1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
From 7e87352217d1f0c77eee7033ac59e3aab08532bb Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Tue, 8 Nov 2022 15:16:58 +0100
Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
CVE: CVE-2022-3970
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Origin: https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-01-17
strips/tiles > 2 GB
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
---
libtiff/tif_getimage.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 96ab146..0b90dcc 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -3042,15 +3042,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 col, uint32 row, uint32 * raster, int stop
return( ok );
for( i_row = 0; i_row < read_ysize; i_row++ ) {
- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
- raster + (read_ysize - i_row - 1) * read_xsize,
+ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+ raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
read_xsize * sizeof(uint32) );
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
0, sizeof(uint32) * (tile_xsize - read_xsize) );
}
for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
+ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
0, sizeof(uint32) * tile_xsize );
}
|