| Patrick Williams | 2390b1b | 2022-11-03 13:47:49 -0500 | [diff] [blame] | 1 | CVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627 |
| 2 | Upstream-Status: Backport |
| 3 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 4 | |
| 5 | From 4746f16253b784287bc8a5003990c1c3b9a03a62 Mon Sep 17 00:00:00 2001 |
| 6 | From: Su_Laus <sulau@freenet.de> |
| 7 | Date: Thu, 25 Aug 2022 16:11:41 +0200 |
| 8 | Subject: [PATCH] tiffcrop: disable incompatibility of -Z, -X, -Y, -z options |
| 9 | with any PAGE_MODE_x option (fixes #411 and #413) |
| 10 | MIME-Version: 1.0 |
| 11 | Content-Type: text/plain; charset=UTF-8 |
| 12 | Content-Transfer-Encoding: 8bit |
| 13 | |
| 14 | tiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S. |
| 15 | |
| 16 | Code analysis: |
| 17 | |
| 18 | With the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[]. |
| 19 | In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) . |
| 20 | |
| 21 | Execution of the else-clause often leads to buffer-overflows. |
| 22 | |
| 23 | Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows. |
| 24 | |
| 25 | The MR solves issues #411 and #413. |
| 26 | --- |
| 27 | doc/tools/tiffcrop.rst | 8 ++++++++ |
| 28 | tools/tiffcrop.c | 32 +++++++++++++++++++++++++------- |
| 29 | 2 files changed, 33 insertions(+), 7 deletions(-) |
| 30 | |
| 31 | diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c |
| 32 | index 8fd856dc..41a2ea36 100644 |
| 33 | --- a/tools/tiffcrop.c |
| 34 | +++ b/tools/tiffcrop.c |
| 35 | @@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 |
| 36 | R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; |
| 37 | S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; |
| 38 | if (XY + Z + R + S > 1) { |
| 39 | - TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); |
| 40 | + TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit"); |
| 41 | exit(EXIT_FAILURE); |
| 42 | } |
| 43 | + |
| 44 | + /* Check for not allowed combination: |
| 45 | + * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options |
| 46 | + * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. |
| 47 | +. */ |
| 48 | + if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) { |
| 49 | + TIFFError("tiffcrop input error", |
| 50 | + "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit"); |
| 51 | + exit(EXIT_FAILURE); |
| 52 | + } |
| 53 | + |
| 54 | } /* end process_command_opts */ |
| 55 | |
| 56 | /* Start a new output file if one has not been previously opened or |
| 57 | -- |
| 58 | 2.34.1 |
| 59 | |