From 6dd7006103f9612fbd22e9c7c1b93d16691370a4 Mon Sep 17 00:00:00 2001
From: Lee Howard <faxguy@howardsilvan.com>
Date: Fri, 27 Sep 2024 11:21:57 -0700
Subject: [PATCH 1/7] Fix issue #649 in fax2ps caused by regression in commit
https://gitlab.com/libtiff/libtiff/-/commit/28c38d648b64a66c3218778c4745225fe3e3a06d
where TIFFTAG_FAXFILLFUNC is being used rather than an output buffer.
CVE: CVE-2024-13978
Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/7be20ccaab97455f192de0ac561ceda7cd9e12d1]
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
libtiff/tif_read.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
index 7efab59..964f119 100644
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -466,7 +466,9 @@ int TIFFReadScanline(TIFF *tif, void *buf, uint32_t row, uint16_t sample)
}
else
{
- memset(buf, 0, (size_t)tif->tif_scanlinesize);
+ /* See TIFFReadEncodedStrip comment regarding TIFFTAG_FAXFILLFUNC. */
+ if (buf)
+ memset(buf, 0, (size_t)tif->tif_scanlinesize);
}
return (e > 0 ? 1 : -1);
}
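Review bot: The comment added in the `else` branch only points at another function (`See TIFFReadEncodedStrip comment regarding TIFFTAG_FAXFILLFUNC`), so a reader of TIFFReadScanline has to look elsewhere to learn why `buf` can be NULL, and the pointer goes stale if that function is moved or renamed. I would state the reason in place, for example `/* buf may be NULL, e.g. when TIFFTAG_FAXFILLFUNC is used; skip zeroing then. */`. The same cross-reference is used in the TIFFReadEncodedTile hunk and in both TIFFReadFromUserBuffer hunks. The start of this function is outside the hunk.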
@@ -554,7 +556,10 @@ tmsize_t TIFFReadEncodedStrip(TIFF *tif, uint32_t strip, void *buf,
stripsize = size;
if (!TIFFFillStrip(tif, strip))
{
- memset(buf, 0, (size_t)stripsize);
+ /* The output buf may be NULL, in particular if TIFFTAG_FAXFILLFUNC
+ is being used. Thus, memset must be conditional on buf not NULL. */
+ if (buf)
+ memset(buf, 0, (size_t)stripsize);
return ((tmsize_t)(-1));
}
if ((*tif->tif_decodestrip)(tif, buf, stripsize, plane) <= 0)
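Review bot: The new `if (buf)` covers only the TIFFFillStrip failure path; on the success path the next statement still hands `buf` to `tif_decodestrip` unchecked, so a NULL buffer is safe only when the active codec really delivers its output through the fill function. Nothing visible here ties the NULL case to TIFFTAG_FAXFILLFUNC being set, so I would record the contract in the function's header comment (outside this hunk), along the lines of `buf may be NULL only when the codec writes through TIFFTAG_FAXFILLFUNC; otherwise it must hold at least size bytes`. The decode calls that follow the guards in the TIFFReadEncodedTile and TIFFReadFromUserBuffer hunks rest on the same implicit assumption.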
@@ -976,7 +981,9 @@ tmsize_t TIFFReadEncodedTile(TIFF *tif, uint32_t tile, void *buf, tmsize_t size)
size = tilesize;
if (!TIFFFillTile(tif, tile))
{
- memset(buf, 0, (size_t)size);
+ /* See TIFFReadEncodedStrip comment regarding TIFFTAG_FAXFILLFUNC. */
+ if (buf)
+ memset(buf, 0, (size_t)size);
return ((tmsize_t)(-1));
}
else if ((*tif->tif_decodetile)(tif, (uint8_t *)buf, size,
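Review bot: The guarded memset keeps the `(size_t)size` cast of a signed `tmsize_t` that originates from the caller, so a negative value would turn into a very large length. The clamping of `size` sits above this hunk, so it cannot be confirmed from here whether a negative value other than -1 can reach this line; if it can, the guard is better written as `if (buf && size > 0)`. The same cast is applied to `stripsize` in the TIFFReadEncodedStrip hunk and to `outsize` in both TIFFReadFromUserBuffer hunks.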
@@ -1569,7 +1576,9 @@ int TIFFReadFromUserBuffer(TIFF *tif, uint32_t strile, void *inbuf,
if (!TIFFStartTile(tif, strile))
{
ret = 0;
- memset(outbuf, 0, (size_t)outsize);
+ /* See related TIFFReadEncodedStrip comment. */
+ if (outbuf)
+ memset(outbuf, 0, (size_t)outsize);
}
else if (!(*tif->tif_decodetile)(
tif, (uint8_t *)outbuf, outsize,
@@ -1596,7 +1605,9 @@ int TIFFReadFromUserBuffer(TIFF *tif, uint32_t strile, void *inbuf,
if (!TIFFStartStrip(tif, strile))
{
ret = 0;
- memset(outbuf, 0, (size_t)outsize);
+ /* See related TIFFReadEncodedStrip comment. */
+ if (outbuf)
+ memset(outbuf, 0, (size_t)outsize);
}
else if (!(*tif->tif_decodestrip)(
tif, (uint8_t *)outbuf, outsize,
--
2.47.3