From 9ece223941ad5a01de774e2b7affdc47a8d3cf10 Mon Sep 17 00:00:00 2001
From: zhouwenpei
Date: Tue, 23 Aug 2022 14:12:45 +0800
Subject: [PATCH] fix CVE-2022-2867,CVE-2022-2868,CVE-2022-2869
(cherry picked from commit ab64273dfcef9b915c24286041df76f011b97632)
---
 ...022-2867-CVE-2022-2868-CVE-2022-2869.patch | 146 ++++++++++++++++++
 libtiff.spec | 7 +-
 2 files changed, 151 insertions(+), 2 deletions(-)
 create mode 100644 backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
diff --git a/backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch b/backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
new file mode 100644
index 0000000..f930929
--- /dev/null
+++ b/backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
@@ -0,0 +1,146 @@
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 0da3157743aaabc2f874fdaeb9f46e94cb00efd8..e4a08ca96c03923a49a71aab0f0cfba906ffdf29 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5192,29 +5192,45 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ y1 = (uint32_t) (crop->corners[i].Y1);
+ y2 = (uint32_t) (crop->corners[i].Y2);
+ }
+- if (x1 < 1)
+- crop->regionlist[i].x1 = 0;
+- else
+- crop->regionlist[i].x1 = (uint32_t) (x1 - 1);
++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
++ * b) Corners are expected to be submitted as top-left to bottom-right.
++ * Therefore, check that and reorder input.
++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
++ */
++ uint32_t aux;
++ if (x1 > x2) {
++ aux = x1;
++ x1 = x2;
++ x2 = aux;
++ }
++ if (y1 > y2) {
++ aux = y1;
++ y1 = y2;
++ y2 = aux;
++ }
++ if (x1 > image->width - 1)
++ crop->regionlist[i].x1 = image->width - 1;
++ else if (x1 > 0)
++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
+
+ if (x2 > image->width - 1)
+ crop->regionlist[i].x2 = image->width - 1;
+- else
+- crop->regionlist[i].x2 = (uint32_t) (x2 - 1);
+- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
++ else if (x2 > 0)
++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
+
+- if (y1 < 1)
+- crop->regionlist[i].y1 = 0;
+- else
+- crop->regionlist[i].y1 = (uint32_t) (y1 - 1);
++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
++
++ if (y1 > image->length - 1)
++ crop->regionlist[i].y1 = image->length - 1;
++ else if (y1 > 0)
++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
+
+ if (y2 > image->length - 1)
+ crop->regionlist[i].y2 = image->length - 1;
+- else
+- crop->regionlist[i].y2 = (uint32_t) (y2 - 1);
+-
+- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
++ else if (y2 > 0)
++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
+
++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (zwidth > max_width)
+ max_width = zwidth;
+ if (zlength > max_length)
+@@ -5244,7 +5260,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ }
+ }
+ return (0);
+- }
++ } /* crop_mode == CROP_REGIONS */
+
+ /* Convert crop margins into offsets into image
+ * Margins are expressed as pixel rows and columns, not bytes
+@@ -5280,7 +5296,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ bmargin = (uint32_t) 0;
+ return (-1);
+ }
+- }
++ } /* crop_mode == CROP_MARGINS */
+ else
+ { /* no margins requested */
+ tmargin = (uint32_t) 0;
+@@ -5371,24 +5387,23 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
+ off->endx = endx;
+ off->endy = endy;
+
+- crop_width = endx - startx + 1;
+- crop_length = endy - starty + 1;
+-
+- if (crop_width <= 0)
++ if (endx + 1 <= startx)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid left/right margins and /or image crop width requested");
+ return (-1);
+ }
++ crop_width = endx - startx + 1;
+ if (crop_width > image->width)
+ crop_width = image->width;
+
+- if (crop_length <= 0)
++ if (endy + 1 <= starty)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Invalid top/bottom margins and /or image crop length requested");
+ return (-1);
+ }
++ crop_length = endy - starty + 1;
+ if (crop_length > image->length)
+ crop_length = image->length;
+
+@@ -5488,10 +5503,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+ else
+ crop->selections = crop->zones;
+
+- for (i = 0; i < crop->zones; i++)
++ /* Initialize regions iterator i */
++ i = 0;
++ for (int j = 0; j < crop->zones; j++)
+ {
+- seg = crop->zonelist[i].position;
+- total = crop->zonelist[i].total;
++ seg = crop->zonelist[j].position;
++ total = crop->zonelist[j].total;
++
++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
++ if (seg == 0 || total == 0 || seg > total) {
++ continue;
++ }
+
+ switch (crop->edge_ref)
+ {
+@@ -5620,8 +5642,11 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+ i + 1, zwidth, zlength,
+ crop->regionlist[i].x1, crop->regionlist[i].x2,
+ crop->regionlist[i].y1, crop->regionlist[i].y2);
++ /* increment regions iterator */
++ i++;
+ }
+-
++ /* set number of generated regions out of given zones */
++ crop->selections = i;
+ return (0);
+ } /* end getCropOffsets */
+
\ No newline at end of file
diff --git a/libtiff.spec b/libtiff.spec
index b13ef1b..3cbb301 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,6 +1,6 @@
 Name: libtiff
 Version: 4.3.0
-Release: 16
+Release: 17
 Summary: TIFF Library and Utilities
 License: libtiff
 URL: https://www.simplesystems.org/libtiff/
@@ -21,7 +21,7 @@ Patch6011: backport-CVE-2022-1355.patch
 Patch6012: backport-0001-CVE-2022-1622-CVE-2022-1623.patch
 Patch6013: backport-0002-CVE-2022-1622-CVE-2022-1623.patch
 Patch6014: backport-CVE-2022-1354.patch
-
+Patch6015: backport-CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
 Patch9000: fix-raw2tiff-floating-point-exception.patch
@@ -144,6 +144,9 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html
 %changelog
+* Tue Aug 23 2022 zhouwenpei - 4.3.0-17
+- fix CVE-2022-2867,CVE-2022-2868,CVE-2022-2869
+
 * Tue Jul 05 2022 zhouwenpei - 4.3.0-16
 - fix CVE-2022-1354
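Review bot: In the reworked region clamping of computeInputPixelOffsets (first tiffcrop.c hunk of the backported patch), the `else if (x1 > 0)` chains for x1, x2, y1 and y2 have no final `else`. When a corner value is 0, the matching `crop->regionlist[i]` field is never written, so `zwidth` and `zlength` are computed from whatever the field held before; the removed code stored 0 explicitly for x1 and y1. The function starts outside the hunk, so whether regionlist is zeroed earlier cannot be confirmed here. I would close each chain with an explicit store such as `else crop->regionlist[i].x1 = 0;`, and likewise for x2, y1 and y2. Separately, `image->width - 1` and `image->length - 1` wrap around when a dimension is 0; that case is presumably rejected before this code runs, but a comment stating the assumption would make the bounds check easier to audit.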