b69ad69187
* CVE-2022-0907 [bsc#1197070] + tiff-CVE-2022-0907.patch - security update * CVE-2022-0561 [bsc#1195964] + tiff-CVE-2022-0561.patch * CVE-2022-0562 [bsc#1195965] + tiff-CVE-2022-0562.patch * CVE-2022-0865 [bsc#1197066] + tiff-CVE-2022-0865.patch * CVE-2022-0909 [bsc#1197072] + tiff-CVE-2022-0909.patch * CVE-2022-0924 [bsc#1197073] + tiff-CVE-2022-0924.patch * CVE-2022-0908 [bsc#1197074] + tiff-CVE-2022-0908.patch OBS-URL: https://build.opensuse.org/package/show/graphics/tiff?expand=0&rev=150
54 lines
1.7 KiB
Diff
54 lines
1.7 KiB
Diff
From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001
|
|
From: 4ugustus <wangdw.augustus@qq.com>
|
|
Date: Thu, 10 Mar 2022 08:48:00 +0000
|
|
Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
|
|
|
|
---
|
|
tools/tiffcp.c | 17 ++++++++++++++++-
|
|
1 file changed, 16 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
|
|
index 224583e0..aa32b118 100644
|
|
--- a/tools/tiffcp.c
|
|
+++ b/tools/tiffcp.c
|
|
@@ -1667,12 +1667,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
|
|
tdata_t obuf;
|
|
tstrip_t strip = 0;
|
|
tsample_t s;
|
|
+ uint16_t bps = 0, bytes_per_sample;
|
|
|
|
obuf = limitMalloc(stripsize);
|
|
if (obuf == NULL)
|
|
return (0);
|
|
_TIFFmemset(obuf, 0, stripsize);
|
|
(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
|
|
+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
|
|
+ if( bps == 0 )
|
|
+ {
|
|
+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
|
|
+ _TIFFfree(obuf);
|
|
+ return 0;
|
|
+ }
|
|
+ if( (bps % 8) != 0 )
|
|
+ {
|
|
+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
|
|
+ _TIFFfree(obuf);
|
|
+ return 0;
|
|
+ }
|
|
+ bytes_per_sample = bps/8;
|
|
for (s = 0; s < spp; s++) {
|
|
uint32_t row;
|
|
for (row = 0; row < imagelength; row += rowsperstrip) {
|
|
@@ -1682,7 +1697,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
|
|
|
|
cpContigBufToSeparateBuf(
|
|
obuf, (uint8_t*) buf + row * rowsize + s,
|
|
- nrows, imagewidth, 0, 0, spp, 1);
|
|
+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
|
|
if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
|
|
TIFFError(TIFFFileName(out),
|
|
"Error, can't write strip %"PRIu32,
|
|
--
|
|
GitLab
|
|
|