1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
From: Markus Koschany <apo@debian.org>
Date: Tue, 21 Feb 2023 14:26:43 +0100
Subject: CVE-2023-0795
This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798,
CVE-2023-0799.
Bug-Debian: https://bugs.debian.org/1031632
Origin: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68
---
tools/tiffcrop.c | 51 ++++++++++++++++++++++++++++++---------------------
1 file changed, 30 insertions(+), 21 deletions(-)
Index: tiff-4.2.0/tools/tiffcrop.c
===================================================================
--- tiff-4.2.0.orig/tools/tiffcrop.c
+++ tiff-4.2.0/tools/tiffcrop.c
@@ -278,7 +278,6 @@ struct region {
uint32 width; /* width in pixels */
uint32 length; /* length in pixels */
uint32 buffsize; /* size of buffer needed to hold the cropped region */
- unsigned char *buffptr; /* address of start of the region */
};
/* Cropping parameters from command line and image data
@@ -533,7 +532,7 @@ static int rotateContigSamples24bits(uin
static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
uint32, uint32, uint8 *, uint8 *);
static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
- unsigned char **);
+ unsigned char **, int);
static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
unsigned char *);
static int invertImage(uint16, uint16, uint16, uint32, uint32,
@@ -5166,7 +5165,6 @@ initCropMasks (struct crop_mask *cps)
cps->regionlist[i].width = 0;
cps->regionlist[i].length = 0;
cps->regionlist[i].buffsize = 0;
- cps->regionlist[i].buffptr = NULL;
cps->zonelist[i].position = 0;
cps->zonelist[i].total = 0;
}
@@ -6412,8 +6410,13 @@ static int correct_orientation(struct i
image->adjustments & ROTATE_ANY);
return (-1);
}
-
- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
+
+ /* Dummy variable in order not to switch two times the
+ * image->width,->length within rotateImage(),
+ * but switch xres, yres there. */
+ uint32_t width = image->width;
+ uint32_t length = image->length;
+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
{
TIFFError ("correct_orientation", "Unable to rotate image");
return (-1);
@@ -6481,7 +6484,6 @@ extractCompositeRegions(struct image_dat
/* These should not be needed for composite images */
crop->regionlist[i].width = crop_width;
crop->regionlist[i].length = crop_length;
- crop->regionlist[i].buffptr = crop_buff;
src_rowsize = ((img_width * bps * spp) + 7) / 8;
dst_rowsize = (((crop_width * bps * count) + 7) / 8);
@@ -6718,7 +6720,6 @@ extractSeparateRegion(struct image_data
crop->regionlist[region].width = crop_width;
crop->regionlist[region].length = crop_length;
- crop->regionlist[region].buffptr = crop_buff;
src = read_buff;
dst = crop_buff;
@@ -7596,7 +7597,7 @@ processCropSelections(struct image_data
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff))
+ &crop->combined_length, &crop_buff, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %d degrees", crop->rotation);
@@ -7702,7 +7703,7 @@ processCropSelections(struct image_data
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff))
+ &crop->regionlist[i].length, &crop_buff, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %d degrees", crop->rotation);
@@ -7834,7 +7835,7 @@ createCroppedImage(struct image_data *im
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr))
+ &crop->combined_length, crop_buff_ptr, TRUE))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %d degrees", crop->rotation);
@@ -8497,7 +8498,7 @@ rotateContigSamples32bits(uint16 rotatio
/* Rotate an image by a multiple of 90 degrees clockwise */
static int
rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
- uint32 *img_length, unsigned char **ibuff_ptr)
+ uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params)
{
int shift_width;
uint32 bytes_per_pixel, bytes_per_sample;
@@ -8688,11 +8689,15 @@ rotateImage(uint16 rotation, struct imag
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params)
+ {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
case 270: if ((bps % 8) == 0) /* byte aligned data */
@@ -8765,11 +8770,15 @@ rotateImage(uint16 rotation, struct imag
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params)
+ {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
default:
break;
|
