| CVE: CVE-2022-0924 |
| Upstream-Status: Backport |
| Signed-off-by: Ross Burton <ross.burton@arm.com> |
| |
| From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00 2001 |
| From: 4ugustus <wangdw.augustus@qq.com> |
| Date: Thu, 10 Mar 2022 08:48:00 +0000 |
| Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278) |
| |
| --- |
| tools/tiffcp.c | 17 ++++++++++++++++- |
| 1 file changed, 16 insertions(+), 1 deletion(-) |
| |
| diff --git a/tools/tiffcp.c b/tools/tiffcp.c |
| index 1f889516..552d8fad 100644 |
| --- a/tools/tiffcp.c |
| +++ b/tools/tiffcp.c |
| @@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) |
| tdata_t obuf; |
| tstrip_t strip = 0; |
| tsample_t s; |
| + uint16_t bps = 0, bytes_per_sample; |
| |
| obuf = limitMalloc(stripsize); |
| if (obuf == NULL) |
| return (0); |
| _TIFFmemset(obuf, 0, stripsize); |
| (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); |
| + (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); |
| + if( bps == 0 ) |
| + { |
| + TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); |
| + _TIFFfree(obuf); |
| + return 0; |
| + } |
| + if( (bps % 8) != 0 ) |
| + { |
| + TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); |
| + _TIFFfree(obuf); |
| + return 0; |
| + } |
| + bytes_per_sample = bps/8; |
| for (s = 0; s < spp; s++) { |
| uint32_t row; |
| for (row = 0; row < imagelength; row += rowsperstrip) { |
| @@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) |
| |
| cpContigBufToSeparateBuf( |
| obuf, (uint8_t*) buf + row * rowsize + s, |
| - nrows, imagewidth, 0, 0, spp, 1); |
| + nrows, imagewidth, 0, 0, spp, bytes_per_sample); |
| if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { |
| TIFFError(TIFFFileName(out), |
| "Error, can't write strip %"PRIu32, |
| -- |
| 2.25.1 |
| |