Andrew Geissler | 7e0e3c0 | 2022-02-25 20:34:39 +0000 | [diff] [blame^] | 1 | CVE: CVE-2022-22844 |
| 2 | Upstream-Status: Backport |
| 3 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 4 | |
| 5 | From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001 |
| 6 | From: 4ugustus <wangdw.augustus@qq.com> |
| 7 | Date: Tue, 25 Jan 2022 16:25:28 +0000 |
| 8 | Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where |
| 9 | count is required (fixes #355) |
| 10 | |
| 11 | --- |
| 12 | tools/tiffset.c | 16 +++++++++++++--- |
| 13 | 1 file changed, 13 insertions(+), 3 deletions(-) |
| 14 | |
| 15 | diff --git a/tools/tiffset.c b/tools/tiffset.c |
| 16 | index 8c9e23c5..e7a88c09 100644 |
| 17 | --- a/tools/tiffset.c |
| 18 | +++ b/tools/tiffset.c |
| 19 | @@ -146,9 +146,19 @@ main(int argc, char* argv[]) |
| 20 | |
| 21 | arg_index++; |
| 22 | if (TIFFFieldDataType(fip) == TIFF_ASCII) { |
| 23 | - if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1) |
| 24 | - fprintf( stderr, "Failed to set %s=%s\n", |
| 25 | - TIFFFieldName(fip), argv[arg_index] ); |
| 26 | + if(TIFFFieldPassCount( fip )) { |
| 27 | + size_t len; |
| 28 | + len = strlen(argv[arg_index]) + 1; |
| 29 | + if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip), |
| 30 | + (uint16_t)len, argv[arg_index]) != 1) |
| 31 | + fprintf( stderr, "Failed to set %s=%s\n", |
| 32 | + TIFFFieldName(fip), argv[arg_index] ); |
| 33 | + } else { |
| 34 | + if (TIFFSetField(tiff, TIFFFieldTag(fip), |
| 35 | + argv[arg_index]) != 1) |
| 36 | + fprintf( stderr, "Failed to set %s=%s\n", |
| 37 | + TIFFFieldName(fip), argv[arg_index] ); |
| 38 | + } |
| 39 | } else if (TIFFFieldWriteCount(fip) > 0 |
| 40 | || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { |
| 41 | int ret = 1; |
| 42 | -- |
| 43 | 2.25.1 |