packages/libtiff
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport patch for fix CVE-2023-6277 issue

Browse Source 
(cherry picked from commit 726a384f2b8e93d26e6d17809d117f7ef5a773c2)
This commit is contained in:
liningjie 2023-11-29 17:32:01 +08:00 committed by openeuler-sync-bot
parent cae7b80a32
commit e7bf0cb018
2 changed files with 198 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

193
backport-0003-CVE-2023-6277.patch Normal file
View File

@ -0,0 +1,193 @@
From a54a4cb1a177852d4d19012d281ccf3b6c18ccb3 Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 29 Nov 2023 17:11:45 +0800
Subject: [PATCH] backport patch for fix CVE-2023-6277 issue
---
libtiff/tif_dirread.c | 124 +++++++++++++++++++++---------------------
1 file changed, 63 insertions(+), 61 deletions(-)
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 2428257..ed88e80 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -865,20 +865,22 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit(
*count=(uint32_t)target_count64;
datasize=(*count)*typesize;
assert((tmsize_t)datasize>0);
-
- /* Before allocating a huge amount of memory for corrupted files, check if
- * size of requested memory is not greater than file size.
- */
- uint64_t filesize = TIFFGetFileSize(tif);
- if (datasize > filesize)
+ if (datasize > 100 * 1024 * 1024)
{
- TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
- "Requested memory size for tag %d (0x%x) %" PRIu32
- " is greather than filesize %" PRIu64
- ". Memory not allocated, tag not read",
- direntry->tdir_tag, direntry->tdir_tag, datasize,
- filesize);
- return (TIFFReadDirEntryErrAlloc);
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size.
+ */
+ const uint64_t filesize = TIFFGetFileSize(tif);
+ if (datasize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+ "Requested memory size for tag %d (0x%x) %" PRIu32
+ " is greather than filesize %" PRIu64
+ ". Memory not allocated, tag not read",
+ direntry->tdir_tag, direntry->tdir_tag, datasize,
+ filesize);
+ return (TIFFReadDirEntryErrAlloc);
+ }
}
if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
@@ -4607,18 +4609,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount)
if( !_TIFFFillStrilesInternal( tif, 0 ) )
return -1;
- /* Before allocating a huge amount of memory for corrupted files, check if
- * size of requested memory is not greater than file size. */
- uint64_t filesize = TIFFGetFileSize(tif);
- uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
- if (allocsize > filesize)
+ const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+ uint64_t filesize = 0;
+ if (allocsize > 100 * 1024 * 1024)
{
- TIFFWarningExt(tif->tif_clientdata, module,
- "Requested memory size for StripByteCounts of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- return -1;
+ /* Before allocating a huge amount of memory for corrupted files, check
+ * if size of requested memory is not greater than file size. */
+ filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Requested memory size for StripByteCounts of %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return -1;
+ }
}
if (td->td_stripbytecount_p)
_TIFFfree(td->td_stripbytecount_p);
@@ -4664,6 +4670,8 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount)
return -1;
space+=datasize;
}
+ if (filesize == 0)
+ filesize = TIFFGetFileSize(tif);
if( filesize < space )
/* we should perhaps return in error ? */
space = filesize;
@@ -4938,20 +4946,7 @@ TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir,
dircount16 = (uint16_t)dircount64;
dirsize = 20;
}
- /* Before allocating a huge amount of memory for corrupted files, check
- * if size of requested memory is not greater than file size. */
- uint64_t filesize = TIFFGetFileSize(tif);
- uint64_t allocsize = (uint64_t)dircount16 * dirsize;
- if (allocsize > filesize)
- {
- TIFFWarningExt(
- tif->tif_clientdata, module,
- "Requested memory size for TIFF directory of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated, TIFF directory not read",
- allocsize, filesize);
- return 0;
- }
+
origdir = _TIFFCheckMalloc(tif, dircount16,
dirsize, "to read TIFF directory");
if (origdir == NULL)
@@ -5064,7 +5059,7 @@ TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir,
TIFFWarningExt(
tif->tif_clientdata, module,
"Requested memory size for TIFF directory of %" PRIu64
- " is greather than filesize %" PRIu64
+ " is greater than filesize %" PRIu64
". Memory not allocated, TIFF directory not read",
allocsize, filesize);
return 0;
@@ -5908,19 +5903,23 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
return(0);
}
- /* Before allocating a huge amount of memory for corrupted files, check
- * if size of requested memory is not greater than file size. */
- uint64_t filesize = TIFFGetFileSize(tif);
- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
- if (allocsize > filesize)
+ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+ if (allocsize > 100 * 1024 * 1024)
{
- TIFFWarningExt(tif->tif_clientdata, module,
- "Requested memory size for StripArray of %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- _TIFFfree(data);
- return (0);
+ /* Before allocating a huge amount of memory for corrupted files,
+ * check if size of requested memory is not greater than file size.
+ */
+ const uint64_t filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, module,
+ "Requested memory size for StripArray of %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ _TIFFfree(data);
+ return (0);
+ }
}
resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
if (resizeddata==0) {
@@ -6021,17 +6020,20 @@ static void allocChoppedUpStripArrays(TIFF* tif, uint32_t nstrips,
* size of StripByteCount and StripOffset tags is not greater than
* file size.
*/
- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
- uint64_t filesize = TIFFGetFileSize(tif);
- if (allocsize > filesize)
+ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+ if (allocsize > 100 * 1024 * 1024)
{
- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
- "Requested memory size for StripByteCount and "
- "StripOffsets %" PRIu64
- " is greather than filesize %" PRIu64
- ". Memory not allocated",
- allocsize, filesize);
- return;
+ const uint64_t filesize = TIFFGetFileSize(tif);
+ if (allocsize > filesize)
+ {
+ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+ "Requested memory size for StripByteCount and "
+ "StripOffsets %" PRIu64
+ " is greater than filesize %" PRIu64
+ ". Memory not allocated",
+ allocsize, filesize);
+ return;
+ }
}
newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
"for chopped \"StripByteCounts\" array");
--
2.27.0

6
libtiff.spec
View File

@ -1,6 +1,6 @@
Name: libtiff Name: libtiff
Version: 4.3.0 Version: 4.3.0
Release: 35 Release: 36
Summary: TIFF Library and Utilities Summary: TIFF Library and Utilities
License: libtiff License: libtiff
URL: https://www.simplesystems.org/libtiff/ URL: https://www.simplesystems.org/libtiff/
@ -52,6 +52,7 @@ Patch6041: backport-CVE-2023-6228.patch
Patch9000: fix-raw2tiff-floating-point-exception.patch Patch9000: fix-raw2tiff-floating-point-exception.patch
Patch9001: backport-0001-CVE-2023-6277.patch Patch9001: backport-0001-CVE-2023-6277.patch
Patch9002: backport-0002-CVE-2023-6277.patch Patch9002: backport-0002-CVE-2023-6277.patch
Patch9003: backport-0003-CVE-2023-6277.patch
BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel BuildRequires: gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
@ -173,6 +174,9 @@ find html -name 'Makefile*' | xargs rm
%exclude %{_datadir}/html/man/tiffgt.1.html %exclude %{_datadir}/html/man/tiffgt.1.html
%changelog %changelog
* Wed Nov 29 2023 liningjie <liningjie@xfusion.com> - 4.3.0-36
- backport patch for fix CVE-2023-6277 issue
* Sat Nov 25 2023 liningjie <liningjie@xfusion.com> - 4.3.0-35 * Sat Nov 25 2023 liningjie <liningjie@xfusion.com> - 4.3.0-35
- fix CVE-2023-6277 - fix CVE-2023-6277