File tiff-CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,... of Package tiff

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,CVE-2023-0798,CVE-2023-0799.patch of Package tiff (Revision 36daca0e0162844ee55f795d26bd159b)

Currently displaying revision 36daca0e0162844ee55f795d26bd159b , Show latest

Based on upstream commits:
9c22495e5eeeae9e00a1596720c969656bb8d678
688012dca2c39033aa2dc7bcea9796787cfd1b44
69818e2f2d246e6631ac2a2da692c3706b849c38
Index: tiff-4.0.9/tools/tiffcrop.c
===================================================================
--- tiff-4.0.9.orig/tools/tiffcrop.c
+++ tiff-4.0.9/tools/tiffcrop.c
@@ -278,7 +278,6 @@ struct  region {
   uint32 width;     /* width in pixels */
   uint32 length;    /* length in pixels */
   uint32 buffsize;  /* size of buffer needed to hold the cropped region */
-  unsigned char *buffptr; /* address of start of the region */
 };
 
 /* Cropping parameters from command line and image data 
@@ -533,7 +532,7 @@ static int rotateContigSamples24bits(uin
 static int rotateContigSamples32bits(uint16, uint16, uint16, uint32, 
                                      uint32,   uint32, uint8 *, uint8 *);
 static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
- 		       unsigned char **);
+ 		       unsigned char **, size_t*, int);
 static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
 		       unsigned char *);
 static int invertImage(uint16, uint16, uint16, uint32, uint32,
@@ -5134,7 +5133,6 @@ initCropMasks (struct crop_mask *cps)
      cps->regionlist[i].width = 0;
      cps->regionlist[i].length = 0;
      cps->regionlist[i].buffsize = 0;
-     cps->regionlist[i].buffptr = NULL;
      cps->zonelist[i].position = 0;
      cps->zonelist[i].total = 0;
      }
@@ -6367,7 +6365,12 @@ static int  correct_orientation(struct i
       return (-1);
       }
  
-    if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
+    /* Dummy variable in order not to switch two times the
+     * image->width,->length within rotateImage(),
+     * but switch xres, yres there. */
+    uint32_t width = image->width;
+    uint32_t length = image->length;
+    if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL, TRUE))
       {
       TIFFError ("correct_orientation", "Unable to rotate image");
       return (-1);
@@ -6435,7 +6438,6 @@ extractCompositeRegions(struct image_dat
     /* These should not be needed for composite images */
     crop->regionlist[i].width = crop_width;
     crop->regionlist[i].length = crop_length;
-    crop->regionlist[i].buffptr = crop_buff;
 
     src_rowsize = ((img_width * bps * spp) + 7) / 8;
     dst_rowsize = (((crop_width * bps * count) + 7) / 8);
@@ -6672,7 +6674,6 @@ extractSeparateRegion(struct image_data
 
   crop->regionlist[region].width = crop_width;
   crop->regionlist[region].length = crop_length;
-  crop->regionlist[region].buffptr = crop_buff;
 
   src = read_buff;
   dst = crop_buff;
@@ -7549,16 +7550,16 @@ processCropSelections(struct image_data
 
     if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
       {
+      size_t rot_buf_size = 0; 
       if (rotateImage(crop->rotation, image, &crop->combined_width, 
-                      &crop->combined_length, &crop_buff))
+                      &crop->combined_length, &crop_buff, &rot_buf_size, FALSE))
         {
         TIFFError("processCropSelections", 
                   "Failed to rotate composite regions by %d degrees", crop->rotation);
         return (-1);
         }
       seg_buffs[0].buffer = crop_buff;
-      seg_buffs[0].size = (((crop->combined_width * image->bps + 7 ) / 8)
-                            * image->spp) * crop->combined_length; 
+      seg_buffs[0].size = rot_buf_size;
       }
     }
   else  /* Separated Images */
@@ -7655,8 +7656,10 @@ processCropSelections(struct image_data
 
       if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
         {
-	if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, 
-			&crop->regionlist[i].length, &crop_buff))
+            size_t rot_buf_size = 0;
+            if (rotateImage(
+                        crop->rotation, image, &crop->regionlist[i].width,
+                        &crop->regionlist[i].length, &crop_buff, &rot_buf_size, FALSE))
           {
           TIFFError("processCropSelections", 
                     "Failed to rotate crop region by %d degrees", crop->rotation);
@@ -7667,8 +7670,7 @@ processCropSelections(struct image_data
         crop->combined_width = total_width;
         crop->combined_length = total_length;
         seg_buffs[i].buffer = crop_buff;
-        seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
-                               * image->spp) * crop->regionlist[i].length; 
+        seg_buffs[i].size = rot_buf_size;
         }
       }
     }
@@ -7788,7 +7790,7 @@ createCroppedImage(struct image_data *im
   if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
     {
     if (rotateImage(crop->rotation, image, &crop->combined_width, 
-                    &crop->combined_length, crop_buff_ptr))
+                    &crop->combined_length, crop_buff_ptr, NULL, TRUE))
       {
       TIFFError("createCroppedImage", 
                 "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
@@ -8451,13 +8453,15 @@ rotateContigSamples32bits(uint16 rotatio
 /* Rotate an image by a multiple of 90 degrees clockwise */
 static int
 rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width, 
-            uint32 *img_length, unsigned char **ibuff_ptr)
+            uint32 *img_length, unsigned char **ibuff_ptr, size_t *rot_buf_size,
+            int rot_image_params)
   {
   int      shift_width;
   uint32   bytes_per_pixel, bytes_per_sample;
   uint32   row, rowsize, src_offset, dst_offset;
   uint32   i, col, width, length;
-  uint32   colsize, buffsize, col_offset, pix_offset;
+  uint32_t colsize, col_offset, pix_offset;
+  tmsize_t buffsize;
   unsigned char *ibuff;
   unsigned char *src;
   unsigned char *dst;
@@ -8470,12 +8474,41 @@ rotateImage(uint16 rotation, struct imag
   spp = image->spp;
   bps = image->bps;
 
+  if ((spp != 0 && bps != 0 &&
+              width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
+          (spp != 0 && bps != 0 &&
+           length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
+  {
+      TIFFError("rotateImage", "Integer overflow detected.");
+      return (-1);
+  }
   rowsize = ((bps * spp * width) + 7) / 8;
   colsize = ((bps * spp * length) + 7) / 8;
   if ((colsize * width) > (rowsize * length))
-    buffsize = (colsize + 1) * width;
+  {
+      if (((tmsize_t)colsize + 1) != 0 &&
+              (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+                  ((tmsize_t)colsize + 1)))
+      {
+          TIFFError("rotateImage",
+                  "Integer overflow when calculating buffer size.");
+          return (-1);
+      }
+      buffsize = ((tmsize_t)colsize + 1) * width;
+  }
   else
-    buffsize = (rowsize + 1) * length;
+  {
+      if (((tmsize_t)rowsize + 1) != 0 &&
+              (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
+                  ((tmsize_t)rowsize + 1)))
+      {
+          TIFFError("rotateImage",
+                  "Integer overflow when calculating buffer size.");
+          return (-1);
+      }
+
+      buffsize = (rowsize + 1) * length;
+  }
 
   bytes_per_sample = (bps + 7) / 8;
   bytes_per_pixel  = ((bps * spp) + 7) / 8;
@@ -8498,10 +8531,12 @@ rotateImage(uint16 rotation, struct imag
   /* Add 3 padding bytes for extractContigSamplesShifted32bits */
   if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
     {
-    TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
+    TIFFError("rotateImage", "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT "bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
     return (-1);
     }
   _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
+  if (rot_buf_size != NULL)
+      *rot_buf_size = buffsize;
 
   ibuff = *ibuff_ptr;
   switch (rotation)
@@ -8642,11 +8677,15 @@ rotateImage(uint16 rotation, struct imag
 
               *img_width = length;
               *img_length = width;
-              image->width = length;
-              image->length = width;
-              res_temp = image->xres;
-              image->xres = image->yres;
-              image->yres = res_temp;
+              /* Only toggle image parameters if whole input image is rotated. */
+              if (rot_image_params)
+              {
+                  image->width = length;
+                  image->length = width;
+                  res_temp = image->xres;
+                  image->xres = image->yres;
+                  image->yres = res_temp;
+              }
 	      break;
 
     case 270: if ((bps % 8) == 0) /* byte aligned data */
@@ -8719,11 +8758,15 @@ rotateImage(uint16 rotation, struct imag
 
               *img_width = length;
               *img_length = width;
-              image->width = length;
-              image->length = width;
-              res_temp = image->xres;
-              image->xres = image->yres;
-              image->yres = res_temp;
+              /* Only toggle image parameters if whole input image is rotated. */
+              if (rot_image_params)
+              {
+                  image->width = length;
+                  image->length = width;
+                  res_temp = image->xres;
+                  image->xres = image->yres;
+                  image->yres = res_temp;
+              }
               break;
     default:
               break;

Places

File tiff-CVE-2023-0795,CVE-2023-0796,CVE-2023-0797,CVE-2023-0798,CVE-2023-0799.patch of Package tiff (Revision 36daca0e0162844ee55f795d26bd159b)

Places