Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
tiff.34105
tiff-CVE-2023-1916.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tiff-CVE-2023-1916.patch of Package tiff.34105
https://gitlab.com/libtiff/libtiff/-/merge_requests/535 Index: tiff-4.0.9/tools/tiffcrop.c =================================================================== --- tiff-4.0.9.orig/tools/tiffcrop.c +++ tiff-4.0.9/tools/tiffcrop.c @@ -5590,6 +5590,15 @@ getCropOffsets(struct image_data *image, crop->combined_width += (uint32)zwidth; else crop->combined_width = (uint32)zwidth; + + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ + if (((crop->rotation == 90) || (crop->rotation == 270)) + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) + { + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); + return -1; + } + break; case EDGE_BOTTOM: /* width from left, zones from bottom to top */ zwidth = offsets.crop_width; @@ -5619,7 +5628,16 @@ getCropOffsets(struct image_data *image, crop->combined_length += (uint32)zlength; else crop->combined_length = (uint32)zlength; - crop->combined_width = (uint32)zwidth; + crop->combined_width = (uint32)zwidth; + + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ + if (((crop->rotation == 90) || (crop->rotation == 270)) + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) + { + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); + return -1; + } + break; case EDGE_RIGHT: /* zones from right to left, length from top */ zlength = offsets.crop_length; @@ -5647,6 +5665,15 @@ getCropOffsets(struct image_data *image, crop->combined_width += (uint32)zwidth; else crop->combined_width = (uint32)zwidth; + + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ + if (((crop->rotation == 90) || (crop->rotation == 270)) + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) + { + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); + return -1; + } + break; case EDGE_TOP: /* width from left, zones from top to bottom */ default: @@ -5671,10 +5698,19 @@ getCropOffsets(struct image_data *image, if (crop->exp_mode == COMPOSITE_IMAGES) crop->combined_length += (uint32)zlength; else - crop->combined_length = (uint32)zlength; - crop->combined_width = (uint32)zwidth; - break; - } /* end switch statement */ + crop->combined_length = (uint32)zlength; + crop->combined_width = (uint32)zwidth; + + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ + if (((crop->rotation == 90) || (crop->rotation == 270)) + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) + { + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); + return -1; + } + + break; + } /* end switch statement */ buffsize = (uint32) ((((zwidth * image->bps * image->spp) + 7 ) / 8) * (zlength + 1)); @@ -6870,9 +6906,9 @@ extractImageSection(struct image_data *i * regardless of the way the data are organized in the input file. * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 */ - img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ - full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ - trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ + img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ + full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ + trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ #ifdef DEVELMODE TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n", @@ -6899,13 +6935,14 @@ extractImageSection(struct image_data *i } } else - { /* bps != 8 */ - shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ + { /* bps != 8 */ + shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/ for (row = first_row; row <= last_row; row++) { /* pull out the first byte */ row_offset = row * img_rowsize; - offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte with first bits to be extracted */ + offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte + with first bits to be extracted */ #ifdef DEVELMODE for (j = 0, k = 7; j < 8; j++, k--) @@ -7859,7 +7896,7 @@ createCroppedImage(struct image_data *im } if (crop_buff == read_buff) /* we used the read buffer for the crop buffer */ - *read_buff_ptr = NULL; /* so we don't try to free it later */ + *read_buff_ptr = NULL; /* so we don't try to free it later */ return (0); } /* end createCroppedImage */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor