SUSE:SLE-12-SP5:GA
tiff.35292
tiff-CVE-2023-3164.patch
File tiff-CVE-2023-3164.patch of Package tiff.35292
Index: tiff-4.0.9/tools/tiffcrop.c
===================================================================
--- tiff-4.0.9.orig/tools/tiffcrop.c
+++ tiff-4.0.9/tools/tiffcrop.c
@@ -458,6 +458,7 @@ static uint16 defcompression = (uint16)
 static uint16 defpredictor = (uint16) -1;
 static int pageNum = 0;
 static int little_endian = 1;
+static tmsize_t check_buffsize = 0;
 /* Functions adapted from tiffcp with additions or significant modifications */
 static int readContigStripsIntoBuffer (TIFF*, uint8*);
@@ -2081,6 +2082,11 @@ void process_command_opts (int argc, ch
 TIFFError ("Limit for subdivisions, ie rows x columns, exceeded", "%d", MAX_SECTIONS);
 exit (-1);
 }
+ if ((page->cols * page->rows) < 1)
+ {
+ TIFFError("No subdivisions", "%d", (page->cols * page->rows));
+ exit(EXIT_FAILURE);
+ }
 page->mode |= PAGE_MODE_ROWSCOLS;
 break;
 case 'U': /* units for measurements and offsets */
@@ -4348,7 +4354,7 @@ combineSeparateTileSamplesBytes (unsigne
 dst = out + (row * dst_rowsize);
 src_offset = row * src_rowsize;
 #ifdef DEVELMODE
- TIFFError("","Tile row %4d, Src offset %6d Dst offset %6d",
+ TIFFError("","Tile row %4d, Src offset %6d Dst offset %6zd",
 row, src_offset, dst - out);
 #endif
 for (col = 0; col < cols; col++)
@@ -4943,7 +4949,7 @@ static int readSeparateStripsIntoBuffer
 break;
 }
 #ifdef DEVELMODE
- TIFFError("", "Strip %2d, read %5d bytes for %4d scanlines, shift width %d",
+ TIFFError("", "Strip %2d, read %5zd bytes for %4d scanlines, shift width %d",
 strip, bytes_read, rows_this_strip, shift_width);
 #endif
 }
@@ -6304,6 +6310,8 @@ loadImage(TIFF* in, struct image_data *i
 return (-1);
 }
+ check_buffsize = buffsize + NUM_BUFF_OVERSIZE_BYTES;
+
 read_buff[buffsize] = 0;
 read_buff[buffsize+1] = 0;
 read_buff[buffsize+2] = 0;
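Review bot: `check_buffsize` is added as file-scope mutable state with no comment saying which buffer it describes or which function updates it, and it sits among the default-option statics. Later hunks in this patch set it in loadImage and read it in extractImageSection, so a reader of either function has to find this line to learn the contract. I would document it where it is declared, e.g. `/* Bytes in the buffer last sized by loadImage(), padding included; upper bound for source reads in extractImageSection(). */`. Passing the bound as a parameter next to the buffer would remove the hidden coupling, but that changes signatures outside this hunk.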
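Review bot: The new guard in process_command_opts tests the product `page->cols * page->rows`, so it rejects only input whose multiplication result is below 1; the declarations of `cols` and `rows` are outside the hunk, but if they are signed two negative values give a positive product, and if they are unsigned a wrapped product can be nonzero. Checking each factor is stricter and does not depend on the multiplication: `if (page->cols < 1 || page->rows < 1)`. The guard also runs after the MAX_SECTIONS comparison, which presumably uses the same product (only its error branch is visible), so validating the factors first would protect that comparison too. Minor: this branch exits with `EXIT_FAILURE` while the branch directly above uses `exit (-1)`.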
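Review bot: `dst - out` in the DEVELMODE trace of combineSeparateTileSamplesBytes appears to be a pointer difference, whose type is ptrdiff_t, so the matching conversion is `%td` rather than the `%6zd` introduced here: `"Tile row %4d, Src offset %6d Dst offset %6td"`. The next hunk (readSeparateStripsIntoBuffer) switches `bytes_read` to `%5zd`; its declaration is not visible, and if it is libtiff's `tmsize_t` that type is not guaranteed to match the `z` length modifier on every target, so an explicit cast such as `(long long) bytes_read` with `%5lld` would be the portable form. Both lines compile only under DEVELMODE, so a mismatch would not show up in a normal build.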
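Review bot: The bound recorded in loadImage is `buffsize + NUM_BUFF_OVERSIZE_BYTES`, but the allocation it is meant to describe is outside the hunk, so nothing visible ties the two together; the only padding in view is the three zero bytes written at `read_buff[buffsize]` to `read_buff[buffsize+2]`. If the allocation uses a different expression or a smaller pad, the checks added in extractImageSection would accept reads past the end of the buffer. I would compute the size once, use it for both the allocation and this assignment, and add `/* must match the size passed to the read_buff allocation above */`. The early `return (-1)` just above also leaves `check_buffsize` at whatever value the previous image set.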
@@ -6930,6 +6938,12 @@ extractImageSection(struct image_data *i
 #ifdef DEVELMODE
 TIFFError ("", "Src offset: %8d, Dst offset: %8d", src_offset, dst_offset);
 #endif
+ if (src_offset + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
+
 _TIFFmemcpy (sect_buff + dst_offset, src_buff + src_offset, full_bytes);
 dst_offset += full_bytes;
 }
@@ -6965,6 +6979,11 @@ extractImageSection(struct image_data *i
 bytebuff1 = bytebuff2 = 0;
 if (shift1 == 0) /* the region is byte and sample alligned */
 {
+ if (offset1 + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
 _TIFFmemcpy (sect_buff + dst_offset, src_buff + offset1, full_bytes);
 #ifdef DEVELMODE
@@ -6984,6 +7003,11 @@ extractImageSection(struct image_data *i
 if (trailing_bits != 0)
 {
 /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
+ if (offset1 + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
 bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
 sect_buff[dst_offset] = bytebuff2;
 #ifdef DEVELMODE
@@ -7009,6 +7033,11 @@ extractImageSection(struct image_data *i
 {
 /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
 /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
+ if (offset1 + j + 1 >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
 bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
 bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
 sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
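Review bot: The guard `src_offset + full_bytes >= check_buffsize` performs the addition before the comparison, so if the operands are 32-bit (the DEVELMODE trace prints `src_offset` with `%8d`; the declarations are outside the hunk) a large pair can wrap and pass the check; comparing by subtraction against the bound avoids that. The same five-line block is repeated in the three following extractImageSection hunks with `offset1 + full_bytes` (twice) and `offset1 + j + 1`, so one helper would keep the arithmetic in a single place. The bound is the file-scope value set in loadImage, which is only the right limit if `src_buff` is always that read buffer; the callers are not visible here and should be confirmed. The message goes to stdout through `printf` while the rest of the file reports through `TIFFError`, so I would use that here as well. A sketch follows; the function body continues outside the hunk.

```c
/* Nonzero when the len bytes starting at offset lie inside the buffer sized by loadImage().
 * For the single-byte reads in the later hunks, pass the index and a length of 1. */
static int
src_range_ok (tmsize_t offset, tmsize_t len)
{
  if (offset < 0 || len < 0 || len > check_buffsize)
    return 0;
  return offset <= check_buffsize - len;
}

/* … unchanged: DEVELMODE trace of src_offset / dst_offset … */
if (!src_range_ok ((tmsize_t) src_offset, (tmsize_t) full_bytes))
  {
  TIFFError ("extractImageSection", "Bad input. Preventing reading outside of input buffer.");
  return (-1);
  }
_TIFFmemcpy (sect_buff + dst_offset, src_buff + src_offset, full_bytes);
```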