backport of:
From 698497c71263bc74acb5f34c4544966f8a79e095 Mon Sep 17 00:00:00 2001
From: Augustus <wangdw.augustus@qq.com>
Date: Mon, 7 Mar 2022 17:59:54 +0800
Subject: [PATCH] fix heap-buffer-overflow in tiffcp and tiffcrop (issue-277 and issue-398)
---
 tools/tiffcp.c | 5 +++--
 tools/tiffcrop.c | 10 ++++++----
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index 224583e06..cafea55e1 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -858,16 +858,17 @@ tiffcp(TIFF* in, TIFF* out)
 { uint16 ninks;
 const char* inknames;
+ uint16 spp = samplesperpixel;
 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
 int inknameslen = strlen(inknames) + 1;
 const char* cp = inknames;
- while (ninks > 1) {
+ while (spp > 1) {
 cp = strchr(cp, '\0');
 cp++;
 inknameslen += (strlen(cp) + 1);
- ninks--;
+ spp--;
 }
 TIFFSetField(out, TIFFTAG_INKNAMES, inknameslen, inknames);
 }
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index f2e5474ae..5682c6986 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -7432,18 +7432,19 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image,
 }
 { uint16 ninks;
 const char* inknames;
+ uint16 samplesperpixel = image->spp;
 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
 int inknameslen = (int)strlen(inknames) + 1;
 const char* cp = inknames;
- while (ninks > 1) {
+ while (samplesperpixel > 1) {
 cp = strchr(cp, '\0');
 if (cp) {
 cp++;
 inknameslen += ((int)strlen(cp) + 1);
 }
- ninks--;
+ samplesperpixel--;
 }
 TIFFSetField(out, TIFFTAG_INKNAMES, inknameslen, inknames);
 }
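Review bot: The walk over `inknames` in tiffcp() is still bounded only by a count and not by the size of the INKNAMES data, so `strchr(cp, '\0')` followed by `strlen(cp)` stays inside the buffer only if the field really holds at least `spp` NUL-terminated names. The hunk replaces one file-derived count (`ninks`) with another (`samplesperpixel`, assigned outside the hunk), which suggests the fix relies on the library having checked INKNAMES against SamplesPerPixel when the tag was read; that is not visible here and should be stated, e.g. `/* INKNAMES is walked once per sample; assumes libtiff validated the tag against SamplesPerPixel */`. The same applies to both tiffcrop.c hunks. In this file `int inknameslen = strlen(inknames) + 1;` also narrows size_t to int silently, unlike the `(int)strlen(...)` form used in tiffcrop.c.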
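Review bot: The `if (cp)` guard inside the loop in writeSingleSection() can never be false, because `strchr(cp, '\0')` always returns a pointer to the terminator, so it offers no protection when INKNAMES holds fewer names than `samplesperpixel`. It reads like a bounds check; either drop it or replace it with a comment naming what actually bounds the walk. The identical guard appears in the writeCroppedImage() hunk. Separately, NUMBEROFINKS is still copied to `out` unchanged while the name count now follows `image->spp`, so the two tags written may disagree when the input's NumberOfInks differs from its samples per pixel; confirm that this is acceptable for the output file.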
@@ -8120,18 +8121,19 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image,
 }
 { uint16 ninks;
 const char* inknames;
+ uint16 samplesperpixel = image->spp;
 if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) {
 TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks);
 if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) {
 int inknameslen = (int)strlen(inknames) + 1;
 const char* cp = inknames;
- while (ninks > 1) {
+ while (samplesperpixel > 1) {
 cp = strchr(cp, '\0');
 if (cp) {
 cp++;
 inknameslen += ((int)strlen(cp) + 1);
 }
- ninks--;
+ samplesperpixel--;
 }
 TIFFSetField(out, TIFFTAG_INKNAMES, inknameslen, inknames);
 }
-- GitLab
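Review bot: This is now the third copy of the same ink-name length computation (tiffcp(), writeSingleSection(), writeCroppedImage()), and the copies already differ: the tiffcp.c one has no casts and no `if (cp)` test. A `static` helper in tiffcrop.c that takes `in`, `out` and the sample count, called from both writers, would let the next correction to this loop land in one place instead of three. The enclosing function starts and ends outside the hunk, so whether a variable named `samplesperpixel` already exists in an outer scope there should be checked before keeping that local name.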