From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001 From: zhailiangliang Date: Thu, 16 Mar 2023 16:16:54 +0800 Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection CVE: CVE-2023-1916 Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535] Signed-off-by: Marek Vasut Signed-off-by: Hitendra Prajapati --- tools/tiffcrop.c | 44 ++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 40 insertions(+), 4 deletions(-) diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index 05ba4d2..8a08536 100644 --- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c @@ -5700,6 +5700,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt crop->combined_width += (uint32_t)zwidth; else crop->combined_width = (uint32_t)zwidth; + + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ + if (((crop->rotation == 90) || (crop->rotation == 270)) + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) + { + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); + return -1; + } + break; case EDGE_BOTTOM: /* width from left, zones from bottom to top */ zwidth = offsets.crop_width; @@ -5735,6 +5744,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt else crop->combined_length = (uint32_t)zlength; crop->combined_width = (uint32_t)zwidth; + + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ + if (((crop->rotation == 90) || (crop->rotation == 270)) + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) + { + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); + return -1; + } + break; case EDGE_RIGHT: /* zones from right to left, length from top */ zlength = offsets.crop_length; @@ -5772,6 +5790,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt crop->combined_width += (uint32_t)zwidth; else crop->combined_width = (uint32_t)zwidth; + + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ + if (((crop->rotation == 90) || (crop->rotation == 270)) + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) + { + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); + return -1; + } + break; case EDGE_TOP: /* width from left, zones from top to bottom */ default: @@ -5818,7 +5845,16 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt else crop->combined_length = (uint32_t)zlength; crop->combined_width = (uint32_t)zwidth; - break; + + /* When the degrees clockwise rotation is 90 or 270, check the boundary */ + if (((crop->rotation == 90) || (crop->rotation == 270)) + && ((crop->combined_length > image->width) || (crop->combined_width > image->length))) + { + TIFFError("getCropOffsets", "The crop size exceeds the image boundary size"); + return -1; + } + + break; } /* end switch statement */ buffsize = (uint32_t) @@ -7016,9 +7052,9 @@ extractImageSection(struct image_data *image, struct pageseg *section, * regardless of the way the data are organized in the input file. * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 */ - img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ - full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ - trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ + img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */ + full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */ + trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */ #ifdef DEVELMODE TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n", -- 2.25.1