From dceabdb822fd6484527af6e146b116fea7f39f63 Mon Sep 17 00:00:00 2001
From: weiwei_150212
Date: Thu, 18 Mar 2021 20:08:43 +0800
Subject: [PATCH] fix CVE-2020-35521 CVE-2020-35522
---
 backport-CVE-2020-35521_CVE-2020-35522.patch | 102 +++++++++++++++++++
 libtiff.spec | 10 +-
 2 files changed, 111 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2020-35521_CVE-2020-35522.patch
diff --git a/backport-CVE-2020-35521_CVE-2020-35522.patch b/backport-CVE-2020-35521_CVE-2020-35522.patch
new file mode 100644
index 0000000..91348ec
--- /dev/null
+++ b/backport-CVE-2020-35521_CVE-2020-35522.patch
@@ -0,0 +1,102 @@
+From b5a935d96b21cda0f434230cdf8ca958cd8b4eef Mon Sep 17 00:00:00 2001
+From: Thomas Bernard
+Date: Sun, 15 Nov 2020 17:02:51 +0100
+Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba
+
+Conflict:NA
+Reference:https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef
+
+---
+ man/tiff2rgba.1 | 4 ++++
+ tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1
+index d9c9baa..fe9ebb2 100644
+--- a/man/tiff2rgba.1
++++ b/man/tiff2rgba.1
+@@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file.
+ Currently this does not work if the
+ .B \-b
+ flag is also in effect.
++.TP
++.BI \-M " size"
++Set maximum memory allocation size (in MiB). The default is 256MiB.
++Set to 0 to disable the limit.
+ .SH "SEE ALSO"
+ .BR tiff2bw (1),
+ .BR TIFFReadRGBAImage (3t),
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 2eb6f6c..743efe3 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -53,6 +53,10 @@ uint32 rowsperstrip = (uint32) -1;
+ int process_by_block = 0; /* default is whole image at once */
+ int no_alpha = 0;
+ int bigtiff_output = 0;
++#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
++/* malloc size limit (in bytes)
++ * disabled when set to 0 */
++static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
+ 
+ 
+ static int tiffcvt(TIFF* in, TIFF* out);
+@@ -68,8 +72,11 @@ main(int argc, char* argv[])
+ extern char *optarg;
+ #endif
+ 
+- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
++ while ((c = getopt(argc, argv, "c:r:t:bn8hM")) != -1)
+ switch (c) {
++ case 'M':
++ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
++ break;
+ case 'b':
+ process_by_block = 1;
+ break;
+@@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
+ (unsigned long)pixel_count, (unsigned long)sizeof(uint32));
+ return (0);
+ }
++ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
++ TIFFError(TIFFFileName(in),
++ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
++ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
++ return 0;
++ }
+ 
+ /* Read the image in one chunk into an RGBA array */
+ if (!TIFFReadRGBAImageOriented(in, width, height, raster,
+@@ -520,6 +533,13 @@ tiffcvt(TIFF* in, TIFF* out)
+ TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+ CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+ 
++ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
++ {
++ TIFFError(TIFFFileName(in),
++ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
++ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
++ return 0;
++ }
+ if( process_by_block && TIFFIsTiled( in ) )
+ return( cvt_by_tile( in, out ) );
+ else if( process_by_block )
+@@ -529,7 +549,7 @@ tiffcvt(TIFF* in, TIFF* out)
+ }
+ 
+ static char* stuff[] = {
+- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
++ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
+ "where comp is one of the following compression algorithms:",
+ " jpeg\t\tJPEG encoding",
+ " zip\t\tZip/Deflate encoding",
+@@ -541,6 +561,7 @@ static char* stuff[] = {
+ " -b (progress by block rather than as a whole image)",
+ " -n don't emit alpha component.",
+ " -8 write BigTIFF file instead of ClassicTIFF",
++ " -M set the memory allocation limit in MiB. 0 to disable limit",
+ NULL
+ };
+ 
+--
+2.23.0
\ No newline at end of file
diff --git a/libtiff.spec b/libtiff.spec
index d187321..8a70c4e 100644
--- a/libtiff.spec
+++ b/libtiff.spec
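Review bot: The optstring added in the main() hunk, `"c:r:t:bn8hM"`, gives `M` no `:` suffix, so getopt reports `-M` as an option without an argument and `optarg` is not set (NULL on glibc), which the new `case 'M'` then hands straight to `strtoul`; the line should read `while ((c = getopt(argc, argv, "c:r:t:bn8hM:")) != -1)`. The parse itself also needs validation: with a NULL end pointer trailing junk is ignored, a non-numeric argument silently yields 0 (which disables the limit, the opposite of what a mistyped `-M` should do), a negative argument wraps to a huge value, and anything above the width of `tmsize_t` minus 20 bits overflows the signed `<< 20`, so check the end pointer and bound the MiB count before shifting, as in the excerpt below. In the `cvt_whole_image` hunk the context lines directly above the new check are the raster allocation-failure message, so as far as this hunk shows the limit is tested only after the raster buffer has already been allocated and the early `return 0` leaves it unfreed; moving the check ahead of that allocation (which is outside the hunk) would both cap the allocation the option is meant to cap and avoid the leak. `h` is also added to the optstring but no `case 'h'` is visible here; the switch continues outside the hunk, so confirm one exists.
```c
/* … unchanged: getopt loop header, with the optstring corrected to "c:r:t:bn8hM:" … */
case 'M': {
    char *end = NULL;
    unsigned long mib = strtoul(optarg, &end, 0);
    /* reject empty/junk input and any count whose << 20 would not fit tmsize_t
     * (ERANGE and negative inputs come back as ULONG_MAX and are caught by the bound) */
    if (end == optarg || *end != '\0' || mib > ((size_t)-1 >> 21)) {
        fprintf(stderr, "tiff2rgba: invalid -M value '%s'\n", optarg);
        return (-1);
    }
    maxMalloc = (tmsize_t)mib << 20;
    break;
}
/* … unchanged: remaining option cases … */
```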
@@ -1,11 +1,13 @@
 Name: libtiff
 Version: 4.1.0
-Release: 1
+Release: 2
 Summary: TIFF Library and Utilities
 License: libtiff
 URL: https://www.simplesystems.org/libtiff/
 Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
+Patch6000: backport-CVE-2020-35521_CVE-2020-35522.patch
+
 BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
 BuildRequires: libtool automake autoconf pkgconfig git
@@ -111,6 +113,12 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html
 %changelog
+* Thu Mar 18 2021 wangye - 4.0.10-2
+- Type:cves
+- ID:CVE-2020-35521 CVE-2020-35522
+- SUG:NA
+- DESC: fix CVE-2020-35521 CVE-2020-35522
+
 * Tue Jan 7 2020 openEuler Buildteam - 4.1.0-1
 - update to 4.1.0
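Review bot: The new %changelog entry is stamped `4.0.10-2` while the same commit keeps `Version: 4.1.0` and bumps `Release` to 2, so the entry disagrees with the package it describes and should read `* Thu Mar 18 2021 wangye - 4.1.0-2`. `Patch6000` is only declared in the first hunk; whether it is actually applied depends on the `%prep` section, which is outside this diff, so confirm that section uses `%autosetup`/`%autopatch` or an explicit `%patch6000 -p1`, otherwise the CVE backport ships declared but unapplied.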