!6 fix CVE-2020-35521 CVE-2020-35522
From: @yeah_wang Reviewed-by: @orange-snn Signed-off-by: @orange-snn
commit
de1796cd3f
102
backport-CVE-2020-35521_CVE-2020-35522.patch
Normal file
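--- /dev/null
+++ b/backport-CVE-2020-35521_CVE-2020-35522.patch
@@ -0,0 +1,102 @@
+From b5a935d96b21cda0f434230cdf8ca958cd8b4eef Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Sun, 15 Nov 2020 17:02:51 +0100
+Subject: [PATCH 1/2] enforce (configurable) memory limit in tiff2rgba
+
+Conflict:NA
+Reference:https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef
+
+---
+man/tiff2rgba.1 | 4 ++++
+tools/tiff2rgba.c | 25 +++++++++++++++++++++++--
+2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/man/tiff2rgba.1 b/man/tiff2rgba.1
+index d9c9baa..fe9ebb2 100644
+--- a/man/tiff2rgba.1
++++ b/man/tiff2rgba.1
+@@ -87,6 +87,10 @@ Drop the alpha component from the output file, producing a pure RGB file.
+Currently this does not work if the
+.B \-b
+flag is also in effect.
++.TP
++.BI \-M " size"
++Set maximum memory allocation size (in MiB). The default is 256MiB.
++Set to 0 to disable the limit.
+.SH "SEE ALSO"
+.BR tiff2bw (1),
+.BR TIFFReadRGBAImage (3t),
+diff --git a/tools/tiff2rgba.c b/tools/tiff2rgba.c
+index 2eb6f6c..743efe3 100644
+--- a/tools/tiff2rgba.c
++++ b/tools/tiff2rgba.c
+@@ -53,6 +53,10 @@ uint32 rowsperstrip = (uint32) -1;
+int process_by_block = 0; /* default is whole image at once */
+int no_alpha = 0;
+int bigtiff_output = 0;
++#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
++/* malloc size limit (in bytes)
++ * disabled when set to 0 */
++static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
+
+
+static int tiffcvt(TIFF* in, TIFF* out);
+@@ -68,8 +72,11 @@ main(int argc, char* argv[])
+extern char *optarg;
+#endif
+
+- while ((c = getopt(argc, argv, "c:r:t:bn8")) != -1)
++ while ((c = getopt(argc, argv, "c:r:t:bn8hM")) != -1)
+switch (c) {
++ case 'M':
++ maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
++ break;
+case 'b':
+process_by_block = 1;
+break;
+@@ -405,6 +412,12 @@ cvt_whole_image( TIFF *in, TIFF *out )
+(unsigned long)pixel_count, (unsigned long)sizeof(uint32));
+return (0);
+}
++ if (maxMalloc != 0 && (tmsize_t)pixel_count * (tmsize_t)sizeof(uint32) > maxMalloc) {
++ TIFFError(TIFFFileName(in),
++ "Raster size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT "), try -b option.",
++ (uint64)pixel_count * sizeof(uint32), (uint64)maxMalloc);
++ return 0;
++ }
+
+/* Read the image in one chunk into an RGBA array */
+if (!TIFFReadRGBAImageOriented(in, width, height, raster,
+@@ -520,6 +533,13 @@ tiffcvt(TIFF* in, TIFF* out)
+TIFFSetField(out, TIFFTAG_SOFTWARE, TIFFGetVersion());
+CopyField(TIFFTAG_DOCUMENTNAME, stringv);
+
++ if (maxMalloc != 0 && TIFFStripSize(in) > maxMalloc)
++ {
++ TIFFError(TIFFFileName(in),
++ "Strip Size " TIFF_UINT64_FORMAT " over memory limit (" TIFF_UINT64_FORMAT ")",
++ (uint64)TIFFStripSize(in), (uint64)maxMalloc);
++ return 0;
++ }
+if( process_by_block && TIFFIsTiled( in ) )
+return( cvt_by_tile( in, out ) );
+else if( process_by_block )
+@@ -529,7 +549,7 @@ tiffcvt(TIFF* in, TIFF* out)
+}
+
+static char* stuff[] = {
+- "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] input... output",
++ "usage: tiff2rgba [-c comp] [-r rows] [-b] [-n] [-8] [-M size] input... output",
+"where comp is one of the following compression algorithms:",
+" jpeg\t\tJPEG encoding",
+" zip\t\tZip/Deflate encoding",
+@@ -541,6 +561,7 @@ static char* stuff[] = {
+" -b (progress by block rather than as a whole image)",
+" -n don't emit alpha component.",
+" -8 write BigTIFF file instead of ClassicTIFF",
++ " -M set the memory allocation limit in MiB. 0 to disable limit",
+NULL
+};
+
+--
+2.23.0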
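Review bot: The option string added in main(), `"c:r:t:bn8hM"`, lists `M` without a trailing colon, so getopt() takes no argument for `-M` and `optarg` is not set for it; the new `case 'M':` then passes a null or stale pointer to `strtoul`, and the memory limit this backport introduces cannot be changed or disabled the way the man page hunk describes. The string should read `"c:r:t:bn8hM:"`. The conversion itself is unchecked as well: `strtoul(optarg, NULL, 0) << 20` accepts non-numeric input as 0 (which silently disables the limit) and can overflow `tmsize_t` on a large value, so an end-pointer test and a range check before the shift would be appropriate. `h` is also added to the option string but no `case 'h':` is visible here; main() continues outside the hunk.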
10
libtiff.spec
10
libtiff.spec
@ -1,11 +1,13 @@
|
||||
Name: libtiff
|
||||
Version: 4.1.0
|
||||
Release: 1
|
||||
Release: 2
|
||||
Summary: TIFF Library and Utilities
|
||||
License: libtiff
|
||||
URL: https://www.simplesystems.org/libtiff/
|
||||
Source0: https://download.osgeo.org/libtiff/tiff-%{version}.tar.gz
|
||||
|
||||
Patch6000: backport-CVE-2020-35521_CVE-2020-35522.patch
|
||||
|
||||
BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
|
||||
BuildRequires: libtool automake autoconf pkgconfig git
|
||||
|
||||
@ -111,6 +113,12 @@ find html -name 'Makefile*' | xargs rm
|
||||
%exclude %{_datadir}/html/man/tiffgt.1.html
|
||||
|
||||
%changelog
|
||||
* Thu Mar 18 2021 wangye <wangye70@huawei.com> - 4.0.10-2
|
||||
- Type:cves
|
||||
- ID:CVE-2020-35521 CVE-2020-35522
|
||||
- SUG:NA
|
||||
- DESC: fix CVE-2020-35521 CVE-2020-35522
|
||||
|
||||
* Tue Jan 7 2020 openEuler Buildteam <buildteam@openeuler.org> - 4.1.0-1
|
||||
- update to 4.1.0
|
||||
|
||||
|
||||