summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@arm.com>2022-10-25 16:21:45 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-10-28 09:44:52 +0100
commit38be41a6f8eede9f827674ff397091df5ef5a8ac (patch)
treeefcd9bc8ba308db758e785cfbda70ee983a56a42 /meta/recipes-multimedia/libtiff
parente06b7828aeea8d07b6f4d63eb386f85bccddaa47 (diff)
downloadpoky-38be41a6f8eede9f827674ff397091df5ef5a8ac.tar.gz
tiff: fix a number of CVEs
Backport fixes from upstream for the following CVEs: - CVE-2022-3599 - CVE-2022-3597 - CVE-2022-3626 - CVE-2022-3627 - CVE-2022-3570 - CVE-2022-3598 (From OE-Core rev: 722bbb88777cc3c7d1c8273f1279fc18ba33e87c) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-multimedia/libtiff')
-rw-r--r--meta/recipes-multimedia/libtiff/files/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch266
-rw-r--r--meta/recipes-multimedia/libtiff/files/0001-tiffcrop-S-option-Make-decision-simpler.patch36
-rw-r--r--meta/recipes-multimedia/libtiff/files/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch59
-rw-r--r--meta/recipes-multimedia/libtiff/files/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch653
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.4.0.bb5
5 files changed, 1018 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/files/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch b/meta/recipes-multimedia/libtiff/files/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
new file mode 100644
index 0000000000..ce72c86120
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
@@ -0,0 +1,266 @@
1CVE: CVE-2022-3599
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From f00484b9519df933723deb38fff943dc291a793d Mon Sep 17 00:00:00 2001
6From: Su_Laus <sulau@freenet.de>
7Date: Tue, 30 Aug 2022 16:56:48 +0200
8Subject: [PATCH] Revised handling of TIFFTAG_INKNAMES and related
9 TIFFTAG_NUMBEROFINKS value
10
11In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
12
13Behaviour for writing:
14 `NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
15 `NumberOfInks` is automatically set when `InkNames` is set.
16 If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
17 If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
18
19Behaviour for reading:
20 When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
21 If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
22 If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
23
24This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
25
26This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
27
28It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
29---
30 libtiff/tif_dir.c | 119 ++++++++++++++++++++++++-----------------
31 libtiff/tif_dir.h | 2 +
32 libtiff/tif_dirinfo.c | 2 +-
33 libtiff/tif_dirwrite.c | 5 ++
34 libtiff/tif_print.c | 4 ++
35 5 files changed, 82 insertions(+), 50 deletions(-)
36
37diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
38index 793e8a79..816f7756 100644
39--- a/libtiff/tif_dir.c
40+++ b/libtiff/tif_dir.c
41@@ -136,32 +136,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32_t* v)
42 }
43
44 /*
45- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
46+ * Count ink names separated by \0. Returns
47 * zero if the ink names are not as expected.
48 */
49-static uint32_t
50-checkInkNamesString(TIFF* tif, uint32_t slen, const char* s)
51+static uint16_t
52+countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
53 {
54- TIFFDirectory* td = &tif->tif_dir;
55- uint16_t i = td->td_samplesperpixel;
56+ uint16_t i = 0;
57+ const char *ep = s + slen;
58+ const char *cp = s;
59
60 if (slen > 0) {
61- const char* ep = s+slen;
62- const char* cp = s;
63- for (; i > 0; i--) {
64+ do {
65 for (; cp < ep && *cp != '\0'; cp++) {}
66 if (cp >= ep)
67 goto bad;
68 cp++; /* skip \0 */
69- }
70- return ((uint32_t)(cp - s));
71+ i++;
72+ } while (cp < ep);
73+ return (i);
74 }
75 bad:
76 TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
77- "%s: Invalid InkNames value; expecting %"PRIu16" names, found %"PRIu16,
78- tif->tif_name,
79- td->td_samplesperpixel,
80- (uint16_t)(td->td_samplesperpixel-i));
81+ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink",
82+ tif->tif_name, slen, i);
83 return (0);
84 }
85
86@@ -478,13 +476,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
87 _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
88 break;
89 case TIFFTAG_INKNAMES:
90- v = (uint16_t) va_arg(ap, uint16_vap);
91- s = va_arg(ap, char*);
92- v = checkInkNamesString(tif, v, s);
93- status = v > 0;
94- if( v > 0 ) {
95- _TIFFsetNString(&td->td_inknames, s, v);
96- td->td_inknameslen = v;
97+ {
98+ v = (uint16_t) va_arg(ap, uint16_vap);
99+ s = va_arg(ap, char*);
100+ uint16_t ninksinstring;
101+ ninksinstring = countInkNamesString(tif, v, s);
102+ status = ninksinstring > 0;
103+ if(ninksinstring > 0 ) {
104+ _TIFFsetNString(&td->td_inknames, s, v);
105+ td->td_inknameslen = v;
106+ /* Set NumberOfInks to the value ninksinstring */
107+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
108+ {
109+ if (td->td_numberofinks != ninksinstring) {
110+ TIFFErrorExt(tif->tif_clientdata, module,
111+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"",
112+ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
113+ td->td_numberofinks = ninksinstring;
114+ }
115+ } else {
116+ td->td_numberofinks = ninksinstring;
117+ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
118+ }
119+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
120+ {
121+ if (td->td_numberofinks != td->td_samplesperpixel) {
122+ TIFFErrorExt(tif->tif_clientdata, module,
123+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
124+ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
125+ }
126+ }
127+ }
128+ }
129+ break;
130+ case TIFFTAG_NUMBEROFINKS:
131+ v = (uint16_t)va_arg(ap, uint16_vap);
132+ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
133+ if (TIFFFieldSet(tif, FIELD_INKNAMES))
134+ {
135+ if (v != td->td_numberofinks) {
136+ TIFFErrorExt(tif->tif_clientdata, module,
137+ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")",
138+ tif->tif_name, fip->field_name, v, td->td_numberofinks);
139+ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
140+ status = 0;
141+ }
142+ } else {
143+ td->td_numberofinks = (uint16_t)v;
144+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
145+ {
146+ if (td->td_numberofinks != td->td_samplesperpixel) {
147+ TIFFErrorExt(tif->tif_clientdata, module,
148+ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
149+ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
150+ }
151+ }
152 }
153 break;
154 case TIFFTAG_PERSAMPLE:
155@@ -986,34 +1032,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
156 if (fip->field_bit == FIELD_CUSTOM) {
157 standard_tag = 0;
158 }
159-
160- if( standard_tag == TIFFTAG_NUMBEROFINKS )
161- {
162- int i;
163- for (i = 0; i < td->td_customValueCount; i++) {
164- uint16_t val;
165- TIFFTagValue *tv = td->td_customValues + i;
166- if (tv->info->field_tag != standard_tag)
167- continue;
168- if( tv->value == NULL )
169- return 0;
170- val = *(uint16_t *)tv->value;
171- /* Truncate to SamplesPerPixel, since the */
172- /* setting code for INKNAMES assume that there are SamplesPerPixel */
173- /* inknames. */
174- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
175- if( val > td->td_samplesperpixel )
176- {
177- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
178- "Truncating NumberOfInks from %u to %"PRIu16,
179- val, td->td_samplesperpixel);
180- val = td->td_samplesperpixel;
181- }
182- *va_arg(ap, uint16_t*) = val;
183- return 1;
184- }
185- return 0;
186- }
187
188 switch (standard_tag) {
189 case TIFFTAG_SUBFILETYPE:
190@@ -1195,6 +1213,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
191 case TIFFTAG_INKNAMES:
192 *va_arg(ap, const char**) = td->td_inknames;
193 break;
194+ case TIFFTAG_NUMBEROFINKS:
195+ *va_arg(ap, uint16_t *) = td->td_numberofinks;
196+ break;
197 default:
198 {
199 int i;
200diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
201index 09065648..0c251c9e 100644
202--- a/libtiff/tif_dir.h
203+++ b/libtiff/tif_dir.h
204@@ -117,6 +117,7 @@ typedef struct {
205 /* CMYK parameters */
206 int td_inknameslen;
207 char* td_inknames;
208+ uint16_t td_numberofinks; /* number of inks in InkNames string */
209
210 int td_customValueCount;
211 TIFFTagValue *td_customValues;
212@@ -174,6 +175,7 @@ typedef struct {
213 #define FIELD_TRANSFERFUNCTION 44
214 #define FIELD_INKNAMES 46
215 #define FIELD_SUBIFD 49
216+#define FIELD_NUMBEROFINKS 50
217 /* FIELD_CUSTOM (see tiffio.h) 65 */
218 /* end of support for well-known tags; codec-private tags follow */
219 #define FIELD_CODEC 66 /* base of codec-private tags */
220diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
221index 3371cb5c..3b4bcd33 100644
222--- a/libtiff/tif_dirinfo.c
223+++ b/libtiff/tif_dirinfo.c
224@@ -114,7 +114,7 @@ tiffFields[] = {
225 { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
226 { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
227 { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
228- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
229+ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
230 { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
231 { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
232 { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
233diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
234index 6c86fdca..062e4610 100644
235--- a/libtiff/tif_dirwrite.c
236+++ b/libtiff/tif_dirwrite.c
237@@ -626,6 +626,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64_t* pdiroff)
238 if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
239 goto bad;
240 }
241+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
242+ {
243+ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
244+ goto bad;
245+ }
246 if (TIFFFieldSet(tif,FIELD_SUBIFD))
247 {
248 if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
249diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
250index 16ce5780..a91b9e7b 100644
251--- a/libtiff/tif_print.c
252+++ b/libtiff/tif_print.c
253@@ -397,6 +397,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
254 }
255 fputs("\n", fd);
256 }
257+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
258+ fprintf(fd, " NumberOfInks: %d\n",
259+ td->td_numberofinks);
260+ }
261 if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
262 fprintf(fd, " Thresholding: ");
263 switch (td->td_threshholding) {
264--
2652.34.1
266
diff --git a/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-S-option-Make-decision-simpler.patch b/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-S-option-Make-decision-simpler.patch
new file mode 100644
index 0000000000..02642ecfbc
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-S-option-Make-decision-simpler.patch
@@ -0,0 +1,36 @@
1Upstream-Status: Backport
2Signed-off-by: Ross Burton <ross.burton@arm.com>
3
4From bad48e90b410df32172006c7876da449ba62cdba Mon Sep 17 00:00:00 2001
5From: Su_Laus <sulau@freenet.de>
6Date: Sat, 20 Aug 2022 23:35:26 +0200
7Subject: [PATCH] tiffcrop -S option: Make decision simpler.
8
9---
10 tools/tiffcrop.c | 10 +++++-----
11 1 file changed, 5 insertions(+), 5 deletions(-)
12
13diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
14index c3b758ec..8fd856dc 100644
15--- a/tools/tiffcrop.c
16+++ b/tools/tiffcrop.c
17@@ -2133,11 +2133,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
18 }
19 /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
20 char XY, Z, R, S;
21- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
22- Z = (crop_data->crop_mode & CROP_ZONES);
23- R = (crop_data->crop_mode & CROP_REGIONS);
24- S = (page->mode & PAGE_MODE_ROWSCOLS);
25- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
26+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
27+ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
28+ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
29+ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
30+ if (XY + Z + R + S > 1) {
31 TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
32 exit(EXIT_FAILURE);
33 }
34--
352.34.1
36
diff --git a/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch b/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch
new file mode 100644
index 0000000000..3e33f4adea
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch
@@ -0,0 +1,59 @@
1CVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From 4746f16253b784287bc8a5003990c1c3b9a03a62 Mon Sep 17 00:00:00 2001
6From: Su_Laus <sulau@freenet.de>
7Date: Thu, 25 Aug 2022 16:11:41 +0200
8Subject: [PATCH] tiffcrop: disable incompatibility of -Z, -X, -Y, -z options
9 with any PAGE_MODE_x option (fixes #411 and #413)
10MIME-Version: 1.0
11Content-Type: text/plain; charset=UTF-8
12Content-Transfer-Encoding: 8bit
13
14tiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S.
15
16Code analysis:
17
18With the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[].
19In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) .
20
21Execution of the else-clause often leads to buffer-overflows.
22
23Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows.
24
25The MR solves issues #411 and #413.
26---
27 doc/tools/tiffcrop.rst | 8 ++++++++
28 tools/tiffcrop.c | 32 +++++++++++++++++++++++++-------
29 2 files changed, 33 insertions(+), 7 deletions(-)
30
31diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
32index 8fd856dc..41a2ea36 100644
33--- a/tools/tiffcrop.c
34+++ b/tools/tiffcrop.c
35@@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
36 R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
37 S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
38 if (XY + Z + R + S > 1) {
39- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
40+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
41 exit(EXIT_FAILURE);
42 }
43+
44+ /* Check for not allowed combination:
45+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
46+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
47+. */
48+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
49+ TIFFError("tiffcrop input error",
50+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
51+ exit(EXIT_FAILURE);
52+ }
53+
54 } /* end process_command_opts */
55
56 /* Start a new output file if one has not been previously opened or
57--
582.34.1
59
diff --git a/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch b/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch
new file mode 100644
index 0000000000..e44b9bc57c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch
@@ -0,0 +1,653 @@
1CVE: CVE-2022-3570 CVE-2022-3598
2Upstream-Status: Backport
3Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5From afd7086090dafd3949afd172822cbcec4ed17d56 Mon Sep 17 00:00:00 2001
6From: Su Laus <sulau@freenet.de>
7Date: Thu, 13 Oct 2022 14:33:27 +0000
8Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271,
9 #381, #386, #388, #389, #435)
10
11---
12 tools/tiffcrop.c | 209 ++++++++++++++++++++++++++---------------------
13 1 file changed, 118 insertions(+), 91 deletions(-)
14
15diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
16index 41a2ea36..deab5feb 100644
17--- a/tools/tiffcrop.c
18+++ b/tools/tiffcrop.c
19@@ -212,6 +212,10 @@ static char tiffcrop_rev_date[] = "26-08-2022";
20
21 #define TIFF_DIR_MAX 65534
22
23+/* Some conversion subroutines require image buffers, which are at least 3 bytes
24+ * larger than the necessary size for the image itself. */
25+#define NUM_BUFF_OVERSIZE_BYTES 3
26+
27 /* Offsets into buffer for margins and fixed width and length segments */
28 struct offset {
29 uint32_t tmargin;
30@@ -233,7 +237,7 @@ struct offset {
31 */
32
33 struct buffinfo {
34- uint32_t size; /* size of this buffer */
35+ size_t size; /* size of this buffer */
36 unsigned char *buffer; /* address of the allocated buffer */
37 };
38
39@@ -810,8 +814,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
40 uint32_t dst_rowsize, shift_width;
41 uint32_t bytes_per_sample, bytes_per_pixel;
42 uint32_t trailing_bits, prev_trailing_bits;
43- uint32_t tile_rowsize = TIFFTileRowSize(in);
44- uint32_t src_offset, dst_offset;
45+ tmsize_t tile_rowsize = TIFFTileRowSize(in);
46+ tmsize_t src_offset, dst_offset;
47 uint32_t row_offset, col_offset;
48 uint8_t *bufp = (uint8_t*) buf;
49 unsigned char *src = NULL;
50@@ -861,7 +865,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
51 TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
52 exit(EXIT_FAILURE);
53 }
54- tilebuf = limitMalloc(tile_buffsize + 3);
55+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
56 if (tilebuf == 0)
57 return 0;
58 tilebuf[tile_buffsize] = 0;
59@@ -1024,7 +1028,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf,
60 for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++)
61 {
62 srcbuffs[sample] = NULL;
63- tbuff = (unsigned char *)limitMalloc(tilesize + 8);
64+ tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES);
65 if (!tbuff)
66 {
67 TIFFError ("readSeparateTilesIntoBuffer",
68@@ -1217,7 +1221,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
69 }
70 rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
71
72- obuf = limitMalloc (rowstripsize);
73+ /* Add 3 padding bytes for extractContigSamples32bits */
74+ obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
75 if (obuf == NULL)
76 return 1;
77
78@@ -1229,7 +1234,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
79
80 stripsize = TIFFVStripSize(out, nrows);
81 src = buf + (row * rowsize);
82- memset (obuf, '\0', rowstripsize);
83+ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
84 if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump))
85 {
86 _TIFFfree(obuf);
87@@ -1237,10 +1242,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
88 }
89 if ((dump->outfile != NULL) && (dump->level == 1))
90 {
91- dump_info(dump->outfile, dump->format,"",
92+ if (scanlinesize > 0x0ffffffffULL) {
93+ dump_info(dump->infile, dump->format, "loadImage",
94+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
95+ scanlinesize);
96+ }
97+ dump_info(dump->outfile, dump->format,"",
98 "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d",
99- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf);
100- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf);
101+ s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf);
102+ dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf);
103 }
104
105 if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0)
106@@ -1267,7 +1277,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
107 uint32_t tl, tw;
108 uint32_t row, col, nrow, ncol;
109 uint32_t src_rowsize, col_offset;
110- uint32_t tile_rowsize = TIFFTileRowSize(out);
111+ tmsize_t tile_rowsize = TIFFTileRowSize(out);
112 uint8_t* bufp = (uint8_t*) buf;
113 tsize_t tile_buffsize = 0;
114 tsize_t tilesize = TIFFTileSize(out);
115@@ -1310,9 +1320,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
116 }
117 src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
118
119- tilebuf = limitMalloc(tile_buffsize);
120+ /* Add 3 padding bytes for extractContigSamples32bits */
121+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
122 if (tilebuf == 0)
123 return 1;
124+ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
125 for (row = 0; row < imagelength; row += tl)
126 {
127 nrow = (row + tl > imagelength) ? imagelength - row : tl;
128@@ -1358,7 +1370,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
129 uint32_t imagewidth, tsample_t spp,
130 struct dump_opts * dump)
131 {
132- tdata_t obuf = limitMalloc(TIFFTileSize(out));
133+ /* Add 3 padding bytes for extractContigSamples32bits */
134+ tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
135 uint32_t tl, tw;
136 uint32_t row, col, nrow, ncol;
137 uint32_t src_rowsize, col_offset;
138@@ -1368,6 +1381,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
139
140 if (obuf == NULL)
141 return 1;
142+ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
143
144 if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
145 !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
146@@ -1793,14 +1807,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
147
148 *opt_offset = '\0';
149 /* convert option to lowercase */
150- end = strlen (opt_ptr);
151+ end = (unsigned int)strlen (opt_ptr);
152 for (i = 0; i < end; i++)
153 *(opt_ptr + i) = tolower((int) *(opt_ptr + i));
154 /* Look for dump format specification */
155 if (strncmp(opt_ptr, "for", 3) == 0)
156 {
157 /* convert value to lowercase */
158- end = strlen (opt_offset + 1);
159+ end = (unsigned int)strlen (opt_offset + 1);
160 for (i = 1; i <= end; i++)
161 *(opt_offset + i) = tolower((int) *(opt_offset + i));
162 /* check dump format value */
163@@ -2273,6 +2287,8 @@ main(int argc, char* argv[])
164 size_t length;
165 char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */
166
167+ assert(NUM_BUFF_OVERSIZE_BYTES >= 3);
168+
169 little_endian = *((unsigned char *)&little_endian) & '1';
170
171 initImageData(&image);
172@@ -3227,13 +3243,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
173 /* If we have a full buffer's worth, write it out */
174 if (ready_bits >= 32)
175 {
176- bytebuff1 = (buff2 >> 56);
177+ bytebuff1 = (uint8_t)(buff2 >> 56);
178 *dst++ = bytebuff1;
179- bytebuff2 = (buff2 >> 48);
180+ bytebuff2 = (uint8_t)(buff2 >> 48);
181 *dst++ = bytebuff2;
182- bytebuff3 = (buff2 >> 40);
183+ bytebuff3 = (uint8_t)(buff2 >> 40);
184 *dst++ = bytebuff3;
185- bytebuff4 = (buff2 >> 32);
186+ bytebuff4 = (uint8_t)(buff2 >> 32);
187 *dst++ = bytebuff4;
188 ready_bits -= 32;
189
190@@ -3642,13 +3658,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
191 }
192 else /* If we have a full buffer's worth, write it out */
193 {
194- bytebuff1 = (buff2 >> 56);
195+ bytebuff1 = (uint8_t)(buff2 >> 56);
196 *dst++ = bytebuff1;
197- bytebuff2 = (buff2 >> 48);
198+ bytebuff2 = (uint8_t)(buff2 >> 48);
199 *dst++ = bytebuff2;
200- bytebuff3 = (buff2 >> 40);
201+ bytebuff3 = (uint8_t)(buff2 >> 40);
202 *dst++ = bytebuff3;
203- bytebuff4 = (buff2 >> 32);
204+ bytebuff4 = (uint8_t)(buff2 >> 32);
205 *dst++ = bytebuff4;
206 ready_bits -= 32;
207
208@@ -3825,10 +3841,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3
209 static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
210 {
211 uint8_t* bufp = buf;
212- int32_t bytes_read = 0;
213+ tmsize_t bytes_read = 0;
214 uint32_t strip, nstrips = TIFFNumberOfStrips(in);
215- uint32_t stripsize = TIFFStripSize(in);
216- uint32_t rows = 0;
217+ tmsize_t stripsize = TIFFStripSize(in);
218+ tmsize_t rows = 0;
219 uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
220 tsize_t scanline_size = TIFFScanlineSize(in);
221
222@@ -3841,11 +3857,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
223 bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1);
224 rows = bytes_read / scanline_size;
225 if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize))
226- TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32,
227+ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64,
228 strip + 1, bytes_read, stripsize);
229
230 if (bytes_read < 0 && !ignore) {
231- TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows",
232+ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows",
233 strip, rows);
234 return 0;
235 }
236@@ -4310,13 +4326,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
237 /* If we have a full buffer's worth, write it out */
238 if (ready_bits >= 32)
239 {
240- bytebuff1 = (buff2 >> 56);
241+ bytebuff1 = (uint8_t)(buff2 >> 56);
242 *dst++ = bytebuff1;
243- bytebuff2 = (buff2 >> 48);
244+ bytebuff2 = (uint8_t)(buff2 >> 48);
245 *dst++ = bytebuff2;
246- bytebuff3 = (buff2 >> 40);
247+ bytebuff3 = (uint8_t)(buff2 >> 40);
248 *dst++ = bytebuff3;
249- bytebuff4 = (buff2 >> 32);
250+ bytebuff4 = (uint8_t)(buff2 >> 32);
251 *dst++ = bytebuff4;
252 ready_bits -= 32;
253
254@@ -4359,10 +4375,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
255 "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
256 row + 1, col + 1, src_byte, src_bit, dst - out);
257
258- dump_long (dumpfile, format, "Match bits ", matchbits);
259+ dump_wide (dumpfile, format, "Match bits ", matchbits);
260 dump_data (dumpfile, format, "Src bits ", src, 4);
261- dump_long (dumpfile, format, "Buff1 bits ", buff1);
262- dump_long (dumpfile, format, "Buff2 bits ", buff2);
263+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
264+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
265 dump_byte (dumpfile, format, "Write bits1", bytebuff1);
266 dump_byte (dumpfile, format, "Write bits2", bytebuff2);
267 dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
268@@ -4835,13 +4851,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
269 /* If we have a full buffer's worth, write it out */
270 if (ready_bits >= 32)
271 {
272- bytebuff1 = (buff2 >> 56);
273+ bytebuff1 = (uint8_t)(buff2 >> 56);
274 *dst++ = bytebuff1;
275- bytebuff2 = (buff2 >> 48);
276+ bytebuff2 = (uint8_t)(buff2 >> 48);
277 *dst++ = bytebuff2;
278- bytebuff3 = (buff2 >> 40);
279+ bytebuff3 = (uint8_t)(buff2 >> 40);
280 *dst++ = bytebuff3;
281- bytebuff4 = (buff2 >> 32);
282+ bytebuff4 = (uint8_t)(buff2 >> 32);
283 *dst++ = bytebuff4;
284 ready_bits -= 32;
285
286@@ -4884,10 +4900,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
287 "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
288 row + 1, col + 1, src_byte, src_bit, dst - out);
289
290- dump_long (dumpfile, format, "Match bits ", matchbits);
291+ dump_wide (dumpfile, format, "Match bits ", matchbits);
292 dump_data (dumpfile, format, "Src bits ", src, 4);
293- dump_long (dumpfile, format, "Buff1 bits ", buff1);
294- dump_long (dumpfile, format, "Buff2 bits ", buff2);
295+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
296+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
297 dump_byte (dumpfile, format, "Write bits1", bytebuff1);
298 dump_byte (dumpfile, format, "Write bits2", bytebuff2);
299 dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
300@@ -4910,7 +4926,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
301 {
302 int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
303 uint32_t j;
304- int32_t bytes_read = 0;
305+ tmsize_t bytes_read = 0;
306 uint16_t bps = 0, planar;
307 uint32_t nstrips;
308 uint32_t strips_per_sample;
309@@ -4976,7 +4992,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
310 for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
311 {
312 srcbuffs[s] = NULL;
313- buff = limitMalloc(stripsize + 3);
314+ buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES);
315 if (!buff)
316 {
317 TIFFError ("readSeparateStripsIntoBuffer",
318@@ -4999,7 +5015,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
319 buff = srcbuffs[s];
320 strip = (s * strips_per_sample) + j;
321 bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
322- rows_this_strip = bytes_read / src_rowsize;
323+ rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
324 if (bytes_read < 0 && !ignore)
325 {
326 TIFFError(TIFFFileName(in),
327@@ -6062,13 +6078,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
328 uint16_t input_compression = 0, input_photometric = 0;
329 uint16_t subsampling_horiz, subsampling_vert;
330 uint32_t width = 0, length = 0;
331- uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0;
332+ tmsize_t stsize = 0, tlsize = 0, buffsize = 0;
333+ tmsize_t scanlinesize = 0;
334 uint32_t tw = 0, tl = 0; /* Tile width and length */
335- uint32_t tile_rowsize = 0;
336+ tmsize_t tile_rowsize = 0;
337 unsigned char *read_buff = NULL;
338 unsigned char *new_buff = NULL;
339 int readunit = 0;
340- static uint32_t prev_readsize = 0;
341+ static tmsize_t prev_readsize = 0;
342
343 TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
344 TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
345@@ -6325,6 +6342,8 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
346 /* The buffsize_check and the possible adaptation of buffsize
347 * has to account also for padding of each line to a byte boundary.
348 * This is assumed by mirrorImage() and rotateImage().
349+ * Furthermore, functions like extractContigSamplesShifted32bits()
350+ * need a buffer, which is at least 3 bytes larger than the actual image.
351 * Otherwise buffer-overflow might occur there.
352 */
353 buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8);
354@@ -6376,7 +6395,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
355 TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
356 return (-1);
357 }
358- read_buff = (unsigned char *)limitMalloc(buffsize+3);
359+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
360 }
361 else
362 {
363@@ -6387,11 +6406,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
364 TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
365 return (-1);
366 }
367- new_buff = _TIFFrealloc(read_buff, buffsize+3);
368+ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
369 if (!new_buff)
370 {
371 free (read_buff);
372- read_buff = (unsigned char *)limitMalloc(buffsize+3);
373+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
374 }
375 else
376 read_buff = new_buff;
377@@ -6464,8 +6483,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
378 dump_info (dump->infile, dump->format, "",
379 "Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp);
380
381+ if (scanlinesize > 0x0ffffffffULL) {
382+ dump_info(dump->infile, dump->format, "loadImage",
383+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
384+ scanlinesize);
385+ }
386 for (i = 0; i < length; i++)
387- dump_buffer(dump->infile, dump->format, 1, scanlinesize,
388+ dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize,
389 i, read_buff + (i * scanlinesize));
390 }
391 return (0);
392@@ -7485,13 +7509,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image,
393 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
394 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
395 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
396- int inknameslen = strlen(inknames) + 1;
397+ int inknameslen = (int)strlen(inknames) + 1;
398 const char* cp = inknames;
399 while (ninks > 1) {
400 cp = strchr(cp, '\0');
401 if (cp) {
402 cp++;
403- inknameslen += (strlen(cp) + 1);
404+ inknameslen += ((int)strlen(cp) + 1);
405 }
406 ninks--;
407 }
408@@ -7554,23 +7578,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
409
410 if (!sect_buff)
411 {
412- sect_buff = (unsigned char *)limitMalloc(sectsize);
413+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
414 if (!sect_buff)
415 {
416 TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
417 return (-1);
418 }
419- _TIFFmemset(sect_buff, 0, sectsize);
420+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
421 }
422 else
423 {
424 if (prev_sectsize < sectsize)
425 {
426- new_buff = _TIFFrealloc(sect_buff, sectsize);
427+ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES);
428 if (!new_buff)
429 {
430 _TIFFfree (sect_buff);
431- sect_buff = (unsigned char *)limitMalloc(sectsize);
432+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
433 }
434 else
435 sect_buff = new_buff;
436@@ -7580,7 +7604,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
437 TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
438 return (-1);
439 }
440- _TIFFmemset(sect_buff, 0, sectsize);
441+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
442 }
443 }
444
445@@ -7611,17 +7635,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
446 cropsize = crop->bufftotal;
447 crop_buff = seg_buffs[0].buffer;
448 if (!crop_buff)
449- crop_buff = (unsigned char *)limitMalloc(cropsize);
450+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
451 else
452 {
453 prev_cropsize = seg_buffs[0].size;
454 if (prev_cropsize < cropsize)
455 {
456- next_buff = _TIFFrealloc(crop_buff, cropsize);
457+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
458 if (! next_buff)
459 {
460 _TIFFfree (crop_buff);
461- crop_buff = (unsigned char *)limitMalloc(cropsize);
462+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
463 }
464 else
465 crop_buff = next_buff;
466@@ -7634,7 +7658,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
467 return (-1);
468 }
469
470- _TIFFmemset(crop_buff, 0, cropsize);
471+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
472 seg_buffs[0].buffer = crop_buff;
473 seg_buffs[0].size = cropsize;
474
475@@ -7714,17 +7738,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
476 cropsize = crop->bufftotal;
477 crop_buff = seg_buffs[i].buffer;
478 if (!crop_buff)
479- crop_buff = (unsigned char *)limitMalloc(cropsize);
480+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
481 else
482 {
483 prev_cropsize = seg_buffs[0].size;
484 if (prev_cropsize < cropsize)
485 {
486- next_buff = _TIFFrealloc(crop_buff, cropsize);
487+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
488 if (! next_buff)
489 {
490 _TIFFfree (crop_buff);
491- crop_buff = (unsigned char *)limitMalloc(cropsize);
492+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
493 }
494 else
495 crop_buff = next_buff;
496@@ -7737,7 +7761,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
497 return (-1);
498 }
499
500- _TIFFmemset(crop_buff, 0, cropsize);
501+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
502 seg_buffs[i].buffer = crop_buff;
503 seg_buffs[i].size = cropsize;
504
505@@ -7853,24 +7877,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
506 crop_buff = *crop_buff_ptr;
507 if (!crop_buff)
508 {
509- crop_buff = (unsigned char *)limitMalloc(cropsize);
510+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
511 if (!crop_buff)
512 {
513 TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
514 return (-1);
515 }
516- _TIFFmemset(crop_buff, 0, cropsize);
517+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
518 prev_cropsize = cropsize;
519 }
520 else
521 {
522 if (prev_cropsize < cropsize)
523 {
524- new_buff = _TIFFrealloc(crop_buff, cropsize);
525+ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
526 if (!new_buff)
527 {
528 free (crop_buff);
529- crop_buff = (unsigned char *)limitMalloc(cropsize);
530+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
531 }
532 else
533 crop_buff = new_buff;
534@@ -7879,7 +7903,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
535 TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
536 return (-1);
537 }
538- _TIFFmemset(crop_buff, 0, cropsize);
539+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
540 }
541 }
542
543@@ -8177,13 +8201,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
544 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
545 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
546 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
547- int inknameslen = strlen(inknames) + 1;
548+ int inknameslen = (int)strlen(inknames) + 1;
549 const char* cp = inknames;
550 while (ninks > 1) {
551 cp = strchr(cp, '\0');
552 if (cp) {
553 cp++;
554- inknameslen += (strlen(cp) + 1);
555+ inknameslen += ((int)strlen(cp) + 1);
556 }
557 ninks--;
558 }
559@@ -8568,13 +8592,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
560 }
561 else /* If we have a full buffer's worth, write it out */
562 {
563- bytebuff1 = (buff2 >> 56);
564+ bytebuff1 = (uint8_t)(buff2 >> 56);
565 *dst++ = bytebuff1;
566- bytebuff2 = (buff2 >> 48);
567+ bytebuff2 = (uint8_t)(buff2 >> 48);
568 *dst++ = bytebuff2;
569- bytebuff3 = (buff2 >> 40);
570+ bytebuff3 = (uint8_t)(buff2 >> 40);
571 *dst++ = bytebuff3;
572- bytebuff4 = (buff2 >> 32);
573+ bytebuff4 = (uint8_t)(buff2 >> 32);
574 *dst++ = bytebuff4;
575 ready_bits -= 32;
576
577@@ -8643,12 +8667,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
578 return (-1);
579 }
580
581- if (!(rbuff = (unsigned char *)limitMalloc(buffsize)))
582+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
583+ if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
584 {
585- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize);
586+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
587 return (-1);
588 }
589- _TIFFmemset(rbuff, '\0', buffsize);
590+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
591
592 ibuff = *ibuff_ptr;
593 switch (rotation)
594@@ -9176,13 +9201,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width,
595 }
596 else /* If we have a full buffer's worth, write it out */
597 {
598- bytebuff1 = (buff2 >> 56);
599+ bytebuff1 = (uint8_t)(buff2 >> 56);
600 *dst++ = bytebuff1;
601- bytebuff2 = (buff2 >> 48);
602+ bytebuff2 = (uint8_t)(buff2 >> 48);
603 *dst++ = bytebuff2;
604- bytebuff3 = (buff2 >> 40);
605+ bytebuff3 = (uint8_t)(buff2 >> 40);
606 *dst++ = bytebuff3;
607- bytebuff4 = (buff2 >> 32);
608+ bytebuff4 = (uint8_t)(buff2 >> 32);
609 *dst++ = bytebuff4;
610 ready_bits -= 32;
611
612@@ -9273,12 +9298,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
613 {
614 case MIRROR_BOTH:
615 case MIRROR_VERT:
616- line_buff = (unsigned char *)limitMalloc(rowsize);
617+ line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES);
618 if (line_buff == NULL)
619 {
620- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize);
621+ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES);
622 return (-1);
623 }
624+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
625
626 dst = ibuff + (rowsize * (length - 1));
627 for (row = 0; row < length / 2; row++)
628@@ -9310,11 +9336,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
629 }
630 else
631 { /* non 8 bit per sample data */
632- if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1)))
633+ if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES)))
634 {
635 TIFFError("mirrorImage", "Unable to allocate mirror line buffer");
636 return (-1);
637 }
638+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
639 bytes_per_sample = (bps + 7) / 8;
640 bytes_per_pixel = ((bps * spp) + 7) / 8;
641 if (bytes_per_pixel < (bytes_per_sample + 1))
642@@ -9326,7 +9353,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
643 {
644 row_offset = row * rowsize;
645 src = ibuff + row_offset;
646- _TIFFmemset (line_buff, '\0', rowsize);
647+ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
648 switch (shift_width)
649 {
650 case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff))
651--
6522.34.1
653
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
index caf6f60479..29cb4111d6 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.4.0.bb
@@ -12,6 +12,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
12 file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \ 12 file://0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch \
13 file://CVE-2022-34526.patch \ 13 file://CVE-2022-34526.patch \
14 file://CVE-2022-2953.patch \ 14 file://CVE-2022-2953.patch \
15 file://0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch \
16 file://0001-tiffcrop-S-option-Make-decision-simpler.patch \
17 file://0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch \
18 file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \
15 " 19 "
16 20
17SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed" 21SRC_URI[sha256sum] = "917223b37538959aca3b790d2d73aa6e626b688e02dcda272aec24c2f498abed"
@@ -25,7 +29,6 @@ CVE_CHECK_IGNORE += "CVE-2015-7313"
25# These issues only affect libtiff post-4.3.0 but before 4.4.0, 29# These issues only affect libtiff post-4.3.0 but before 4.4.0,
26# caused by 3079627e and fixed by b4e79bfa. 30# caused by 3079627e and fixed by b4e79bfa.
27CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623" 31CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
28
29# Issue is in jbig which we don't enable 32# Issue is in jbig which we don't enable
30CVE_CHECK_IGNORE += "CVE-2022-1210" 33CVE_CHECK_IGNORE += "CVE-2022-1210"
31 34
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-05-10 00:08:51 +0000