File tiff-CVE-2023-3164.patch of Package tiff.34105
Index: tiff-4.0.9/tools/tiffcrop.c
===================================================================
--- tiff-4.0.9.orig/tools/tiffcrop.c
+++ tiff-4.0.9/tools/tiffcrop.c
@@ -458,6 +458,7 @@ static uint16 defcompression = (uint16)
static uint16 defpredictor = (uint16) -1;
static int pageNum = 0;
static int little_endian = 1;
+static tmsize_t check_buffsize = 0;
/* Functions adapted from tiffcp with additions or significant modifications */
static int readContigStripsIntoBuffer (TIFF*, uint8*);
@@ -2081,6 +2082,11 @@ void process_command_opts (int argc, ch
TIFFError ("Limit for subdivisions, ie rows x columns, exceeded", "%d", MAX_SECTIONS);
exit (-1);
}
+ if ((page->cols * page->rows) < 1)
+ {
+ TIFFError("No subdivisions", "%d", (page->cols * page->rows));
+ exit(EXIT_FAILURE);
+ }
page->mode |= PAGE_MODE_ROWSCOLS;
break;
case 'U': /* units for measurements and offsets */
@@ -4348,7 +4354,7 @@ combineSeparateTileSamplesBytes (unsigne
dst = out + (row * dst_rowsize);
src_offset = row * src_rowsize;
#ifdef DEVELMODE
- TIFFError("","Tile row %4d, Src offset %6d Dst offset %6d",
+ TIFFError("","Tile row %4d, Src offset %6d Dst offset %6zd",
row, src_offset, dst - out);
#endif
for (col = 0; col < cols; col++)
@@ -4943,7 +4949,7 @@ static int readSeparateStripsIntoBuffer
break;
}
#ifdef DEVELMODE
- TIFFError("", "Strip %2d, read %5d bytes for %4d scanlines, shift width %d",
+ TIFFError("", "Strip %2d, read %5zd bytes for %4d scanlines, shift width %d",
strip, bytes_read, rows_this_strip, shift_width);
#endif
}
@@ -6304,6 +6310,8 @@ loadImage(TIFF* in, struct image_data *i
return (-1);
}
+ check_buffsize = buffsize + NUM_BUFF_OVERSIZE_BYTES;
+
read_buff[buffsize] = 0;
read_buff[buffsize+1] = 0;
read_buff[buffsize+2] = 0;
@@ -6930,6 +6938,12 @@ extractImageSection(struct image_data *i
#ifdef DEVELMODE
TIFFError ("", "Src offset: %8d, Dst offset: %8d", src_offset, dst_offset);
#endif
+ if (src_offset + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
+
_TIFFmemcpy (sect_buff + dst_offset, src_buff + src_offset, full_bytes);
dst_offset += full_bytes;
}
@@ -6965,6 +6979,11 @@ extractImageSection(struct image_data *i
bytebuff1 = bytebuff2 = 0;
if (shift1 == 0) /* the region is byte and sample alligned */
{
+ if (offset1 + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
_TIFFmemcpy (sect_buff + dst_offset, src_buff + offset1, full_bytes);
#ifdef DEVELMODE
@@ -6984,6 +7003,11 @@ extractImageSection(struct image_data *i
if (trailing_bits != 0)
{
/* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
+ if (offset1 + full_bytes >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
sect_buff[dst_offset] = bytebuff2;
#ifdef DEVELMODE
@@ -7009,6 +7033,11 @@ extractImageSection(struct image_data *i
{
/* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
/* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
+ if (offset1 + j + 1 >= check_buffsize)
+ {
+ printf("Bad input. Preventing reading outside of input buffer.\n");
+ return(-1);
+ }
bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));