1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
From 2ebfffb0e8836bfb1cd7d85c059cd285c59761a4 Mon Sep 17 00:00:00 2001
From: Lee Howard <faxguy@howardsilvan.com>
Date: Sat, 5 Oct 2024 09:45:30 -0700
Subject: [PATCH] Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH for valid
input, addresses issue #650
CVE: CVE-2024-13978
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/2ebfffb0e8836bfb1cd7d85c059cd285c59761a4]
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
tools/tiff2pdf.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 63751f1..fef28d1 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1255,9 +1255,25 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){
TIFFGetField(input,
TIFFTAG_TILEWIDTH,
&( t2p->tiff_tiles[i].tiles_tilewidth) );
+ if (t2p->tiff_tiles[i].tiles_tilewidth < 1)
+ {
+ TIFFError(TIFF2PDF_MODULE, "Invalid tile width (%d), %s",
+ t2p->tiff_tiles[i].tiles_tilewidth,
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
TIFFGetField(input,
TIFFTAG_TILELENGTH,
&( t2p->tiff_tiles[i].tiles_tilelength) );
+ if (t2p->tiff_tiles[i].tiles_tilelength < 1)
+ {
+ TIFFError(TIFF2PDF_MODULE, "Invalid tile length (%d), %s",
+ t2p->tiff_tiles[i].tiles_tilelength,
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
t2p->tiff_tiles[i].tiles_tiles =
(T2P_TILE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,t2p->tiff_tiles[i].tiles_tilecount,
sizeof(T2P_TILE)) );
--
2.40.0
|
