File tiff-CVE-2022-2056,CVE-2022-2057,CVE-2022-2058.... of Package tiff

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-CVE-2022-2056,CVE-2022-2057,CVE-2022-2058.patch of Package tiff (Revision 0ad84f4755ad524a5e8111d5e0fb84b8)

Currently displaying revision 0ad84f4755ad524a5e8111d5e0fb84b8 , Show latest

Index: tiff-4.4.0/libtiff/tif_aux.c
===================================================================
--- tiff-4.4.0.orig/libtiff/tif_aux.c
+++ tiff-4.4.0/libtiff/tif_aux.c
@@ -402,6 +402,15 @@ float _TIFFClampDoubleToFloat( double va
     return (float)val;
 }
 
+uint32_t _TIFFClampDoubleToUInt32(double val)
+{
+    if( val < 0 )
+        return 0;
+    if( val > 0xFFFFFFFFU || val != val )
+        return 0xFFFFFFFFU;
+    return (uint32_t)val;
+}
+
 int _TIFFSeekOK(TIFF* tif, toff_t off)
 {
     /* Huge offsets, especially -1 / UINT64_MAX, can cause issues */
Index: tiff-4.4.0/libtiff/tiffiop.h
===================================================================
--- tiff-4.4.0.orig/libtiff/tiffiop.h
+++ tiff-4.4.0/libtiff/tiffiop.h
@@ -365,6 +365,7 @@ extern double _TIFFUInt64ToDouble(uint64
 extern float _TIFFUInt64ToFloat(uint64_t);
 
 extern float _TIFFClampDoubleToFloat(double);
+extern uint32_t _TIFFClampDoubleToUInt32(double);
 
 extern tmsize_t
 _TIFFReadEncodedStripAndAllocBuffer(TIFF* tif, uint32_t strip,
Index: tiff-4.4.0/tools/tiffcrop.c
===================================================================
--- tiff-4.4.0.orig/tools/tiffcrop.c
+++ tiff-4.4.0/tools/tiffcrop.c
@@ -5268,17 +5268,17 @@ computeInputPixelOffsets(struct crop_mas
       {
       if ((crop->res_unit == RESUNIT_INCH) || (crop->res_unit == RESUNIT_CENTIMETER))
         {
-	x1 = (uint32_t) (crop->corners[i].X1 * scale * xres);
-	x2 = (uint32_t) (crop->corners[i].X2 * scale * xres);
-	y1 = (uint32_t) (crop->corners[i].Y1 * scale * yres);
-	y2 = (uint32_t) (crop->corners[i].Y2 * scale * yres);
+	x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1 * scale * xres);
+	x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2 * scale * xres);
+	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1 * scale * yres);
+	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2 * scale * yres);
         }
       else
         {
-	x1 = (uint32_t) (crop->corners[i].X1);
-	x2 = (uint32_t) (crop->corners[i].X2);
-	y1 = (uint32_t) (crop->corners[i].Y1);
-	y2 = (uint32_t) (crop->corners[i].Y2);
+	x1 = _TIFFClampDoubleToUInt32(crop->corners[i].X1);
+	x2 = _TIFFClampDoubleToUInt32(crop->corners[i].X2);
+	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
+	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
 	}
       /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 
        * b) Corners are expected to be submitted as top-left to bottom-right.
@@ -5357,17 +5357,17 @@ computeInputPixelOffsets(struct crop_mas
     {
     if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
       { /* User has specified pixels as reference unit */
-      tmargin = (uint32_t)(crop->margins[0]);
-      lmargin = (uint32_t)(crop->margins[1]);
-      bmargin = (uint32_t)(crop->margins[2]);
-      rmargin = (uint32_t)(crop->margins[3]);
+      tmargin = _TIFFClampDoubleToUInt32(crop->margins[0]);
+      lmargin = _TIFFClampDoubleToUInt32(crop->margins[1]);
+      bmargin = _TIFFClampDoubleToUInt32(crop->margins[2]);
+      rmargin = _TIFFClampDoubleToUInt32(crop->margins[3]);
       }
     else
       { /* inches or centimeters specified */
-      tmargin = (uint32_t)(crop->margins[0] * scale * yres);
-      lmargin = (uint32_t)(crop->margins[1] * scale * xres);
-      bmargin = (uint32_t)(crop->margins[2] * scale * yres);
-      rmargin = (uint32_t)(crop->margins[3] * scale * xres);
+      tmargin = _TIFFClampDoubleToUInt32(crop->margins[0] * scale * yres);
+      lmargin = _TIFFClampDoubleToUInt32(crop->margins[1] * scale * xres);
+      bmargin = _TIFFClampDoubleToUInt32(crop->margins[2] * scale * yres);
+      rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
       }
 
     if ((lmargin + rmargin) > image->width)
@@ -5397,24 +5397,24 @@ computeInputPixelOffsets(struct crop_mas
   if (crop->res_unit != RESUNIT_INCH && crop->res_unit != RESUNIT_CENTIMETER)
     {
     if (crop->crop_mode & CROP_WIDTH)
-      width = (uint32_t)crop->width;
+      width = _TIFFClampDoubleToUInt32(crop->width);
     else
       width = image->width - lmargin - rmargin;
 
     if (crop->crop_mode & CROP_LENGTH)
-      length  = (uint32_t)crop->length;
+      length  = _TIFFClampDoubleToUInt32(crop->length);
     else
       length = image->length - tmargin - bmargin;
     }
   else
     {
     if (crop->crop_mode & CROP_WIDTH)
-      width = (uint32_t)(crop->width * scale * image->xres);
+      width = _TIFFClampDoubleToUInt32(crop->width * scale * image->xres);
     else
       width = image->width - lmargin - rmargin;
 
     if (crop->crop_mode & CROP_LENGTH)
-      length  = (uint32_t)(crop->length * scale * image->yres);
+      length  = _TIFFClampDoubleToUInt32(crop->length * scale * image->yres);
     else
       length = image->length - tmargin - bmargin;
     }
@@ -5868,13 +5868,13 @@ computeOutputPixelOffsets (struct crop_m
     {
     if (page->res_unit == RESUNIT_INCH || page->res_unit == RESUNIT_CENTIMETER)
       { /* inches or centimeters specified */
-      hmargin = (uint32_t)(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
-      vmargin = (uint32_t)(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
+      hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * page->hres * ((image->bps + 7) / 8));
+      vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * page->vres * ((image->bps + 7) / 8));
       }
     else
       { /* Otherwise user has specified pixels as reference unit */
-      hmargin = (uint32_t)(page->hmargin * scale * ((image->bps + 7) / 8));
-      vmargin = (uint32_t)(page->vmargin * scale * ((image->bps + 7) / 8));
+      hmargin = _TIFFClampDoubleToUInt32(page->hmargin * scale * ((image->bps + 7) / 8));
+      vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
       }
 
     if ((hmargin * 2.0) > (pwidth * page->hres))
@@ -5912,13 +5912,13 @@ computeOutputPixelOffsets (struct crop_m
     {
     if (page->mode & PAGE_MODE_PAPERSIZE )
       {
-      owidth  = (uint32_t)((pwidth * page->hres) - (hmargin * 2));
-      olength = (uint32_t)((plength * page->vres) - (vmargin * 2));
+      owidth  = _TIFFClampDoubleToUInt32((pwidth * page->hres) - (hmargin * 2));
+      olength = _TIFFClampDoubleToUInt32((plength * page->vres) - (vmargin * 2));
       }
     else
       {
-      owidth = (uint32_t)(iwidth - (hmargin * 2 * page->hres));
-      olength = (uint32_t)(ilength - (vmargin * 2 * page->vres));
+      owidth = _TIFFClampDoubleToUInt32(iwidth - (hmargin * 2 * page->hres));
+      olength = _TIFFClampDoubleToUInt32(ilength - (vmargin * 2 * page->vres));
       }
     }
 
@@ -5927,6 +5927,12 @@ computeOutputPixelOffsets (struct crop_m
   if (olength > ilength)
     olength = ilength;
 
+  if (owidth == 0 || olength == 0)
+  {
+    TIFFError("computeOutputPixelOffsets", "Integer overflow when calculating the number of pages");
+    exit(EXIT_FAILURE);
+  }
+
   /* Compute the number of pages required for Portrait or Landscape */
   switch (page->orient)
     {
Index: tiff-4.4.0/libtiff/libtiff.def
===================================================================
--- tiff-4.4.0.orig/libtiff/libtiff.def
+++ tiff-4.4.0/libtiff/libtiff.def
@@ -170,6 +170,7 @@ EXPORTS	TIFFAccessTagMethods
 	TIFFYCbCrtoRGB
 	_TIFFCheckMalloc
 	_TIFFCheckRealloc
+        _TIFFClampDoubleToUInt32
 	_TIFFRewriteField
 	_TIFFfree
 	_TIFFmalloc

Places

File tiff-CVE-2022-2056,CVE-2022-2057,CVE-2022-2058.patch of Package tiff (Revision 0ad84f4755ad524a5e8111d5e0fb84b8)

Places