|
|
@@ -0,0 +1,73 @@
|
|
|
+From 0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5 Mon Sep 17 00:00:00 2001
|
|
|
+From: Lee Howard <faxguy@howardsilvan.com>
|
|
|
+Date: Fri, 5 Sep 2025 21:42:35 +0000
|
|
|
+Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue
|
|
|
+ #721
|
|
|
+
|
|
|
+CVE: CVE-2025-8961
|
|
|
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5]
|
|
|
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
|
|
|
+---
|
|
|
+ tools/tiffcrop.c | 8 +++++++-
|
|
|
+ 1 file changed, 7 insertions(+), 1 deletion(-)
|
|
|
+
|
|
|
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
|
|
+index ae414efc..be250cc9 100644
|
|
|
+--- a/tools/tiffcrop.c
|
|
|
++++ b/tools/tiffcrop.c
|
|
|
+@@ -1072,6 +1072,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
|
|
|
+ "Unable to extract row %" PRIu32
|
|
|
+ " from tile %" PRIu32,
|
|
|
+ row, TIFFCurrentTile(in));
|
|
|
++ _TIFFfree(tilebuf);
|
|
|
+ return 1;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+@@ -1086,6 +1087,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
|
|
|
+ "Unable to extract row %" PRIu32
|
|
|
+ " from tile %" PRIu32,
|
|
|
+ row, TIFFCurrentTile(in));
|
|
|
++ _TIFFfree(tilebuf);
|
|
|
+ return 1;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+@@ -1098,6 +1100,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
|
|
|
+ "Unable to extract row %" PRIu32
|
|
|
+ " from tile %" PRIu32,
|
|
|
+ row, TIFFCurrentTile(in));
|
|
|
++ _TIFFfree(tilebuf);
|
|
|
+ return 1;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+@@ -1110,6 +1113,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
|
|
|
+ "Unable to extract row %" PRIu32
|
|
|
+ " from tile %" PRIu32,
|
|
|
+ row, TIFFCurrentTile(in));
|
|
|
++ _TIFFfree(tilebuf);
|
|
|
+ return 1;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+@@ -1124,12 +1128,14 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf,
|
|
|
+ "Unable to extract row %" PRIu32
|
|
|
+ " from tile %" PRIu32,
|
|
|
+ row, TIFFCurrentTile(in));
|
|
|
++ _TIFFfree(tilebuf);
|
|
|
+ return 1;
|
|
|
+ }
|
|
|
+ break;
|
|
|
+ default:
|
|
|
+ TIFFError("readContigTilesIntoBuffer",
|
|
|
+ "Unsupported bit depth %" PRIu16, bps);
|
|
|
++ _TIFFfree(tilebuf);
|
|
|
+ return 1;
|
|
|
+ }
|
|
|
+ }
|
|
|
+@@ -2901,7 +2907,7 @@ int main(int argc, char *argv[])
|
|
|
+ }
|
|
|
+
|
|
|
+ /* If we did not use the read buffer as the crop buffer */
|
|
|
+- if (read_buff)
|
|
|
++ if (read_buff && read_buff != crop_buff)
|
|
|
+ _TIFFfree(read_buff);
|
|
|
+
|
|
|
+ if (crop_buff)
|
Peter Marko