meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001
From: Arie Haenel <arie.haenel@jct.ac.il>
Date: Thu, 14 Sep 2023 04:36:58 +0000
Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes
   #592)

CVE: CVE-2023-41175

Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 tools/raw2tiff.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
index 4ee59e5..a811077 100644
--- a/tools/raw2tiff.c
+++ b/tools/raw2tiff.c
@@ -101,6 +101,7 @@ int main(int argc, char *argv[])
     int fd;
     char *outfilename = NULL;
     TIFF *out;
+    uint32_t temp_limit_check = 0;     /* temp for integer overflow checking*/

     uint32_t row, col, band;
     int c;
@@ -221,6 +222,33 @@ int main(int argc, char *argv[])
     if (guessSize(fd, dtype, hdr_size, nbands, swab, &width, &length) < 0)
         return EXIT_FAILURE;

+    /* check for integer overflow in */
+    /* hdr_size + (*width) * (*length) * nbands * depth */
+
+    if ((width == 0) || (length == 0) ){
+        fprintf(stderr, "Too large nbands value specified.\n");
+        return (EXIT_FAILURE);
+    }
+
+    temp_limit_check = nbands * depth;
+
+    if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) )  {
+        fprintf(stderr, "Too large length size specified.\n");
+        return (EXIT_FAILURE);
+    }
+    temp_limit_check = temp_limit_check * length;
+
+    if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) )  {
+        fprintf(stderr, "Too large width size specified.\n");
+        return (EXIT_FAILURE);
+    }
+    temp_limit_check = temp_limit_check * width;
+
+    if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) )  {
+        fprintf(stderr, "Too large header size specified.\n");
+        return (EXIT_FAILURE);
+    }
+
     if (outfilename == NULL)
         outfilename = argv[optind + 1];
     out = TIFFOpen(outfilename, "w");
--
2.35.5