path: root/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch
From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sat, 2 Apr 2022 22:33:31 +0200
Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)

CVE: CVE-2022-1355

Upstream-Status: Backport
[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 tools/tiffcp.c | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/tools/tiffcp.c b/tools/tiffcp.c
index fd129bb7..8d944ff6 100644
--- a/tools/tiffcp.c
+++ b/tools/tiffcp.c
@@ -274,19 +274,34 @@ main(int argc, char* argv[])
 			deftilewidth = atoi(optarg);
 			break;
 		case 'B':
-			*mp++ = 'b'; *mp = '\0';
+			if (strlen(mode) < (sizeof(mode) - 1))
+			{
+				*mp++ = 'b'; *mp = '\0';
+			}
 			break;
 		case 'L':
-			*mp++ = 'l'; *mp = '\0';
+			if (strlen(mode) < (sizeof(mode) - 1))
+			{
+				*mp++ = 'l'; *mp = '\0';
+			}
 			break;
 		case 'M':
-			*mp++ = 'm'; *mp = '\0';
+			if (strlen(mode) < (sizeof(mode) - 1))
+			{
+				*mp++ = 'm'; *mp = '\0';
+			}
 			break;
 		case 'C':
-			*mp++ = 'c'; *mp = '\0';
+			if (strlen(mode) < (sizeof(mode) - 1))
+			{
+				*mp++ = 'c'; *mp = '\0';
+			}
 			break;
 		case '8':
-			*mp++ = '8'; *mp = '\0';
+			if (strlen(mode) < (sizeof(mode)-1))
+			{
+				*mp++ = '8'; *mp = '\0';
+			}
 			break;
 		case 'x':
 			pageInSeq = 1;
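Review bot: The guards added in cases 'B', 'L', 'M', 'C' and '8' bound `strlen(mode)` while the write goes through `mp`, so they only protect the buffer if `mp` always points at the terminator of `mode`; both are declared and initialised outside this hunk, so that invariant cannot be confirmed here. Checking the pointer that is actually written, `if ((size_t)(mp - mode) < sizeof(mode) - 1)`, ties the bound to the write; either form relies on `mode` being a real array rather than a pointer, which deserves a comment at its declaration. When the buffer is full the flag is dropped silently, so the output is opened with fewer mode flags than the user requested; a short warning on stderr in an `else` branch would make that visible. The same guard is repeated five times (with `sizeof(mode)-1` spaced differently in case '8'), and a small static helper taking the flag character would keep the bound in one place.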
-- 
2.25.1