|
@@ -0,0 +1,71 @@
|
|
|
+From 8a7a48d7a645992ca83062b3a1873c951661e2b3 Mon Sep 17 00:00:00 2001
|
|
|
+From: Lee Howard <faxguy@howardsilvan.com>
|
|
|
+Date: Sun, 11 Aug 2024 16:01:07 +0000
|
|
|
+Subject: [PATCH] Attempt to address tiffcrop Coverity scan issues 1605444,
|
|
|
+ 1605445, and 1605449.
|
|
|
+
|
|
|
+CVE: CVE-2025-8851
|
|
|
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/8a7a48d7a645992ca83062b3a1873c951661e2b3]
|
|
|
+
|
|
|
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
|
|
|
+---
|
|
|
+ tools/tiffcrop.c | 17 ++++++++++++-----
|
|
|
+ 1 file changed, 12 insertions(+), 5 deletions(-)
|
|
|
+
|
|
|
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
|
|
+index 1b072d4..e16bc2d 100644
|
|
|
+--- a/tools/tiffcrop.c
|
|
|
++++ b/tools/tiffcrop.c
|
|
|
+@@ -5024,7 +5024,14 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
|
|
|
+ buff = srcbuffs[s];
|
|
|
+ strip = (s * strips_per_sample) + j;
|
|
|
+ bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
|
|
|
+- rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
|
|
|
++ if (bytes_read < 0)
|
|
|
++ {
|
|
|
++ rows_this_strip = 0;
|
|
|
++ }
|
|
|
++ else
|
|
|
++ {
|
|
|
++ rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
|
|
|
++ }
|
|
|
+ if (bytes_read < 0 && !ignore)
|
|
|
+ {
|
|
|
+ TIFFError(TIFFFileName(in),
|
|
|
+@@ -5434,14 +5441,14 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
|
|
|
+ rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
|
|
|
+ }
|
|
|
+
|
|
|
+- if ((lmargin + rmargin) > image->width)
|
|
|
++ if (lmargin == 0xFFFFFFFFU || rmargin == 0xFFFFFFFFU || (lmargin + rmargin) > image->width)
|
|
|
+ {
|
|
|
+ TIFFError("computeInputPixelOffsets", "Combined left and right margins exceed image width");
|
|
|
+ lmargin = (uint32_t) 0;
|
|
|
+ rmargin = (uint32_t) 0;
|
|
|
+ return (-1);
|
|
|
+ }
|
|
|
+- if ((tmargin + bmargin) > image->length)
|
|
|
++ if (tmargin == 0xFFFFFFFFU || bmargin == 0xFFFFFFFFU || (tmargin + bmargin) > image->length)
|
|
|
+ {
|
|
|
+ TIFFError("computeInputPixelOffsets", "Combined top and bottom margins exceed image length");
|
|
|
+ tmargin = (uint32_t) 0;
|
|
|
+@@ -5977,14 +5984,14 @@ computeOutputPixelOffsets (struct crop_mask *crop, struct image_data *image,
|
|
|
+ vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
|
|
|
+ }
|
|
|
+
|
|
|
+- if ((hmargin * 2.0) > (pwidth * page->hres))
|
|
|
++ if (hmargin == 0xFFFFFFFFU || (hmargin * 2.0) > (pwidth * page->hres))
|
|
|
+ {
|
|
|
+ TIFFError("computeOutputPixelOffsets",
|
|
|
+ "Combined left and right margins exceed page width");
|
|
|
+ hmargin = (uint32_t) 0;
|
|
|
+ return (-1);
|
|
|
+ }
|
|
|
+- if ((vmargin * 2.0) > (plength * page->vres))
|
|
|
++ if (vmargin == 0xFFFFFFFFU || (vmargin * 2.0) > (plength * page->vres))
|
|
|
+ {
|
|
|
+ TIFFError("computeOutputPixelOffsets",
|
|
|
+ "Combined top and bottom margins exceed page length");
|
|
|
+--
|
|
|
+2.40.0
|
|
|
+
|
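Review bot: In the computeInputPixelOffsets hunk of the backported patch, the added `== 0xFFFFFFFFU` tests only catch a margin that `_TIFFClampDoubleToUInt32` saturated, while `(lmargin + rmargin)` and `(tmargin + bmargin)` can still wrap if these variables are 32-bit unsigned (the `(uint32_t) 0` assignments suggest they are). Two large but unsaturated margins could then sum to a small value and pass the width/length check. An overflow-free comparison, kept alongside the sentinel tests, would be `lmargin > image->width || rmargin > image->width - lmargin` and likewise `tmargin > image->length || bmargin > image->length - tmargin`. The computeOutputPixelOffsets checks multiply by `2.0` in double and are not affected by this. All three function bodies start and end outside the hunks, so the declared types should be confirmed against the full tools/tiffcrop.c.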