path: root/meta/recipes-multimedia/libtiff/tiff/CVE-2023-25434-CVE-2023-25435.patch
blob: e214277504d0c9de71c5ec7b1549c255e79ec006 (plain)
From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sun, 29 Jan 2023 11:09:26 +0100
Subject: [PATCH] CVE-2023-25434 & CVE-2023-25435

tiffcrop: Amend rotateImage() not to toggle the input (main)
image width and length parameters when only cropped image sections are
rotated. Remove buffptr from region structure because never used.

Closes #492 #493 #494 #495 #499 #518 #519

Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
CVE: CVE-2023-25434 & CVE-2023-25435
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 tools/tiffcrop.c | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index cbd24cc..b811fbb 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -523,7 +523,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
 static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
                                      uint32_t, uint32_t, uint8_t *, uint8_t *);
 static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
-                       unsigned char **, size_t *);
+                       unsigned char **, size_t *, int);
 static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
                        unsigned char *);
 static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
@@ -6513,10 +6513,11 @@ static int  correct_orientation(struct image_data *image, unsigned char **work_b
       /* Dummy variable in order not to switch two times the
        * image->width,->length within rotateImage(),
        * but switch xres, yres there. */
-      uint32_t width = image->width;
-      uint32_t length = image->length;
-      if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
-      {
+        uint32_t width = image->width;
+        uint32_t length = image->length;
+        if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,
+                        TRUE))
+        {
       TIFFError ("correct_orientation", "Unable to rotate image");
       return (-1);
       }
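Review bot: The re-indented call in correct_orientation() now sits at eight spaces while the surrounding context (the comment above, the TIFFError/return lines and the closing brace) stays at six, so the opening `{` no longer lines up with its `}`; keeping the original indent and only appending the argument would make this security-relevant change easier to audit. The bare `TRUE` is also unexplained at the call site, and the retained comment still only covers the dummy width/length variables. Going by the commit message, a short addition such as `/* TRUE: rotateImage() also updates the main image parameters */` would document it. correct_orientation() starts and ends outside the hunk.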
@@ -7700,7 +7701,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
          * accordingly. */
       size_t rot_buf_size = 0;
       if (rotateImage(crop->rotation, image, &crop->combined_width, 
-                      &crop->combined_length, &crop_buff, &rot_buf_size))
+                      &crop->combined_length, &crop_buff, &rot_buf_size,
+                            FALSE))
         {
         TIFFError("processCropSelections", 
                   "Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
@@ -7811,9 +7813,10 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
            * its size individually. Therefore, seg_buffs size  needs to be
            * updated accordingly. */
 	   size_t rot_buf_size = 0;
-           if (rotateImage(
-                crop->rotation, image, &crop->regionlist[i].width,
-                &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+           if (rotateImage(crop->rotation, image,
+                                &crop->regionlist[i].width,
+                                &crop->regionlist[i].length, &crop_buff,
+                                &rot_buf_size, FALSE))
           {
           TIFFError("processCropSelections", 
                     "Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
@@ -7943,7 +7946,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
   if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
     {
     if (rotateImage(crop->rotation, image, &crop->combined_width, 
-                    &crop->combined_length, crop_buff_ptr, NULL))
+                    &crop->combined_length, crop_buff_ptr, NULL, TRUE))
       {
       TIFFError("createCroppedImage", 
                 "Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
@@ -8607,7 +8610,9 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_
 static int
 rotateImage(uint16_t rotation, struct image_data *image,
             uint32_t *img_width,uint32_t *img_length,
-            unsigned char **ibuff_ptr, size_t *rot_buf_size)
+            unsigned char **ibuff_ptr, size_t *rot_buf_size,
+            int rot_image_params)
+
   {
   int      shift_width;
   uint32_t   bytes_per_pixel, bytes_per_sample;
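Review bot: `rot_image_params` is added to rotateImage()'s signature here, but no hunk in this patch reads it, and the signature and call-site changes already account for the whole diffstat (16 insertions, 11 deletions). Unless the body already tests the flag in the tree this backport applies to, the FALSE passed from processCropSelections() has no effect and the width/length toggle the commit message describes would still run, so the fix should be checked against the upstream commit named in Upstream-Status. The expected shape, inferred from the message since the body lies outside the hunk, is a guard like `if (rot_image_params) { /* swap image->width and image->length */ }` around the main-image updates in each rotation case. The message also mentions removing buffptr from the region structure, which no hunk here does, and the added blank `+` line between the parameter list and `{` can be dropped.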
-- 
2.25.1