meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99

From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001
From: zhailiangliang <zhailiangliang@loongson.cn>
Date: Thu, 16 Mar 2023 16:16:54 +0800
Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection

CVE: CVE-2023-1916
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535]
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 tools/tiffcrop.c | 44 ++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 40 insertions(+), 4 deletions(-)

diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 05ba4d2..8a08536 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5700,6 +5700,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
              crop->combined_width += (uint32_t)zwidth;
            else
              crop->combined_width = (uint32_t)zwidth;
+
+	   /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+           if (((crop->rotation == 90) || (crop->rotation == 270))
+                && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+           {
+                TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+                return -1;
+           }
+
            break;
       case EDGE_BOTTOM: /* width from left, zones from bottom to top */
            zwidth = offsets.crop_width;
@@ -5735,6 +5744,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
            else
              crop->combined_length = (uint32_t)zlength;
            crop->combined_width = (uint32_t)zwidth;
+
+	   /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+           if (((crop->rotation == 90) || (crop->rotation == 270))
+                && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+           {
+                TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+                return -1;
+           }
+
            break;
       case EDGE_RIGHT: /* zones from right to left, length from top */
 		  zlength = offsets.crop_length;
@@ -5772,6 +5790,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
 			  crop->combined_width += (uint32_t)zwidth;
 		  else
 			  crop->combined_width = (uint32_t)zwidth;
+
+		/* When the degrees clockwise rotation is 90 or 270, check the boundary */
+                if (((crop->rotation == 90) || (crop->rotation == 270))
+                    && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+                {
+                    TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+                    return -1;
+                }
+
 		  break;
       case EDGE_TOP: /* width from left, zones from top to bottom */
       default:
@@ -5818,7 +5845,16 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
            else
              crop->combined_length = (uint32_t)zlength;
            crop->combined_width = (uint32_t)zwidth;
-           break;
+
+	   /* When the degrees clockwise rotation is 90 or 270, check the boundary */
+           if (((crop->rotation == 90) || (crop->rotation == 270))
+                && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
+           {
+                TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
+                return -1;
+           }
+
+	   break;
       } /* end switch statement */
 
     buffsize = (uint32_t)
@@ -7016,9 +7052,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
      * regardless of the way the data are organized in the input file.
      * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 
      */
-    img_rowsize = (((img_width * spp * bps) + 7) / 8);    /* row size in full bytes of source image */
-    full_bytes = (sect_width * spp * bps) / 8;            /* number of COMPLETE bytes per row in section */
-    trailing_bits = (sect_width * spp * bps) % 8;         /* trailing bits within the last byte of destination buffer */
+    img_rowsize = (((img_width * spp * bps) + 7) / 8);  /* row size in full bytes of source image */
+    full_bytes = (sect_width * spp * bps) / 8;          /* number of COMPLETE bytes per row in section */
+    trailing_bits = (sect_width * spp * bps) % 8;       /* trailing bits within the last byte of destination buffer */
 
 #ifdef DEVELMODE
     TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
-- 
2.25.1