fix CVE-2023-26965

(cherry picked from commit 328a1cc5d47569b824ede88eba21973d999a0913)
2023-06-15 06:29:23 +00:00 · 2023-06-15 06:29:23 +00:00 · 9fb4409b3f
commit 9fb4409b3f
parent 0e8d85c6f5
2 changed files with 100 additions and 1 deletions
--- a/backport-CVE-2023-26965.patch
+++ b/backport-CVE-2023-26965.patch
@ -0,0 +1,95 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
+ Fix issue 527
+
+Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
+
+Closes #527
+
+Reference:https://gitlab.com/libtiff/libtiff/-/merge_requests/472/diffs
+Conflict:Context adaptation
+
+---
+ tools/tiffcrop.c | 43 +++++++++++++------------------------------
+ 1 file changed, 13 insertions(+), 30 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index a3fc41b..55269d6 100644
+--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
+@@ -6093,9 +6093,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+   uint32_t   tw = 0, tl = 0;       /* Tile width and length */
+   tmsize_t   tile_rowsize = 0;
+   unsigned char *read_buff = NULL;
+-  unsigned char *new_buff  = NULL;
+   int      readunit = 0;
+-  static   tmsize_t  prev_readsize = 0;
+ 
+   TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+   TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -6396,39 +6394,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+     }
+  
+   read_buff = *read_ptr;
+-  /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+-  /* outside buffer */
+-  if (!read_buff)
+  /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+   * outside buffer */
+  /* Reuse of read_buff from previous image is quite unsafe, because other
+   * functions (like rotateImage() etc.) reallocate that buffer with different
+   * size without updating the local prev_readsize value. */
+  if (read_buff)
+   {
+-    if( buffsize > 0xFFFFFFFFU - 3 )
+-    {
+-        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+-        return (-1);
+-    }
+-    read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+    _TIFFfree(read_buff);
+   }
+-  else
+  if (buffsize > 0xFFFFFFFFU - 3)
+     {
+-    if (prev_readsize < buffsize)
+-    {
+-      if( buffsize > 0xFFFFFFFFU - 3 )
+-      {
+-          TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+-          return (-1);
+-      }
+-      new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-      if (!new_buff)
+-        {
+-	free (read_buff);
+-        read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+-        }
+-      else
+-        read_buff = new_buff;
+-      }
+      TIFFError("loadImage", "Required read buffer size too large");
+      return (-1);
+     }
+  read_buff =
+      (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+   if (!read_buff)
+     {
+-    TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+    TIFFError("loadImage", "Unable to allocate read buffer");
+     return (-1);
+     }
+ 
+@@ -6436,7 +6420,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+   read_buff[buffsize+1] = 0;
+   read_buff[buffsize+2] = 0;
+ 
+-  prev_readsize = buffsize;
+   *read_ptr = read_buff;
+ 
+   /* N.B. The read functions used copy separate plane data into a buffer as interleaved
+-- 
+2.33.0
+
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,6 +1,6 @@
 Name:           libtiff
 Version:        4.3.0
-Release:        25
+Release:        26
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
@ -36,6 +36,7 @@ Patch6026:      backport-0001-CVE-2023-0795-0796-0797-0798-0799.patch
 Patch6027:      backport-0002-CVE-2023-0795-0796-0797-0798-0799.patch
 Patch6028:      backport-CVE-2023-0800-0801-0802-0803-0804.patch
 Patch6029:      backport-CVE-2023-2731.patch
+Patch6030:      backport-CVE-2023-26965.patch

 Patch9000:	fix-raw2tiff-floating-point-exception.patch

@ -159,6 +160,9 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html

 %changelog
+* Thu Jun 15 2023 zhangpan <zhangpan103@h-partners.com> - 4.3.0-26
+- fix CVE-2023-26965
+
 * Wed May 24 2023 zhangpan <zhangpan103@h-partners.com> - 4.3.0-25
 - fix CVE-2023-2731