
10 Commits

Author SHA1 Message Date
openeuler-ci-bot
ae2badaad4
!257 [sync] PR-253: fix CVE-2024-7006
From: @openeuler-sync-bot 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2024-08-16 02:10:51 +00:00
baiguo
ac02a92b90 fix CVE-2024-7006
(cherry picked from commit 7ad5daf6c827818c60ea51ee4851b489e5c5fc88)
2024-08-13 11:06:40 +08:00
openeuler-ci-bot
1426d4a7c2
!245 [sync] PR-240: fix CVE-2023-1916 CVE-2023-3164
From: @openeuler-sync-bot 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2024-05-21 02:00:16 +00:00
lingsheng
2fe2ea38c0 fix CVE-2023-1916 CVE-2023-3164
(cherry picked from commit 8387e6379b05715d15e43c3ae566e4068fb59da6)
2024-05-20 20:33:37 +08:00
openeuler-ci-bot
2c4dabc9b7
!233 [sync] PR-228: backport patch for fix CVE-2023-6277 issue
From: @openeuler-sync-bot 
Reviewed-by: @open-bot 
Signed-off-by: @open-bot
2023-12-04 08:30:20 +00:00
liningjie
20798fcae1 backport patch for fix CVE-2023-6277 issue
(cherry picked from commit 726a384f2b8e93d26e6d17809d117f7ef5a773c2)
2023-12-01 16:52:02 +08:00
openeuler-ci-bot
177928121e
!224 [sync] PR-219: fix CVE-2023-6277
From: @openeuler-sync-bot 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2023-12-01 03:43:35 +00:00
liningjie
72360478fd fix CVE-2023-6277
(cherry picked from commit fd06322809338e9e2fb8ead6edb308d2c8d9d22c)
2023-11-27 10:41:49 +08:00
openeuler-ci-bot
fa5baf47a8
!217 [sync] PR-210: fix CVE-2023-6228
From: @openeuler-sync-bot 
Reviewed-by: @open-bot 
Signed-off-by: @open-bot
2023-11-22 08:11:34 +00:00
liningjie
bcbdad88a6 fix CVE-2023-6228
(cherry picked from commit 680716ea2c39399e269e593191434a74fde9bfe2)
2023-11-22 16:10:28 +08:00
7 changed files with 644 additions and 2 deletions


@ -0,0 +1,172 @@
From 284ae90ae567de4ca53a3f32b472096f0da573a5 Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Sun, 5 Nov 2023 03:50:21 +0800
Subject: [PATCH 1/2] Prevent some out-of-memory attacks
Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
---
libtiff/tif_dirread.c | 94 +++++++++++++++++++++++++++++++++++++++++--
1 file changed, 90 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index a762c67..2428257 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -866,8 +866,23 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit(
datasize=(*count)*typesize;
assert((tmsize_t)datasize>0);
- if( isMapped(tif) && datasize > (uint64_t)tif->tif_size )
- return TIFFReadDirEntryErrIo;
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of requested memory is not greater than file size.
+ */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ if (datasize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+ "Requested memory size for tag %d (0x%x) %" PRIu32
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, tag not read",
+ direntry->tdir_tag, direntry->tdir_tag, datasize,
+ filesize);
+ return (TIFFReadDirEntryErrAlloc);
+ }
+
+ if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
+ return TIFFReadDirEntryErrIo;
if( !isMapped(tif) &&
(((tif->tif_flags&TIFF_BIGTIFF) && datasize > 8) ||
@@ -4592,6 +4607,19 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount)
if( !_TIFFFillStrilesInternal( tif, 0 ) )
return -1;
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of requested memory is not greater than file size. */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Requested memory size for StripByteCounts of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return -1;
+ }
if (td->td_stripbytecount_p)
_TIFFfree(td->td_stripbytecount_p);
td->td_stripbytecount_p = (uint64_t*)
@@ -4602,9 +4630,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount)
if (td->td_compression != COMPRESSION_NONE) {
uint64_t space;
- uint64_t filesize;
uint16_t n;
- filesize = TIFFGetFileSize(tif);
if (!(tif->tif_flags&TIFF_BIGTIFF))
space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
else
@@ -4912,6 +4938,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir,
dircount16 = (uint16_t)dircount64;
dirsize = 20;
}
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(
+ tif->tif_clientdata, module,
+ "Requested memory size for TIFF directory of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, TIFF directory not read",
+ allocsize, filesize);
+ return 0;
+ }
origdir = _TIFFCheckMalloc(tif, dircount16,
dirsize, "to read TIFF directory");
if (origdir == NULL)
@@ -5015,6 +5055,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir,
"Sanity check on directory count failed, zero tag directories not supported");
return 0;
}
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(
+ tif->tif_clientdata, module,
+ "Requested memory size for TIFF directory of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, TIFF directory not read",
+ allocsize, filesize);
+ return 0;
+ }
origdir = _TIFFCheckMalloc(tif, dircount16,
dirsize,
"to read TIFF directory");
@@ -5058,6 +5112,8 @@ TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir,
}
}
}
+ /* No check against filesize needed here because "dir" should have same size
+ * than "origdir" checked above. */
dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
sizeof(TIFFDirEntry),
"to read TIFF directory");
@@ -5852,6 +5908,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
return(0);
}
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ uint64_t filesize = TIFFGetFileSize(tif);
+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Requested memory size for StripArray of %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ _TIFFfree(data);
+ return (0);
+ }
resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
if (resizeddata==0) {
_TIFFfree(data);
@@ -5947,6 +6017,22 @@ static void allocChoppedUpStripArrays(TIFF* tif, uint32_t nstrips,
}
bytecount = last_offset + last_bytecount - offset;
+ /* Before allocating a huge amount of memory for corrupted files, check if
+ * size of StripByteCount and StripOffset tags is not greater than
+ * file size.
+ */
+ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+ uint64_t filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+ "Requested memory size for StripByteCount and "
+ "StripOffsets %" PRIu64
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return;
+ }
newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
"for chopped \"StripByteCounts\" array");
newoffsets = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
--
2.33.0
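Review bot: The comment added before the `dir` allocation in TIFFFetchDirectory (`"dir" should have same size than "origdir"`) does not match the two allocations shown. `origdir` is sized as `dircount16 * dirsize`, while `dir` is sized as `dircount16 * sizeof(TIFFDirEntry)`, so the earlier file-size check does not literally cover it. The allocation still looks bounded, because `dircount16` is assigned from a `(uint16_t)` cast and so caps the element count. The comment should state that reason instead, e.g. `/* No file-size check here: the entry count is a 16-bit value, which bounds this allocation. */`. TIFFFetchDirectory starts and ends outside these hunks.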


@ -0,0 +1,46 @@
From fcfa5b516c43c0a8eabede226ec8df7852328339 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Sun, 5 Nov 2023 04:42:11 +0800
Subject: [PATCH 2/2] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation
of col/row (fixes #622)
---
libtiff/tif_getimage.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 9a2e0c5..ca4d227 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -2942,6 +2942,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32_t row, uint32_t * raster, int stop_on_err
}
if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
+ if (row >= img.height)
+ {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+ "Invalid row passed to TIFFReadRGBAStrip().");
+ TIFFRGBAImageEnd(&img);
+ return (0);
+ }
img.row_offset = row;
img.col_offset = 0;
@@ -3018,6 +3025,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
return( 0 );
}
+ if (col >= img.width || row >= img.height)
+ {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+ "Invalid row/col passed to TIFFReadRGBATile().");
+ TIFFRGBAImageEnd(&img);
+ return (0);
+ }
+
/*
* The TIFFRGBAImageGet() function doesn't allow us to get off the
* edge of the image, even to fill an otherwise valid tile. So we
--
2.33.0


@ -0,0 +1,193 @@
From a54a4cb1a177852d4d19012d281ccf3b6c18ccb3 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 29 Nov 2023 17:11:45 +0800
Subject: [PATCH] backport patch for fix CVE-2023-6277 issue
---
libtiff/tif_dirread.c | 124 +++++++++++++++++++++---------------------
1 file changed, 63 insertions(+), 61 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 2428257..ed88e80 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -865,20 +865,22 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit(
*count=(uint32_t)target_count64;
datasize=(*count)*typesize;
assert((tmsize_t)datasize>0);
-
- /* Before allocating a huge amount of memory for corrupted files, check if
- * size of requested memory is not greater than file size.
- */
- uint64_t filesize = TIFFGetFileSize(tif);
- if (datasize > filesize)
+ if (datasize > 100 * 1024 * 1024)
{
- TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
- "Requested memory size for tag %d (0x%x) %" PRIu32
- " is greather than filesize %" PRIu64
- ". Memory not allocated, tag not read",
- direntry->tdir_tag, direntry->tdir_tag, datasize,
- filesize);
- return (TIFFReadDirEntryErrAlloc);
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size.
+ */
+ const uint64_t filesize = TIFFGetFileSize(tif);
+ if (datasize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+ "Requested memory size for tag %d (0x%x) %" PRIu32
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, tag not read",
+ direntry->tdir_tag, direntry->tdir_tag, datasize,
+ filesize);
+ return (TIFFReadDirEntryErrAlloc);
+ }
}
if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
@@ -4607,18 +4609,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount)
if( !_TIFFFillStrilesInternal( tif, 0 ) )
return -1;
- /* Before allocating a huge amount of memory for corrupted files, check if
- * size of requested memory is not greater than file size. */
- uint64_t filesize = TIFFGetFileSize(tif);
- uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
- if (allocsize > filesize)
+ const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+ uint64_t filesize = 0;
+ if (allocsize > 100 * 1024 * 1024)
{
- TIFFWarningExt(tif->tif_clientdata, module,
- "Requested memory size for StripByteCounts of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- return -1;
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Requested memory size for StripByteCounts of %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return -1;
+ }
}
if (td->td_stripbytecount_p)
_TIFFfree(td->td_stripbytecount_p);
@@ -4664,6 +4670,8 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount)
return -1;
space+=datasize;
}
+ if (filesize == 0)
+ filesize = TIFFGetFileSize(tif);
if( filesize < space )
/* we should perhaps return in error ? */
space = filesize;
@@ -4938,20 +4946,7 @@ TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir,
dircount16 = (uint16_t)dircount64;
dirsize = 20;
}
- /* Before allocating a huge amount of memory for corrupted files, check
- * if size of requested memory is not greater than file size. */
- uint64_t filesize = TIFFGetFileSize(tif);
- uint64_t allocsize = (uint64_t)dircount16 * dirsize;
- if (allocsize > filesize)
- {
- TIFFWarningExt(
- tif->tif_clientdata, module,
- "Requested memory size for TIFF directory of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated, TIFF directory not read",
- allocsize, filesize);
- return 0;
- }
+
origdir = _TIFFCheckMalloc(tif, dircount16,
dirsize, "to read TIFF directory");
if (origdir == NULL)
@@ -5064,7 +5059,7 @@ TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir,
TIFFWarningExt(
tif->tif_clientdata, module,
"Requested memory size for TIFF directory of %" PRIu64
- " is greather than filesize %" PRIu64
+ " is greater than filesize %" PRIu64
". Memory not allocated, TIFF directory not read",
allocsize, filesize);
return 0;
@@ -5908,19 +5903,23 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
return(0);
}
- /* Before allocating a huge amount of memory for corrupted files, check
- * if size of requested memory is not greater than file size. */
- uint64_t filesize = TIFFGetFileSize(tif);
- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
- if (allocsize > filesize)
+ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+ if (allocsize > 100 * 1024 * 1024)
{
- TIFFWarningExt(tif->tif_clientdata, module,
- "Requested memory size for StripArray of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- _TIFFfree(data);
- return (0);
+ /* Before allocating a huge amount of memory for corrupted files,
+ * check if size of requested memory is not greater than file size.
+ */
+ const uint64_t filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Requested memory size for StripArray of %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ _TIFFfree(data);
+ return (0);
+ }
}
resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
if (resizeddata==0) {
@@ -6021,17 +6020,20 @@ static void allocChoppedUpStripArrays(TIFF* tif, uint32_t nstrips,
* size of StripByteCount and StripOffset tags is not greater than
* file size.
*/
- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
- uint64_t filesize = TIFFGetFileSize(tif);
- if (allocsize > filesize)
+ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+ if (allocsize > 100 * 1024 * 1024)
{
- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
- "Requested memory size for StripByteCount and "
- "StripOffsets %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- return;
+ const uint64_t filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+ "Requested memory size for StripByteCount and "
+ "StripOffsets %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return;
+ }
}
newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
"for chopped \"StripByteCounts\" array");
--
2.27.0
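Review bot: The `100 * 1024 * 1024` threshold is a bare literal repeated in four hunks (TIFFReadDirEntryArrayWithLimit, EstimateStripByteCounts, TIFFFetchStripThing, allocChoppedUpStripArrays), with no comment saying why that value was chosen or what it leaves unguarded. On the paths shown, requests at or below it now skip the `TIFFGetFileSize()` comparison, so a small input can presumably still drive each of these allocations up to roughly 100 MiB. The patch therefore reduces the out-of-memory exposure but is not a complete memory cap for untrusted files. A single named constant with a one-line rationale would keep the four sites in step, e.g. `#define FILESIZE_CHECK_THRESHOLD (100 * 1024 * 1024) /* smaller requests are allocated without consulting the file size */`. All four functions continue outside their hunks.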


@ -0,0 +1,114 @@
From a20298c4785c369469510613dfbc5bf230164fed Mon Sep 17 00:00:00 2001
From: Lee Howard <faxguy@howardsilvan.com>
Date: Fri, 17 May 2024 15:11:10 +0000
Subject: [PATCH] tiffcrop: fixes #542, #550, #552 (buffer overflows, use after
free)
Reference:https://gitlab.com/libtiff/libtiff/-/commit/a20298c4785c369469510613dfbc5bf230164fed
Conflict:Adapt context
---
tools/tiffcrop.c | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index b11fec93..aaf6bb28 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -451,6 +451,7 @@ static uint16_t defcompression = (uint16_t) -1;
static uint16_t defpredictor = (uint16_t) -1;
static int pageNum = 0;
static int little_endian = 1;
+static tmsize_t check_buffsize = 0;
/* Functions adapted from tiffcp with additions or significant modifications */
static int readContigStripsIntoBuffer (TIFF*, uint8_t*);
@@ -2084,6 +2085,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
TIFFError ("Limit for subdivisions, ie rows x columns, exceeded", "%d", MAX_SECTIONS);
exit (EXIT_FAILURE);
}
+ if ((page->cols * page->rows) < 1)
+ {
+ TIFFError("No subdivisions", "%d", (page->cols * page->rows));
+ exit(EXIT_FAILURE);
+ }
page->mode |= PAGE_MODE_ROWSCOLS;
break;
case 'U': /* units for measurements and offsets */
@@ -4438,7 +4444,7 @@ combineSeparateTileSamplesBytes (unsigned char *srcbuffs[], unsigned char *out,
dst = out + (row * dst_rowsize);
src_offset = row * src_rowsize;
#ifdef DEVELMODE
- TIFFError("","Tile row %4d, Src offset %6d Dst offset %6d",
+ TIFFError("","Tile row %4d, Src offset %6d Dst offset %6zd",
row, src_offset, dst - out);
#endif
for (col = 0; col < cols; col++)
@@ -5033,7 +5039,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
break;
}
#ifdef DEVELMODE
- TIFFError("", "Strip %2"PRIu32", read %5"PRId32" bytes for %4"PRIu32" scanlines, shift width %d",
+ TIFFError("", "Strip %2"PRIu32", read %5zd"" bytes for %4"PRIu32" scanlines, shift width %d",
strip, bytes_read, rows_this_strip, shift_width);
#endif
}
@@ -6434,6 +6440,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFError("loadImage", "Unable to allocate read buffer");
return (-1);
}
+ check_buffsize = buffsize + NUM_BUFF_OVERSIZE_BYTES;
read_buff[buffsize] = 0;
read_buff[buffsize+1] = 0;
@@ -7064,6 +7071,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
TIFFError ("", "Src offset: %8"PRIu32", Dst offset: %8"PRIu32, src_offset, dst_offset);
#endif
+ if (src_offset + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
_TIFFmemcpy (sect_buff + dst_offset, src_buff + src_offset, full_bytes);
dst_offset += full_bytes;
}
@@ -7098,6 +7110,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
bytebuff1 = bytebuff2 = 0;
if (shift1 == 0) /* the region is byte and sample aligned */
{
+ if (offset1 + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
_TIFFmemcpy (sect_buff + dst_offset, src_buff + offset1, full_bytes);
#ifdef DEVELMODE
@@ -7117,6 +7134,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if (trailing_bits != 0)
{
/* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
+ if (offset1 + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
sect_buff[dst_offset] = bytebuff2;
#ifdef DEVELMODE
@@ -7142,6 +7164,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
{
/* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
/* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
+ if (offset1 + j + 1 >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
--
GitLab
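Review bot: The four new guards in extractImageSection add the offsets before widening them, e.g. `src_offset + full_bytes >= check_buffsize`. `src_offset` is printed with `PRIu32` just above, so if `full_bytes` is also 32-bit the sum can wrap and a large offset would pass the comparison against the `tmsize_t` limit. Widening first avoids that: `if ((uint64_t)src_offset + full_bytes >= (uint64_t)check_buffsize)`, and likewise for the `offset1 + full_bytes` and `offset1 + j + 1` checks. Separately, `check_buffsize` is a file-scope value set only in loadImage, so the guard is valid only if `src_buff` is always that read buffer. The callers are not visible in these hunks, so that assumption deserves a comment at the declaration. The rejections are also reported with `printf` where the surrounding code uses `TIFFError`.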


@ -0,0 +1,27 @@
From a239f91e7146d35082ffb594c1d6a279020cc8b4 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Tue, 21 Nov 2023 16:58:05 +0800
Subject: [PATCH] Check also if codec of input image is available,
independently from codec check of output image and return with error if not.
Fixes #606.
---
tools/tiffcp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 7120837..5b2e879 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -724,6 +724,8 @@ tiffcp(TIFF* in, TIFF* out)
else
CopyField(TIFFTAG_COMPRESSION, compression);
TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, &input_compression);
+ if (!TIFFIsCODECConfigured(input_compression))
+ return FALSE;
TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, &input_photometric);
if (input_compression == COMPRESSION_JPEG) {
/* Force conversion to RGB */
--
2.27.0
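Review bot: The new early `return FALSE` in tiffcp() emits no diagnostic, so unless TIFFIsCODECConfigured() reports the problem itself, the tool fails on an unconfigured input codec without saying why. An error before the return would make the rejection visible, e.g. `TIFFError(TIFFFileName(in), "Input compression codec %u is not configured", (unsigned)input_compression);`. The check also runs after the `CopyField(TIFFTAG_COMPRESSION, compression)` branch, so the output may already have been modified when it fires. Whether the caller cleans that up is not visible here, since tiffcp() starts and ends outside the hunk.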


@ -0,0 +1,64 @@
From a91566b32d107e86c4ea0b10bbcb5ce089005cb7 Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 13 Aug 2024 09:42:15 +0800
Subject: [PATCH] fix CVE-2024-7006
Reference:https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e
Check return value of _TIFFCreateAnonField().
Fixes #624 (closed)
---
libtiff/tif_dirinfo.c | 2 +-
libtiff/tif_dirread.c | 17 ++++++++---------
2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
index a212d01..755693c 100644
--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
@@ -797,7 +797,7 @@ _TIFFFindOrRegisterField(TIFF *tif, uint32_t tag, TIFFDataType dt)
fld = TIFFFindField(tif, tag, dt);
if (fld == NULL) {
fld = _TIFFCreateAnonField(tif, tag, dt);
- if (!_TIFFMergeFields(tif, fld, 1))
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
return NULL;
}
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index ed88e80..4e2b53e 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -3734,11 +3734,10 @@ TIFFReadDirectory(TIFF* tif)
dp->tdir_tag,dp->tdir_tag);
/* the following knowingly leaks the
anonymous field structure */
- if (!_TIFFMergeFields(tif,
- _TIFFCreateAnonField(tif,
- dp->tdir_tag,
- (TIFFDataType) dp->tdir_type),
- 1)) {
+ const TIFFField *fld = _TIFFCreateAnonField(
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
TIFFWarningExt(tif->tif_clientdata,
module,
"Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
@@ -4500,10 +4499,10 @@ TIFFReadCustomDirectory(TIFF* tif, toff_t diroff,
TIFFWarningExt(tif->tif_clientdata, module,
"Unknown field with tag %"PRIu16" (0x%"PRIx16") encountered",
dp->tdir_tag, dp->tdir_tag);
- if (!_TIFFMergeFields(tif, _TIFFCreateAnonField(tif,
- dp->tdir_tag,
- (TIFFDataType) dp->tdir_type),
- 1)) {
+ const TIFFField *fld = _TIFFCreateAnonField(
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
+ {
TIFFWarningExt(tif->tif_clientdata, module,
"Registering anonymous field with tag %"PRIu16" (0x%"PRIx16") failed",
dp->tdir_tag, dp->tdir_tag);
--
2.27.0
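Review bot: In the `_TIFFFindOrRegisterField` hunk, when `_TIFFCreateAnonField` succeeds but `_TIFFMergeFields` fails, the function returns NULL and the newly created `fld` is dropped. The TIFFReadDirectory hunk keeps a comment saying the leak is deliberate, but this hunk and the TIFFReadCustomDirectory one carry none. If the leak is intended here too, repeat the comment, `/* the following knowingly leaks the anonymous field structure */`; otherwise the failure branch should release `fld`. Which is right depends on the ownership rules of `_TIFFMergeFields`, which are not visible on this page.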


@ -1,6 +1,6 @@
Name: libtiff
Version: 4.3.0
Release: 33
Release: 38
Summary: TIFF Library and Utilities
License: libtiff
URL: https://www.simplesystems.org/libtiff/
@ -47,9 +47,14 @@ Patch6037: backport-CVE-2023-38289.patch
Patch6038: backport-CVE-2023-3618.patch
Patch6039: backport-CVE-2022-40090.patch
Patch6040: backport-CVE-2022-34526.patch
Patch6041: backport-CVE-2023-6228.patch
Patch6042: backport-CVE-2023-1916-CVE-2023-3164.patch
Patch9000: fix-raw2tiff-floating-point-exception.patch
Patch9001: backport-0001-CVE-2023-6277.patch
Patch9002: backport-0002-CVE-2023-6277.patch
Patch9003: backport-0003-CVE-2023-6277.patch
Patch9004: backport-CVE-2024-7006.patch
BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
BuildRequires: libtool automake autoconf pkgconfig
@ -170,6 +175,27 @@ find html -name 'Makefile*' | xargs rm
%exclude %{_datadir}/html/man/tiffgt.1.html
%changelog
* Tue Aug 13 2024 baiguo <baiguo@kylinos.cn> - 4.3.0-38
- Type:CVE
- ID:CVE-2024-7006
- SUG:NA
- DESC:fix CVE-2024-7006
* Mon May 20 2024 lingsheng <lingsheng1@h-partners.com> - 4.3.0-37
- Type:CVE
- ID:CVE-2023-1916,CVE-2023-3164
- SUG:NA
- DESC:fix CVE-2023-1916 CVE-2023-3164
* Wed Nov 29 2023 liningjie <liningjie@xfusion.com> - 4.3.0-36
- backport patch for fix CVE-2023-6277 issue
* Sat Nov 25 2023 liningjie <liningjie@xfusion.com> - 4.3.0-35
- fix CVE-2023-6277
* Tue Nov 21 2023 liningjie <liningjie@xfusion.com> - 4.3.0-34
- fix CVE-2023-6228
* Thu Sep 07 2023 zhangpan <zhangpan103@h-partners.com> - 4.3.0-33
- fix CVE-2022-34526