File tiff-CVE-2022-2056,CVE-2022-2057,CVE-2022-2058.... of Package tiff

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-CVE-2022-2056,CVE-2022-2057,CVE-2022-2058.patch of Package tiff (Revision edc273f0f88f964fef441b383faaa028)

Currently displaying revision edc273f0f88f964fef441b383faaa028 , Show latest

Index: tiff-4.0.9/libtiff/tif_aux.c
===================================================================
--- tiff-4.0.9.orig/libtiff/tif_aux.c
+++ tiff-4.0.9/libtiff/tif_aux.c
@@ -398,6 +398,15 @@ _TIFFUInt64ToDouble(uint64 ui64)
 	}
 }
 
+uint32 _TIFFClampDoubleToUInt32(double val)
+{
+    if( val < 0 )
+        return 0;
+    if( val > 0xFFFFFFFFU || val != val )
+        return 0xFFFFFFFFU;
+    return (uint32)val;
+}
+
 int _TIFFSeekOK(TIFF* tif, toff_t off)
 {
     /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
Index: tiff-4.0.9/libtiff/tiffiop.h
===================================================================
--- tiff-4.0.9.orig/libtiff/tiffiop.h
+++ tiff-4.0.9/libtiff/tiffiop.h
@@ -376,6 +376,8 @@ extern void* _TIFFCheckRealloc(TIFF*, vo
 extern double _TIFFUInt64ToDouble(uint64);
 extern float _TIFFUInt64ToFloat(uint64);
 
+extern uint32 _TIFFClampDoubleToUInt32(double);
+
 extern tmsize_t
 _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32 strip,
                                     void **buf, tmsize_t bufsizetoalloc,
Index: tiff-4.0.9/tools/tiffcrop.c
===================================================================
--- tiff-4.0.9.orig/tools/tiffcrop.c
+++ tiff-4.0.9/tools/tiffcrop.c
@@ -5145,17 +5145,17 @@ computeInputPixelOffsets(struct crop_mas
       {
       if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
         {
-	x1 = (uint32) (crop->corners[i].X1 * scale * xres);
-	x2 = (uint32) (crop->corners[i].X2 * scale * xres);
-	y1 = (uint32) (crop->corners[i].Y1 * scale * yres);
-	y2 = (uint32) (crop->corners[i].Y2 * scale * yres);
+        x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
+	x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
+	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
+	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
         }
       else
         {
-	x1 = (uint32) (crop->corners[i].X1);
-	x2 = (uint32) (crop->corners[i].X2);
-	y1 = (uint32) (crop->corners[i].Y1);
-	y2 = (uint32) (crop->corners[i].Y2);       
+        x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
+	x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
+	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
 	}
       if (x1 < 1)
         crop->regionlist[i].x1 = 0;
@@ -5218,17 +5218,17 @@ computeInputPixelOffsets(struct crop_mas
     {
     if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
       { /* User has specified pixels as reference unit */
-      tmargin = (uint32)(crop->margins[0]);
-      lmargin = (uint32)(crop->margins[1]);
-      bmargin = (uint32)(crop->margins[2]);
-      rmargin = (uint32)(crop->margins[3]);
+      tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
+      lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
+      bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
+      rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
       }
     else
       { /* inches or centimeters specified */
-      tmargin = (uint32)(crop->margins[0] * scale * yres);
-      lmargin = (uint32)(crop->margins[1] * scale * xres);
-      bmargin = (uint32)(crop->margins[2] * scale * yres);
-      rmargin = (uint32)(crop->margins[3] * scale * xres);
+      tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
+      lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
+      bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
+      rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
       }
 
     if ((lmargin + rmargin) > image->width)
@@ -5258,24 +5258,24 @@ computeInputPixelOffsets(struct crop_mas
   if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
     {
     if (crop->crop_mode & CROP_WIDTH)
-      width = (uint32)crop->width;
+      width = _TIFFClampDoubleToUInt32(crop->width);
     else
       width = image->width - lmargin - rmargin;
 
     if (crop->crop_mode & CROP_LENGTH)
-      length  = (uint32)crop->length;
+      length  = _TIFFClampDoubleToUInt32(crop->length);
     else
       length = image->length - tmargin - bmargin;
     }
   else
     {
     if (crop->crop_mode & CROP_WIDTH)
-      width = (uint32)(crop->width * scale * image->xres);
+      width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
     else
       width = image->width - lmargin - rmargin;
 
     if (crop->crop_mode & CROP_LENGTH)
-      length  = (uint32)(crop->length * scale * image->yres);
+      length  = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
     else
       length = image->length - tmargin - bmargin;
     }
@@ -5674,13 +5674,13 @@ computeOutputPixelOffsets (struct crop_m
     {
     if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
       { /* inches or centimeters specified */
-      hmargin = (uint32)(page->hmargin * scale * page->hres * ((image->bps + 7)/ 8));
-      vmargin = (uint32)(page->vmargin * scale * page->vres * ((image->bps + 7)/ 8));
+      hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
+      vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
       }
     else
       { /* Otherwise user has specified pixels as reference unit */
-      hmargin = (uint32)(page->hmargin * scale * ((image->bps + 7)/ 8));
-      vmargin = (uint32)(page->vmargin * scale * ((image->bps + 7)/ 8));
+      hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
+      vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
       }
 
     if ((hmargin * 2.0) > (pwidth * page->hres))
@@ -5718,13 +5718,13 @@ computeOutputPixelOffsets (struct crop_m
     {
     if (page->mode & PAGE_MODE_PAPERSIZE )
       {
-      owidth  = (uint32)((pwidth * page->hres) - (hmargin * 2));
-      olength = (uint32)((plength * page->vres) - (vmargin * 2));
+      owidth  = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
+      olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
       }
     else
       {
-      owidth = (uint32)(iwidth - (hmargin * 2 * page->hres));
-      olength = (uint32)(ilength - (vmargin * 2 * page->vres));
+      owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
+      olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
       }
     }
 
@@ -5733,6 +5733,12 @@ computeOutputPixelOffsets (struct crop_m
   if (olength > ilength)
     olength = ilength;
 
+  if (owidth == 0 || olength == 0)
+  {
+    TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
+    exit(EXIT_FAILURE);
+  }
+
   /* Compute the number of pages required for Portrait or Landscape */
   switch (page->orient)
     {
Index: tiff-4.0.9/libtiff/libtiff.def
===================================================================
--- tiff-4.0.9.orig/libtiff/libtiff.def
+++ tiff-4.0.9/libtiff/libtiff.def
@@ -157,6 +157,7 @@ EXPORTS	TIFFAccessTagMethods
 	TIFFYCbCrtoRGB
 	_TIFFCheckMalloc
 	_TIFFCheckRealloc
+        _TIFFClampDoubleToUInt32
 	_TIFFRewriteField
 	_TIFFfree
 	_TIFFmalloc

Places

File tiff-CVE-2022-2056,CVE-2022-2057,CVE-2022-2058.patch of Package tiff (Revision edc273f0f88f964fef441b383faaa028)

Places