->tif_row);
- return (0);
- }
- *op++ = (char)code;
- occ--;
- oldcodep = sp->dec_codetab + code;
- continue;
- }
- codep = sp->dec_codetab + code;
-
- /*
- * Add the new entry to the code table.
- */
- if (free_entp < &sp->dec_codetab[0] ||
- free_entp >= &sp->dec_codetab[CSIZE]) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "Corrupted LZW table at scanline %"PRIu32,
- tif->tif_row);
- return (0);
- }
+code_above_or_equal_to_258:
+ {
+ /*
+ * Add the new entry to the code table.
+ */
+
+ if (codep >= free_entp)
+ {
+ if (codep != free_entp)
+ goto error_code;
+ free_entp->value = oldcodep->firstchar;
+ }
+ else
+ {
+ free_entp->value = codep->firstchar;
+ }
+ free_entp->repeated = (bool)(oldcodep->repeated & !(oldcodep->value - free_entp->value));
+ free_entp->next = oldcodep;
+
+ free_entp->firstchar = oldcodep->firstchar;
+ free_entp->length = oldcodep->length+1;
+ if (++free_entp > maxcodep) {
+ if (++nbits > BITS_MAX) /* should not happen for a conformant encoder */
+ nbits = BITS_MAX;
+ nbitsmask = MAXCODE(nbits);
+ maxcodep = dec_codetab + nbitsmask-1;
+ if (free_entp >= &dec_codetab[CSIZE])
+ {
+ /* At that point, the next valid states are either EOI or a */
+ /* CODE_CLEAR. If a regular code is read, at the next */
+ /* attempt at registering a new entry, we will error out */
+ /* due to setting free_entp before any valid code */
+ free_entp = dec_codetab - 1;
+ }
+ }
+ oldcodep = codep;
+
+ /*
+ * Code maps to a string, copy string
+ * value to output (written in reverse).
+ */
+ /* tiny bit faster on x86_64 to store in unsigned short than int */
+ unsigned short len = codep->length;
+
+ if (len < 3) /* equivalent to len == 2 given all other conditions */
+ {
+ if (occ <= 2)
+ {
+ if (occ == 2)
+ {
+ memcpy(op, &(codep->firstchar), 2);
+ op += 2;
+ occ -= 2;
+ goto after_loop;
+ }
+ goto too_short_buffer;
+ }
- free_entp->next = oldcodep;
- if (free_entp->next < &sp->dec_codetab[0] ||
- free_entp->next >= &sp->dec_codetab[CSIZE]) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "Corrupted LZW table at scanline %"PRIu32,
- tif->tif_row);
- return (0);
- }
- free_entp->firstchar = free_entp->next->firstchar;
- free_entp->length = free_entp->next->length+1;
- free_entp->value = (codep < free_entp) ?
- codep->firstchar : free_entp->firstchar;
- if (++free_entp > maxcodep) {
- if (++nbits > BITS_MAX) /* should not happen */
- nbits = BITS_MAX;
- nbitsmask = MAXCODE(nbits);
- maxcodep = sp->dec_codetab + nbitsmask-1;
- }
- oldcodep = codep;
- if (code >= 256) {
- /*
- * Code maps to a string, copy string
- * value to output (written in reverse).
- */
- if(codep->length == 0) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "Wrong length of decoded string: "
- "data probably corrupted at scanline %"PRIu32,
- tif->tif_row);
- return (0);
- }
- if (codep->length > occ) {
- /*
- * String is too long for decode buffer,
- * locate portion that will fit, copy to
- * the decode buffer, and setup restart
- * logic for the next decoding call.
- */
- sp->dec_codep = codep;
- do {
- codep = codep->next;
- } while (codep && codep->length > occ);
- if (codep) {
- sp->dec_restart = (long)occ;
- tp = op + occ;
- do {
- *--tp = codep->value;
- codep = codep->next;
- } while (--occ && codep);
- if (codep)
- codeLoop(tif, module);
- }
- break;
- }
- len = codep->length;
- tp = op + len;
- do {
- int t;
- --tp;
- t = codep->value;
- codep = codep->next;
- *tp = (char)t;
- } while (codep && tp > op);
- if (codep) {
- codeLoop(tif, module);
- break;
- }
- assert(occ >= len);
- op += len;
- occ -= len;
- } else {
- *op++ = (char)code;
- occ--;
- }
- }
+ memcpy(op, &(codep->firstchar), 2);
+ op += 2;
+ occ -= 2;
+ goto begin; /* we can save the comparison occ > 0 */
+ }
+
+ if (len == 3)
+ {
+ if (occ <= 3)
+ {
+ if (occ == 3)
+ {
+ op[0] = codep->firstchar;
+ op[1] = codep->next->value;
+ op[2] = codep->value;
+ op += 3;
+ occ -= 3;
+ goto after_loop;
+ }
+ goto too_short_buffer;
+ }
+ op[0] = codep->firstchar;
+ op[1] = codep->next->value;
+ op[2] = codep->value;
+ op += 3;
+ occ -= 3;
+ goto begin; /* we can save the comparison occ > 0 */
+ }
+
+ if (len > occ)
+ {
+ goto too_short_buffer;
+ }
+
+ if (codep->repeated)
+ {
+ memset(op, codep->value, len);
+ op += len;
+ occ -= len;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
+
+ uint8_t* tp = op + len;
+
+ assert(len >= 4);
+
+ *--tp = codep->value;
+ codep = codep->next;
+ *--tp = codep->value;
+ codep = codep->next;
+ *--tp = codep->value;
+ codep = codep->next;
+ *--tp = codep->value;
+ if (tp > op)
+ {
+ do {
+ codep = codep->next;
+ *--tp = codep->value;
+ } while (tp > op);
+ }
+
+ assert(occ >= len);
+ op += len;
+ occ -= len;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
+code_clear:
+ {
+ free_entp = dec_codetab + CODE_FIRST;
+ nbits = BITS_MIN;
+ nbitsmask = MAXCODE(BITS_MIN);
+ maxcodep = dec_codetab + nbitsmask-1;
+ do {
+ GetNextCodeLZW();
+ } while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */
+ if (code == CODE_EOI)
+ goto after_loop;
+ if (code > CODE_EOI) {
+ goto error_code;
+ }
+ *op++ = (uint8_t)code;
+ occ--;
+ oldcodep = dec_codetab + code;
+ if (occ == 0)
+ goto after_loop;
+ goto begin;
+ }
+ }
+
+too_short_buffer:
+ {
+ /*
+ * String is too long for decode buffer,
+ * locate portion that will fit, copy to
+ * the decode buffer, and setup restart
+ * logic for the next decoding call.
+ */
+ sp->dec_codep = codep;
+ do {
+ codep = codep->next;
+ } while (codep->length > occ);
+
+ sp->dec_restart = occ;
+ uint8_t* tp = op + occ;
+ do {
+ *--tp = codep->value;
+ codep = codep->next;
+ } while (--occ);
+ }
+
+after_loop:
tif->tif_rawcc -= (tmsize_t)((uint8_t*) bp - tif->tif_rawcp );
tif->tif_rawcp = (uint8_t*) bp;
-#ifdef LZW_CHECKEOS
sp->old_tif_rawcc = tif->tif_rawcc;
-#endif
+ sp->dec_bitsleft = dec_bitsleft;
sp->lzw_nbits = (unsigned short) nbits;
sp->lzw_nextdata = nextdata;
sp->lzw_nextbits = nextbits;
@@ -572,9 +704,35 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
return (0);
}
return (1);
+
+no_eoi:
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "LZWDecode: Strip %"PRIu32" not terminated with EOI code",
+ tif->tif_curstrip);
+ return 0;
+error_code:
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Using code not yet in table");
+ return 0;
}
#ifdef LZW_COMPAT
+
+/*
+ * This check shouldn't be necessary because each
+ * strip is suppose to be terminated with CODE_EOI.
+ */
+#define NextCode(_tif, _sp, _bp, _code, _get, dec_bitsleft) { \
+ if (dec_bitsleft < (uint64_t)nbits) { \
+ TIFFWarningExt(_tif->tif_clientdata, module, \
+ "LZWDecode: Strip %"PRIu32" not terminated with EOI code", \
+ _tif->tif_curstrip); \
+ _code = CODE_EOI; \
+ } else { \
+ _get(_sp,_bp,_code); \
+ dec_bitsleft -= nbits; \
+ } \
+}
+
/*
* Decode a "hunk of data" for old images.
*/
@@ -601,7 +759,8 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
unsigned char *bp;
int code, nbits;
int len;
- long nextbits, nextdata, nbitsmask;
+ long nextbits, nbitsmask;
+ WordType nextdata;
code_t *codep, *free_entp, *maxcodep, *oldcodep;
(void) s;
@@ -653,9 +812,10 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
}
bp = (unsigned char *)tif->tif_rawcp;
-#ifdef LZW_CHECKEOS
+
sp->dec_bitsleft += (((uint64_t)tif->tif_rawcc - sp->old_tif_rawcc) << 3);
-#endif
+ uint64_t dec_bitsleft = sp->dec_bitsleft;
+
nbits = sp->lzw_nbits;
nextdata = sp->lzw_nextdata;
nextbits = sp->lzw_nextbits;
@@ -665,7 +825,7 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
maxcodep = sp->dec_maxcodep;
while (occ > 0) {
- NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ NextCode(tif, sp, bp, code, GetNextCodeCompat, dec_bitsleft);
if (code == CODE_EOI)
break;
if (code == CODE_CLEAR) {
@@ -676,7 +836,7 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
nbits = BITS_MIN;
nbitsmask = MAXCODE(BITS_MIN);
maxcodep = sp->dec_codetab + nbitsmask;
- NextCode(tif, sp, bp, code, GetNextCodeCompat);
+ NextCode(tif, sp, bp, code, GetNextCodeCompat, dec_bitsleft);
} while (code == CODE_CLEAR); /* consecutive CODE_CLEAR codes */
if (code == CODE_EOI)
break;
@@ -772,9 +932,10 @@ LZWDecodeCompat(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
tif->tif_rawcc -= (tmsize_t)((uint8_t*) bp - tif->tif_rawcp );
tif->tif_rawcp = (uint8_t*) bp;
-#ifdef LZW_CHECKEOS
+
sp->old_tif_rawcc = tif->tif_rawcc;
-#endif
+ sp->dec_bitsleft = dec_bitsleft;
+
sp->lzw_nbits = (unsigned short)nbits;
sp->lzw_nextdata = nextdata;
sp->lzw_nextbits = nextbits;
@@ -893,7 +1054,7 @@ LZWEncode(TIFF* tif, uint8_t* bp, tmsize_t cc, uint16_t s)
hcode_t ent;
long disp;
long incount, outcount, checkpoint;
- unsigned long nextdata;
+ WordType nextdata;
long nextbits;
int free_ent, maxcode, nbits;
uint8_t* op;
@@ -1057,7 +1218,7 @@ LZWPostEncode(TIFF* tif)
register LZWCodecState *sp = EncoderState(tif);
uint8_t* op = tif->tif_rawcp;
long nextbits = sp->lzw_nextbits;
- unsigned long nextdata = sp->lzw_nextdata;
+ WordType nextdata = sp->lzw_nextdata;
long outcount = sp->enc_outcount;
int nbits = sp->lzw_nbits;
--
2.27.0
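Review bot: In the LZWPreDecode hunk the zeroing `_TIFFmemset` is removed, but the comment that justified it ("Zero entries that are not yet filled in … you can remove this operation") is left above two unrelated assignments, and its replacement `sp->dec_free_entp = sp->dec_codetab - 1 ; // + CODE_FIRST;` carries only a leftover of the old expression. As far as the visible lines show, rejecting codes not yet in the table now rests on the `codep > free_entp` and `codep >= free_entp` comparisons in LZWDecode, while the `next` walks in `too_short_buffer` and in the final copy loop no longer test for NULL, so that invariant should be stated where it is set up. I would replace the stale comment with something like `/* free_entp is parked before the table so that any data code seen before the first CODE_CLEAR fails the free_entp comparison and reaches error_code */`. The sentinel is also a pointer one element before `dec_codetab`, which C does not define for pointer arithmetic or relational comparison; an explicit "table not ready" flag or index would avoid relying on it. LZWPreDecode starts outside the hunk.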


@ -7,22 +7,14 @@ Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/49b81e99704bd199a24ccce65f974cc2d78cccc4 Reference:https://gitlab.com/libtiff/libtiff/-/commit/49b81e99704bd199a24ccce65f974cc2d78cccc4
--- ---
tools/tiffset.c | 17 ++++++++++++++--- tools/tiffset.c | 16 +++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-) 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/tools/tiffset.c b/tools/tiffset.c diff --git a/tools/tiffset.c b/tools/tiffset.c
index 7ecc401..53afc51 100644 index 8c9e23c..b7badd9 100644
--- a/tools/tiffset.c --- a/tools/tiffset.c
+++ b/tools/tiffset.c +++ b/tools/tiffset.c
@@ -32,6 +32,7 @@ @@ -146,9 +146,19 @@ main(int argc, char* argv[])
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
+#include <stdint.h>
#include "tiffio.h"
@@ -133,9 +134,19 @@ main(int argc, char* argv[])
arg_index++; arg_index++;
if (TIFFFieldDataType(fip) == TIFF_ASCII) { if (TIFFFieldDataType(fip) == TIFF_ASCII) {


@ -0,0 +1,56 @@
From b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Fri, 22 Apr 2022 18:58:52 +0200
Subject: [PATCH] tif_lzw.c: fix potential out-of-bounds error when trying to
read in the same tile/strip after an error has occured (fixes #410)
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a
---
libtiff/tif_lzw.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
index c28366b..1f255d9 100644
--- a/libtiff/tif_lzw.c
+++ b/libtiff/tif_lzw.c
@@ -140,6 +140,7 @@ typedef struct {
code_t* dec_free_entp; /* next free entry */
code_t* dec_maxcodep; /* max available entry */
code_t* dec_codetab; /* kept separate for small machines */
+ int read_error; /* whether a read error has occured, and which should cause further reads in the same strip/tile to be aborted */
/* Encoding specific data */
int enc_oldcode; /* last code encountered */
@@ -307,6 +308,7 @@ LZWPreDecode(TIFF* tif, uint16_t s)
*/
sp->dec_oldcodep = &sp->dec_codetab[0];
sp->dec_maxcodep = &sp->dec_codetab[sp->dec_nbitsmask-1];
+ sp->read_error = 0;
return (1);
}
@@ -399,7 +401,11 @@ LZWDecode(TIFF* tif, uint8_t* op0, tmsize_t occ0, uint16_t s)
(void) s;
assert(sp != NULL);
- assert(sp->dec_codetab != NULL);
+ assert(sp->dec_codetab != NULL);
+
+ if (sp->read_error) {
+ return 0;
+ }
/*
Fail if value does not fit in long.
@@ -711,6 +717,7 @@ no_eoi:
tif->tif_curstrip);
return 0;
error_code:
+ sp->read_error = 1;
TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Using code not yet in table");
return 0;
}
--
2.27.0
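Review bot: Only the `error_code` exit sets `sp->read_error = 1`; the `no_eoi` exit directly above it in the last hunk still returns 0 without setting the flag. Both exits return before the write-back of `tif_rawcp`, `dec_bitsleft`, `lzw_nbits` and the other locals that the earlier patch places at `after_loop`. A caller that reads the same strip again after a truncated-strip error would therefore re-enter LZWDecode with whatever decoder state the failed call left in `sp`, which looks like the same condition this patch guards against for bad codes. Unless a retry after a missing EOI is intended, I would add `sp->read_error = 1;` under `no_eoi:` as well. LZWDecode's body extends beyond these hunks, so this rests only on the visible lines.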


@ -11,10 +11,10 @@ Reference:https://gitlab.com/libtiff/libtiff/-/commit/0cf67888e32e36b45828dd4679
1 file changed, 4 insertions(+), 4 deletions(-) 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/tiffset.c b/tools/tiffset.c diff --git a/tools/tiffset.c b/tools/tiffset.c
index 53afc51..75a8616 100644 index b7badd9..b8b52c0 100644
--- a/tools/tiffset.c --- a/tools/tiffset.c
+++ b/tools/tiffset.c +++ b/tools/tiffset.c
@@ -136,15 +136,15 @@ main(int argc, char* argv[]) @@ -148,15 +148,15 @@ main(int argc, char* argv[])
if (TIFFFieldDataType(fip) == TIFF_ASCII) { if (TIFFFieldDataType(fip) == TIFF_ASCII) {
if(TIFFFieldPassCount( fip )) { if(TIFFFieldPassCount( fip )) {
size_t len; size_t len;


@ -11,10 +11,10 @@ Reference:https://gitlab.com/libtiff/libtiff/-/commit/0a827a985f891d6df481a6f581
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/tiffset.c b/tools/tiffset.c diff --git a/tools/tiffset.c b/tools/tiffset.c
index 75a8616..19e177b 100644 index b8b52c0..e7a88c0 100644
--- a/tools/tiffset.c --- a/tools/tiffset.c
+++ b/tools/tiffset.c +++ b/tools/tiffset.c
@@ -136,7 +136,7 @@ main(int argc, char* argv[]) @@ -148,7 +148,7 @@ main(int argc, char* argv[])
if (TIFFFieldDataType(fip) == TIFF_ASCII) { if (TIFFFieldDataType(fip) == TIFF_ASCII) {
if(TIFFFieldPassCount( fip )) { if(TIFFFieldPassCount( fip )) {
size_t len; size_t len;


@ -1,102 +0,0 @@
From b5a935d96b21cda0f434230cdf8ca958cd8b4eef Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Sun, 15 Nov 2020 17:02:51 +0100
Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba
Conflict:NA
Reference:https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef
---
man/tiff2rgba.1 | 4 ++++
tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1
index d9c9baa..fe9ebb2 100644
--- a/man/tiff2rgba.1
+++ b/man/tiff2rgba.1
@@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file.
Currently this does not work if the
.B \-b
flag is also in effect.
+.TP
+.BI \-M " size"
+Set maximum memory allocation size (in MiB). The default is 256MiB.
+Set to 0 to disable the limit.
.SH "SEE ALSO"
.BR tiff2bw (1),
.BR TIFFReadRGBAImage (3t),
diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
index 2eb6f6c..743efe3 100644
--- a/tools/tiff2rgba.c
+++ b/tools/tiff2rgba.c
@@ -53,6 +53,10 @@ uint32 rowsperstrip = (uint32) -1;
int process_by_block = 0; /* default is whole image at once */
int no_alpha = 0;
int bigtiff_output = 0;
+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
+/* malloc size limit (in bytes)
+ * disabled when set to 0 */
+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
static int tiffcvt(TIFF* in, TIFF* out);
@@ -68,8 +72,11 @@ main(int argc, char* argv[])
extern char *optarg;
#endif
- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
+ while ((c = getopt(argc, argv, "c:r:t:bn8hM")) != -1)
switch (c) {
+ case 'M':
+ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
+ break;
case 'b':
process_by_block = 1;
break;
@@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
(unsigned long)pixel_count, (unsigned long)sizeof(uint32));
return (0);
}
+ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
+ TIFFError(TIFFFileName(in),
+ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
+ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
+ return 0;
+ }
/* Read the image in one chunk into an RGBA array */
if (!TIFFReadRGBAImageOriented(in, width, height, raster,
@@ -520,6 +533,13 @@ tiffcvt(TIFF* in, TIFF* out)
TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
+ {
+ TIFFError(TIFFFileName(in),
+ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
+ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
+ return 0;
+ }
if( process_by_block && TIFFIsTiled( in ) )
return( cvt_by_tile( in, out ) );
else if( process_by_block )
@@ -529,7 +549,7 @@ tiffcvt(TIFF* in, TIFF* out)
}
static char* stuff[] = {
- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
+ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
"where comp is one of the following compression algorithms:",
" jpeg\t\tJPEG encoding",
" zip\t\tZip/Deflate encoding",
@@ -541,6 +561,7 @@ static char* stuff[] = {
" -b (progress by block rather than as a whole image)",
" -n don't emit alpha component.",
" -8 write BigTIFF file instead of ClassicTIFF",
+ " -M set the memory allocation limit in MiB. 0 to disable limit",
NULL
};
--
2.23.0


@ -1,50 +0,0 @@
From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Tue, 10 Nov 2020 01:54:30 +0100
Subject: [PATCH] gtTileContig(): check Tile width for overflow
fixes #211
---
libtiff/tif_getimage.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 4da785d3..96ab1460 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -29,6 +29,7 @@
*/
#include "tiffiop.h"
#include <stdio.h>
+#include <limits.h>
static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
@@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
flip = setorientation(img);
if (flip & FLIP_VERTICALLY) {
- y = h - 1;
- toskew = -(int32)(tw + w);
+ if ((tw + w) > INT_MAX) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+ return (0);
+ }
+ y = h - 1;
+ toskew = -(int32)(tw + w);
}
else {
- y = 0;
- toskew = -(int32)(tw - w);
+ if (tw > (INT_MAX + w)) {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
+ return (0);
+ }
+ y = 0;
+ toskew = -(int32)(tw - w);
}
/*
--
GitLab


@ -1,34 +0,0 @@
From 7be2e452ddcf6d7abca88f41d3761e6edab72b22 Mon Sep 17 00:00:00 2001
From: Thomas Bernard <miniupnp@free.fr>
Date: Sat, 14 Nov 2020 12:53:01 +0000
Subject: [PATCH] tiff2pdf.c: properly calculate datasize when saving to JPEG
YCbCr
fixes #220
---
tools/tiff2pdf.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -2063,9 +2063,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF*
#endif
(void) 0;
}
- k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
- if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
- k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+#ifdef JPEG_SUPPORT
+ if(t2p->pdf_compression == T2P_COMPRESS_JPEG
+ && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
+ k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
+ } else
+#endif
+ {
+ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+ if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
+ }
}
if (k == 0) {
/* Assume we had overflow inside TIFFScanlineSize */


@ -1,29 +1,28 @@
From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com> From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 6 Feb 2022 13:08:38 +0100 Date: Sun, 6 Feb 2022 13:08:38 +0100
Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null
source pointer and size of zero (fixes #362) source pointer and size of zero (fixes #362)
--- ---
libtiff/tif_dirread.c | 5 +++-- libtiff/tif_dirread.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-) 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 6f90941..627bf48 100644 index 23194ced..50ebf8ac 100644
--- a/libtiff/tif_dirread.c --- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c
@@ -5682,8 +5682,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uint64** lpp) @@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
_TIFFfree(data); _TIFFfree(data);
return(0); return(0);
} }
- _TIFFmemcpy(resizeddata,data,(uint32)dir->tdir_count*sizeof(uint64)); - _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
- _TIFFmemset(resizeddata+(uint32)dir->tdir_count,0,(nstrips-(uint32)dir->tdir_count)*sizeof(uint64)); - _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
+ if( dir->tdir_count ) + if( dir->tdir_count )
+ _TIFFmemcpy(resizeddata,data, (uint32)dir->tdir_count * sizeof(uint64)); + _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
+ _TIFFmemset(resizeddata+(uint32)dir->tdir_count, 0, (nstrips - (uint32)dir->tdir_count) * sizeof(uint64)); + _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
_TIFFfree(data); _TIFFfree(data);
data=resizeddata; data=resizeddata;
} }
-- --
2.27.0 GitLab


@ -1,29 +1,26 @@
From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com> From: Even Rouault <even.rouault@spatialys.com>
Date: Sat, 5 Feb 2022 20:36:41 +0100 Date: Sat, 5 Feb 2022 20:36:41 +0100
Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null
source pointer and size of zero (fixes #362) source pointer and size of zero (fixes #362)
--- ---
libtiff/tif_dirread.c | 5 +++-- libtiff/tif_dirread.c | 3 ++-
1 file changed, 3 insertions(+), 2 deletions(-) 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 627bf48..8a0e951 100644 index 2bbc4585..23194ced 100644
--- a/libtiff/tif_dirread.c --- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c
@@ -4126,8 +4126,9 @@ TIFFReadDirectory(TIFF* tif) @@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif)
goto bad; goto bad;
} }
- memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); - memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
- _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); + if (old_extrasamples > 0)
+ if (old_extrasamples > 0) + memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
+ memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16)); _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
+ _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); _TIFFfree(new_sampleinfo);
_TIFFfree(new_sampleinfo); }
} --
GitLab
--
2.27.0


@ -9,10 +9,10 @@ Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD
1 file changed, 10 insertions(+) 1 file changed, 10 insertions(+)
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
index 7ffe885..ca1ca43 100644 index 7408633..8bfa4ce 100644
--- a/libtiff/tif_jbig.c --- a/libtiff/tif_jbig.c
+++ b/libtiff/tif_jbig.c +++ b/libtiff/tif_jbig.c
@@ -208,6 +208,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) @@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
*/ */
tif->tif_flags |= TIFF_NOBITREV; tif->tif_flags |= TIFF_NOBITREV;
tif->tif_flags &= ~TIFF_MAPPED; tif->tif_flags &= ~TIFF_MAPPED;
@ -30,5 +30,5 @@ index 7ffe885..ca1ca43 100644
/* Setup the function pointers for encode, decode, and cleanup. */ /* Setup the function pointers for encode, decode, and cleanup. */
tif->tif_setupdecode = JBIGSetupDecode; tif->tif_setupdecode = JBIGSetupDecode;
-- --
2.27.0 2.35.1


@ -1,216 +1,215 @@
From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001 From 232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de> From: Su Laus <sulau@freenet.de>
Date: Tue, 8 Mar 2022 17:02:44 +0000 Date: Tue, 8 Mar 2022 17:02:44 +0000
Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in
extractImageSection extractImageSection
Conflict:NA Conflict:NA
Reference:https://gitlab.com/freedesktop-sdk/mirrors/gitlab/libtiff/libtiff/-/commit/232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c Reference:https://gitlab.com/freedesktop-sdk/mirrors/gitlab/libtiff/libtiff/-/commit/232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c
--- ---
tools/tiffcrop.c | 92 +++++++++++++++++++----------------------------- tools/tiffcrop.c | 92 +++++++++++++++++++-----------------------------
1 file changed, 36 insertions(+), 56 deletions(-) 1 file changed, 36 insertions(+), 56 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 7b3c9e7..36b68bb 100644 index f2e5474a..e62bcc71 100644
--- a/tools/tiffcrop.c --- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c +++ b/tools/tiffcrop.c
@@ -105,8 +105,8 @@ @@ -105,8 +105,8 @@
* of messages to monitor progess without enabling dump logs. * of messages to monitor progress without enabling dump logs.
*/ */
-static char tiffcrop_version_id[] = "2.4"; -static char tiffcrop_version_id[] = "2.4";
-static char tiffcrop_rev_date[] = "12-13-2010"; -static char tiffcrop_rev_date[] = "12-13-2010";
+static char tiffcrop_version_id[] = "2.4.1"; +static char tiffcrop_version_id[] = "2.4.1";
+static char tiffcrop_rev_date[] = "03-03-2010"; +static char tiffcrop_rev_date[] = "03-03-2010";
#include "tif_config.h" #include "tif_config.h"
#include "tiffiop.h" #include "libport.h"
@@ -6669,10 +6669,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, @@ -6739,10 +6739,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE #ifdef DEVELMODE
uint32 img_length; uint32_t img_length;
#endif #endif
- uint32 j, shift1, shift2, trailing_bits; - uint32_t j, shift1, shift2, trailing_bits;
+ uint32 j, shift1, trailing_bits; + uint32_t j, shift1, trailing_bits;
uint32 row, first_row, last_row, first_col, last_col; uint32_t row, first_row, last_row, first_col, last_col;
uint32 src_offset, dst_offset, row_offset, col_offset; uint32_t src_offset, dst_offset, row_offset, col_offset;
- uint32 offset1, offset2, full_bytes; - uint32_t offset1, offset2, full_bytes;
+ uint32 offset1, full_bytes; + uint32_t offset1, full_bytes;
uint32 sect_width; uint32_t sect_width;
#ifdef DEVELMODE #ifdef DEVELMODE
uint32 sect_length; uint32_t sect_length;
@@ -6682,7 +6682,6 @@ extractImageSection(struct image_data *image, struct pageseg *section, @@ -6752,7 +6752,6 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE #ifdef DEVELMODE
int k; int k;
unsigned char bitset; unsigned char bitset;
- static char *bitarray = NULL; - static char *bitarray = NULL;
#endif #endif
img_width = image->width; img_width = image->width;
@@ -6700,17 +6699,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, @@ -6770,17 +6769,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
dst_offset = 0; dst_offset = 0;
#ifdef DEVELMODE #ifdef DEVELMODE
- if (bitarray == NULL) - if (bitarray == NULL)
- { - {
- if ((bitarray = (char *)malloc(img_width)) == NULL) - if ((bitarray = (char *)malloc(img_width)) == NULL)
- { - {
- TIFFError ("", "DEBUG: Unable to allocate debugging bitarray"); - TIFFError ("", "DEBUG: Unable to allocate debugging bitarray");
- return (-1); - return (-1);
- } - }
- } - }
+ char bitarray[39]; + char bitarray[39];
#endif #endif
- /* rows, columns, width, length are expressed in pixels */ - /* rows, columns, width, length are expressed in pixels */
+ /* rows, columns, width, length are expressed in pixels + /* rows, columns, width, length are expressed in pixels
+ * first_row, last_row, .. are index into image array starting at 0 to width-1, + * first_row, last_row, .. are index into image array starting at 0 to width-1,
+ * last_col shall be also extracted. */ + * last_col shall be also extracted. */
first_row = section->y1; first_row = section->y1;
last_row = section->y2; last_row = section->y2;
first_col = section->x1; first_col = section->x1;
@@ -6720,9 +6714,14 @@ extractImageSection(struct image_data *image, struct pageseg *section, @@ -6790,9 +6784,14 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE #ifdef DEVELMODE
sect_length = last_row - first_row + 1; sect_length = last_row - first_row + 1;
#endif #endif
- img_rowsize = ((img_width * bps + 7) / 8) * spp; - img_rowsize = ((img_width * bps + 7) / 8) * spp;
- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ - full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
- trailing_bits = (sect_width * bps) % 8; - trailing_bits = (sect_width * bps) % 8;
+ /* The read function loadImage() used copy separate plane data into a buffer as interleaved + /* The read function loadImage() used copy separate plane data into a buffer as interleaved
+ * samples rather than separate planes so the same logic works to extract regions + * samples rather than separate planes so the same logic works to extract regions
+ * regardless of the way the data are organized in the input file. + * regardless of the way the data are organized in the input file.
+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 + * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
+ */ + */
+ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ + img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
+ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ + full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
+ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ + trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
#ifdef DEVELMODE #ifdef DEVELMODE
TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n", TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
@@ -6735,10 +6734,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, @@ -6805,10 +6804,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if ((bps % 8) == 0) if ((bps % 8) == 0)
{ {
- col_offset = first_col * spp * bps / 8; - col_offset = first_col * spp * bps / 8;
+ col_offset = (first_col * spp * bps) / 8; + col_offset = (first_col * spp * bps) / 8;
for (row = first_row; row <= last_row; row++) for (row = first_row; row <= last_row; row++)
{ {
- /* row_offset = row * img_width * spp * bps / 8; */ - /* row_offset = row * img_width * spp * bps / 8; */
row_offset = row * img_rowsize; row_offset = row * img_rowsize;
src_offset = row_offset + col_offset; src_offset = row_offset + col_offset;
@@ -6751,14 +6749,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, @@ -6821,14 +6819,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
} }
else else
{ /* bps != 8 */ { /* bps != 8 */
- shift1 = spp * ((first_col * bps) % 8); - shift1 = spp * ((first_col * bps) % 8);
- shift2 = spp * ((last_col * bps) % 8); - shift2 = spp * ((last_col * bps) % 8);
+ shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ + shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
for (row = first_row; row <= last_row; row++) for (row = first_row; row <= last_row; row++)
{ {
/* pull out the first byte */ /* pull out the first byte */
row_offset = row * img_rowsize; row_offset = row * img_rowsize;
- offset1 = row_offset + (first_col * bps / 8); - offset1 = row_offset + (first_col * bps / 8);
- offset2 = row_offset + (last_col * bps / 8); - offset2 = row_offset + (last_col * bps / 8);
+ offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ + offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */
#ifdef DEVELMODE #ifdef DEVELMODE
for (j = 0, k = 7; j < 8; j++, k--) for (j = 0, k = 7; j < 8; j++, k--)
@@ -6770,12 +6766,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, @@ -6840,12 +6836,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
sprintf(&bitarray[9], " "); sprintf(&bitarray[9], " ");
for (j = 10, k = 7; j < 18; j++, k--) for (j = 10, k = 7; j < 18; j++, k--)
{ {
- bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0; - bitset = *(src_buff + offset2) & (((unsigned char)1 << k)) ? 1 : 0;
+ bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0; + bitset = *(src_buff + offset1 + full_bytes) & (((unsigned char)1 << k)) ? 1 : 0;
sprintf(&bitarray[j], (bitset) ? "1" : "0"); sprintf(&bitarray[j], (bitset) ? "1" : "0");
} }
bitarray[18] = '\0'; bitarray[18] = '\0';
- TIFFError ("", "Row: %3d Offset1: %d, Shift1: %d, Offset2: %d, Shift2: %d\n", - TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Shift2: %"PRIu32"\n",
- row, offset1, shift1, offset2, shift2); - row, offset1, shift1, offset2, shift2);
+ TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n", + TIFFError ("", "Row: %3d Offset1: %"PRIu32", Shift1: %"PRIu32", Offset2: %"PRIu32", Trailing_bits: %"PRIu32"\n",
+ row, offset1, shift1, offset1+full_bytes, trailing_bits); + row, offset1, shift1, offset1+full_bytes, trailing_bits);
#endif #endif
bytebuff1 = bytebuff2 = 0; bytebuff1 = bytebuff2 = 0;
@@ -6799,11 +6795,12 @@ extractImageSection(struct image_data *image, struct pageseg *section, @@ -6869,11 +6865,12 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if (trailing_bits != 0) if (trailing_bits != 0)
{ {
- bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2)); - bytebuff2 = src_buff[offset2] & ((unsigned char)255 << (7 - shift2));
+ /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */ + /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
+ bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits)); + bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
sect_buff[dst_offset] = bytebuff2; sect_buff[dst_offset] = bytebuff2;
#ifdef DEVELMODE #ifdef DEVELMODE
TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n",
- offset2, dst_offset); - offset2, dst_offset);
+ offset1 + full_bytes, dst_offset); + offset1 + full_bytes, dst_offset);
for (j = 30, k = 7; j < 38; j++, k--) for (j = 30, k = 7; j < 38; j++, k--)
{ {
bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0; bitset = *(sect_buff + dst_offset) & (((unsigned char)1 << k)) ? 1 : 0;
@@ -6822,8 +6819,10 @@ extractImageSection(struct image_data *image, struct pageseg *section, @@ -6892,8 +6889,10 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#endif #endif
for (j = 0; j <= full_bytes; j++) for (j = 0; j <= full_bytes; j++)
{ {
- bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); - bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
- bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1)); - bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (7 - shift1));
+ /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/ + /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
+ /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */ + /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
+ bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1); + bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+ bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1)); + bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1)); sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
} }
#ifdef DEVELMODE #ifdef DEVELMODE
@@ -6839,36 +6838,17 @@ extractImageSection(struct image_data *image, struct pageseg *section, @@ -6909,36 +6908,17 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#endif #endif
dst_offset += full_bytes; dst_offset += full_bytes;
+ /* Copy the trailing_bits for the last byte in the destination buffer. + /* Copy the trailing_bits for the last byte in the destination buffer.
+ Could come from one ore two bytes of the source buffer. */ + Could come from one ore two bytes of the source buffer. */
if (trailing_bits != 0) if (trailing_bits != 0)
{ {
#ifdef DEVELMODE #ifdef DEVELMODE
- TIFFError ("", " Trailing bits src offset: %8d, Dst offset: %8d\n", offset1 + full_bytes, dst_offset); - TIFFError ("", " Trailing bits src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", offset1 + full_bytes, dst_offset);
-#endif -#endif
- if (shift2 > shift1) - if (shift2 > shift1)
- { - {
- bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2)); - bytebuff1 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (7 - shift2));
- bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1); - bytebuff2 = bytebuff1 & ((unsigned char)255 << shift1);
- sect_buff[dst_offset] = bytebuff2; - sect_buff[dst_offset] = bytebuff2;
-#ifdef DEVELMODE -#ifdef DEVELMODE
- TIFFError ("", " Shift2 > Shift1\n"); - TIFFError ("", " Shift2 > Shift1\n");
+ TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset); + TIFFError("", " Trailing bits %4"PRIu32" src offset: %8"PRIu32", Dst offset: %8"PRIu32"\n", trailing_bits, offset1 + full_bytes, dst_offset);
#endif #endif
+ /* More than necessary bits are already copied into last destination buffer, + /* More than necessary bits are already copied into last destination buffer,
+ * only masking of last byte in destination buffer is necessary.*/ + * only masking of last byte in destination buffer is necessary.*/
+ sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits)); + sect_buff[dst_offset] &= ((uint8_t)0xFF << (8 - trailing_bits));
} }
- else - else
- { - {
- if (shift2 < shift1) - if (shift2 < shift1)
- { - {
- bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1)); - bytebuff2 = ((unsigned char)255 << (shift1 - shift2 - 1));
- sect_buff[dst_offset] &= bytebuff2; - sect_buff[dst_offset] &= bytebuff2;
-#ifdef DEVELMODE -#ifdef DEVELMODE
- TIFFError ("", " Shift2 < Shift1\n"); - TIFFError ("", " Shift2 < Shift1\n");
-#endif -#endif
- } - }
-#ifdef DEVELMODE -#ifdef DEVELMODE
- else - else
- TIFFError ("", " Shift2 == Shift1\n"); - TIFFError ("", " Shift2 == Shift1\n");
-#endif -#endif
- } - }
- } - }
#ifdef DEVELMODE #ifdef DEVELMODE
sprintf(&bitarray[28], " "); sprintf(&bitarray[28], " ");
sprintf(&bitarray[29], " "); sprintf(&bitarray[29], " ");
@@ -7021,7 +7001,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image, @@ -7091,7 +7071,7 @@ writeImageSections(TIFF *in, TIFF *out, struct image_data *image,
width = sections[i].x2 - sections[i].x1 + 1; width = sections[i].x2 - sections[i].x1 + 1;
length = sections[i].y2 - sections[i].y1 + 1; length = sections[i].y2 - sections[i].y1 + 1;
sectsize = (uint32) sectsize = (uint32_t)
- ceil((width * image->bps + 7) / (double)8) * image->spp * length; - ceil((width * image->bps + 7) / (double)8) * image->spp * length;
+ ceil((width * image->bps * image->spp + 7) / (double)8) * length; + ceil((width * image->bps * image->spp + 7) / (double)8) * length;
/* allocate a buffer if we don't have one already */ /* allocate a buffer if we don't have one already */
if (createImageSection(sectsize, sect_buff_ptr)) if (createImageSection(sectsize, sect_buff_ptr))
{ {
-- --
2.27.0 GitLab
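Review bot: The byte-shifting loop `for (j = 0; j <= full_bytes; j++)` in extractImageSection reads `src_buff[offset1 + j + 1]`, so its final iteration touches index `offset1 + full_bytes + 1`, and the patch's own comment concedes that it "could read behind image here". Nothing in this section shows how large src_buff is, so whether that access stays inside the allocation depends on padding added by whoever allocates the buffer; this should be confirmed against the 4.3.0 sources the patch is now rebased onto. I would make the dependency explicit at the loop, for example `/* requires src_buff to be allocated with padding beyond the last image row; verify in the code that allocates it */`. The function body starts and ends outside the visible hunks.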


@ -4,17 +4,17 @@ Date: Mon, 7 Mar 2022 18:21:49 +0800
Subject: [PATCH 1/3] add checks for return value of limitMalloc (#392) Subject: [PATCH 1/3] add checks for return value of limitMalloc (#392)
--- ---
tools/tiffcrop.c | 32 ++++++++++++++++++++------------ tools/tiffcrop.c | 33 +++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-) 1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 61bafc5..68ac071 100644 index 302a7e9..e407bf5 100644
--- a/tools/tiffcrop.c --- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c +++ b/tools/tiffcrop.c
@@ -7316,7 +7316,11 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr) @@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
if (!sect_buff) if (!sect_buff)
{ {
sect_buff = (unsigned char *)_TIFFmalloc(sectsize); sect_buff = (unsigned char *)limitMalloc(sectsize);
- *sect_buff_ptr = sect_buff; - *sect_buff_ptr = sect_buff;
+ if (!sect_buff) + if (!sect_buff)
+ { + {
@ -24,7 +24,7 @@ index 61bafc5..68ac071 100644
_TIFFmemset(sect_buff, 0, sectsize); _TIFFmemset(sect_buff, 0, sectsize);
} }
else else
@@ -7332,15 +7336,15 @@ createImageSection(uint32 sectsize, unsigned char **sect_buff_ptr) @@ -7373,15 +7377,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
else else
sect_buff = new_buff; sect_buff = new_buff;
@ -45,10 +45,10 @@ index 61bafc5..68ac071 100644
prev_sectsize = sectsize; prev_sectsize = sectsize;
*sect_buff_ptr = sect_buff; *sect_buff_ptr = sect_buff;
@@ -7607,7 +7611,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, @@ -7648,7 +7652,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
if (!crop_buff) if (!crop_buff)
{ {
crop_buff = (unsigned char *)_TIFFmalloc(cropsize); crop_buff = (unsigned char *)limitMalloc(cropsize);
- *crop_buff_ptr = crop_buff; - *crop_buff_ptr = crop_buff;
+ if (!crop_buff) + if (!crop_buff)
+ { + {
@ -58,7 +58,7 @@ index 61bafc5..68ac071 100644
_TIFFmemset(crop_buff, 0, cropsize); _TIFFmemset(crop_buff, 0, cropsize);
prev_cropsize = cropsize; prev_cropsize = cropsize;
} }
@@ -7623,15 +7631,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, @@ -7664,15 +7672,15 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
} }
else else
crop_buff = new_buff; crop_buff = new_buff;
@ -79,6 +79,11 @@ index 61bafc5..68ac071 100644
*crop_buff_ptr = crop_buff; *crop_buff_ptr = crop_buff;
if (crop->crop_mode & CROP_INVERT) if (crop->crop_mode & CROP_INVERT)
@@ -9231,3 +9239,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui
* fill-column: 78
* End:
*/
+
-- --
2.27.0 2.35.1
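Review bot: The rebased patch gains an extra hunk, `@@ -9231,3 +9239,4 @@`, whose only change appears to be a blank line appended after the editor-variables comment at the end of tools/tiffcrop.c. The diffstat moves from 20 to 21 insertions accordingly. That line is unrelated to the allocation checks, so the backport no longer matches the fix it is named after, and later patches touching the end of the file may stop applying cleanly. I would drop that hunk and regenerate the patch so it carries only the `if (!sect_buff)` and `if (!crop_buff)` checks and their related hunks.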


@ -9,19 +9,19 @@ Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null
1 file changed, 4 insertions(+), 1 deletion(-) 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 28a7992..b9b4079 100644 index d654a1c..a31109a 100644
--- a/libtiff/tif_dirread.c --- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c
@@ -5021,7 +5021,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) @@ -5080,7 +5080,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover)
_TIFFfree(data); _TIFFfree(data);
return(0); return(0);
} }
- _TIFFmemcpy(o,data,(uint32)dp->tdir_count); - _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
+ if (dp->tdir_count > 0 ) + if (dp->tdir_count > 0 )
+ { + {
+ _TIFFmemcpy(o,data,(uint32)dp->tdir_count); + _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
+ } + }
o[(uint32)dp->tdir_count]=0; o[(uint32_t)dp->tdir_count]=0;
if (data!=0) if (data!=0)
_TIFFfree(data); _TIFFfree(data);
-- --


@ -11,10 +11,10 @@ Reference:https://gitlab.com/libtiff/libtiff/-/commit/32ea0722ee68f503b7a3f9b2d5
1 file changed, 2 insertions(+), 2 deletions(-) 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
index 1e0a76c..39aeeb4 100644 index a6c254f..77da6ea 100644
--- a/libtiff/tif_dir.c --- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c +++ b/libtiff/tif_dir.c
@@ -334,13 +334,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) @@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
break; break;
case TIFFTAG_XRESOLUTION: case TIFFTAG_XRESOLUTION:
dblval = va_arg(ap, double); dblval = va_arg(ap, double);


@ -11,16 +11,16 @@ Reference:https://gitlab.com/libtiff/libtiff/-/commit/88d79a45a31c74cba98c697892
1 file changed, 16 insertions(+), 1 deletion(-) 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 84d8148..f260f80 100644 index 1f88951..552d8fa 100644
--- a/tools/tiffcp.c --- a/tools/tiffcp.c
+++ b/tools/tiffcp.c +++ b/tools/tiffcp.c
@@ -1523,12 +1523,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) @@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
tdata_t obuf; tdata_t obuf;
tstrip_t strip = 0; tstrip_t strip = 0;
tsample_t s; tsample_t s;
+ uint16 bps = 0, bytes_per_sample; + uint16_t bps = 0, bytes_per_sample;
obuf = _TIFFmalloc(stripsize); obuf = limitMalloc(stripsize);
if (obuf == NULL) if (obuf == NULL)
return (0); return (0);
_TIFFmemset(obuf, 0, stripsize); _TIFFmemset(obuf, 0, stripsize);
@ -40,17 +40,17 @@ index 84d8148..f260f80 100644
+ } + }
+ bytes_per_sample = bps/8; + bytes_per_sample = bps/8;
for (s = 0; s < spp; s++) { for (s = 0; s < spp; s++) {
uint32 row; uint32_t row;
for (row = 0; row < imagelength; row += rowsperstrip) { for (row = 0; row < imagelength; row += rowsperstrip) {
@@ -1538,7 +1553,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) @@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
cpContigBufToSeparateBuf( cpContigBufToSeparateBuf(
obuf, (uint8*) buf + row*rowsize + s, obuf, (uint8_t*) buf + row * rowsize + s,
- nrows, imagewidth, 0, 0, spp, 1); - nrows, imagewidth, 0, 0, spp, 1);
+ nrows, imagewidth, 0, 0, spp, bytes_per_sample); + nrows, imagewidth, 0, 0, spp, bytes_per_sample);
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
TIFFError(TIFFFileName(out), TIFFError(TIFFFileName(out),
"Error, can't write strip %u", "Error, can't write strip %"PRIu32,
-- --
2.27.0 2.27.0


@ -3,15 +3,17 @@ From: Su_Laus <sulau@freenet.de>
Date: Sat, 2 Apr 2022 22:33:31 +0200 Date: Sat, 2 Apr 2022 22:33:31 +0200
Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400) Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
Conflict:NA
Reference:https://gitlab.com/gitlab-org/build/omnibus-mirror/libtiff/-/commit/fb1db384959698edd6caeea84e28253d272a0f96
--- ---
tools/tiffcp.c | 25 ++++++++++++++++++++----- tools/tiffcp.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-) 1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 1c81322..83b3910 100644 index 552d8fa..57eef90 100644
--- a/tools/tiffcp.c --- a/tools/tiffcp.c
+++ b/tools/tiffcp.c +++ b/tools/tiffcp.c
@@ -247,19 +247,34 @@ main(int argc, char* argv[]) @@ -274,19 +274,34 @@ main(int argc, char* argv[])
deftilewidth = atoi(optarg); deftilewidth = atoi(optarg);
break; break;
case 'B': case 'B':
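Review bot: The `Reference:` trailer added to this patch points at `gitlab.com/gitlab-org/build/omnibus-mirror/libtiff`, which by its path is a mirror, while other patches in this commit cite `gitlab.com/libtiff/libtiff` directly. For a security backport, that link is what a later auditor uses to compare the shipped patch with the original fix, so it should name the canonical repository. Assuming the commit id is the same upstream, that would be `Reference:https://gitlab.com/libtiff/libtiff/-/commit/fb1db384959698edd6caeea84e28253d272a0f96`. The extractImageSection patch for tools/tiffcrop.c has the same issue with its freedesktop-sdk mirror URL.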


@ -0,0 +1,34 @@
From 42f499986d3c8a1dce55db7d97d501f8e9dfc8f6 Mon Sep 17 00:00:00 2001
From: t.feng <fengtao40@huawei.com>
Date: Mon, 13 Dec 2021 21:03:13 +0800
Subject: [PATCH] fix raw2tiff floating point exception
if we input illegal nbands, like:
raw2tiff -b :2 test.raw test.tif
we got:
Floating point exception (core dumped)
so, check nbands before guessSize
---
tools/raw2tiff.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
index dfee715..3a6f00e 100644
--- a/tools/raw2tiff.c
+++ b/tools/raw2tiff.c
@@ -209,6 +209,11 @@ main(int argc, char* argv[])
return (EXIT_FAILURE);
}
+ if (nbands == 0) {
+ fprintf(stderr, "The number of bands is illegal.\n");
+ return (-1);
+ }
+
if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
return EXIT_FAILURE;
--
2.27.0
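Review bot: The new `nbands == 0` guard in main() exits with `return (-1);`, while the failure paths directly above and below it in the hunk return `EXIT_FAILURE`. A -1 return from main is typically reported as status 255, so callers see a different code for this one error. I would write `return (EXIT_FAILURE);` to match. The guard also rejects only zero; whether nbands can be negative depends on its declaration and parsing, which are outside the hunk along with the rest of main().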


@ -1,32 +1,31 @@
Name: libtiff Name: libtiff
Version: 4.1.0 Version: 4.3.0
Release: 11 Release: 1
Summary: TIFF Library and Utilities Summary: TIFF Library and Utilities
License: libtiff License: libtiff
URL: https://www.simplesystems.org/libtiff/ URL: https://www.simplesystems.org/libtiff/
Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
Patch6000: backport-CVE-2020-35521_CVE-2020-35522.patch Patch6000: backport-CVE-2022-0561.patch
Patch6001: backport-CVE-2020-35523.patch Patch6001: backport-CVE-2022-0562.patch
Patch6002: backport-CVE-2020-35524.patch Patch6002: backport-0001-CVE-2022-22844.patch
Patch6003: backport-CVE-2022-0561.patch Patch6003: backport-0002-CVE-2022-22844.patch
Patch6004: backport-CVE-2022-0562.patch Patch6004: backport-0003-CVE-2022-22844.patch
Patch6005: backport-0001-CVE-2022-22844.patch Patch6005: backport-CVE-2022-0891.patch
Patch6006: backport-0002-CVE-2022-22844.patch Patch6006: backport-CVE-2022-0907.patch
Patch6007: backport-0003-CVE-2022-22844.patch Patch6007: backport-CVE-2022-0908.patch
Patch6008: backport-CVE-2022-0891.patch Patch6008: backport-CVE-2022-0865.patch
Patch6009: backport-CVE-2022-0908.patch Patch6009: backport-CVE-2022-0909.patch
Patch6010: backport-CVE-2022-0907.patch Patch6010: backport-CVE-2022-0924.patch
Patch6011: backport-CVE-2022-0865.patch Patch6011: backport-CVE-2022-1355.patch
Patch6012: backport-CVE-2022-0909.patch Patch6012: backport-0001-CVE-2022-1622-CVE-2022-1623.patch
Patch6013: backport-CVE-2022-0924.patch Patch6013: backport-0002-CVE-2022-1622-CVE-2022-1623.patch
Patch6014: backport-CVE-2022-1355.patch
Patch9000: fix-raw2tiff-floating-point-exception.patch
BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
BuildRequires: libtool automake autoconf pkgconfig git BuildRequires: libtool automake autoconf pkgconfig
Provides: %{name}-tools
Obsoletes: %{name}-tools
%description %description
This %{name} provides support for the Tag Image File Format (TIFF), a widely This %{name} provides support for the Tag Image File Format (TIFF), a widely
@ -38,9 +37,6 @@ for manipulating TIFF format image files using the libtiff library.
Summary: Development files for %{name} library Summary: Development files for %{name} library
Requires: %{name} = %{version}-%{release} pkgconfig Requires: %{name} = %{version}-%{release} pkgconfig
Provides: %{name}-static
Obsoletes: %{name}-static
%description devel %description devel
This package contains the header files and documentation necessary for developing programs This package contains the header files and documentation necessary for developing programs
which will manipulate TIFF format image files using the libtiff library. which will manipulate TIFF format image files using the libtiff library.
@ -48,7 +44,7 @@ which will manipulate TIFF format image files using the libtiff library.
%package_help %package_help
%prep %prep
%autosetup -n tiff-%{version} -p1 -S git %autosetup -n tiff-%{version} -p1
libtoolize --force --copy libtoolize --force --copy
aclocal -I . -I m4 aclocal -I . -I m4
@ -123,10 +119,13 @@ find html -name 'Makefile*' | xargs rm
%{_mandir}/man* %{_mandir}/man*
%doc RELEASE-DATE VERSION %doc RELEASE-DATE VERSION
%doc TODO ChangeLog html %doc TODO ChangeLog html
%exclude %{_mandir}/man1/tiffgt.1 %exclude %{_mandir}/man1/*
%exclude %{_datadir}/html/man/tiffgt.1.html %exclude %{_datadir}/html/man/tiffgt.1.html
%changelog %changelog
* Thu Jun 23 2022 wuchaochao <wuchaochao4@h-partners.com> - 4.3.0-1
- update to 4.3.0 for fix CVE-2022-1622,CVE-2022-1623
* Wed May 18 2022 liuyumeng <liuyumeng5@h-partners.com> - 4.1.0-11 * Wed May 18 2022 liuyumeng <liuyumeng5@h-partners.com> - 4.1.0-11
- fix CVE-2022-1355 - fix CVE-2022-1355
@ -153,7 +152,7 @@ find html -name 'Makefile*' | xargs rm
* Thu Mar 10 2022 dongyuzhen <dongyuzhen@h-partners.com> - 4.1.0-5 * Thu Mar 10 2022 dongyuzhen <dongyuzhen@h-partners.com> - 4.1.0-5
- Type:cves - Type:cves
- ID:CVE-2022-22844 - ID:CVE-2022-22844
- SUG:NA - SUG:NA
- DESC:fix CVE-2022-22844 - DESC:fix CVE-2022-22844

Binary file not shown.

BIN
tiff-4.3.0.tar.gz Normal file

Binary file not shown.