File tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,... of Package tiff

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch of Package tiff (Revision f4d4544e308d335ab408610c8aa08253)

Currently displaying revision f4d4544e308d335ab408610c8aa08253 , Show latest

Upstream commit:
33aee1275d9d1384791d2206776eb8152d397f00
Index: tiff-4.0.9/tools/tiffcrop.c
===================================================================
--- tiff-4.0.9.orig/tools/tiffcrop.c
+++ tiff-4.0.9/tools/tiffcrop.c
@@ -5181,18 +5181,42 @@ computeInputPixelOffsets(struct crop_mas
 
       crop->regionlist[i].buffsize = buffsize;
       crop->bufftotal += buffsize;
+      
+      /* For composite images with more than one region, the
+       * combined_length or combined_width always needs to be equal,
+       * respectively.
+       * Otherwise, even the first section/region copy
+       * action might cause buffer overrun. */
       if (crop->img_mode == COMPOSITE_IMAGES)
         {
         switch (crop->edge_ref)
           {
           case EDGE_LEFT:
           case EDGE_RIGHT:
+              if (i > 0 && zlength != crop->combined_length)
+              {
+                  TIFFError(
+                          "computeInputPixelOffsets",
+                          "Only equal length regions can be combined for "
+                          "-E left or right");
+                  return (-1);
+              }
+
                crop->combined_length = zlength;
                crop->combined_width += zwidth;
                break;
           case EDGE_BOTTOM:
           case EDGE_TOP:  /* width from left, length from top */
           default:
+               if (i > 0 && zwidth != crop->combined_width)
+               {
+                   TIFFError("computeInputPixelOffsets",
+                           "Only equal width regions can be "
+                           "combined for -E "
+                           "top or bottom");
+                   return (-1);
+               }
+
                crop->combined_width = zwidth;
                crop->combined_length += zlength;
 	       break;
@@ -6321,6 +6345,46 @@ extractCompositeRegions(struct image_dat
   crop->combined_width = 0;
   crop->combined_length = 0;
 
+  /* If there is more than one region, check beforehand whether all the width
+   * and length values of the regions are the same, respectively. */
+  switch (crop->edge_ref)
+  {
+      default:
+      case EDGE_TOP:
+      case EDGE_BOTTOM:
+          for (i = 1; i < crop->selections; i++)
+          {
+              uint32_t crop_width0 =
+                  crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
+              uint32_t crop_width1 =
+                  crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+              if (crop_width0 != crop_width1)
+              {
+                  TIFFError("extractCompositeRegions",
+                          "Only equal width regions can be combined for -E "
+                          "top or bottom");
+                  return (1);
+              }
+          }
+          break;
+      case EDGE_LEFT:
+      case EDGE_RIGHT:
+          for (i = 1; i < crop->selections; i++)
+          {
+              uint32_t crop_length0 =
+                  crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
+              uint32_t crop_length1 =
+                  crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+              if (crop_length0 != crop_length1)
+              {
+                  TIFFError("extractCompositeRegions",
+                          "Only equal length regions can be combined for "
+                          "-E left or right");
+                  return (1);
+              }
+          }
+  }
+
   for (i = 0; i < crop->selections; i++)
     {
     /* rows, columns, width, length are expressed in pixels */
@@ -6345,7 +6409,7 @@ extractCompositeRegions(struct image_dat
       default:
       case EDGE_TOP:
       case EDGE_BOTTOM:
-	   if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
+          if ((crop->selections > i + 1) && (crop_width != crop->regionlist[i + 1].width))
              {
 	     TIFFError ("extractCompositeRegions", 
                           "Only equal width regions can be combined for -E top or bottom");
@@ -6426,7 +6490,7 @@ extractCompositeRegions(struct image_dat
 	   break;
       case EDGE_LEFT:  /* splice the pieces of each row together, side by side */
       case EDGE_RIGHT:
-	   if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
+       if ((crop->selections > i + 1) && (crop_length != crop->regionlist[i + 1].length))
              {
 	     TIFFError ("extractCompositeRegions", 
                           "Only equal length regions can be combined for -E left or right");

Places

File tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch of Package tiff (Revision f4d4544e308d335ab408610c8aa08253)

Places