From: Markus Koschany <apo@debian.org>
Date: Tue, 21 Feb 2023 14:39:52 +0100
Subject: CVE-2023-0800
This is also the fix for CVE-2023-0801, CVE-2023-0802, CVE-2023-0803,
CVE-2023-0804.
Bug-Debian: https://bugs.debian.org/1031632
Origin: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00
---
tools/tiffcrop.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 69 insertions(+), 4 deletions(-)
Index: tiff-4.2.0/tools/tiffcrop.c
===================================================================
--- tiff-4.2.0.orig/tools/tiffcrop.c
+++ tiff-4.2.0/tools/tiffcrop.c
@@ -5304,18 +5304,40 @@ computeInputPixelOffsets(struct crop_mas
crop->regionlist[i].buffsize = buffsize;
crop->bufftotal += buffsize;
+
+ /* For composite images with more than one region, the
+ * combined_length or combined_width always needs to be equal,
+ * respectively.
+ * Otherwise, even the first section/region copy
+ * action might cause buffer overrun. */
if (crop->img_mode == COMPOSITE_IMAGES)
{
switch (crop->edge_ref)
{
case EDGE_LEFT:
case EDGE_RIGHT:
+ if (i > 0 && zlength != crop->combined_length)
+ {
+ TIFFError(
+ "computeInputPixelOffsets",
+ "Only equal length regions can be combined for "
+ "-E left or right");
+ return (-1);
+ }
crop->combined_length = zlength;
crop->combined_width += zwidth;
break;
case EDGE_BOTTOM:
case EDGE_TOP: /* width from left, length from top */
default:
+ if (i > 0 && zwidth != crop->combined_width)
+ {
+ TIFFError("computeInputPixelOffsets",
+ "Only equal width regions can be "
+ "combined for -E "
+ "top or bottom");
+ return (-1);
+ }
crop->combined_width = zwidth;
crop->combined_length += zlength;
break;
@@ -6470,6 +6492,47 @@ extractCompositeRegions(struct image_dat
crop->combined_width = 0;
crop->combined_length = 0;
+ /* If there is more than one region, check beforehand whether all the width
+ * and length values of the regions are the same, respectively. */
+ switch (crop->edge_ref)
+ {
+ default:
+ case EDGE_TOP:
+ case EDGE_BOTTOM:
+ for (i = 1; i < crop->selections; i++)
+ {
+ uint32_t crop_width0 =
+ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
+ uint32_t crop_width1 =
+ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ if (crop_width0 != crop_width1)
+ {
+ TIFFError("extractCompositeRegions",
+ "Only equal width regions can be combined for -E "
+ "top or bottom");
+ return (1);
+ }
+ }
+ break;
+ case EDGE_LEFT:
+ case EDGE_RIGHT:
+ for (i = 1; i < crop->selections; i++)
+ {
+ uint32_t crop_length0 =
+ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
+ uint32_t crop_length1 =
+ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+ if (crop_length0 != crop_length1)
+ {
+ TIFFError("extractCompositeRegions",
+ "Only equal length regions can be combined for "
+ "-E left or right");
+ return (1);
+ }
+ }
+ }
+
+
for (i = 0; i < crop->selections; i++)
{
/* rows, columns, width, length are expressed in pixels */
@@ -6493,8 +6556,9 @@ extractCompositeRegions(struct image_dat
default:
case EDGE_TOP:
case EDGE_BOTTOM:
- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
- {
+ if ((crop->selections > i + 1) &&
+ (crop_width != crop->regionlist[i + 1].width))
+ {
TIFFError ("extractCompositeRegions",
"Only equal width regions can be combined for -E top or bottom");
return (1);
@@ -6574,8 +6638,9 @@ extractCompositeRegions(struct image_dat
break;
case EDGE_LEFT: /* splice the pieces of each row together, side by side */
case EDGE_RIGHT:
- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
- {
+ if ((crop->selections > i + 1) &&
+ (crop_length != crop->regionlist[i + 1].length))
+ {
TIFFError ("extractCompositeRegions",
"Only equal length regions can be combined for -E left or right");
return (1);
distrib
>
Mageia
>
8
>
i586
>
media
>
core-updates_testing-src
>
by-pkgid
>
0a4e82cc20594aa76c552ec815a3f474
>
files
>
21
