File tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,... of Package tiff

Overview Repositories Revisions Requests Users Attributes Meta

File tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch of Package tiff (Revision d3ea0a119229ade121035bf7df3c17c7)

Currently displaying revision d3ea0a119229ade121035bf7df3c17c7 , Show latest

Index: tiff-4.5.0/tools/tiffcrop.c
===================================================================
--- tiff-4.5.0.orig/tools/tiffcrop.c
+++ tiff-4.5.0/tools/tiffcrop.c
@@ -5930,18 +5930,40 @@ static int computeInputPixelOffsets(stru
 
             crop->regionlist[i].buffsize = buffsize;
             crop->bufftotal += buffsize;
+
+            /* For composite images with more than one region, the
+             * combined_length or combined_width always needs to be equal,
+             * respectively.
+             * Otherwise, even the first section/region copy
+             * action might cause buffer overrun. */
             if (crop->img_mode == COMPOSITE_IMAGES)
             {
                 switch (crop->edge_ref)
                 {
                     case EDGE_LEFT:
                     case EDGE_RIGHT:
+                        if (i > 0 && zlength != crop->combined_length)
+                        {
+                            TIFFError(
+                                "computeInputPixelOffsets",
+                                "Only equal length regions can be combined for "
+                                "-E left or right");
+                            return (-1);
+                        }
                         crop->combined_length = zlength;
                         crop->combined_width += zwidth;
                         break;
                     case EDGE_BOTTOM:
                     case EDGE_TOP: /* width from left, length from top */
                     default:
+                        if (i > 0 && zwidth != crop->combined_width)
+                        {
+                            TIFFError("computeInputPixelOffsets",
+                                      "Only equal width regions can be "
+                                      "combined for -E "
+                                      "top or bottom");
+                            return (-1);
+                        }
                         crop->combined_width = zwidth;
                         crop->combined_length += zlength;
                         break;
@@ -7300,6 +7322,46 @@ static int extractCompositeRegions(struc
     crop->combined_width = 0;
     crop->combined_length = 0;
 
+    /* If there is more than one region, check beforehand whether all the width
+     * and length values of the regions are the same, respectively. */
+    switch (crop->edge_ref)
+    {
+        default:
+        case EDGE_TOP:
+        case EDGE_BOTTOM:
+            for (i = 1; i < crop->selections; i++)
+            {
+                uint32_t crop_width0 =
+                    crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
+                uint32_t crop_width1 =
+                    crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+                if (crop_width0 != crop_width1)
+                {
+                    TIFFError("extractCompositeRegions",
+                              "Only equal width regions can be combined for -E "
+                              "top or bottom");
+                    return (1);
+                }
+            }
+            break;
+        case EDGE_LEFT:
+        case EDGE_RIGHT:
+            for (i = 1; i < crop->selections; i++)
+            {
+                uint32_t crop_length0 =
+                    crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
+                uint32_t crop_length1 =
+                    crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+                if (crop_length0 != crop_length1)
+                {
+                    TIFFError("extractCompositeRegions",
+                              "Only equal length regions can be combined for "
+                              "-E left or right");
+                    return (1);
+                }
+            }
+    }
+
     for (i = 0; i < crop->selections; i++)
     {
         /* rows, columns, width, length are expressed in pixels */
@@ -7323,7 +7385,8 @@ static int extractCompositeRegions(struc
             default:
             case EDGE_TOP:
             case EDGE_BOTTOM:
-                if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
+                if ((crop->selections > i + 1) &&
+                    (crop_width != crop->regionlist[i + 1].width))
                 {
                     TIFFError("extractCompositeRegions",
                               "Only equal width regions can be combined for -E "
@@ -7416,7 +7479,8 @@ static int extractCompositeRegions(struc
             case EDGE_LEFT: /* splice the pieces of each row together, side by
                                side */
             case EDGE_RIGHT:
-                if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
+                if ((crop->selections > i + 1) &&
+                    (crop_length != crop->regionlist[i + 1].length))
                 {
                     TIFFError("extractCompositeRegions",
                               "Only equal length regions can be combined for "

Places

File tiff-CVE-2023-0800,CVE-2023-0801,CVE-2023-0802,CVE-2023-0803,CVE-2023-0804.patch of Package tiff (Revision d3ea0a119229ade121035bf7df3c17c7)

Places