File tiff-CVE-2022-3598,3570.patch of Package tiff

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-CVE-2022-3598,3570.patch of Package tiff (Revision 113fc44428fb6ee709efb70e46d4db58)

Currently displaying revision 113fc44428fb6ee709efb70e46d4db58 , Show latest

--- tiff-4.0.9/man/tiffcrop.1	2022-11-17 08:28:10.110681393 +0100
+++ tiff-4.0.9/man/tiffcrop.1	2022-11-17 09:14:34.552680320 +0100
@@ -352,6 +352,10 @@
 .B \-i
 Ignore non\-fatal read errors and continue processing of the input file.
 .TP 
+.B "\-k size"
+Set maximum memory allocation size (in MiB). The default is 256MiB.
+Set to 0 to disable the limit.
+.TP 
 .B \-l
 Specify the length of a tile (in pixels).
 .I Tiffcrop
--- tiff-4.0.9/tools/tiffcrop.c	2022-11-17 08:28:09.974680521 +0100
+++ tiff-4.0.9/tools/tiffcrop.c	2022-11-17 09:23:28.028284215 +0100
@@ -219,6 +219,10 @@
 
 #define TIFF_DIR_MAX  65534
 
+/* Some conversion subroutines require image buffers, which are at least 3 bytes
+ * larger than the necessary size for the image itself. */
+#define NUM_BUFF_OVERSIZE_BYTES   3
+
 /* Offsets into buffer for margins and fixed width and length segments */
 struct offset {
   uint32  tmargin;
@@ -240,7 +244,7 @@
  */
 
 struct  buffinfo {
-  uint32 size;           /* size of this buffer */
+  size_t size;           /* size of this buffer */
   unsigned char *buffer; /* address of the allocated buffer */
 };
 
@@ -340,7 +344,7 @@
 /* European page sizes corrected from update sent by 
  * thomas . jarosch @ intra2net . com on 5/7/2010
  * Paper Size       Width   Length  Aspect Ratio */
-struct paperdef PaperTable[MAX_PAPERNAMES] = {
+const struct paperdef PaperTable[MAX_PAPERNAMES] = {
   {"default",         8.500,  14.000,  0.607},
   {"pa4",             8.264,  11.000,  0.751},
   {"letter",          8.500,  11.000,  0.773},
@@ -624,6 +628,27 @@
 /* Functions derived in whole or in part from tiffcp */
 /* The following functions are taken largely intact from tiffcp */
 
+#define DEFAULT_MAX_MALLOC (256 * 1024 * 1024)
+
+/* malloc size limit (in bytes)
+ * disabled when set to 0 */
+static tmsize_t maxMalloc = DEFAULT_MAX_MALLOC;
+
+/**
+ * This custom malloc function enforce a maximum allocation size
+ */
+static void* limitMalloc(tmsize_t s)
+{
+  if (maxMalloc && (s > maxMalloc)) {
+    fprintf(stderr, "MemoryLimitError: allocation of " TIFF_UINT64_FORMAT " bytes is forbidden. Limit is " TIFF_UINT64_FORMAT ".\n",
+            (uint64)s, (uint64)maxMalloc);
+    fprintf(stderr, "                  use -k option to change limit.\n"); return NULL;
+  }
+  return _TIFFmalloc(s);
+}
+
+
+
 static   char* usage_info[] = {
 "usage: tiffcrop [options] source1 ... sourceN  destination",
 "where options are:",
@@ -637,6 +662,7 @@
 " -s		Write output in strips",
 " -t		Write output in tiles",
 " -i		Ignore read errors",
+" -k size       set the memory allocation limit in MiB. 0 to disable limit",
 " ",
 " -r #		Make each strip have no more than # rows",
 " -w #		Set output tile width (pixels)",
@@ -783,8 +809,8 @@
   uint32 dst_rowsize, shift_width;
   uint32 bytes_per_sample, bytes_per_pixel;
   uint32 trailing_bits, prev_trailing_bits;
-  uint32 tile_rowsize  = TIFFTileRowSize(in);
-  uint32 src_offset, dst_offset;
+  tmsize_t tile_rowsize  = TIFFTileRowSize(in);
+  tmsize_t src_offset, dst_offset;
   uint32 row_offset, col_offset;
   uint8 *bufp = (uint8*) buf;
   unsigned char *src = NULL;
@@ -834,7 +860,7 @@
       TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
       exit(-1);
   }
-  tilebuf = _TIFFmalloc(tile_buffsize + 3);
+  tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
   if (tilebuf == 0)
     return 0;
   tilebuf[tile_buffsize] = 0;
@@ -998,7 +1024,7 @@
   for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++)
     {
     srcbuffs[sample] = NULL;
-    tbuff = (unsigned char *)_TIFFmalloc(tilesize + 8);
+    tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES);
     if (!tbuff)
       {
       TIFFError ("readSeparateTilesIntoBuffer", 
@@ -1193,7 +1219,8 @@
   }
   rowstripsize = rowsperstrip * bytes_per_sample * (width + 1); 
 
-  obuf = _TIFFmalloc (rowstripsize);
+  /* Add 3 padding bytes for extractContigSamples32bits */
+  obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
   if (obuf == NULL)
     return 1;
   
@@ -1206,7 +1233,7 @@
       stripsize = TIFFVStripSize(out, nrows);
       src = buf + (row * rowsize);
       total_bytes += stripsize;
-      memset (obuf, '\0', rowstripsize);
+      memset (obuf, '\0', rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
       if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump))
         {
         _TIFFfree(obuf);
@@ -1214,10 +1241,15 @@
 	}
       if ((dump->outfile != NULL) && (dump->level == 1))
         {
+          if (scanlinesize > 0x0ffffffffULL) {
+              dump_info(dump->infile, dump->format, "loadImage",
+                  "Attention: scanlinesize %lu is larger than UINT32_MAX.\nFollowing dump might be wrong.",
+                  scanlinesize);
+          }
         dump_info(dump->outfile, dump->format,"", 
                   "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d", 
-                  s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf);
-        dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf);
+                  s + 1, strip + 1, stripsize, row + 1, (uint32)scanlinesize, src - buf);
+        dump_buffer(dump->outfile, dump->format, nrows, (uint32)scanlinesize, row, obuf);
 	}
 
       if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0)
@@ -1244,7 +1276,7 @@
   uint32 tl, tw;
   uint32 row, col, nrow, ncol;
   uint32 src_rowsize, col_offset;
-  uint32 tile_rowsize  = TIFFTileRowSize(out);
+  tmsize_t tile_rowsize  = TIFFTileRowSize(out);
   uint8* bufp = (uint8*) buf;
   tsize_t tile_buffsize = 0;
   tsize_t tilesize = TIFFTileSize(out);
@@ -1287,9 +1319,11 @@
   }
   src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
 
-  tilebuf = _TIFFmalloc(tile_buffsize);
+  /* Add 3 padding bytes for extractContigSamples32bits */
+  tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
   if (tilebuf == 0)
     return 1;
+  memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
   for (row = 0; row < imagelength; row += tl)
     {
     nrow = (row + tl > imagelength) ? imagelength - row : tl;
@@ -1335,7 +1369,8 @@
 				       uint32 imagewidth, tsample_t spp, 
                                        struct dump_opts * dump)
   {
-  tdata_t obuf = _TIFFmalloc(TIFFTileSize(out));
+  /* Add 3 padding bytes for extractContigSamples32bits */
+  tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
   uint32 tl, tw;
   uint32 row, col, nrow, ncol;
   uint32 src_rowsize, col_offset;
@@ -1345,6 +1380,7 @@
 
   if (obuf == NULL)
     return 1;
+  memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
 
   TIFFGetField(out, TIFFTAG_TILELENGTH, &tl);
   TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw);
@@ -1623,7 +1659,7 @@
     *mp++ = 'w';
     *mp = '\0';
     while ((c = getopt(argc, argv,
-       "ac:d:e:f:hil:m:p:r:stvw:z:BCD:E:F:H:I:J:K:LMN:O:P:R:S:U:V:X:Y:Z:")) != -1)
+       "ac:d:e:f:hik:l:m:p:r:stvw:z:BCD:E:F:H:I:J:K:LMN:O:P:R:S:U:V:X:Y:Z:")) != -1)
       {
     good_args++;
     switch (c) {
@@ -1682,6 +1718,8 @@
 		break;
       case 'i':	ignore = TRUE;		/* ignore errors */
 		break;
+      case 'k':	maxMalloc = (tmsize_t)strtoul(optarg, NULL, 0) << 20;
+		break;
       case 'l':	outtiled = TRUE;	 /* tile length */
 		*deftilelength = atoi(optarg);
 		break;
@@ -1766,14 +1804,14 @@
                       
                     *opt_offset = '\0';
                     /* convert option to lowercase */
-                    end = strlen (opt_ptr);
+                    end = (unsigned int)strlen (opt_ptr);
                     for (i = 0; i < end; i++)
                       *(opt_ptr + i) = tolower((int) *(opt_ptr + i));
                     /* Look for dump format specification */
                     if (strncmp(opt_ptr, "for", 3) == 0)
                       {
 		      /* convert value to lowercase */
-                      end = strlen (opt_offset + 1);
+                      end = (unsigned int)strlen (opt_offset + 1);
                       for (i = 1; i <= end; i++)
                         *(opt_offset + i) = tolower((int) *(opt_offset + i));
                       /* check dump format value */
@@ -2243,6 +2281,8 @@
   int    seg, length;
   char   temp_filename[PATH_MAX + 1];
 
+  assert(NUM_BUFF_OVERSIZE_BYTES >= 3);
+
   little_endian = *((unsigned char *)&little_endian) & '1';
 
   initImageData(&image);
@@ -3146,13 +3186,13 @@
       /* If we have a full buffer's worth, write it out */
       if (ready_bits >= 32)
         {
-        bytebuff1 = (buff2 >> 56);
+        bytebuff1 = (uint8_t)(buff2 >> 56);
         *dst++ = bytebuff1;
-        bytebuff2 = (buff2 >> 48);
+        bytebuff2 = (uint8_t)(buff2 >> 48);
         *dst++ = bytebuff2;
-        bytebuff3 = (buff2 >> 40);
+        bytebuff3 = (uint8_t)(buff2 >> 40);
         *dst++ = bytebuff3;
-        bytebuff4 = (buff2 >> 32);
+        bytebuff4 = (uint8_t)(buff2 >> 32);
         *dst++ = bytebuff4;
         ready_bits -= 32;
                     
@@ -3527,13 +3567,13 @@
         }
       else  /* If we have a full buffer's worth, write it out */
         {
-        bytebuff1 = (buff2 >> 56);
+        bytebuff1 = (uint8_t)(buff2 >> 56);
         *dst++ = bytebuff1;
-        bytebuff2 = (buff2 >> 48);
+        bytebuff2 = (uint8_t)(buff2 >> 48);
         *dst++ = bytebuff2;
-        bytebuff3 = (buff2 >> 40);
+        bytebuff3 = (uint8_t)(buff2 >> 40);
         *dst++ = bytebuff3;
-        bytebuff4 = (buff2 >> 32);
+        bytebuff4 = (uint8_t)(buff2 >> 32);
         *dst++ = bytebuff4;
         ready_bits -= 32;
                     
@@ -3710,10 +3750,10 @@
 static int readContigStripsIntoBuffer (TIFF* in, uint8* buf)
 {
         uint8* bufp = buf;
-        int32  bytes_read = 0;
+        tmsize_t  bytes_read = 0;
         uint32 strip, nstrips   = TIFFNumberOfStrips(in);
-        uint32 stripsize = TIFFStripSize(in);
-        uint32 rows = 0;
+        tmsize_t stripsize = TIFFStripSize(in);
+        tmsize_t rows = 0;
         uint32 rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
         tsize_t scanline_size = TIFFScanlineSize(in);
 
@@ -4196,13 +4236,13 @@
 	/* If we have a full buffer's worth, write it out */
 	if (ready_bits >= 32)
 	  {
-	  bytebuff1 = (buff2 >> 56);
+	  bytebuff1 = (uint8_t)(buff2 >> 56);
 	  *dst++ = bytebuff1;
-	  bytebuff2 = (buff2 >> 48);
+	  bytebuff2 = (uint8_t)(buff2 >> 48);
 	  *dst++ = bytebuff2;
-	  bytebuff3 = (buff2 >> 40);
+	  bytebuff3 = (uint8_t)(buff2 >> 40);
 	  *dst++ = bytebuff3;
-	  bytebuff4 = (buff2 >> 32);
+	  bytebuff4 = (uint8_t)(buff2 >> 32);
 	  *dst++ = bytebuff4;
 	  ready_bits -= 32;
                     
@@ -4245,10 +4285,10 @@
 	         "Row %3d, Col %3d, Src byte offset %3d  bit offset %2d  Dst offset %3d",
 		 row + 1, col + 1, src_byte, src_bit, dst - out);
 
-      dump_long (dumpfile, format, "Match bits ", matchbits);
+      dump_wide (dumpfile, format, "Match bits ", matchbits);
       dump_data (dumpfile, format, "Src   bits ", src, 4);
-      dump_long (dumpfile, format, "Buff1 bits ", buff1);
-      dump_long (dumpfile, format, "Buff2 bits ", buff2);
+      dump_wide (dumpfile, format, "Buff1 bits ", buff1);
+      dump_wide (dumpfile, format, "Buff2 bits ", buff2);
       dump_byte (dumpfile, format, "Write bits1", bytebuff1);
       dump_byte (dumpfile, format, "Write bits2", bytebuff2);
       dump_info (dumpfile, format, "", "Ready bits:  %2d", ready_bits); 
@@ -4721,13 +4761,13 @@
 	/* If we have a full buffer's worth, write it out */
 	if (ready_bits >= 32)
 	  {
-	  bytebuff1 = (buff2 >> 56);
+	  bytebuff1 = (uint8_t)(buff2 >> 56);
 	  *dst++ = bytebuff1;
-	  bytebuff2 = (buff2 >> 48);
+	  bytebuff2 = (uint8_t)(buff2 >> 48);
 	  *dst++ = bytebuff2;
-	  bytebuff3 = (buff2 >> 40);
+	  bytebuff3 = (uint8_t)(buff2 >> 40);
 	  *dst++ = bytebuff3;
-	  bytebuff4 = (buff2 >> 32);
+	  bytebuff4 = (uint8_t)(buff2 >> 32);
 	  *dst++ = bytebuff4;
 	  ready_bits -= 32;
                     
@@ -4770,10 +4810,10 @@
 	         "Row %3d, Col %3d, Src byte offset %3d  bit offset %2d  Dst offset %3d",
 		 row + 1, col + 1, src_byte, src_bit, dst - out);
 
-      dump_long (dumpfile, format, "Match bits ", matchbits);
+      dump_wide (dumpfile, format, "Match bits ", matchbits);
       dump_data (dumpfile, format, "Src   bits ", src, 4);
-      dump_long (dumpfile, format, "Buff1 bits ", buff1);
-      dump_long (dumpfile, format, "Buff2 bits ", buff2);
+      dump_wide (dumpfile, format, "Buff1 bits ", buff1);
+      dump_wide (dumpfile, format, "Buff2 bits ", buff2);
       dump_byte (dumpfile, format, "Write bits1", bytebuff1);
       dump_byte (dumpfile, format, "Write bits2", bytebuff2);
       dump_info (dumpfile, format, "", "Ready bits:  %2d", ready_bits); 
@@ -4796,7 +4836,7 @@
   {
   int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
   uint32 j;
-  int32  bytes_read = 0;
+  tmsize_t  bytes_read = 0;
   uint16 bps = 0, planar;
   uint32 nstrips;
   uint32 strips_per_sample;
@@ -4862,7 +4902,7 @@
   for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
     {
     srcbuffs[s] = NULL;
-    buff = _TIFFmalloc(stripsize + 3);
+    buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES);
     if (!buff)
       {
       TIFFError ("readSeparateStripsIntoBuffer", 
@@ -4885,7 +4925,7 @@
       buff = srcbuffs[s];
       strip = (s * strips_per_sample) + j; 
       bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
-      rows_this_strip = bytes_read / src_rowsize;
+      rows_this_strip = (uint32)(bytes_read / src_rowsize);
       if (bytes_read < 0 && !ignore)
         {
         TIFFError(TIFFFileName(in),
@@ -5872,13 +5912,14 @@
   uint16   input_compression = 0, input_photometric = 0;
   uint16   subsampling_horiz, subsampling_vert;
   uint32   width = 0, length = 0;
-  uint32   stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0;
+  tmsize_t   stsize = 0, tlsize = 0, buffsize = 0;
+  tmsize_t   scanlinesize = 0;
   uint32   tw = 0, tl = 0;       /* Tile width and length */
-  uint32   tile_rowsize = 0;
+  tmsize_t   tile_rowsize = 0;
   unsigned char *read_buff = NULL;
   unsigned char *new_buff  = NULL;
   int      readunit = 0;
-  static   uint32  prev_readsize = 0;
+  static   tmsize_t  prev_readsize = 0;
 
   TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
   TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -6132,9 +6173,15 @@
 	TIFFError("loadImage", "Integer overflow detected.");
 	exit(-1);
     }
-    if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
+    /* The buffsize_check and the possible adaptation of buffsize 
+     * has to account also for padding of each line to a byte boundary. 
+     * This is assumed by mirrorImage() and rotateImage().
+     * Otherwise buffer-overflow might occur there.
+     */
+    buffsize_check = length * (uint32)(((width * spp * bps) + 7) / 8);
+    if (buffsize < buffsize_check)
       {
-      buffsize =  ((length * width * spp * bps) + 7) / 8;
+      buffsize = buffsize_check;
 #ifdef DEBUG2
       TIFFError("loadImage",
 	        "Stripsize %u is too small, using imagelength * width * spp * bps / 8 = %lu",
@@ -6180,7 +6227,7 @@
         TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
         return (-1);
     }
-    read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
+    read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
   }
   else
     {
@@ -6191,11 +6238,11 @@
           TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
           return (-1);
       }
-      new_buff = _TIFFrealloc(read_buff, buffsize+3);
+      new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
       if (!new_buff)
         {
 	free (read_buff);
-        read_buff = (unsigned char *)_TIFFmalloc(buffsize+3);
+        read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
         }
       else
         read_buff = new_buff;
@@ -6268,8 +6315,13 @@
     dump_info  (dump->infile, dump->format, "", 
                 "Bits per sample %d, Samples per pixel %d", bps, spp);
 
+    if (scanlinesize > 0x0ffffffffULL) {
+        dump_info(dump->infile, dump->format, "loadImage",
+            "Attention: scanlinesize %lu is larger than UINT32_MAX.\nFollowing dump might be wrong.",
+            scanlinesize);
+    }
     for (i = 0; i < length; i++)
-      dump_buffer(dump->infile, dump->format, 1, scanlinesize, 
+      dump_buffer(dump->infile, dump->format, 1, (uint32)scanlinesize, 
                   i, read_buff + (i * scanlinesize));
     }
   return (0);
@@ -7289,13 +7341,13 @@
      if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
        TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
        if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
-	 int inknameslen = strlen(inknames) + 1;
+	 int inknameslen = (int)strlen(inknames) + 1;
 	 const char* cp = inknames;
 	 while (ninks > 1) {
 	   cp = strchr(cp, '\0');
 	   if (cp) {
 	     cp++;
-	     inknameslen += (strlen(cp) + 1);
+	     inknameslen += ((int)strlen(cp) + 1);
 	   }
 	   ninks--;
          }
@@ -7358,32 +7410,36 @@
 
   if (!sect_buff)
     {
-    sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
-    *sect_buff_ptr = sect_buff;
+    sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
+    if (!sect_buff)
+    {
+        TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+        return (-1);
+    }
     _TIFFmemset(sect_buff, 0, sectsize);
     }
   else
     {
-    if (prev_sectsize < sectsize)
+    if (prev_sectsize < sectsize + NUM_BUFF_OVERSIZE_BYTES)
       {
-      new_buff = _TIFFrealloc(sect_buff, sectsize);
+      new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES);
       if (!new_buff)
         {
-	free (sect_buff);
-        sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
+          _TIFFfree (sect_buff);
+        sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
         }
       else
         sect_buff = new_buff;
 
-      _TIFFmemset(sect_buff, 0, sectsize);
-      }
-    }
-
   if (!sect_buff)
     {
     TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
     return (-1);
     }
+      _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
+      }
+    }
+
   prev_sectsize = sectsize;
   *sect_buff_ptr = sect_buff;
 
@@ -7411,17 +7467,17 @@
     cropsize = crop->bufftotal;
     crop_buff = seg_buffs[0].buffer; 
     if (!crop_buff)
-      crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
+      crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
     else
       {
       prev_cropsize = seg_buffs[0].size;
       if (prev_cropsize < cropsize)
         {
-        next_buff = _TIFFrealloc(crop_buff, cropsize);
+        next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
         if (! next_buff)
           {
           _TIFFfree (crop_buff);
-          crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
+          crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
           }
         else
           crop_buff = next_buff;
@@ -7434,7 +7490,7 @@
       return (-1);
       }
  
-    _TIFFmemset(crop_buff, 0, cropsize);
+    _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
     seg_buffs[0].buffer = crop_buff;
     seg_buffs[0].size = cropsize;
 
@@ -7513,17 +7569,17 @@
       cropsize = crop->bufftotal;
       crop_buff = seg_buffs[i].buffer; 
       if (!crop_buff)
-        crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
+        crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
       else
         {
         prev_cropsize = seg_buffs[0].size;
         if (prev_cropsize < cropsize)
           {
-          next_buff = _TIFFrealloc(crop_buff, cropsize);
+          next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
           if (! next_buff)
             {
             _TIFFfree (crop_buff);
-            crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
+            crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
             }
           else
             crop_buff = next_buff;
@@ -7536,7 +7592,7 @@
         return (-1);
         }
  
-      _TIFFmemset(crop_buff, 0, cropsize);
+      _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
       seg_buffs[i].buffer = crop_buff;
       seg_buffs[i].size = cropsize;
 
@@ -7649,32 +7705,36 @@
   crop_buff = *crop_buff_ptr;
   if (!crop_buff)
     {
-    crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
-    *crop_buff_ptr = crop_buff;
-    _TIFFmemset(crop_buff, 0, cropsize);
+    crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
+    if (!crop_buff)
+    {
+        TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+        return (-1);
+    }
+    _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
     prev_cropsize = cropsize;
     }
   else
     {
     if (prev_cropsize < cropsize)
       {
-      new_buff = _TIFFrealloc(crop_buff, cropsize);
+      new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
       if (!new_buff)
         {
 	free (crop_buff);
-        crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
+        crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
         }
       else
         crop_buff = new_buff;
-      _TIFFmemset(crop_buff, 0, cropsize);
-      }
-    }
-
   if (!crop_buff)
     {
     TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
     return (-1);
     }
+      _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
+      }
+    }
+
   *crop_buff_ptr = crop_buff;
 
   if (crop->crop_mode & CROP_INVERT)
@@ -7969,13 +8029,13 @@
      if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
        TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
        if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
-	 int inknameslen = strlen(inknames) + 1;
+	 int inknameslen = (int)strlen(inknames) + 1;
 	 const char* cp = inknames;
 	 while (ninks > 1) {
 	   cp = strchr(cp, '\0');
 	   if (cp) {
 	     cp++;
-	     inknameslen += (strlen(cp) + 1);
+	     inknameslen += ((int)strlen(cp) + 1);
 	   }
 	   ninks--;
          }
@@ -8360,13 +8420,13 @@
         }
       else /* If we have a full buffer's worth, write it out */
         {
-        bytebuff1 = (buff2 >> 56);
+        bytebuff1 = (uint8_t)(buff2 >> 56);
         *dst++ = bytebuff1;
-        bytebuff2 = (buff2 >> 48);
+        bytebuff2 = (uint8_t)(buff2 >> 48);
         *dst++ = bytebuff2;
-        bytebuff3 = (buff2 >> 40);
+        bytebuff3 = (uint8_t)(buff2 >> 40);
         *dst++ = bytebuff3;
-        bytebuff4 = (buff2 >> 32);
+        bytebuff4 = (uint8_t)(buff2 >> 32);
         *dst++ = bytebuff4;
         ready_bits -= 32;
                     
@@ -8435,12 +8495,13 @@
               return (-1);
     }
 
-  if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize)))
+  /* Add 3 padding bytes for extractContigSamplesShifted32bits */
+  if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
     {
-    TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize);
+    TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
     return (-1);
     }
-  _TIFFmemset(rbuff, '\0', buffsize);
+  _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
 
   ibuff = *ibuff_ptr;
   switch (rotation)
@@ -8968,13 +9029,13 @@
         }
       else /* If we have a full buffer's worth, write it out */
         {
-        bytebuff1 = (buff2 >> 56);
+        bytebuff1 = (uint8_t)(buff2 >> 56);
         *dst++ = bytebuff1;
-        bytebuff2 = (buff2 >> 48);
+        bytebuff2 = (uint8_t)(buff2 >> 48);
         *dst++ = bytebuff2;
-        bytebuff3 = (buff2 >> 40);
+        bytebuff3 = (uint8_t)(buff2 >> 40);
         *dst++ = bytebuff3;
-        bytebuff4 = (buff2 >> 32);
+        bytebuff4 = (uint8_t)(buff2 >> 32);
         *dst++ = bytebuff4;
         ready_bits -= 32;
                     
@@ -9065,12 +9126,13 @@
     {
     case MIRROR_BOTH:
     case MIRROR_VERT: 
-             line_buff = (unsigned char *)_TIFFmalloc(rowsize);
+             line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES);
              if (line_buff == NULL)
                {
-	       TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize);
+	       TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES);
                return (-1);
                }
+             _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
 
              dst = ibuff + (rowsize * (length - 1));
              for (row = 0; row < length / 2; row++)
@@ -9101,11 +9163,12 @@
 		}
 	      else
                 { /* non 8 bit per sample  data */
-                if (!(line_buff = (unsigned char *)_TIFFmalloc(rowsize + 1)))
+                if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES)))
                   {
                   TIFFError("mirrorImage", "Unable to allocate mirror line buffer");
                   return (-1);
                   }
+                _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
                 bytes_per_sample = (bps + 7) / 8;
                 bytes_per_pixel  = ((bps * spp) + 7) / 8;
                 if (bytes_per_pixel < (bytes_per_sample + 1))
@@ -9117,7 +9180,7 @@
                   {
 		  row_offset = row * rowsize;
                   src = ibuff + row_offset;
-                  _TIFFmemset (line_buff, '\0', rowsize);
+                  _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
                   switch (shift_width)
                     {
                     case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff))

Places

File tiff-CVE-2022-3598,3570.patch of Package tiff (Revision 113fc44428fb6ee709efb70e46d4db58)

Places