From 3d2e462e6b6b3a636b7f59f16e45240eb40d00372117626e7e5dc2c4e114a77b Mon Sep 17 00:00:00 2001
From: Michael Vetter <jubalh@iodoru.org>
Date: Fri, 26 Jan 2024 10:24:28 +0000
Subject: [PATCH] - security update:   * CVE-2023-52356 [bsc#1219213]     Fix
 segfault in TIFFReadRGBATileExt()     + tiff-CVE-2023-52356.patch

OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=178
---
 tiff-CVE-2023-52356.patch | 33 +++++++++++++++++++++++++++++++++
 tiff.changes              |  8 ++++++++
 tiff.spec                 |  3 ++-
 3 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 tiff-CVE-2023-52356.patch

diff --git a/tiff-CVE-2023-52356.patch b/tiff-CVE-2023-52356.patch
new file mode 100644
index 0000000..dc5ba6f
--- /dev/null
+++ b/tiff-CVE-2023-52356.patch
@@ -0,0 +1,33 @@
+Index: tiff-4.6.0/libtiff/tif_getimage.c
+===================================================================
+--- tiff-4.6.0.orig/libtiff/tif_getimage.c
++++ tiff-4.6.0/libtiff/tif_getimage.c
+@@ -3224,6 +3224,13 @@ int TIFFReadRGBAStripExt(TIFF *tif, uint
+     if (TIFFRGBAImageOK(tif, emsg) &&
+         TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg))
+     {
++		if (row >= img.height)
++        {
++            TIFFErrorExtR(tif, TIFFFileName(tif),
++                          "Invalid row passed to TIFFReadRGBAStrip().");
++            TIFFRGBAImageEnd(&img);
++            return (0);
++        }
+ 
+         img.row_offset = row;
+         img.col_offset = 0;
+@@ -3301,6 +3308,14 @@ int TIFFReadRGBATileExt(TIFF *tif, uint3
+         return (0);
+     }
+ 
++	if (col >= img.width || row >= img.height)
++    {
++        TIFFErrorExtR(tif, TIFFFileName(tif),
++                      "Invalid row/col passed to TIFFReadRGBATile().");
++        TIFFRGBAImageEnd(&img);
++        return (0);
++    }
++
+     /*
+      * The TIFFRGBAImageGet() function doesn't allow us to get off the
+      * edge of the image, even to fill an otherwise valid tile.  So we
diff --git a/tiff.changes b/tiff.changes
index 47813a1..ab0033b 100644
--- a/tiff.changes
+++ b/tiff.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Jan 26 09:59:33 UTC 2024 - Michael Vetter <mvetter@suse.com>
+
+- security update:
+  * CVE-2023-52356 [bsc#1219213]
+    Fix segfault in TIFFReadRGBATileExt()
+    + tiff-CVE-2023-52356.patch
+
 -------------------------------------------------------------------
 Fri Sep 15 05:55:34 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
 
diff --git a/tiff.spec b/tiff.spec
index d65b345..df26871 100644
--- a/tiff.spec
+++ b/tiff.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package tiff
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -31,6 +31,7 @@ Source2:        README.SUSE
 Source3:        baselibs.conf
 Source99:       tiff.keyring
 Patch0:         tiff-4.0.3-seek.patch
+Patch1:         tiff-CVE-2023-52356.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libjbig-devel
 BuildRequires:  libjpeg-devel