diff --git a/backport-0003-CVE-2023-6277.patch b/backport-0003-CVE-2023-6277.patch
new file mode 100644
index 0000000..d69ca24
--- /dev/null
+++ b/backport-0003-CVE-2023-6277.patch
@@ -0,0 +1,193 @@
+From a54a4cb1a177852d4d19012d281ccf3b6c18ccb3 Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Wed, 29 Nov 2023 17:11:45 +0800
+Subject: [PATCH] backport patch for fix CVE-2023-6277 issue
+
+---
+ libtiff/tif_dirread.c | 124 +++++++++++++++++++++---------------------
+ 1 file changed, 63 insertions(+), 61 deletions(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 2428257..ed88e80 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -865,20 +865,22 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit(
+ *count=(uint32_t)target_count64;
+ datasize=(*count)*typesize;
+ assert((tmsize_t)datasize>0);
+-
+- /* Before allocating a huge amount of memory for corrupted files, check if
+- * size of requested memory is not greater than file size.
+- */
+- uint64_t filesize = TIFFGetFileSize(tif);
+- if (datasize > filesize)
++ if (datasize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+- "Requested memory size for tag %d (0x%x) %" PRIu32
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated, tag not read",
+- direntry->tdir_tag, direntry->tdir_tag, datasize,
+- filesize);
+- return (TIFFReadDirEntryErrAlloc);
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size.
++ */
++ const uint64_t filesize = TIFFGetFileSize(tif);
++ if (datasize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
++ "Requested memory size for tag %d (0x%x) %" PRIu32
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, tag not read",
++ direntry->tdir_tag, direntry->tdir_tag, datasize,
++ filesize);
++ return (TIFFReadDirEntryErrAlloc);
++ }
+ }
+
+ if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
+@@ -4607,18 +4609,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount)
+ if( !_TIFFFillStrilesInternal( tif, 0 ) )
+ return -1;
+
+- /* Before allocating a huge amount of memory for corrupted files, check if
+- * size of requested memory is not greater than file size. */
+- uint64_t filesize = TIFFGetFileSize(tif);
+- uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+- if (allocsize > filesize)
++ const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
++ uint64_t filesize = 0;
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, module,
+- "Requested memory size for StripByteCounts of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- return -1;
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Requested memory size for StripByteCounts of %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return -1;
++ }
+ }
+ if (td->td_stripbytecount_p)
+ _TIFFfree(td->td_stripbytecount_p);
+@@ -4664,6 +4670,8 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount)
+ return -1;
+ space+=datasize;
+ }
++ if (filesize == 0)
++ filesize = TIFFGetFileSize(tif);
+ if( filesize < space )
+ /* we should perhaps return in error ? */
+ space = filesize;
+@@ -4938,20 +4946,7 @@ TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir,
+ dircount16 = (uint16_t)dircount64;
+ dirsize = 20;
+ }
+- /* Before allocating a huge amount of memory for corrupted files, check
+- * if size of requested memory is not greater than file size. */
+- uint64_t filesize = TIFFGetFileSize(tif);
+- uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+- if (allocsize > filesize)
+- {
+- TIFFWarningExt(
+- tif->tif_clientdata, module,
+- "Requested memory size for TIFF directory of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated, TIFF directory not read",
+- allocsize, filesize);
+- return 0;
+- }
++
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize, "to read TIFF directory");
+ if (origdir == NULL)
+@@ -5064,7 +5059,7 @@ TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir,
+ TIFFWarningExt(
+ tif->tif_clientdata, module,
+ "Requested memory size for TIFF directory of %" PRIu64
+- " is greather than filesize %" PRIu64
++ " is greater than filesize %" PRIu64
+ ". Memory not allocated, TIFF directory not read",
+ allocsize, filesize);
+ return 0;
+@@ -5908,19 +5903,23 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
+ return(0);
+ }
+
+- /* Before allocating a huge amount of memory for corrupted files, check
+- * if size of requested memory is not greater than file size. */
+- uint64_t filesize = TIFFGetFileSize(tif);
+- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+- if (allocsize > filesize)
++ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, module,
+- "Requested memory size for StripArray of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- _TIFFfree(data);
+- return (0);
++ /* Before allocating a huge amount of memory for corrupted files,
++ * check if size of requested memory is not greater than file size.
++ */
++ const uint64_t filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Requested memory size for StripArray of %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ _TIFFfree(data);
++ return (0);
++ }
+ }
+ resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
+ if (resizeddata==0) {
+@@ -6021,17 +6020,20 @@ static void allocChoppedUpStripArrays(TIFF* tif, uint32_t nstrips,
+ * size of StripByteCount and StripOffset tags is not greater than
+ * file size.
+ */
+- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+- uint64_t filesize = TIFFGetFileSize(tif);
+- if (allocsize > filesize)
++ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+- "Requested memory size for StripByteCount and "
+- "StripOffsets %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- return;
++ const uint64_t filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
++ "Requested memory size for StripByteCount and "
++ "StripOffsets %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return;
++ }
+ }
+ newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
+ "for chopped \"StripByteCounts\" array");
+--
+2.27.0
+
diff --git a/libtiff.spec b/libtiff.spec
index 5c91d68..66afa35 100644
--- a/libtiff.spec
+++ b/libtiff.spec
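Review bot: In backport-0003-CVE-2023-6277.patch the cutoff `100 * 1024 * 1024` is repeated as a bare expression in TIFFReadDirEntryArrayWithLimit, EstimateStripByteCounts, TIFFFetchStripThing and allocChoppedUpStripArrays, and nothing in the code or the commit message says why requests at or below it skip the file-size comparison. I would define it once, e.g. `#define FILESIZE_CHECK_THRESHOLD (100 * 1024 * 1024)` (the name is a suggestion), with a comment along the lines of `/* TIFFGetFileSize() is only called above this size; smaller requests are allocated without comparing against the file size */`, so the remaining bound on unchecked allocations is stated where packagers tracking CVE-2023-6277 will see it. The added warning in the TIFFReadDirEntryArrayWithLimit hunk also keeps the `greather` spelling that the other hunks correct to `greater`. All of these functions start and end outside their hunks, so how the counts reach these sites is not visible here.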
@@ -1,6 +1,6 @@ Name: libtiff Version: 4.3.0 -Release: 35 +Release: 36 Summary: TIFF Library and Utilities License: libtiff URL: https://www.simplesystems.org/libtiff/ @@ -52,6 +52,7 @@ Patch6041: backport-CVE-2023-6228.patch Patch9000: fix-raw2tiff-floating-point-exception.patch Patch9001: backport-0001-CVE-2023-6277.patch Patch9002: backport-0002-CVE-2023-6277.patch +Patch9003: backport-0003-CVE-2023-6277.patch BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel @@ -173,6 +174,9 @@ find html -name 'Makefile*' | xargs rm %exclude %{_datadir}/html/man/tiffgt.1.html %changelog +* Wed Nov 29 2023 liningjie - 4.3.0-36 +- backport patch for fix CVE-2023-6277 issue + * Sat Nov 25 2023 liningjie - 4.3.0-35 - fix CVE-2023-6277