path: root/meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch
From 3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Wed, 11 Jun 2025 19:45:19 +0000
Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
 rows at TIFFReadRGBAImageOriented()

CVE: CVE-2025-9900
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99]

Changes-
- Use old API TIFFWarningExt instead of TIFFWarningExtR.

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 libtiff/tif_getimage.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index a9cd48f..4c807ad 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h)
		"No \"put\" routine setupl; probably can not handle image format");
		return (0);
     }
+    /* Verify raster width and height against image width and height. */
+    if (h > img->height)
+    {
+        /* Adapt parameters to read only available lines and put image at
+         * the bottom of the raster. */
+        raster += (size_t)(h - img->height) * w;
+        h = img->height;
+    }
+    if (w > img->width)
+    {
+        TIFFWarningExt(img->tif, TIFFFileName(img->tif),
+                        "Raster width of %d shall not be larger than image "
+                        "width of %d -> raster width adapted for reading",
+                        w, img->width);
+        w = img->width;
+    }
     return (*img->get)(img, raster, w, h);
 }
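Review bot: The added `TIFFWarningExt` call passes `img->tif` as its first argument, but the non-R API takes the client-data handle rather than the `TIFF *`, as the `TIFFErrorExt(tif->tif_clientdata, ...)` call in the second hunk shows. This looks like a leftover from swapping out `TIFFWarningExtR` in the backport; it presumably compiles because the handle type is pointer-sized, but an application-registered warning handler would then receive a `TIFF *` where it expects its own handle, on a path reachable whenever the raster is wider than the image. The call should start `TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif),`. The two `%d` conversions are also fed unsigned 32-bit values (`w` is `uint32_t`, and `img->width` appears to be as well), so `%u` or `PRIu32` would match the arguments. TIFFRGBAImageGet begins above the hunk, so the earlier checks in it are not visible here.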

@@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,

	if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
		img.req_orientation = (uint16_t)orientation;
-		/* XXX verify rwidth and rheight against width and height */
-		ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
-			rwidth, img.height);
+        ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
		TIFFRGBAImageEnd(&img);
	} else {
		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
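Review bot: The replacement call `ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);` is indented with spaces inside a block that is otherwise tab-indented, and the removed `XXX verify rwidth and rheight` marker leaves no pointer to where that check now lives. I would match the surrounding tabs and add a short comment above the call, for example `/* rwidth and rheight are checked against the image size in TIFFRGBAImageGet() */`, so a later reader does not reintroduce the caller-side `raster + (rheight - img.height) * rwidth` offset that underflowed when rheight was smaller than the image height. TIFFReadRGBAImageOriented starts and ends outside the hunk.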
--
2.40.0