package/tiff: fix CVE-2022-22844
LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
parent
9229054bd5
commit
7ec5f99b3a
@ -0,0 +1,43 @@
|
||||
From 03047a26952a82daaa0792957ce211e0aa51bc64 Mon Sep 17 00:00:00 2001
|
||||
From: 4ugustus <wangdw.augustus@qq.com>
|
||||
Date: Tue, 25 Jan 2022 16:25:28 +0000
|
||||
Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
|
||||
count is required (fixes #355)
|
||||
|
||||
[Retrieved from:
|
||||
https://gitlab.com/libtiff/libtiff/-/commit/03047a26952a82daaa0792957ce211e0aa51bc64]
|
||||
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
||||
---
|
||||
tools/tiffset.c | 16 +++++++++++++---
|
||||
1 file changed, 13 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/tools/tiffset.c b/tools/tiffset.c
|
||||
index 8c9e23c5..e7a88c09 100644
|
||||
--- a/tools/tiffset.c
|
||||
+++ b/tools/tiffset.c
|
||||
@@ -146,9 +146,19 @@ main(int argc, char* argv[])
|
||||
|
||||
arg_index++;
|
||||
if (TIFFFieldDataType(fip) == TIFF_ASCII) {
|
||||
- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
|
||||
- fprintf( stderr, "Failed to set %s=%s\n",
|
||||
- TIFFFieldName(fip), argv[arg_index] );
|
||||
+ if(TIFFFieldPassCount( fip )) {
|
||||
+ size_t len;
|
||||
+ len = strlen(argv[arg_index]) + 1;
|
||||
+ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
|
||||
+ (uint16_t)len, argv[arg_index]) != 1)
|
||||
+ fprintf( stderr, "Failed to set %s=%s\n",
|
||||
+ TIFFFieldName(fip), argv[arg_index] );
|
||||
+ } else {
|
||||
+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
|
||||
+ argv[arg_index]) != 1)
|
||||
+ fprintf( stderr, "Failed to set %s=%s\n",
|
||||
+ TIFFFieldName(fip), argv[arg_index] );
|
||||
+ }
|
||||
} else if (TIFFFieldWriteCount(fip) > 0
|
||||
|| TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
|
||||
int ret = 1;
|
||||
--
|
||||
GitLab
|
||||
|
@ -11,6 +11,10 @@ TIFF_LICENSE_FILES = COPYRIGHT
|
||||
TIFF_CPE_ID_VENDOR = libtiff
|
||||
TIFF_CPE_ID_PRODUCT = libtiff
|
||||
TIFF_INSTALL_STAGING = YES
|
||||
|
||||
# 0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags.patch
|
||||
TIFF_IGNORE_CVES += CVE-2022-22844
|
||||
|
||||
TIFF_CONF_OPTS = \
|
||||
--disable-cxx \
|
||||
--without-x
|
||||
|
Loading…
Reference in New Issue
Block a user