Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | 1 | CVE: CVE-2022-0865 |
| 2 | Upstream-Status: Backport |
| 3 | Signed-off-by: Ross Burton <ross.burton@arm.com> |
| 4 | |
| 5 | From 88da11ae3c4db527cb870fb1017456cc8fbac2e7 Mon Sep 17 00:00:00 2001 |
| 6 | From: Even Rouault <even.rouault@spatialys.com> |
| 7 | Date: Thu, 24 Feb 2022 22:26:02 +0100 |
| 8 | Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with multiple |
| 9 | IFD in memory-mapped mode and when bit reversal is needed (fixes #385) |
| 10 | |
| 11 | --- |
| 12 | libtiff/tif_jbig.c | 10 ++++++++++ |
| 13 | 1 file changed, 10 insertions(+) |
| 14 | |
| 15 | diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c |
| 16 | index 74086338..8bfa4cef 100644 |
| 17 | --- a/libtiff/tif_jbig.c |
| 18 | +++ b/libtiff/tif_jbig.c |
| 19 | @@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) |
| 20 | */ |
| 21 | tif->tif_flags |= TIFF_NOBITREV; |
| 22 | tif->tif_flags &= ~TIFF_MAPPED; |
| 23 | + /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and |
| 24 | + * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial |
| 25 | + * value to be consistent with the state of a non-memory mapped file. |
| 26 | + */ |
| 27 | + if (tif->tif_flags&TIFF_BUFFERMMAP) { |
| 28 | + tif->tif_rawdata = NULL; |
| 29 | + tif->tif_rawdatasize = 0; |
| 30 | + tif->tif_flags &= ~TIFF_BUFFERMMAP; |
| 31 | + tif->tif_flags |= TIFF_MYBUFFER; |
| 32 | + } |
| 33 | |
| 34 | /* Setup the function pointers for encode, decode, and cleanup. */ |
| 35 | tif->tif_setupdecode = JBIGSetupDecode; |
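Review bot: The added comment in the `TIFF_BUFFERMMAP` branch does not say why `tif_rawdata` is set to NULL without being freed, which is the memory-safety point a later maintainer needs. Judging by the flag name, the pointer at that moment refers into the file mapping rather than a heap buffer owned by the library, so I would add `/* tif_rawdata points into the mapping here: drop it, never free it */` above the assignment. The branch also leaves the other raw-buffer cursors (`tif_rawcp`, `tif_rawcc`) untouched. The hunk does not show whether they are reset before the next decode, so that is worth confirming for the multi-IFD case named in the subject. TIFFInitJBIG starts and ends outside the hunk.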
| 36 | -- |
| 37 | 2.25.1 |
| 38 | |