!10 fix CVE-2020-35523 CVE-2020-35524

From: @yeah_wang
Reviewed-by: @orange-snn
Signed-off-by: @orange-snn

backport-CVE-2020-35523.patch

@@ -0,0 +1,50 @@
+From c8d613ef497058fe653c467fc84c70a62a4a71b2 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 10 Nov 2020 01:54:30 +0100
+Subject: [PATCH] gtTileContig(): check Tile width for overflow
+
+fixes #211
+---
+ libtiff/tif_getimage.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 4da785d3..96ab1460 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -29,6 +29,7 @@
+  */
+ #include "tiffiop.h"
+ #include <stdio.h>
++#include <limits.h>
+ 
+ static int gtTileContig(TIFFRGBAImage*, uint32*, uint32, uint32);
+ static int gtTileSeparate(TIFFRGBAImage*, uint32*, uint32, uint32);
+@@ -645,12 +646,20 @@ gtTileContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ 
+     flip = setorientation(img);
+     if (flip & FLIP_VERTICALLY) {
+-	    y = h - 1;
+-	    toskew = -(int32)(tw + w);
++        if ((tw + w) > INT_MAX) {
++            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++            return (0);
++        }
++        y = h - 1;
++        toskew = -(int32)(tw + w);
+     }
+     else {
+-	    y = 0;
+-	    toskew = -(int32)(tw - w);
++        if (tw > (INT_MAX + w)) {
++            TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", "unsupported tile size (too wide)");
++            return (0);
++        }
++        y = 0;
++        toskew = -(int32)(tw - w);
+     }
+      
+     /*
+-- 
+GitLab
+

backport-CVE-2020-35524.patch

@@ -0,0 +1,34 @@
+From 7be2e452ddcf6d7abca88f41d3761e6edab72b22 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sat, 14 Nov 2020 12:53:01 +0000
+Subject: [PATCH] tiff2pdf.c: properly calculate datasize when saving to JPEG
+ YCbCr
+
+fixes #220
+---
+ tools/tiff2pdf.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -2063,9 +2063,17 @@ void t2p_read_tiff_size(T2P* t2p, TIFF*
+ #endif
+ 		(void) 0;
+ 	}
+-	k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
+-	if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
+-		k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++#ifdef JPEG_SUPPORT
++	if(t2p->pdf_compression == T2P_COMPRESS_JPEG
++	   && t2p->tiff_photometric == PHOTOMETRIC_YCBCR) {
++		k = checkMultiply64(TIFFNumberOfStrips(input), TIFFStripSize(input), t2p);
++	} else
++#endif
++	{
++		k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p);
++		if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){
++			k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p);
++		}
+ 	}
+ 	if (k == 0) {
+ 		/* Assume we had overflow inside TIFFScanlineSize */

libtiff.spec

@@ -1,12 +1,14 @@
 Name:           libtiff
 Version:        4.1.0
-Release:        2
+Release:        3
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
 Source0:        https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
 
 Patch6000:      backport-CVE-2020-35521_CVE-2020-35522.patch
+Patch6001:      backport-CVE-2020-35523.patch
+Patch6002:      backport-CVE-2020-35524.patch
 
 BuildRequires:  gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires:  libtool automake autoconf pkgconfig git
@@ -113,7 +115,13 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html
 
 %changelog
-* Thu Mar 18 2021 wangye <wangye70@huawei.com> - 4.0.10-2
+* Mon Mar 22 2021 wangye <wangye70@huawei.com> - 4.1.0-3
+- Type:cves
+- ID:CVE-2020-35523 CVE-2020-35524
+- SUG:NA
+- DESC: fix CVE-2020-35523 CVE-2020-35524
+
+* Thu Mar 18 2021 wangye <wangye70@huawei.com> - 4.1.0-2
 - Type:cves
 - ID:CVE-2020-35521 CVE-2020-35522
 - SUG:NA