Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
tiff
tiff-CVE-2023-26965.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tiff-CVE-2023-26965.patch of Package tiff
https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Index: tiff-4.0.9/tools/tiffcrop.c =================================================================== --- tiff-4.0.9.orig/tools/tiffcrop.c +++ tiff-4.0.9/tools/tiffcrop.c @@ -5948,9 +5948,7 @@ loadImage(TIFF* in, struct image_data *i uint32 tw = 0, tl = 0; /* Tile width and length */ tmsize_t tile_rowsize = 0; unsigned char *read_buff = NULL; - unsigned char *new_buff = NULL; int readunit = 0; - static tmsize_t prev_readsize = 0; TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); @@ -6249,39 +6247,24 @@ loadImage(TIFF* in, struct image_data *i } read_buff = *read_ptr; - /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */ - /* outside buffer */ - if (!read_buff) + /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit + * outside buffer */ + /* Reuse of read_buff from previous image is quite unsafe, because other + * functions (like rotateImage() etc.) reallocate that buffer with different + * size without updating the local prev_readsize value. */ + if (read_buff) { - if( buffsize > 0xFFFFFFFFU - 3 ) - { - TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); - return (-1); - } - read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); + _TIFFfree(read_buff); } - else - { - if (prev_readsize < buffsize) - { - if( buffsize > 0xFFFFFFFFU - 3 ) - { - TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); - return (-1); - } - new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); - if (!new_buff) - { - free (read_buff); - read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); - } - else - read_buff = new_buff; - } - } + if (buffsize > 0xFFFFFFFFU - 3) + { + TIFFError("loadImage", "Required read buffer size too large"); + return (-1); + } + read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); if (!read_buff) { - TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); + TIFFError("loadImage", "Unable to allocate read buffer"); return (-1); } @@ -6289,7 +6272,6 @@ loadImage(TIFF* in, struct image_data *i read_buff[buffsize+1] = 0; read_buff[buffsize+2] = 0; - prev_readsize = buffsize; *read_ptr = read_buff; /* N.B. The read functions used copy separate plane data into a buffer as interleaved
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor