85 lines
2.9 KiB
Diff
85 lines
2.9 KiB
Diff
From b4cf40182c865db554c6e67034afa6ea12c5554d Mon Sep 17 00:00:00 2001
|
|
From: Su_Laus <sulau@freenet.de>
|
|
Date: Sun, 6 Feb 2022 10:53:45 +0100
|
|
Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
|
|
|
|
uint32_t underflow.
|
|
|
|
CVE: CVE-2022-2869
|
|
|
|
Upstream-Status: Backport
|
|
[https://gitlab.com/libtiff/libtiff/-/commit/bcf28bb7f630f24fa47701a9907013f3548092cd?merge_request_iid=294]
|
|
|
|
Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
|
|
|
|
---
|
|
tools/tiffcrop.c | 34 +++++++++++++++++++---------------
|
|
1 file changed, 19 insertions(+), 15 deletions(-)
|
|
|
|
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
|
index b9b13d8..4a4ace8 100644
|
|
--- a/tools/tiffcrop.c
|
|
+++ b/tools/tiffcrop.c
|
|
@@ -5194,26 +5194,30 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
|
|
y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
|
|
y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
|
|
}
|
|
- if (x1 < 1)
|
|
- crop->regionlist[i].x1 = 0;
|
|
- else
|
|
+ /* region needs to be within image sizes 0.. width-1; 0..length-1
|
|
+ * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1)
|
|
+ */
|
|
+ if (x1 > image->width - 1)
|
|
+ crop->regionlist[i].x1 = image->width - 1;
|
|
+ else if (x1 > 0)
|
|
crop->regionlist[i].x1 = (uint32_t) (x1 - 1);
|
|
|
|
- if (x2 > image->width - 1)
|
|
- crop->regionlist[i].x2 = image->width - 1;
|
|
- else
|
|
- crop->regionlist[i].x2 = (uint32_t) (x2 - 1);
|
|
+ if (x2 > image->width - 1)
|
|
+ crop->regionlist[i].x2 = image->width - 1;
|
|
+ else if (x2 > 0)
|
|
+ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
|
|
+
|
|
zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
|
|
|
|
- if (y1 < 1)
|
|
- crop->regionlist[i].y1 = 0;
|
|
- else
|
|
- crop->regionlist[i].y1 = (uint32_t) (y1 - 1);
|
|
+ if (y1 > image->length - 1)
|
|
+ crop->regionlist[i].y1 = image->length - 1;
|
|
+ else if (y1 > 0)
|
|
+ crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
|
|
|
|
if (y2 > image->length - 1)
|
|
crop->regionlist[i].y2 = image->length - 1;
|
|
- else
|
|
- crop->regionlist[i].y2 = (uint32_t) (y2 - 1);
|
|
+ else if (y2 > 0)
|
|
+ crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
|
|
|
|
zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
|
|
|
|
@@ -5376,7 +5380,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
|
|
crop_width = endx - startx + 1;
|
|
crop_length = endy - starty + 1;
|
|
|
|
- if (crop_width <= 0)
|
|
+ if (endx + 1 <= startx)
|
|
{
|
|
TIFFError("computeInputPixelOffsets",
|
|
"Invalid left/right margins and /or image crop width requested");
|
|
@@ -5385,7 +5389,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
|
|
if (crop_width > image->width)
|
|
crop_width = image->width;
|
|
|
|
- if (crop_length <= 0)
|
|
+ if (endy + 1 <= starty)
|
|
{
|
|
TIFFError("computeInputPixelOffsets",
|
|
"Invalid top/bottom margins and /or image crop length requested");
|