File tiff-CVE-2023-1916.patch of Package tiff.32962

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-CVE-2023-1916.patch of Package tiff.32962

https://gitlab.com/libtiff/libtiff/-/merge_requests/535
Index: tiff-4.0.9/tools/tiffcrop.c
===================================================================
--- tiff-4.0.9.orig/tools/tiffcrop.c
+++ tiff-4.0.9/tools/tiffcrop.c
@@ -5590,6 +5590,15 @@ getCropOffsets(struct image_data *image,
              crop->combined_width += (uint32)zwidth;
            else
              crop->combined_width = (uint32)zwidth;
+
+		   /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+		   if (((crop->rotation == 90) || (crop->rotation == 270))
+				   && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+		   {
+			   TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+			   return -1;
+		   }
+
            break;
       case EDGE_BOTTOM: /* width from left, zones from bottom to top */
            zwidth = offsets.crop_width;
@@ -5619,7 +5628,16 @@ getCropOffsets(struct image_data *image,
              crop->combined_length += (uint32)zlength;
            else
              crop->combined_length = (uint32)zlength;
-           crop->combined_width = (uint32)zwidth;
+		   crop->combined_width = (uint32)zwidth;
+
+		   /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+		   if (((crop->rotation == 90) || (crop->rotation == 270))
+				   && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+		   {
+			   TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+			   return -1;
+		   }
+
            break;
       case EDGE_RIGHT: /* zones from right to left, length from top */
            zlength = offsets.crop_length;
@@ -5647,6 +5665,15 @@ getCropOffsets(struct image_data *image,
              crop->combined_width += (uint32)zwidth;
            else
              crop->combined_width = (uint32)zwidth;
+
+		   /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+		   if (((crop->rotation == 90) || (crop->rotation == 270))
+				   && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+		   {
+			   TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+			   return -1;
+		   }
+
            break;
       case EDGE_TOP: /* width from left, zones from top to bottom */
       default:
@@ -5671,10 +5698,19 @@ getCropOffsets(struct image_data *image,
            if (crop->exp_mode == COMPOSITE_IMAGES)
              crop->combined_length += (uint32)zlength;
            else
-             crop->combined_length = (uint32)zlength;
-           crop->combined_width = (uint32)zwidth;
-           break;
-      } /* end switch statement */
+			   crop->combined_length = (uint32)zlength;
+		   crop->combined_width = (uint32)zwidth;
+
+		   /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+		   if (((crop->rotation == 90) || (crop->rotation == 270))
+				   && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+		   {
+			   TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+			   return -1;
+		   }
+
+		   break;
+	  } /* end switch statement */
 
     buffsize = (uint32)
           ((((zwidth * image->bps * image->spp) + 7 ) / 8) * (zlength + 1));
@@ -6870,9 +6906,9 @@ extractImageSection(struct image_data *i
      * regardless of the way the data are organized in the input file.
      * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 
      */
-    img_rowsize = (((img_width * spp * bps) + 7) / 8);    /* row size in full bytes of source image */
-    full_bytes = (sect_width * spp * bps) / 8;            /* number of COMPLETE bytes per row in section */
-    trailing_bits = (sect_width * spp * bps) % 8;         /* trailing bits within the last byte of destination buffer */
+  img_rowsize = (((img_width * spp * bps) + 7) / 8);  /* row size in full bytes of source image */
+    full_bytes = (sect_width * spp * bps) / 8;          /* number of COMPLETE bytes per row in section */
+    trailing_bits = (sect_width * spp * bps) % 8;       /* trailing bits within the last byte of destination buffer */
 
 #ifdef DEVELMODE
     TIFFError ("", "First row: %d, last row: %d, First col: %d, last col: %d\n",
@@ -6899,13 +6935,14 @@ extractImageSection(struct image_data *i
       }        
     }
   else
-    { /* bps != 8 */
-    shift1 = ((first_col * spp * bps) % 8);           /* shift1 = bits to skip in the first byte of source buffer*/
+  {   /* bps != 8 */
+	shift1 = ((first_col * spp * bps) % 8); /* shift1 = bits to skip in the first byte of source buffer*/
     for (row = first_row; row <= last_row; row++)
       {
       /* pull out the first byte */
       row_offset = row * img_rowsize;
-      offset1 = row_offset + ((first_col * spp * bps) / 8);   /* offset1 = offset into source of byte with first bits to be extracted */
+	  offset1 = row_offset + ((first_col * spp * bps) / 8); /* offset1 = offset into source of byte
+                                                                     with first bits to be extracted */
 
 #ifdef DEVELMODE
       for (j = 0, k = 7; j < 8; j++, k--)
@@ -7859,7 +7896,7 @@ createCroppedImage(struct image_data *im
     }
 
   if (crop_buff == read_buff) /* we used the read buffer for the crop buffer */
-    *read_buff_ptr = NULL;    /* so we don't try to free it later */
+	  *read_buff_ptr = NULL;  /* so we don't try to free it later */
 
   return (0);
   } /* end createCroppedImage */

Places

File tiff-CVE-2023-1916.patch of Package tiff.32962

Places