packages/libtiff
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-1916 CVE-2023-3164

Browse Source 
(cherry picked from commit 8387e6379b05715d15e43c3ae566e4068fb59da6)
This commit is contained in:
lingsheng 2024-05-20 09:01:23 +00:00 committed by openeuler-sync-bot
parent ef058ee000
commit 08212283b3
2 changed files with 122 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

114
backport-CVE-2023-1916-CVE-2023-3164.patch Normal file
View File

@ -0,0 +1,114 @@
From a20298c4785c369469510613dfbc5bf230164fed Mon Sep 17 00:00:00 2001
From: Lee Howard <faxguy@howardsilvan.com>
Date: Fri, 17 May 2024 15:11:10 +0000
Subject: [PATCH] tiffcrop: fixes #542, #550, #552 (buffer overflows, use after
free)
Reference:https://gitlab.com/libtiff/libtiff/-/commit/a20298c4785c369469510613dfbc5bf230164fed
Conflict:Adapt context
---
tools/tiffcrop.c | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index b11fec93..aaf6bb28 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -451,6 +451,7 @@ static uint16_t defcompression = (uint16_t) -1;
static uint16_t defpredictor = (uint16_t) -1;
static int pageNum = 0;
static int little_endian = 1;
+static tmsize_t check_buffsize = 0;
/* Functions adapted from tiffcp with additions or significant modifications */
static int readContigStripsIntoBuffer (TIFF*, uint8_t*);
@@ -2084,6 +2085,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
TIFFError ("Limit for subdivisions, ie rows x columns, exceeded", "%d", MAX_SECTIONS);
exit (EXIT_FAILURE);
}
+ if ((page->cols * page->rows) < 1)
+ {
+ TIFFError("No subdivisions", "%d", (page->cols * page->rows));
+ exit(EXIT_FAILURE);
+ }
page->mode |= PAGE_MODE_ROWSCOLS;
break;
case 'U': /* units for measurements and offsets */
@@ -4438,7 +4444,7 @@ combineSeparateTileSamplesBytes (unsigned char *srcbuffs[], unsigned char *out,
dst = out + (row * dst_rowsize);
src_offset = row * src_rowsize;
#ifdef DEVELMODE
- TIFFError("","Tile row %4d, Src offset %6d Dst offset %6d",
+ TIFFError("","Tile row %4d, Src offset %6d Dst offset %6zd",
row, src_offset, dst - out);
#endif
for (col = 0; col < cols; col++)
@@ -5033,7 +5039,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
break;
}
#ifdef DEVELMODE
- TIFFError("", "Strip %2"PRIu32", read %5"PRId32" bytes for %4"PRIu32" scanlines, shift width %d",
+ TIFFError("", "Strip %2"PRIu32", read %5zd"" bytes for %4"PRIu32" scanlines, shift width %d",
strip, bytes_read, rows_this_strip, shift_width);
#endif
}
@@ -6434,6 +6440,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFError("loadImage", "Unable to allocate read buffer");
return (-1);
}
+ check_buffsize = buffsize + NUM_BUFF_OVERSIZE_BYTES;
read_buff[buffsize] = 0;
read_buff[buffsize+1] = 0;
@@ -7064,6 +7071,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
#ifdef DEVELMODE
TIFFError ("", "Src offset: %8"PRIu32", Dst offset: %8"PRIu32, src_offset, dst_offset);
#endif
+ if (src_offset + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
_TIFFmemcpy (sect_buff + dst_offset, src_buff + src_offset, full_bytes);
dst_offset += full_bytes;
}
@@ -7098,6 +7110,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
bytebuff1 = bytebuff2 = 0;
if (shift1 == 0) /* the region is byte and sample aligned */
{
+ if (offset1 + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
_TIFFmemcpy (sect_buff + dst_offset, src_buff + offset1, full_bytes);
#ifdef DEVELMODE
@@ -7117,6 +7134,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
if (trailing_bits != 0)
{
/* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
+ if (offset1 + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
sect_buff[dst_offset] = bytebuff2;
#ifdef DEVELMODE
@@ -7142,6 +7164,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
{
/* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
/* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
+ if (offset1 + j + 1 >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
--
GitLab

9
libtiff.spec
View File

@ -1,6 +1,6 @@
Name: libtiff
Version: 4.3.0
Release: 36
Release: 37
Summary: TIFF Library and Utilities
License: libtiff
URL: https://www.simplesystems.org/libtiff/
@ -48,6 +48,7 @@ Patch6038: backport-CVE-2023-3618.patch
Patch6039: backport-CVE-2022-40090.patch
Patch6040: backport-CVE-2022-34526.patch
Patch6041: backport-CVE-2023-6228.patch
Patch6042: backport-CVE-2023-1916-CVE-2023-3164.patch
Patch9000: fix-raw2tiff-floating-point-exception.patch
Patch9001: backport-0001-CVE-2023-6277.patch
@ -174,6 +175,12 @@ find html -name 'Makefile*' | xargs rm
%exclude %{_datadir}/html/man/tiffgt.1.html
%changelog
* Mon May 20 2024 lingsheng <lingsheng1@h-partners.com> - 4.3.0-37
- Type:CVE
- ID:CVE-2023-1916,CVE-2023-3164
- SUG:NA
- DESC:fix CVE-2023-1916 CVE-2023-3164
* Wed Nov 29 2023 liningjie <liningjie@xfusion.com> - 4.3.0-36
- backport patch for fix CVE-2023-6277 issue