1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
[Ubuntu note: Backport of the following patch from upstream, with a few changes
to match the current version of the file in the present Ubuntu release:
. using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet);
-- Rodrigo Figueiredo Zaiden]
Backport of:
From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 31 Oct 2023 15:58:41 +0100
Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
col/row (fixes #622)
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-52356.patch?h=ubuntu/focal-security
Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
CVE: CVE-2023-52356
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
libtiff/tif_getimage.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- tiff-4.1.0+git191117.orig/libtiff/tif_getimage.c
+++ tiff-4.1.0+git191117/libtiff/tif_getimage.c
@@ -2926,6 +2926,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 r
}
if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
+ if (row >= img.height)
+ {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+ "Invalid row passed to TIFFReadRGBAStrip().");
+ TIFFRGBAImageEnd(&img);
+ return (0);
+ }
img.row_offset = row;
img.col_offset = 0;
@@ -3002,6 +3009,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 co
return( 0 );
}
+ if (col >= img.width || row >= img.height)
+ {
+ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
+ "Invalid row/col passed to TIFFReadRGBATile().");
+ TIFFRGBAImageEnd(&img);
+ return (0);
+ }
+
/*
* The TIFFRGBAImageGet() function doesn't allow us to get off the
* edge of the image, even to fill an otherwise valid tile. So we
|