From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001
From: 4ugustus
Date: Tue, 25 Jan 2022 16:25:28 +0000
Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where count is required (fixes #355)
CVE: CVE-2022-22844
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/03047a26952a82daaa0792957ce211e0aa51bc64]
Signed-off-by: Purushottam Choudhary
Signed-off-by: Purushottam Choudhary
Comments: Add header stdint.h in tiffset.c explicitly for UINT16_MAX
---
 tools/tiffset.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/tools/tiffset.c b/tools/tiffset.c
index 8c9e23c5..e7a88c09 100644
--- a/tools/tiffset.c
+++ b/tools/tiffset.c
@@ -33,6 +33,7 @@
 #include
 #include
+#include
 #include "tiffio.h"
 static char* usageMsg[] = {
@@ -146,9 +146,19 @@ main(int argc, char* argv[])
 arg_index++;
 if (TIFFFieldDataType(fip) == TIFF_ASCII) {
- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
- fprintf( stderr, "Failed to set %s=%s\n",
- TIFFFieldName(fip), argv[arg_index] );
+ if(TIFFFieldPassCount( fip )) {
+ size_t len;
+ len = strlen(argv[arg_index]) + 1;
+ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
+ (uint16_t)len, argv[arg_index]) != 1)
+ fprintf( stderr, "Failed to set %s=%s\n",
+ TIFFFieldName(fip), argv[arg_index] );
+ } else {
+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
+ argv[arg_index]) != 1)
+ fprintf( stderr, "Failed to set %s=%s\n",
+ TIFFFieldName(fip), argv[arg_index] );
+ }
 } else if (TIFFFieldWriteCount(fip) > 0 || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
 int ret = 1;
--
GitLab
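Review bot: In the new `TIFFFieldPassCount` branch of the second hunk, the `len > UINT16_MAX` rejection and a genuine `TIFFSetField` failure share the single `Failed to set %s=%s` message, so a value refused for its length gets no stated reason and the whole over-long argument is echoed back to stderr. Splitting the test, e.g. `if (len > UINT16_MAX) fprintf(stderr, "Value for %s is too long\n", TIFFFieldName(fip));` followed by `else if (TIFFSetField(tiff, TIFFFieldTag(fip), (uint16_t)len, argv[arg_index]) != 1)`, keeps the bound and makes the refusal diagnosable. A short comment such as `/* count includes the terminating NUL and must fit the 16-bit count passed here */` would record why the `+ 1` and the cast are there. The hunk does not show whether `arg_index` is checked against `argc` before `argv[arg_index]` is read, or whether either failure affects the exit status; `main` starts and ends outside the hunk.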