From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001
From: 4ugustus
Date: Thu, 10 Mar 2022 08:48:00 +0000
Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
CVE: CVE-2022-0924
Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0924.patch/]
Signed-off-by: Ranjitsinh Rathod
Comment: No change in any hunk
---
 tools/tiffcp.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 224583e0..aa32b118 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -1524,12 +1524,27 @@ DECLAREwriteFunc(writeBufferToSeparateSt
 tdata_t obuf;
 tstrip_t strip = 0;
 tsample_t s;
+ uint16 bps = 0, bytes_per_sample;
 obuf = _TIFFmalloc(stripsize);
 if (obuf == NULL)
 return (0);
 _TIFFmemset(obuf, 0, stripsize);
 (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
+ if( bps == 0 )
+ {
+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
+ _TIFFfree(obuf);
+ return 0;
+ }
+ if( (bps % 8) != 0 )
+ {
+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
+ _TIFFfree(obuf);
+ return 0;
+ }
+ bytes_per_sample = bps/8;
 for (s = 0; s < spp; s++) {
 uint32 row;
 for (row = 0; row < imagelength; row += rowsperstrip) {
@@ -1539,7 +1539,7 @@ DECLAREwriteFunc(writeBufferToSeparateSt
 cpContigBufToSeparateBuf(
 obuf, (uint8*) buf + row*rowsize + s,
- nrows, imagewidth, 0, 0, spp, 1);
+ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
 if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
 TIFFError(TIFFFileName(out),
 "Error, can't write strip %u",
--
GitLab
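Review bot: The BitsPerSample validation in the first hunk runs after `_TIFFmalloc(stripsize)`, so both new error paths have to repeat `_TIFFfree(obuf); return 0;`. Reading and checking the tag before the allocation would leave the early returns with nothing to release, and a check added later could not leak obuf by forgetting the free. The return value of TIFFGetField is discarded and a missing tag is detected only through the `bps = 0` initialiser; a short comment such as `/* bps stays 0 when the tag cannot be read */` would make that dependency explicit. The function starts and ends outside this hunk.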
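Review bot: The source pointer passed to cpContigBufToSeparateBuf in the second hunk still advances by `s` bytes per sample plane (`(uint8*) buf + row*rowsize + s`), while the copy width is now `bytes_per_sample`. For 16-bit or wider samples that would appear to start plane s in the middle of a sample, so the offset probably needs to scale as well: `obuf, (uint8*) buf + row*rowsize + s*bytes_per_sample,`. Whether `rowsize` counts bytes or samples is defined outside this hunk and should be confirmed at the same time, since both terms determine how far into `buf` the copy reads.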