fix CVE-2023-1916 CVE-2023-3164
(cherry picked from commit 8387e6379b05715d15e43c3ae566e4068fb59da6)
parent
ef058ee000
commit
08212283b3
114
backport-CVE-2023-1916-CVE-2023-3164.patch
Normal file
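--- a/backport-CVE-2023-1916-CVE-2023-3164.patch
+++ b/backport-CVE-2023-1916-CVE-2023-3164.patch
@@ -0,0 +1,114 @@
+From a20298c4785c369469510613dfbc5bf230164fed Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Fri, 17 May 2024 15:11:10 +0000
+Subject: [PATCH] tiffcrop: fixes #542, #550, #552 (buffer overflows, use after
+free)
+
+Reference:https://gitlab.com/libtiff/libtiff/-/commit/a20298c4785c369469510613dfbc5bf230164fed
+Conflict:Adapt context
+
+---
+tools/tiffcrop.c | 31 +++++++++++++++++++++++++++++--
+1 file changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index b11fec93..aaf6bb28 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -451,6 +451,7 @@ static uint16_t defcompression = (uint16_t) -1;
+static uint16_t defpredictor = (uint16_t) -1;
+static int pageNum = 0;
+static int little_endian = 1;
++static tmsize_t check_buffsize = 0;
+
+/* Functions adapted from tiffcp with additions or significant modifications */
+static int readContigStripsIntoBuffer (TIFF*, uint8_t*);
+@@ -2084,6 +2085,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+TIFFError ("Limit for subdivisions, ie rows x columns, exceeded", "%d", MAX_SECTIONS);
+exit (EXIT_FAILURE);
+}
++ if ((page->cols * page->rows) < 1)
++ {
++ TIFFError("No subdivisions", "%d", (page->cols * page->rows));
++ exit(EXIT_FAILURE);
++ }
+page->mode |= PAGE_MODE_ROWSCOLS;
+break;
+case 'U': /* units for measurements and offsets */
+@@ -4438,7 +4444,7 @@ combineSeparateTileSamplesBytes (unsigned char *srcbuffs[], unsigned char *out,
+dst = out + (row * dst_rowsize);
+src_offset = row * src_rowsize;
+#ifdef DEVELMODE
+- TIFFError("","Tile row %4d, Src offset %6d Dst offset %6d",
++ TIFFError("","Tile row %4d, Src offset %6d Dst offset %6zd",
+row, src_offset, dst - out);
+#endif
+for (col = 0; col < cols; col++)
+@@ -5033,7 +5039,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
+break;
+}
+#ifdef DEVELMODE
+- TIFFError("", "Strip %2"PRIu32", read %5"PRId32" bytes for %4"PRIu32" scanlines, shift width %d",
++ TIFFError("", "Strip %2"PRIu32", read %5zd"" bytes for %4"PRIu32" scanlines, shift width %d",
+strip, bytes_read, rows_this_strip, shift_width);
+#endif
+}
+@@ -6434,6 +6440,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+TIFFError("loadImage", "Unable to allocate read buffer");
+return (-1);
+}
++ check_buffsize = buffsize + NUM_BUFF_OVERSIZE_BYTES;
+
+read_buff[buffsize] = 0;
+read_buff[buffsize+1] = 0;
+@@ -7064,6 +7071,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+#ifdef DEVELMODE
+TIFFError ("", "Src offset: %8"PRIu32", Dst offset: %8"PRIu32, src_offset, dst_offset);
+#endif
++ if (src_offset + full_bytes >= check_buffsize)
++ {
++ printf("Bad input. Preventing reading outside of input buffer.\n");
++ return(-1);
++ }
+_TIFFmemcpy (sect_buff + dst_offset, src_buff + src_offset, full_bytes);
+dst_offset += full_bytes;
+}
+@@ -7098,6 +7110,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+bytebuff1 = bytebuff2 = 0;
+if (shift1 == 0) /* the region is byte and sample aligned */
+{
++ if (offset1 + full_bytes >= check_buffsize)
++ {
++ printf("Bad input. Preventing reading outside of input buffer.\n");
++ return(-1);
++ }
+_TIFFmemcpy (sect_buff + dst_offset, src_buff + offset1, full_bytes);
+
+#ifdef DEVELMODE
+@@ -7117,6 +7134,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+if (trailing_bits != 0)
+{
+/* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
++ if (offset1 + full_bytes >= check_buffsize)
++ {
++ printf("Bad input. Preventing reading outside of input buffer.\n");
++ return(-1);
++ }
+bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
+sect_buff[dst_offset] = bytebuff2;
+#ifdef DEVELMODE
+@@ -7142,6 +7164,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+{
+/* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
+/* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
++ if (offset1 + j + 1 >= check_buffsize)
++ {
++ printf("Bad input. Preventing reading outside of input buffer.\n");
++ return(-1);
++ }
+bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
+sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
+--
+GitLab
+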
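Review bot: The four new guards in extractImageSection add the offsets before comparing, so if `src_offset`, `offset1`, `full_bytes` and `j` are 32-bit unsigned (the DEVELMODE line prints `src_offset` with `PRIu32`; the declarations are outside the hunks) a wrapped sum passes the test against the `tmsize_t` limit. Widening first closes that: `if ((tmsize_t)src_offset + (tmsize_t)full_bytes >= check_buffsize)`, and the same for the `offset1 + full_bytes` and `offset1 + j + 1` checks. `check_buffsize` is a file-scope value assigned only in loadImage in this patch, so the guards are sound only while `src_buff` is the buffer loadImage allocated; a comment at the declaration, `/* size of the last loadImage() read buffer including NUM_BUFF_OVERSIZE_BYTES; bounds reads in extractImageSection() */`, would record that assumption. The rejection message also goes through `printf` where the surrounding code reports with `TIFFError`.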
@ -1,6 +1,6 @@
|
|||||||
Name: libtiff
|
Name: libtiff
|
||||||
Version: 4.3.0
|
Version: 4.3.0
|
||||||
Release: 36
|
Release: 37
|
||||||
Summary: TIFF Library and Utilities
|
Summary: TIFF Library and Utilities
|
||||||
License: libtiff
|
License: libtiff
|
||||||
URL: https://www.simplesystems.org/libtiff/
|
URL: https://www.simplesystems.org/libtiff/
|
||||||
@ -48,6 +48,7 @@ Patch6038: backport-CVE-2023-3618.patch
|
|||||||
Patch6039: backport-CVE-2022-40090.patch
|
Patch6039: backport-CVE-2022-40090.patch
|
||||||
Patch6040: backport-CVE-2022-34526.patch
|
Patch6040: backport-CVE-2022-34526.patch
|
||||||
Patch6041: backport-CVE-2023-6228.patch
|
Patch6041: backport-CVE-2023-6228.patch
|
||||||
|
Patch6042: backport-CVE-2023-1916-CVE-2023-3164.patch
|
||||||
|
|
||||||
Patch9000: fix-raw2tiff-floating-point-exception.patch
|
Patch9000: fix-raw2tiff-floating-point-exception.patch
|
||||||
Patch9001: backport-0001-CVE-2023-6277.patch
|
Patch9001: backport-0001-CVE-2023-6277.patch
|
||||||
@ -174,6 +175,12 @@ find html -name 'Makefile*' | xargs rm
|
|||||||
%exclude %{_datadir}/html/man/tiffgt.1.html
|
%exclude %{_datadir}/html/man/tiffgt.1.html
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon May 20 2024 lingsheng <lingsheng1@h-partners.com> - 4.3.0-37
|
||||||
|
- Type:CVE
|
||||||
|
- ID:CVE-2023-1916,CVE-2023-3164
|
||||||
|
- SUG:NA
|
||||||
|
- DESC:fix CVE-2023-1916 CVE-2023-3164
|
||||||
|
|
||||||
* Wed Nov 29 2023 liningjie <liningjie@xfusion.com> - 4.3.0-36
|
* Wed Nov 29 2023 liningjie <liningjie@xfusion.com> - 4.3.0-36
|
||||||
- backport patch for fix CVE-2023-6277 issue
|
- backport patch for fix CVE-2023-6277 issue
|
||||||
|
|
||||||
|
|||||||