summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/libtiff/files/CVE-2022-2867-CVE-2022-2868-CVE-2022-2869.patch
blob: 131ff94119d4aeddf98caaa78a656dbe92679cee (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
From 07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Wed, 9 Feb 2022 21:31:29 +0000
Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
 uint32_t underflow.

CVE: CVE-2022-2867 CVE-2022-2868 CVE-2022-2869
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c]
Signed-off-by: Virendra Thakur <virendrak@kpit.com>
---
Index: tiff-4.1.0/tools/tiffcrop.c
===================================================================
--- tiff-4.1.0.orig/tools/tiffcrop.c
+++ tiff-4.1.0/tools/tiffcrop.c
@@ -5153,29 +5153,45 @@ computeInputPixelOffsets(struct crop_mas
 	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
 	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
 	}
-      if (x1 < 1)
-        crop->regionlist[i].x1 = 0;
-      else
-        crop->regionlist[i].x1 = (uint32) (x1 - 1);
+      /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 
+       * b) Corners are expected to be submitted as top-left to bottom-right.
+       *    Therefore, check that and reorder input.
+       * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
+       */
+      uint32_t aux;
+      if (x1 > x2) {
+        aux = x1;
+        x1 = x2;
+        x2 = aux;
+      }
+      if (y1 > y2) {
+        aux = y1;
+        y1 = y2;
+        y2 = aux;
+      }
+      if (x1 > image->width - 1)
+        crop->regionlist[i].x1 = image->width - 1;
+      else if (x1 > 0)
+        crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
 
       if (x2 > image->width - 1)
         crop->regionlist[i].x2 = image->width - 1;
-      else
-        crop->regionlist[i].x2 = (uint32) (x2 - 1);
-      zwidth  = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; 
-
-      if (y1 < 1)
-        crop->regionlist[i].y1 = 0;
-      else
-        crop->regionlist[i].y1 = (uint32) (y1 - 1);
+      else if (x2 > 0)
+        crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
+
+      zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+
+      if (y1 > image->length - 1)
+        crop->regionlist[i].y1 = image->length - 1;
+      else if (y1 > 0)
+        crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
 
       if (y2 > image->length - 1)
         crop->regionlist[i].y2 = image->length - 1;
-      else
-        crop->regionlist[i].y2 = (uint32) (y2 - 1);
-
-      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; 
+      else if (y2 > 0)
+        crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
 
+      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
       if (zwidth > max_width)
         max_width = zwidth;
       if (zlength > max_length)
@@ -5205,7 +5221,7 @@ computeInputPixelOffsets(struct crop_mas
 	}
       }
     return (0);
-    }
+    }  /* crop_mode == CROP_REGIONS */
   
   /* Convert crop margins into offsets into image
    * Margins are expressed as pixel rows and columns, not bytes
@@ -5241,7 +5257,7 @@ computeInputPixelOffsets(struct crop_mas
       bmargin = (uint32) 0;
       return (-1);
       }
-    }
+    }  /* crop_mode == CROP_MARGINS */
   else
     { /* no margins requested */
     tmargin = (uint32) 0;
@@ -5332,24 +5348,23 @@ computeInputPixelOffsets(struct crop_mas
   off->endx   = endx;
   off->endy   = endy;
 
-  crop_width  = endx - startx + 1;
-  crop_length = endy - starty + 1;
-
-  if (crop_width <= 0)
+  if (endx + 1 <= startx)
     {
     TIFFError("computeInputPixelOffsets", 
                "Invalid left/right margins and /or image crop width requested");
     return (-1);
     }
+  crop_width  = endx - startx + 1;
   if (crop_width > image->width)
     crop_width = image->width;
 
-  if (crop_length <= 0)
+  if (endy + 1 <= starty)
     {
     TIFFError("computeInputPixelOffsets", 
               "Invalid top/bottom margins and /or image crop length requested");
     return (-1);
     }
+  crop_length = endy - starty + 1;
   if (crop_length > image->length)
     crop_length = image->length;
 
@@ -5449,10 +5464,17 @@ getCropOffsets(struct image_data *image,
   else
     crop->selections = crop->zones;
 
-  for (i = 0; i < crop->zones; i++)
+  /* Initialize regions iterator i */
+  i = 0;
+  for (int j = 0; j < crop->zones; j++)
     {
-    seg = crop->zonelist[i].position;
-    total = crop->zonelist[i].total;
+    seg = crop->zonelist[j].position;
+    total = crop->zonelist[j].total;
+
+    /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
+    if (seg == 0 || total == 0 || seg > total) {
+        continue;
+    }
 
     switch (crop->edge_ref) 
       {
@@ -5581,8 +5603,11 @@ getCropOffsets(struct image_data *image,
                     i + 1, (uint32)zwidth, (uint32)zlength,
 		    crop->regionlist[i].x1, crop->regionlist[i].x2, 
                     crop->regionlist[i].y1, crop->regionlist[i].y2);
+  /* increment regions iterator */
+  i++;
     }
-
+    /* set number of generated regions out of given zones */
+    crop->selections = i;
   return (0);
   } /* end getCropOffsets */
 
-- 
GitLab