summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@arm.com>2022-11-28 20:01:52 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-12-07 15:02:45 +0000
commit0f37d51b2c11b35a7679818c05e039d55e7cd315 (patch)
tree3f258b250cc9e4dfbe506c73c953926619202ceb
parent809591e49c51a3a362707c88d25ff0ae87cbaa00 (diff)
downloadpoky-0f37d51b2c11b35a7679818c05e039d55e7cd315.tar.gz
tiff: fix a number of CVEs
Backport fixes from upstream for the following CVEs: - CVE-2022-3599 - CVE-2022-3597 - CVE-2022-3626 - CVE-2022-3627 - CVE-2022-3570 - CVE-2022-3598 (From OE-Core rev: ad0780059a105b74313eb6a357360f5ad32333a4) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch266
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch36
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch59
-rw-r--r--meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch640
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.3.0.bb5
5 files changed, 1005 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch b/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
new file mode 100644
index 0000000000..37859c9192
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
@@ -0,0 +1,266 @@
1From f00484b9519df933723deb38fff943dc291a793d Mon Sep 17 00:00:00 2001
2From: Su_Laus <sulau@freenet.de>
3Date: Tue, 30 Aug 2022 16:56:48 +0200
4Subject: [PATCH] Revised handling of TIFFTAG_INKNAMES and related
5 TIFFTAG_NUMBEROFINKS value
6
7In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed:
8
9Behaviour for writing:
10 `NumberOfInks` MUST fit to the number of inks in the `InkNames` string.
11 `NumberOfInks` is automatically set when `InkNames` is set.
12 If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
13 If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
14
15Behaviour for reading:
16 When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string.
17 If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued.
18 If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued.
19
20This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow
21
22This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456.
23
24It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
25
26CVE: CVE-2022-3599
27Upstream-Status: Backport
28Signed-off-by: Ross Burton <ross.burton@arm.com>
29---
30 libtiff/tif_dir.c | 119 ++++++++++++++++++++++++-----------------
31 libtiff/tif_dir.h | 2 +
32 libtiff/tif_dirinfo.c | 2 +-
33 libtiff/tif_dirwrite.c | 5 ++
34 libtiff/tif_print.c | 4 ++
35 5 files changed, 82 insertions(+), 50 deletions(-)
36
37diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
38index 793e8a79..816f7756 100644
39--- a/libtiff/tif_dir.c
40+++ b/libtiff/tif_dir.c
41@@ -136,32 +136,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32_t* v)
42 }
43
44 /*
45- * Confirm we have "samplesperpixel" ink names separated by \0. Returns
46+ * Count ink names separated by \0. Returns
47 * zero if the ink names are not as expected.
48 */
49-static uint32_t
50-checkInkNamesString(TIFF* tif, uint32_t slen, const char* s)
51+static uint16_t
52+countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
53 {
54- TIFFDirectory* td = &tif->tif_dir;
55- uint16_t i = td->td_samplesperpixel;
56+ uint16_t i = 0;
57+ const char *ep = s + slen;
58+ const char *cp = s;
59
60 if (slen > 0) {
61- const char* ep = s+slen;
62- const char* cp = s;
63- for (; i > 0; i--) {
64+ do {
65 for (; cp < ep && *cp != '\0'; cp++) {}
66 if (cp >= ep)
67 goto bad;
68 cp++; /* skip \0 */
69- }
70- return ((uint32_t)(cp - s));
71+ i++;
72+ } while (cp < ep);
73+ return (i);
74 }
75 bad:
76 TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
77- "%s: Invalid InkNames value; expecting %"PRIu16" names, found %"PRIu16,
78- tif->tif_name,
79- td->td_samplesperpixel,
80- (uint16_t)(td->td_samplesperpixel-i));
81+ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink",
82+ tif->tif_name, slen, i);
83 return (0);
84 }
85
86@@ -478,13 +476,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
87 _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
88 break;
89 case TIFFTAG_INKNAMES:
90- v = (uint16_t) va_arg(ap, uint16_vap);
91- s = va_arg(ap, char*);
92- v = checkInkNamesString(tif, v, s);
93- status = v > 0;
94- if( v > 0 ) {
95- _TIFFsetNString(&td->td_inknames, s, v);
96- td->td_inknameslen = v;
97+ {
98+ v = (uint16_t) va_arg(ap, uint16_vap);
99+ s = va_arg(ap, char*);
100+ uint16_t ninksinstring;
101+ ninksinstring = countInkNamesString(tif, v, s);
102+ status = ninksinstring > 0;
103+ if(ninksinstring > 0 ) {
104+ _TIFFsetNString(&td->td_inknames, s, v);
105+ td->td_inknameslen = v;
106+ /* Set NumberOfInks to the value ninksinstring */
107+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
108+ {
109+ if (td->td_numberofinks != ninksinstring) {
110+ TIFFErrorExt(tif->tif_clientdata, module,
111+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"",
112+ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
113+ td->td_numberofinks = ninksinstring;
114+ }
115+ } else {
116+ td->td_numberofinks = ninksinstring;
117+ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
118+ }
119+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
120+ {
121+ if (td->td_numberofinks != td->td_samplesperpixel) {
122+ TIFFErrorExt(tif->tif_clientdata, module,
123+ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
124+ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
125+ }
126+ }
127+ }
128+ }
129+ break;
130+ case TIFFTAG_NUMBEROFINKS:
131+ v = (uint16_t)va_arg(ap, uint16_vap);
132+ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */
133+ if (TIFFFieldSet(tif, FIELD_INKNAMES))
134+ {
135+ if (v != td->td_numberofinks) {
136+ TIFFErrorExt(tif->tif_clientdata, module,
137+ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")",
138+ tif->tif_name, fip->field_name, v, td->td_numberofinks);
139+ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */
140+ status = 0;
141+ }
142+ } else {
143+ td->td_numberofinks = (uint16_t)v;
144+ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
145+ {
146+ if (td->td_numberofinks != td->td_samplesperpixel) {
147+ TIFFErrorExt(tif->tif_clientdata, module,
148+ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
149+ tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
150+ }
151+ }
152 }
153 break;
154 case TIFFTAG_PERSAMPLE:
155@@ -986,34 +1032,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
156 if (fip->field_bit == FIELD_CUSTOM) {
157 standard_tag = 0;
158 }
159-
160- if( standard_tag == TIFFTAG_NUMBEROFINKS )
161- {
162- int i;
163- for (i = 0; i < td->td_customValueCount; i++) {
164- uint16_t val;
165- TIFFTagValue *tv = td->td_customValues + i;
166- if (tv->info->field_tag != standard_tag)
167- continue;
168- if( tv->value == NULL )
169- return 0;
170- val = *(uint16_t *)tv->value;
171- /* Truncate to SamplesPerPixel, since the */
172- /* setting code for INKNAMES assume that there are SamplesPerPixel */
173- /* inknames. */
174- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
175- if( val > td->td_samplesperpixel )
176- {
177- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
178- "Truncating NumberOfInks from %u to %"PRIu16,
179- val, td->td_samplesperpixel);
180- val = td->td_samplesperpixel;
181- }
182- *va_arg(ap, uint16_t*) = val;
183- return 1;
184- }
185- return 0;
186- }
187
188 switch (standard_tag) {
189 case TIFFTAG_SUBFILETYPE:
190@@ -1195,6 +1213,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
191 case TIFFTAG_INKNAMES:
192 *va_arg(ap, const char**) = td->td_inknames;
193 break;
194+ case TIFFTAG_NUMBEROFINKS:
195+ *va_arg(ap, uint16_t *) = td->td_numberofinks;
196+ break;
197 default:
198 {
199 int i;
200diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h
201index 09065648..0c251c9e 100644
202--- a/libtiff/tif_dir.h
203+++ b/libtiff/tif_dir.h
204@@ -117,6 +117,7 @@ typedef struct {
205 /* CMYK parameters */
206 int td_inknameslen;
207 char* td_inknames;
208+ uint16_t td_numberofinks; /* number of inks in InkNames string */
209
210 int td_customValueCount;
211 TIFFTagValue *td_customValues;
212@@ -174,6 +175,7 @@ typedef struct {
213 #define FIELD_TRANSFERFUNCTION 44
214 #define FIELD_INKNAMES 46
215 #define FIELD_SUBIFD 49
216+#define FIELD_NUMBEROFINKS 50
217 /* FIELD_CUSTOM (see tiffio.h) 65 */
218 /* end of support for well-known tags; codec-private tags follow */
219 #define FIELD_CODEC 66 /* base of codec-private tags */
220diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
221index 3371cb5c..3b4bcd33 100644
222--- a/libtiff/tif_dirinfo.c
223+++ b/libtiff/tif_dirinfo.c
224@@ -114,7 +114,7 @@ tiffFields[] = {
225 { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray },
226 { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
227 { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
228- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL },
229+ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL },
230 { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL },
231 { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL },
232 { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL },
233diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
234index 6c86fdca..062e4610 100644
235--- a/libtiff/tif_dirwrite.c
236+++ b/libtiff/tif_dirwrite.c
237@@ -626,6 +626,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64_t* pdiroff)
238 if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames))
239 goto bad;
240 }
241+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
242+ {
243+ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks))
244+ goto bad;
245+ }
246 if (TIFFFieldSet(tif,FIELD_SUBIFD))
247 {
248 if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir))
249diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
250index 16ce5780..a91b9e7b 100644
251--- a/libtiff/tif_print.c
252+++ b/libtiff/tif_print.c
253@@ -397,6 +397,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
254 }
255 fputs("\n", fd);
256 }
257+ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) {
258+ fprintf(fd, " NumberOfInks: %d\n",
259+ td->td_numberofinks);
260+ }
261 if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) {
262 fprintf(fd, " Thresholding: ");
263 switch (td->td_threshholding) {
264--
2652.34.1
266
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch
new file mode 100644
index 0000000000..79b4ff3f6e
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch
@@ -0,0 +1,36 @@
1From bad48e90b410df32172006c7876da449ba62cdba Mon Sep 17 00:00:00 2001
2From: Su_Laus <sulau@freenet.de>
3Date: Sat, 20 Aug 2022 23:35:26 +0200
4Subject: [PATCH] tiffcrop -S option: Make decision simpler.
5
6Upstream-Status: Backport
7Signed-off-by: Ross Burton <ross.burton@arm.com>
8
9---
10 tools/tiffcrop.c | 10 +++++-----
11 1 file changed, 5 insertions(+), 5 deletions(-)
12
13diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
14index c3b758ec..8fd856dc 100644
15--- a/tools/tiffcrop.c
16+++ b/tools/tiffcrop.c
17@@ -2133,11 +2133,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
18 }
19 /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
20 char XY, Z, R, S;
21- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH));
22- Z = (crop_data->crop_mode & CROP_ZONES);
23- R = (crop_data->crop_mode & CROP_REGIONS);
24- S = (page->mode & PAGE_MODE_ROWSCOLS);
25- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) {
26+ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
27+ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
28+ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
29+ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
30+ if (XY + Z + R + S > 1) {
31 TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
32 exit(EXIT_FAILURE);
33 }
34--
352.34.1
36
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch
new file mode 100644
index 0000000000..6a62787648
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch
@@ -0,0 +1,59 @@
1From 4746f16253b784287bc8a5003990c1c3b9a03a62 Mon Sep 17 00:00:00 2001
2From: Su_Laus <sulau@freenet.de>
3Date: Thu, 25 Aug 2022 16:11:41 +0200
4Subject: [PATCH] tiffcrop: disable incompatibility of -Z, -X, -Y, -z options
5 with any PAGE_MODE_x option (fixes #411 and #413)
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10tiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S.
11
12Code analysis:
13
14With the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[].
15In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) .
16
17Execution of the else-clause often leads to buffer-overflows.
18
19Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows.
20
21The MR solves issues #411 and #413.
22
23CVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627
24Upstream-Status: Backport
25Signed-off-by: Ross Burton <ross.burton@arm.com>
26---
27 doc/tools/tiffcrop.rst | 8 ++++++++
28 tools/tiffcrop.c | 32 +++++++++++++++++++++++++-------
29 2 files changed, 33 insertions(+), 7 deletions(-)
30
31diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
32index 8fd856dc..41a2ea36 100644
33--- a/tools/tiffcrop.c
34+++ b/tools/tiffcrop.c
35@@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
36 R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
37 S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
38 if (XY + Z + R + S > 1) {
39- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
40+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
41 exit(EXIT_FAILURE);
42 }
43+
44+ /* Check for not allowed combination:
45+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
46+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
47+. */
48+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
49+ TIFFError("tiffcrop input error",
50+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
51+ exit(EXIT_FAILURE);
52+ }
53+
54 } /* end process_command_opts */
55
56 /* Start a new output file if one has not been previously opened or
57--
582.34.1
59
diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch
new file mode 100644
index 0000000000..e10e37ccc9
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch
@@ -0,0 +1,640 @@
1From 1e000b3484808f1ee7a68bd276220d1cd82dec73 Mon Sep 17 00:00:00 2001
2From: Su Laus <sulau@freenet.de>
3Date: Thu, 13 Oct 2022 14:33:27 +0000
4Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271,
5 #381, #386, #388, #389, #435)
6
7CVE: CVE-2022-3570 CVE-2022-3598
8Upstream-Status: Backport
9Signed-off-by: Ross Burton <ross.burton@arm.com>
10---
11 tools/tiffcrop.c | 203 ++++++++++++++++++++++++++---------------------
12 1 file changed, 114 insertions(+), 89 deletions(-)
13
14diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
15index f96c7d60..adf0f849 100644
16--- a/tools/tiffcrop.c
17+++ b/tools/tiffcrop.c
18@@ -210,6 +210,10 @@ static char tiffcrop_rev_date[] = "02-09-2022";
19
20 #define TIFF_DIR_MAX 65534
21
22+/* Some conversion subroutines require image buffers, which are at least 3 bytes
23+ * larger than the necessary size for the image itself. */
24+#define NUM_BUFF_OVERSIZE_BYTES 3
25+
26 /* Offsets into buffer for margins and fixed width and length segments */
27 struct offset {
28 uint32_t tmargin;
29@@ -231,7 +235,7 @@ struct offset {
30 */
31
32 struct buffinfo {
33- uint32_t size; /* size of this buffer */
34+ size_t size; /* size of this buffer */
35 unsigned char *buffer; /* address of the allocated buffer */
36 };
37
38@@ -805,8 +809,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
39 uint32_t dst_rowsize, shift_width;
40 uint32_t bytes_per_sample, bytes_per_pixel;
41 uint32_t trailing_bits, prev_trailing_bits;
42- uint32_t tile_rowsize = TIFFTileRowSize(in);
43- uint32_t src_offset, dst_offset;
44+ tmsize_t tile_rowsize = TIFFTileRowSize(in);
45+ tmsize_t src_offset, dst_offset;
46 uint32_t row_offset, col_offset;
47 uint8_t *bufp = (uint8_t*) buf;
48 unsigned char *src = NULL;
49@@ -856,7 +860,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf,
50 TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
51 exit(EXIT_FAILURE);
52 }
53- tilebuf = limitMalloc(tile_buffsize + 3);
54+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
55 if (tilebuf == 0)
56 return 0;
57 tilebuf[tile_buffsize] = 0;
58@@ -1019,7 +1023,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf,
59 for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++)
60 {
61 srcbuffs[sample] = NULL;
62- tbuff = (unsigned char *)limitMalloc(tilesize + 8);
63+ tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES);
64 if (!tbuff)
65 {
66 TIFFError ("readSeparateTilesIntoBuffer",
67@@ -1213,7 +1217,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
68 }
69 rowstripsize = rowsperstrip * bytes_per_sample * (width + 1);
70
71- obuf = limitMalloc (rowstripsize);
72+ /* Add 3 padding bytes for extractContigSamples32bits */
73+ obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
74 if (obuf == NULL)
75 return 1;
76
77@@ -1226,7 +1231,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
78 stripsize = TIFFVStripSize(out, nrows);
79 src = buf + (row * rowsize);
80 total_bytes += stripsize;
81- memset (obuf, '\0', rowstripsize);
82+ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES);
83 if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump))
84 {
85 _TIFFfree(obuf);
86@@ -1234,10 +1239,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf,
87 }
88 if ((dump->outfile != NULL) && (dump->level == 1))
89 {
90- dump_info(dump->outfile, dump->format,"",
91+ if (scanlinesize > 0x0ffffffffULL) {
92+ dump_info(dump->infile, dump->format, "loadImage",
93+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
94+ scanlinesize);
95+ }
96+ dump_info(dump->outfile, dump->format,"",
97 "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d",
98- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf);
99- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf);
100+ s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf);
101+ dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf);
102 }
103
104 if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0)
105@@ -1264,7 +1274,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
106 uint32_t tl, tw;
107 uint32_t row, col, nrow, ncol;
108 uint32_t src_rowsize, col_offset;
109- uint32_t tile_rowsize = TIFFTileRowSize(out);
110+ tmsize_t tile_rowsize = TIFFTileRowSize(out);
111 uint8_t* bufp = (uint8_t*) buf;
112 tsize_t tile_buffsize = 0;
113 tsize_t tilesize = TIFFTileSize(out);
114@@ -1307,9 +1317,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng
115 }
116 src_rowsize = ((imagewidth * spp * bps) + 7U) / 8;
117
118- tilebuf = limitMalloc(tile_buffsize);
119+ /* Add 3 padding bytes for extractContigSamples32bits */
120+ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
121 if (tilebuf == 0)
122 return 1;
123+ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES);
124 for (row = 0; row < imagelength; row += tl)
125 {
126 nrow = (row + tl > imagelength) ? imagelength - row : tl;
127@@ -1355,7 +1367,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
128 uint32_t imagewidth, tsample_t spp,
129 struct dump_opts * dump)
130 {
131- tdata_t obuf = limitMalloc(TIFFTileSize(out));
132+ /* Add 3 padding bytes for extractContigSamples32bits */
133+ tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
134 uint32_t tl, tw;
135 uint32_t row, col, nrow, ncol;
136 uint32_t src_rowsize, col_offset;
137@@ -1365,6 +1378,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele
138
139 if (obuf == NULL)
140 return 1;
141+ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES);
142
143 if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) ||
144 !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) ||
145@@ -1790,14 +1804,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
146
147 *opt_offset = '\0';
148 /* convert option to lowercase */
149- end = strlen (opt_ptr);
150+ end = (unsigned int)strlen (opt_ptr);
151 for (i = 0; i < end; i++)
152 *(opt_ptr + i) = tolower((int) *(opt_ptr + i));
153 /* Look for dump format specification */
154 if (strncmp(opt_ptr, "for", 3) == 0)
155 {
156 /* convert value to lowercase */
157- end = strlen (opt_offset + 1);
158+ end = (unsigned int)strlen (opt_offset + 1);
159 for (i = 1; i <= end; i++)
160 *(opt_offset + i) = tolower((int) *(opt_offset + i));
161 /* check dump format value */
162@@ -2270,6 +2284,8 @@ main(int argc, char* argv[])
163 size_t length;
164 char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */
165
166+ assert(NUM_BUFF_OVERSIZE_BYTES >= 3);
167+
168 little_endian = *((unsigned char *)&little_endian) & '1';
169
170 initImageData(&image);
171@@ -3222,13 +3238,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols,
172 /* If we have a full buffer's worth, write it out */
173 if (ready_bits >= 32)
174 {
175- bytebuff1 = (buff2 >> 56);
176+ bytebuff1 = (uint8_t)(buff2 >> 56);
177 *dst++ = bytebuff1;
178- bytebuff2 = (buff2 >> 48);
179+ bytebuff2 = (uint8_t)(buff2 >> 48);
180 *dst++ = bytebuff2;
181- bytebuff3 = (buff2 >> 40);
182+ bytebuff3 = (uint8_t)(buff2 >> 40);
183 *dst++ = bytebuff3;
184- bytebuff4 = (buff2 >> 32);
185+ bytebuff4 = (uint8_t)(buff2 >> 32);
186 *dst++ = bytebuff4;
187 ready_bits -= 32;
188
189@@ -3637,13 +3653,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols,
190 }
191 else /* If we have a full buffer's worth, write it out */
192 {
193- bytebuff1 = (buff2 >> 56);
194+ bytebuff1 = (uint8_t)(buff2 >> 56);
195 *dst++ = bytebuff1;
196- bytebuff2 = (buff2 >> 48);
197+ bytebuff2 = (uint8_t)(buff2 >> 48);
198 *dst++ = bytebuff2;
199- bytebuff3 = (buff2 >> 40);
200+ bytebuff3 = (uint8_t)(buff2 >> 40);
201 *dst++ = bytebuff3;
202- bytebuff4 = (buff2 >> 32);
203+ bytebuff4 = (uint8_t)(buff2 >> 32);
204 *dst++ = bytebuff4;
205 ready_bits -= 32;
206
207@@ -3820,10 +3836,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3
208 static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
209 {
210 uint8_t* bufp = buf;
211- int32_t bytes_read = 0;
212+ tmsize_t bytes_read = 0;
213 uint32_t strip, nstrips = TIFFNumberOfStrips(in);
214- uint32_t stripsize = TIFFStripSize(in);
215- uint32_t rows = 0;
216+ tmsize_t stripsize = TIFFStripSize(in);
217+ tmsize_t rows = 0;
218 uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps);
219 tsize_t scanline_size = TIFFScanlineSize(in);
220
221@@ -3836,11 +3852,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf)
222 bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1);
223 rows = bytes_read / scanline_size;
224 if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize))
225- TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32,
226+ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64,
227 strip + 1, bytes_read, stripsize);
228
229 if (bytes_read < 0 && !ignore) {
230- TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows",
231+ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows",
232 strip, rows);
233 return 0;
234 }
235@@ -4305,13 +4321,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
236 /* If we have a full buffer's worth, write it out */
237 if (ready_bits >= 32)
238 {
239- bytebuff1 = (buff2 >> 56);
240+ bytebuff1 = (uint8_t)(buff2 >> 56);
241 *dst++ = bytebuff1;
242- bytebuff2 = (buff2 >> 48);
243+ bytebuff2 = (uint8_t)(buff2 >> 48);
244 *dst++ = bytebuff2;
245- bytebuff3 = (buff2 >> 40);
246+ bytebuff3 = (uint8_t)(buff2 >> 40);
247 *dst++ = bytebuff3;
248- bytebuff4 = (buff2 >> 32);
249+ bytebuff4 = (uint8_t)(buff2 >> 32);
250 *dst++ = bytebuff4;
251 ready_bits -= 32;
252
253@@ -4354,10 +4370,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
254 "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
255 row + 1, col + 1, src_byte, src_bit, dst - out);
256
257- dump_long (dumpfile, format, "Match bits ", matchbits);
258+ dump_wide (dumpfile, format, "Match bits ", matchbits);
259 dump_data (dumpfile, format, "Src bits ", src, 4);
260- dump_long (dumpfile, format, "Buff1 bits ", buff1);
261- dump_long (dumpfile, format, "Buff2 bits ", buff2);
262+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
263+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
264 dump_byte (dumpfile, format, "Write bits1", bytebuff1);
265 dump_byte (dumpfile, format, "Write bits2", bytebuff2);
266 dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
267@@ -4830,13 +4846,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
268 /* If we have a full buffer's worth, write it out */
269 if (ready_bits >= 32)
270 {
271- bytebuff1 = (buff2 >> 56);
272+ bytebuff1 = (uint8_t)(buff2 >> 56);
273 *dst++ = bytebuff1;
274- bytebuff2 = (buff2 >> 48);
275+ bytebuff2 = (uint8_t)(buff2 >> 48);
276 *dst++ = bytebuff2;
277- bytebuff3 = (buff2 >> 40);
278+ bytebuff3 = (uint8_t)(buff2 >> 40);
279 *dst++ = bytebuff3;
280- bytebuff4 = (buff2 >> 32);
281+ bytebuff4 = (uint8_t)(buff2 >> 32);
282 *dst++ = bytebuff4;
283 ready_bits -= 32;
284
285@@ -4879,10 +4895,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols,
286 "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d",
287 row + 1, col + 1, src_byte, src_bit, dst - out);
288
289- dump_long (dumpfile, format, "Match bits ", matchbits);
290+ dump_wide (dumpfile, format, "Match bits ", matchbits);
291 dump_data (dumpfile, format, "Src bits ", src, 4);
292- dump_long (dumpfile, format, "Buff1 bits ", buff1);
293- dump_long (dumpfile, format, "Buff2 bits ", buff2);
294+ dump_wide (dumpfile, format, "Buff1 bits ", buff1);
295+ dump_wide (dumpfile, format, "Buff2 bits ", buff2);
296 dump_byte (dumpfile, format, "Write bits1", bytebuff1);
297 dump_byte (dumpfile, format, "Write bits2", bytebuff2);
298 dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits);
299@@ -4905,7 +4921,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
300 {
301 int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1;
302 uint32_t j;
303- int32_t bytes_read = 0;
304+ tmsize_t bytes_read = 0;
305 uint16_t bps = 0, planar;
306 uint32_t nstrips;
307 uint32_t strips_per_sample;
308@@ -4971,7 +4987,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
309 for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
310 {
311 srcbuffs[s] = NULL;
312- buff = limitMalloc(stripsize + 3);
313+ buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES);
314 if (!buff)
315 {
316 TIFFError ("readSeparateStripsIntoBuffer",
317@@ -4994,7 +5010,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
318 buff = srcbuffs[s];
319 strip = (s * strips_per_sample) + j;
320 bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
321- rows_this_strip = bytes_read / src_rowsize;
322+ rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
323 if (bytes_read < 0 && !ignore)
324 {
325 TIFFError(TIFFFileName(in),
326@@ -6047,13 +6063,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
327 uint16_t input_compression = 0, input_photometric = 0;
328 uint16_t subsampling_horiz, subsampling_vert;
329 uint32_t width = 0, length = 0;
330- uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0;
331+ tmsize_t stsize = 0, tlsize = 0, buffsize = 0;
332+ tmsize_t scanlinesize = 0;
333 uint32_t tw = 0, tl = 0; /* Tile width and length */
334- uint32_t tile_rowsize = 0;
335+ tmsize_t tile_rowsize = 0;
336 unsigned char *read_buff = NULL;
337 unsigned char *new_buff = NULL;
338 int readunit = 0;
339- static uint32_t prev_readsize = 0;
340+ static tmsize_t prev_readsize = 0;
341
342 TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
343 TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
344@@ -6355,7 +6372,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
345 TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
346 return (-1);
347 }
348- read_buff = (unsigned char *)limitMalloc(buffsize+3);
349+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
350 }
351 else
352 {
353@@ -6366,11 +6383,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
354 TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
355 return (-1);
356 }
357- new_buff = _TIFFrealloc(read_buff, buffsize+3);
358+ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
359 if (!new_buff)
360 {
361 free (read_buff);
362- read_buff = (unsigned char *)limitMalloc(buffsize+3);
363+ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
364 }
365 else
366 read_buff = new_buff;
367@@ -6443,8 +6460,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
368 dump_info (dump->infile, dump->format, "",
369 "Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp);
370
371+ if (scanlinesize > 0x0ffffffffULL) {
372+ dump_info(dump->infile, dump->format, "loadImage",
373+ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.",
374+ scanlinesize);
375+ }
376 for (i = 0; i < length; i++)
377- dump_buffer(dump->infile, dump->format, 1, scanlinesize,
378+ dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize,
379 i, read_buff + (i * scanlinesize));
380 }
381 return (0);
382@@ -7464,13 +7486,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image,
383 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
384 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
385 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
386- int inknameslen = strlen(inknames) + 1;
387+ int inknameslen = (int)strlen(inknames) + 1;
388 const char* cp = inknames;
389 while (ninks > 1) {
390 cp = strchr(cp, '\0');
391 if (cp) {
392 cp++;
393- inknameslen += (strlen(cp) + 1);
394+ inknameslen += ((int)strlen(cp) + 1);
395 }
396 ninks--;
397 }
398@@ -7533,23 +7555,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
399
400 if (!sect_buff)
401 {
402- sect_buff = (unsigned char *)limitMalloc(sectsize);
403+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
404 if (!sect_buff)
405 {
406 TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
407 return (-1);
408 }
409- _TIFFmemset(sect_buff, 0, sectsize);
410+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
411 }
412 else
413 {
414 if (prev_sectsize < sectsize)
415 {
416- new_buff = _TIFFrealloc(sect_buff, sectsize);
417+ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES);
418 if (!new_buff)
419 {
420 _TIFFfree (sect_buff);
421- sect_buff = (unsigned char *)limitMalloc(sectsize);
422+ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES);
423 }
424 else
425 sect_buff = new_buff;
426@@ -7559,7 +7581,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr)
427 TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
428 return (-1);
429 }
430- _TIFFmemset(sect_buff, 0, sectsize);
431+ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES);
432 }
433 }
434
435@@ -7590,17 +7612,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
436 cropsize = crop->bufftotal;
437 crop_buff = seg_buffs[0].buffer;
438 if (!crop_buff)
439- crop_buff = (unsigned char *)limitMalloc(cropsize);
440+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
441 else
442 {
443 prev_cropsize = seg_buffs[0].size;
444 if (prev_cropsize < cropsize)
445 {
446- next_buff = _TIFFrealloc(crop_buff, cropsize);
447+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
448 if (! next_buff)
449 {
450 _TIFFfree (crop_buff);
451- crop_buff = (unsigned char *)limitMalloc(cropsize);
452+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
453 }
454 else
455 crop_buff = next_buff;
456@@ -7613,7 +7635,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
457 return (-1);
458 }
459
460- _TIFFmemset(crop_buff, 0, cropsize);
461+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
462 seg_buffs[0].buffer = crop_buff;
463 seg_buffs[0].size = cropsize;
464
465@@ -7693,17 +7715,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
466 cropsize = crop->bufftotal;
467 crop_buff = seg_buffs[i].buffer;
468 if (!crop_buff)
469- crop_buff = (unsigned char *)limitMalloc(cropsize);
470+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
471 else
472 {
473 prev_cropsize = seg_buffs[0].size;
474 if (prev_cropsize < cropsize)
475 {
476- next_buff = _TIFFrealloc(crop_buff, cropsize);
477+ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
478 if (! next_buff)
479 {
480 _TIFFfree (crop_buff);
481- crop_buff = (unsigned char *)limitMalloc(cropsize);
482+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
483 }
484 else
485 crop_buff = next_buff;
486@@ -7716,7 +7738,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
487 return (-1);
488 }
489
490- _TIFFmemset(crop_buff, 0, cropsize);
491+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
492 seg_buffs[i].buffer = crop_buff;
493 seg_buffs[i].size = cropsize;
494
495@@ -7832,24 +7854,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
496 crop_buff = *crop_buff_ptr;
497 if (!crop_buff)
498 {
499- crop_buff = (unsigned char *)limitMalloc(cropsize);
500+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
501 if (!crop_buff)
502 {
503 TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
504 return (-1);
505 }
506- _TIFFmemset(crop_buff, 0, cropsize);
507+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
508 prev_cropsize = cropsize;
509 }
510 else
511 {
512 if (prev_cropsize < cropsize)
513 {
514- new_buff = _TIFFrealloc(crop_buff, cropsize);
515+ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES);
516 if (!new_buff)
517 {
518 free (crop_buff);
519- crop_buff = (unsigned char *)limitMalloc(cropsize);
520+ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES);
521 }
522 else
523 crop_buff = new_buff;
524@@ -7858,7 +7880,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
525 TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
526 return (-1);
527 }
528- _TIFFmemset(crop_buff, 0, cropsize);
529+ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES);
530 }
531 }
532
533@@ -8156,13 +8178,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
534 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
535 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
536 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
537- int inknameslen = strlen(inknames) + 1;
538+ int inknameslen = (int)strlen(inknames) + 1;
539 const char* cp = inknames;
540 while (ninks > 1) {
541 cp = strchr(cp, '\0');
542 if (cp) {
543 cp++;
544- inknameslen += (strlen(cp) + 1);
545+ inknameslen += ((int)strlen(cp) + 1);
546 }
547 ninks--;
548 }
549@@ -8547,13 +8569,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
550 }
551 else /* If we have a full buffer's worth, write it out */
552 {
553- bytebuff1 = (buff2 >> 56);
554+ bytebuff1 = (uint8_t)(buff2 >> 56);
555 *dst++ = bytebuff1;
556- bytebuff2 = (buff2 >> 48);
557+ bytebuff2 = (uint8_t)(buff2 >> 48);
558 *dst++ = bytebuff2;
559- bytebuff3 = (buff2 >> 40);
560+ bytebuff3 = (uint8_t)(buff2 >> 40);
561 *dst++ = bytebuff3;
562- bytebuff4 = (buff2 >> 32);
563+ bytebuff4 = (uint8_t)(buff2 >> 32);
564 *dst++ = bytebuff4;
565 ready_bits -= 32;
566
567@@ -8622,12 +8644,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
568 return (-1);
569 }
570
571- if (!(rbuff = (unsigned char *)limitMalloc(buffsize)))
572+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
573+ if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
574 {
575- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize);
576+ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
577 return (-1);
578 }
579- _TIFFmemset(rbuff, '\0', buffsize);
580+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
581
582 ibuff = *ibuff_ptr;
583 switch (rotation)
584@@ -9155,13 +9178,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width,
585 }
586 else /* If we have a full buffer's worth, write it out */
587 {
588- bytebuff1 = (buff2 >> 56);
589+ bytebuff1 = (uint8_t)(buff2 >> 56);
590 *dst++ = bytebuff1;
591- bytebuff2 = (buff2 >> 48);
592+ bytebuff2 = (uint8_t)(buff2 >> 48);
593 *dst++ = bytebuff2;
594- bytebuff3 = (buff2 >> 40);
595+ bytebuff3 = (uint8_t)(buff2 >> 40);
596 *dst++ = bytebuff3;
597- bytebuff4 = (buff2 >> 32);
598+ bytebuff4 = (uint8_t)(buff2 >> 32);
599 *dst++ = bytebuff4;
600 ready_bits -= 32;
601
602@@ -9252,12 +9275,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
603 {
604 case MIRROR_BOTH:
605 case MIRROR_VERT:
606- line_buff = (unsigned char *)limitMalloc(rowsize);
607+ line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES);
608 if (line_buff == NULL)
609 {
610- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize);
611+ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES);
612 return (-1);
613 }
614+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
615
616 dst = ibuff + (rowsize * (length - 1));
617 for (row = 0; row < length / 2; row++)
618@@ -9289,11 +9313,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
619 }
620 else
621 { /* non 8 bit per sample data */
622- if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1)))
623+ if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES)))
624 {
625 TIFFError("mirrorImage", "Unable to allocate mirror line buffer");
626 return (-1);
627 }
628+ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
629 bytes_per_sample = (bps + 7) / 8;
630 bytes_per_pixel = ((bps * spp) + 7) / 8;
631 if (bytes_per_pixel < (bytes_per_sample + 1))
632@@ -9305,7 +9330,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_
633 {
634 row_offset = row * rowsize;
635 src = ibuff + row_offset;
636- _TIFFmemset (line_buff, '\0', rowsize);
637+ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES);
638 switch (shift_width)
639 {
640 case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff))
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 29a2c38d8e..af9bdcfbde 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -27,6 +27,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
27 file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \ 27 file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \
28 file://0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch \ 28 file://0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch \
29 file://CVE-2022-2953.patch \ 29 file://CVE-2022-2953.patch \
30 file://0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch \
31 file://0001-tiffcrop-S-option-Make-decision-simpler.patch \
32 file://0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch \
33 file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \
30 " 34 "
31 35
32SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" 36SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
@@ -40,7 +44,6 @@ CVE_CHECK_IGNORE += "CVE-2015-7313"
40# These issues only affect libtiff post-4.3.0 but before 4.4.0, 44# These issues only affect libtiff post-4.3.0 but before 4.4.0,
41# caused by 3079627e and fixed by b4e79bfa. 45# caused by 3079627e and fixed by b4e79bfa.
42CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623" 46CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
43
44# Issue is in jbig which we don't enable 47# Issue is in jbig which we don't enable
45CVE_CHECK_IGNORE += "CVE-2022-1210" 48CVE_CHECK_IGNORE += "CVE-2022-1210"
46 49
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-10-31 19:40:42 +0000