Package: tiff / 4.2.0-1+deb11u5

CVE-2023-0800.patch Patch series | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
 
From: Markus Koschany <apo@debian.org>
Date: Tue, 21 Feb 2023 14:39:52 +0100
Subject: CVE-2023-0800

This is also the fix for CVE-2023-0801, CVE-2023-0802, CVE-2023-0803,
CVE-2023-0804.

Bug-Debian: https://bugs.debian.org/1031632
Origin: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00
---
 tools/tiffcrop.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 69 insertions(+), 4 deletions(-)

Index: tiff-4.2.0/tools/tiffcrop.c
===================================================================
--- tiff-4.2.0.orig/tools/tiffcrop.c
+++ tiff-4.2.0/tools/tiffcrop.c
@@ -5304,18 +5304,40 @@ computeInputPixelOffsets(struct crop_mas
 
       crop->regionlist[i].buffsize = buffsize;
       crop->bufftotal += buffsize;
+
+      /* For composite images with more than one region, the
+       * combined_length or combined_width always needs to be equal,
+       * respectively.
+       * Otherwise, even the first section/region copy
+       * action might cause buffer overrun. */
       if (crop->img_mode == COMPOSITE_IMAGES)
         {
         switch (crop->edge_ref)
           {
           case EDGE_LEFT:
           case EDGE_RIGHT:
+               if (i > 0 && zlength != crop->combined_length)
+               {
+                   TIFFError(
+                       "computeInputPixelOffsets",
+                       "Only equal length regions can be combined for "
+                       "-E left or right");
+                   return (-1);
+               }
                crop->combined_length = zlength;
                crop->combined_width += zwidth;
                break;
           case EDGE_BOTTOM:
           case EDGE_TOP:  /* width from left, length from top */
           default:
+               if (i > 0 && zwidth != crop->combined_width)
+                {
+                    TIFFError("computeInputPixelOffsets",
+                              "Only equal width regions can be "
+                              "combined for -E "
+                              "top or bottom");
+                    return (-1);
+                }
                crop->combined_width = zwidth;
                crop->combined_length += zlength;
 	       break;
@@ -6470,6 +6492,47 @@ extractCompositeRegions(struct image_dat
   crop->combined_width = 0;
   crop->combined_length = 0;
 
+    /* If there is more than one region, check beforehand whether all the width
+     * and length values of the regions are the same, respectively. */
+    switch (crop->edge_ref)
+    {
+        default:
+        case EDGE_TOP:
+        case EDGE_BOTTOM:
+            for (i = 1; i < crop->selections; i++)
+            {
+                uint32_t crop_width0 =
+                    crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
+                uint32_t crop_width1 =
+                    crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+                if (crop_width0 != crop_width1)
+                {
+                    TIFFError("extractCompositeRegions",
+                              "Only equal width regions can be combined for -E "
+                              "top or bottom");
+                    return (1);
+                }
+            }
+            break;
+        case EDGE_LEFT:
+        case EDGE_RIGHT:
+            for (i = 1; i < crop->selections; i++)
+            {
+                uint32_t crop_length0 =
+                    crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
+                uint32_t crop_length1 =
+                    crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+                if (crop_length0 != crop_length1)
+                {
+                    TIFFError("extractCompositeRegions",
+                              "Only equal length regions can be combined for "
+                              "-E left or right");
+                    return (1);
+                }
+            }
+   }
+
+
   for (i = 0; i < crop->selections; i++)
     {
     /* rows, columns, width, length are expressed in pixels */
@@ -6493,8 +6556,9 @@ extractCompositeRegions(struct image_dat
       default:
       case EDGE_TOP:
       case EDGE_BOTTOM:
-	   if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
-             {
+         if ((crop->selections > i + 1) &&
+                    (crop_width != crop->regionlist[i + 1].width))
+         {
 	     TIFFError ("extractCompositeRegions", 
                           "Only equal width regions can be combined for -E top or bottom");
 	     return (1);
@@ -6574,8 +6638,9 @@ extractCompositeRegions(struct image_dat
 	   break;
       case EDGE_LEFT:  /* splice the pieces of each row together, side by side */
       case EDGE_RIGHT:
-	   if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
-             {
+         if ((crop->selections > i + 1) &&
+                    (crop_length != crop->regionlist[i + 1].length))
+         {
 	     TIFFError ("extractCompositeRegions", 
                           "Only equal length regions can be combined for -E left or right");
 	     return (1);