File tiff-CVE-2023-26965.patch of Package tiff

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-CVE-2023-26965.patch of Package tiff

https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf
Index: tiff-4.0.9/tools/tiffcrop.c
===================================================================
--- tiff-4.0.9.orig/tools/tiffcrop.c
+++ tiff-4.0.9/tools/tiffcrop.c
@@ -5948,9 +5948,7 @@ loadImage(TIFF* in, struct image_data *i
   uint32   tw = 0, tl = 0;       /* Tile width and length */
   tmsize_t   tile_rowsize = 0;
   unsigned char *read_buff = NULL;
-  unsigned char *new_buff  = NULL;
   int      readunit = 0;
-  static   tmsize_t  prev_readsize = 0;
 
   TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
   TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
@@ -6249,39 +6247,24 @@ loadImage(TIFF* in, struct image_data *i
     }
  
   read_buff = *read_ptr;
-  /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
-  /* outside buffer */
-  if (!read_buff)
+  /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
+   * outside buffer */
+  /* Reuse of read_buff from previous image is quite unsafe, because other
+   * functions (like rotateImage() etc.) reallocate that buffer with different
+   * size without updating the local prev_readsize value. */
+  if (read_buff)
   {
-    if( buffsize > 0xFFFFFFFFU - 3 )
-    {
-        TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
-        return (-1);
-    }
-    read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+	  _TIFFfree(read_buff);
   }
-  else
-    {
-    if (prev_readsize < buffsize)
-    {
-      if( buffsize > 0xFFFFFFFFU - 3 )
-      {
-          TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
-          return (-1);
-      }
-      new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
-      if (!new_buff)
-        {
-	free (read_buff);
-        read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
-        }
-      else
-        read_buff = new_buff;
-      }
-    }
+  if (buffsize > 0xFFFFFFFFU - 3)
+  {
+	  TIFFError("loadImage", "Required read buffer size too large");
+      return (-1);
+  }
+  read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
   if (!read_buff)
     {
-    TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+    TIFFError("loadImage", "Unable to allocate read buffer");
     return (-1);
     }
 
@@ -6289,7 +6272,6 @@ loadImage(TIFF* in, struct image_data *i
   read_buff[buffsize+1] = 0;
   read_buff[buffsize+2] = 0;
 
-  prev_readsize = buffsize;
   *read_ptr = read_buff;
 
   /* N.B. The read functions used copy separate plane data into a buffer as interleaved

Places

File tiff-CVE-2023-26965.patch of Package tiff

Places