1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
From f7c06c395daf1b2c52ab431e00db2d9fc2ac993e Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 10 May 2022 20:03:17 +0000
Subject: [PATCH] tiffcrop: Fix issue #330 and some more from 320 to 349
Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
CVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Origin: https://gitlab.com/libtiff/libtiff/-/commit/e319508023580e2f70e6e626f745b5b2a1707313
Origin: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf
Origin: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba
Origin: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-01-17
---
tools/tiffcrop.c | 50 ++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 42 insertions(+), 8 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index c923920..a0789a3 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -103,7 +103,12 @@
* selects which functions dump data, with higher numbers selecting
* lower level, scanline level routines. Debug reports a limited set
* of messages to monitor progess without enabling dump logs.
- */
+ *
+ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
+ * In no case should the options be applied to a given selection successively.
+ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
+ */
static char tiffcrop_version_id[] = "2.4.1";
static char tiffcrop_rev_date[] = "03-03-2010";
@@ -176,12 +181,12 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
#define ROTATECW_270 32
#define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
-#define CROP_NONE 0
-#define CROP_MARGINS 1
-#define CROP_WIDTH 2
-#define CROP_LENGTH 4
-#define CROP_ZONES 8
-#define CROP_REGIONS 16
+#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
+#define CROP_MARGINS 1 /* "-m" */
+#define CROP_WIDTH 2 /* "-X" */
+#define CROP_LENGTH 4 /* "-Y" */
+#define CROP_ZONES 8 /* "-Z" */
+#define CROP_REGIONS 16 /* "-z" */
#define CROP_ROTATE 32
#define CROP_MIRROR 64
#define CROP_INVERT 128
@@ -323,7 +328,7 @@ struct crop_mask {
#define PAGE_MODE_RESOLUTION 1
#define PAGE_MODE_PAPERSIZE 2
#define PAGE_MODE_MARGINS 4
-#define PAGE_MODE_ROWSCOLS 8
+#define PAGE_MODE_ROWSCOLS 8 /* for -S option */
#define INVERT_DATA_ONLY 10
#define INVERT_DATA_AND_TAG 11
@@ -754,6 +759,12 @@ static char* usage_info[] = {
" The four debug/dump options are independent, though it makes little sense to",
" specify a dump file without specifying a detail level.",
" ",
+"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.",
+" In no case should the options be applied to a given selection successively.",
+" ",
+"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options",
+" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.",
+" ",
NULL
};
@@ -2112,6 +2123,27 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
/*NOTREACHED*/
}
}
+ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
+ char XY, Z, R, S;
+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
+ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
+ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
+ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
+ if (XY + Z + R + S > 1) {
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
+ exit(EXIT_FAILURE);
+ }
+
+ /* Check for not allowed combination:
+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
+. */
+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
+ TIFFError("tiffcrop input error",
+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
+ exit(EXIT_FAILURE);
+ }
+
} /* end process_command_opts */
/* Start a new output file if one has not been previously opened or
@@ -2384,6 +2416,7 @@ main(int argc, char* argv[])
exit (-1);
}
+ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */
if (crop.selections > 0)
{
if (processCropSelections(&image, &crop, &read_buff, seg_buffs))
@@ -2400,6 +2433,7 @@ main(int argc, char* argv[])
exit (-1);
}
}
+ /* Format and write selected image parts to output file(s). */
if (page.mode == PAGE_MODE_NONE)
{ /* Whole image or sections not based on output page size */
if (crop.selections > 0)
|