1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sun, 29 Jan 2023 11:09:26 +0100
Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
image width and length parameters when only cropped image sections are
rotated. Remove buffptr from region structure because never used.
Closes #492 #493 #494 #495 #499 #518 #519
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
CVE: CVE-2023-25434 & CVE-2023-25435
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
tools/tiffcrop.c | 29 +++++++++++++++++------------
1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index aab0ec6..ce84414 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
uint32, uint32, uint8 *, uint8 *);
static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
- unsigned char **, size_t *);
+ unsigned char **, size_t *, int);
static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
unsigned char *);
static int invertImage(uint16, uint16, uint16, uint32, uint32,
@@ -6382,10 +6382,11 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
/* Dummy variable in order not to switch two times the
* image->width,->length within rotateImage(),
* but switch xres, yres there. */
- uint32_t width = image->width;
- uint32_t length = image->length;
- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
- {
+ uint32_t width = image->width;
+ uint32_t length = image->length;
+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,
+ TRUE))
+ {
TIFFError ("correct_orientation", "Unable to rotate image");
return (-1);
}
@@ -7612,7 +7613,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
* accordingly. */
size_t rot_buf_size = 0;
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff, &rot_buf_size))
+ &crop->combined_length, &crop_buff, &rot_buf_size,
+ FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %d degrees", crop->rotation);
@@ -7721,9 +7723,10 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
* its size individually. Therefore, seg_buffs size needs to be
* updated accordingly. */
size_t rot_buf_size = 0;
- if (rotateImage(
- crop->rotation, image, &crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+ if (rotateImage(crop->rotation, image,
+ &crop->regionlist[i].width,
+ &crop->regionlist[i].length, &crop_buff,
+ &rot_buf_size, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %d degrees", crop->rotation);
@@ -7853,7 +7856,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr, NULL))
+ &crop->combined_length, crop_buff_ptr, NULL, TRUE))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %d degrees", crop->rotation);
@@ -8515,8 +8518,10 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
/* Rotate an image by a multiple of 90 degrees clockwise */
static int
-rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
- uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params)
+rotateImage(uint16 rotation, struct image_data *image,
+ uint32 *img_width, uint32 *img_length,
+ unsigned char **ibuff_ptr, size_t *rot_buf_size,
+ int rot_image_params)
{
int shift_width;
uint32 bytes_per_pixel, bytes_per_sample;
--
2.25.1
|