| CVE: CVE-2022-22844 |
| Upstream-Status: Backport |
| Signed-off-by: Ross Burton <ross.burton@arm.com> |
| |
| From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001 |
| From: 4ugustus <wangdw.augustus@qq.com> |
| Date: Tue, 25 Jan 2022 16:25:28 +0000 |
| Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where |
| count is required (fixes #355) |
| |
| --- |
| tools/tiffset.c | 16 +++++++++++++--- |
| 1 file changed, 13 insertions(+), 3 deletions(-) |
| |
| diff --git a/tools/tiffset.c b/tools/tiffset.c |
| index 8c9e23c5..e7a88c09 100644 |
| --- a/tools/tiffset.c |
| +++ b/tools/tiffset.c |
| @@ -146,9 +146,19 @@ main(int argc, char* argv[]) |
| |
| arg_index++; |
| if (TIFFFieldDataType(fip) == TIFF_ASCII) { |
| - if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1) |
| - fprintf( stderr, "Failed to set %s=%s\n", |
| - TIFFFieldName(fip), argv[arg_index] ); |
| + if(TIFFFieldPassCount( fip )) { |
| + size_t len; |
| + len = strlen(argv[arg_index]) + 1; |
| + if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip), |
| + (uint16_t)len, argv[arg_index]) != 1) |
| + fprintf( stderr, "Failed to set %s=%s\n", |
| + TIFFFieldName(fip), argv[arg_index] ); |
| + } else { |
| + if (TIFFSetField(tiff, TIFFFieldTag(fip), |
| + argv[arg_index]) != 1) |
| + fprintf( stderr, "Failed to set %s=%s\n", |
| + TIFFFieldName(fip), argv[arg_index] ); |
| + } |
| } else if (TIFFFieldWriteCount(fip) > 0 |
| || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { |
| int ret = 1; |
| -- |
| 2.25.1 |