!234 [sync] PR-228: backport patch for fix CVE-2023-6277 issue

From: @openeuler-sync-bot Reviewed-by: @open-bot Signed-off-by: @open-bot
2023-12-04 08:30:17 +00:00 · 2023-12-04 08:30:17 +00:00 · ef058ee000
commit ef058ee000
parent cae7b80a32 e7bf0cb018
2 changed files with 198 additions and 1 deletions
--- a/backport-0003-CVE-2023-6277.patch
+++ b/backport-0003-CVE-2023-6277.patch
@ -0,0 +1,193 @@
+From a54a4cb1a177852d4d19012d281ccf3b6c18ccb3 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Wed, 29 Nov 2023 17:11:45 +0800
+Subject: [PATCH] backport patch for fix CVE-2023-6277 issue
+
+---
+ libtiff/tif_dirread.c | 124 +++++++++++++++++++++---------------------
+ 1 file changed, 63 insertions(+), 61 deletions(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 2428257..ed88e80 100644
+--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
+@@ -865,20 +865,22 @@ static enum TIFFReadDirEntryErr TIFFReadDirEntryArrayWithLimit(
+ 	*count=(uint32_t)target_count64;
+ 	datasize=(*count)*typesize;
+ 	assert((tmsize_t)datasize>0);
+-
+-    /* Before allocating a huge amount of memory for corrupted files, check if
+-     * size of requested memory is not greater than file size.
+-     */
+-    uint64_t filesize = TIFFGetFileSize(tif);
+-    if (datasize > filesize)
+    if (datasize > 100 * 1024 * 1024)
+     {
+-        TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+-                        "Requested memory size for tag %d (0x%x) %" PRIu32
+-                        " is greather than filesize %" PRIu64
+-                        ". Memory not allocated, tag not read",
+-                        direntry->tdir_tag, direntry->tdir_tag, datasize,
+-                        filesize);
+-        return (TIFFReadDirEntryErrAlloc);
+        /* Before allocating a huge amount of memory for corrupted files, check
+         * if size of requested memory is not greater than file size.
+         */
+        const uint64_t filesize = TIFFGetFileSize(tif);
+        if (datasize > filesize) 
+        {
+            TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+                            "Requested memory size for tag %d (0x%x) %" PRIu32
+                            " is greather than filesize %" PRIu64
+                            ". Memory not allocated, tag not read",
+                            direntry->tdir_tag, direntry->tdir_tag, datasize,
+                            filesize);
+            return (TIFFReadDirEntryErrAlloc);
+        }
+     }
+ 
+     if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
+@@ -4607,18 +4609,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount)
+         if( !_TIFFFillStrilesInternal( tif, 0 ) )
+             return -1;
+ 
+-    /* Before allocating a huge amount of memory for corrupted files, check if
+-     * size of requested memory is not greater than file size. */
+-    uint64_t filesize = TIFFGetFileSize(tif);
+-    uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+-    if (allocsize > filesize)
+    const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+    uint64_t filesize = 0;
+    if (allocsize > 100 * 1024 * 1024)
+     {
+-        TIFFWarningExt(tif->tif_clientdata, module,
+-                        "Requested memory size for StripByteCounts of %" PRIu64
+-                        " is greather than filesize %" PRIu64
+-                        ". Memory not allocated",
+-                        allocsize, filesize);
+-        return -1;
+        /* Before allocating a huge amount of memory for corrupted files, check
+         * if size of requested memory is not greater than file size. */
+        filesize = TIFFGetFileSize(tif);
+        if (allocsize > filesize) 
+        {
+            TIFFWarningExt(tif->tif_clientdata, module,
+                "Requested memory size for StripByteCounts of %" PRIu64
+                " is greater than filesize %" PRIu64
+                ". Memory not allocated",
+                allocsize, filesize);
+            return -1;
+        }
+     }
+ 	if (td->td_stripbytecount_p)
+ 		_TIFFfree(td->td_stripbytecount_p);
+@@ -4664,6 +4670,8 @@ EstimateStripByteCounts(TIFF* tif, TIFFDirEntry* dir, uint16_t dircount)
+                             return -1;
+ 			space+=datasize;
+ 		}
+        if (filesize == 0)
+            filesize = TIFFGetFileSize(tif);
+ 		if( filesize < space )
+                     /* we should perhaps return in error ? */
+                     space = filesize;
+@@ -4938,20 +4946,7 @@ TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir,
+ 			dircount16 = (uint16_t)dircount64;
+ 			dirsize = 20;
+ 		}
+-        /* Before allocating a huge amount of memory for corrupted files, check
+-         * if size of requested memory is not greater than file size. */
+-        uint64_t filesize = TIFFGetFileSize(tif);
+-        uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+-        if (allocsize > filesize)
+-        {
+-            TIFFWarningExt(
+-                tif->tif_clientdata, module,
+-                "Requested memory size for TIFF directory of %" PRIu64
+-                " is greather than filesize %" PRIu64
+-                ". Memory not allocated, TIFF directory not read",
+-                allocsize, filesize);
+-            return 0;
+-        }
+
+ 		origdir = _TIFFCheckMalloc(tif, dircount16,
+ 		    dirsize, "to read TIFF directory");
+ 		if (origdir == NULL)
+@@ -5064,7 +5059,7 @@ TIFFFetchDirectory(TIFF* tif, uint64_t diroff, TIFFDirEntry** pdir,
+             TIFFWarningExt(
+                 tif->tif_clientdata, module,
+                 "Requested memory size for TIFF directory of %" PRIu64
+-                " is greather than filesize %" PRIu64
+                " is greater than filesize %" PRIu64
+                 ". Memory not allocated, TIFF directory not read",
+                 allocsize, filesize);
+             return 0;
+@@ -5908,19 +5903,23 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l
+ 			return(0);
+ 		}
+ 
+-        /* Before allocating a huge amount of memory for corrupted files, check
+-         * if size of requested memory is not greater than file size. */
+-        uint64_t filesize = TIFFGetFileSize(tif);
+-        uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+-        if (allocsize > filesize)
+        const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+        if (allocsize > 100 * 1024 * 1024)
+         {
+-            TIFFWarningExt(tif->tif_clientdata, module,
+-                            "Requested memory size for StripArray of %" PRIu64
+-                            " is greather than filesize %" PRIu64
+-                            ". Memory not allocated",
+-                            allocsize, filesize);
+-            _TIFFfree(data);
+-            return (0);
+            /* Before allocating a huge amount of memory for corrupted files,
+             * check if size of requested memory is not greater than file size.
+             */
+            const uint64_t filesize = TIFFGetFileSize(tif);
+            if (allocsize > filesize) 
+            {
+                TIFFWarningExt(tif->tif_clientdata, module,
+                    "Requested memory size for StripArray of %" PRIu64
+                    " is greater than filesize %" PRIu64
+                    ". Memory not allocated",
+                    allocsize, filesize);
+                _TIFFfree(data);
+                return (0);
+            }
+         }
+ 		resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
+ 		if (resizeddata==0) {
+@@ -6021,17 +6020,20 @@ static void allocChoppedUpStripArrays(TIFF* tif, uint32_t nstrips,
+      * size of StripByteCount and StripOffset tags is not greater than
+      * file size.
+      */
+-    uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+-    uint64_t filesize = TIFFGetFileSize(tif);
+-    if (allocsize > filesize)
+    const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+    if (allocsize > 100 * 1024 * 1024)
+     {
+-        TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+-                        "Requested memory size for StripByteCount and "
+-                        "StripOffsets %" PRIu64
+-                        " is greather than filesize %" PRIu64
+-                        ". Memory not allocated",
+-                        allocsize, filesize);
+-        return;
+        const uint64_t filesize = TIFFGetFileSize(tif);
+        if (allocsize > filesize)
+        {
+            TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+                            "Requested memory size for StripByteCount and "
+                            "StripOffsets %" PRIu64
+                            " is greater than filesize %" PRIu64
+                            ". Memory not allocated",
+                            allocsize, filesize);
+            return;
+        }
+     }
+     newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
+                                              "for chopped \"StripByteCounts\" array");
+-- 
+2.27.0
+
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,6 +1,6 @@
 Name:           libtiff
 Version:        4.3.0
-Release:        35
+Release:        36
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
@ -52,6 +52,7 @@ Patch6041:      backport-CVE-2023-6228.patch
 Patch9000:	fix-raw2tiff-floating-point-exception.patch
 Patch9001:	backport-0001-CVE-2023-6277.patch
 Patch9002:	backport-0002-CVE-2023-6277.patch
+Patch9003:	backport-0003-CVE-2023-6277.patch


 BuildRequires:  gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
@ -173,6 +174,9 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html

 %changelog
+* Wed Nov 29 2023 liningjie <liningjie@xfusion.com> - 4.3.0-36
+- backport patch for fix CVE-2023-6277 issue
+
 * Sat Nov 25 2023 liningjie <liningjie@xfusion.com> - 4.3.0-35
 - fix CVE-2023-6277