1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
From a80b9eb70a8137e2571b2f32bd05d1a22a5603c4 Mon Sep 17 00:00:00 2001
From: Lee Howard <faxguy@howardsilvan.com>
Date: Sat, 5 Oct 2024 09:45:30 -0700
Subject: [PATCH 2/7] Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH for valid
input, addresses issue #650
CVE: CVE-2024-13978
Upstream-Status: Backport from [https://gitlab.com/libtiff/libtiff/-/commit/2ebfffb0e8836bfb1cd7d85c059cd285c59761a4]
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
tools/tiff2pdf.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
index 6dfc239..2010fee 100644
--- a/tools/tiff2pdf.c
+++ b/tools/tiff2pdf.c
@@ -1371,8 +1371,24 @@ void t2p_read_tiff_init(T2P *t2p, TIFF *input)
t2p->pdf_xrefcount += (t2p->tiff_tiles[i].tiles_tilecount - 1) * 2;
TIFFGetField(input, TIFFTAG_TILEWIDTH,
&(t2p->tiff_tiles[i].tiles_tilewidth));
+ if (t2p->tiff_tiles[i].tiles_tilewidth < 1)
+ {
+ TIFFError(TIFF2PDF_MODULE, "Invalid tile width (%d), %s",
+ t2p->tiff_tiles[i].tiles_tilewidth,
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
TIFFGetField(input, TIFFTAG_TILELENGTH,
&(t2p->tiff_tiles[i].tiles_tilelength));
+ if (t2p->tiff_tiles[i].tiles_tilelength < 1)
+ {
+ TIFFError(TIFF2PDF_MODULE, "Invalid tile length (%d), %s",
+ t2p->tiff_tiles[i].tiles_tilelength,
+ TIFFFileName(input));
+ t2p->t2p_error = T2P_ERR_ERROR;
+ return;
+ }
t2p->tiff_tiles[i].tiles_tiles = (T2P_TILE *)_TIFFmalloc(
TIFFSafeMultiply(tmsize_t, t2p->tiff_tiles[i].tiles_tilecount,
sizeof(T2P_TILE)));
--
2.47.3
|
