1*4882a593SmuzhiyunFrom adfd6be615635705c2f4eb8dfe49e2f463786361 Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Even Rouault <even.rouault@spatialys.com> 3*4882a593SmuzhiyunDate: Thu, 24 Feb 2022 22:26:02 +0100 4*4882a593SmuzhiyunSubject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple 5*4882a593Smuzhiyun 6*4882a593SmuzhiyunCVE: CVE-2022-0865 7*4882a593SmuzhiyunUpstream-Status: Backport 8*4882a593SmuzhiyunSigned-off-by: Ross Burton <ross.burton@arm.com> 9*4882a593Smuzhiyun 10*4882a593Smuzhiyun IFD in memory-mapped mode and when bit reversal is needed (fixes #385) 11*4882a593Smuzhiyun 12*4882a593Smuzhiyun--- 13*4882a593Smuzhiyun libtiff/tif_jbig.c | 10 ++++++++++ 14*4882a593Smuzhiyun 1 file changed, 10 insertions(+) 15*4882a593Smuzhiyun 16*4882a593Smuzhiyundiff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c 17*4882a593Smuzhiyunindex 7408633..8bfa4ce 100644 18*4882a593Smuzhiyun--- a/libtiff/tif_jbig.c 19*4882a593Smuzhiyun+++ b/libtiff/tif_jbig.c 20*4882a593Smuzhiyun@@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) 21*4882a593Smuzhiyun */ 22*4882a593Smuzhiyun tif->tif_flags |= TIFF_NOBITREV; 23*4882a593Smuzhiyun tif->tif_flags &= ~TIFF_MAPPED; 24*4882a593Smuzhiyun+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and 25*4882a593Smuzhiyun+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial 26*4882a593Smuzhiyun+ * value to be consistent with the state of a non-memory mapped file. 27*4882a593Smuzhiyun+ */ 28*4882a593Smuzhiyun+ if (tif->tif_flags&TIFF_BUFFERMMAP) { 29*4882a593Smuzhiyun+ tif->tif_rawdata = NULL; 30*4882a593Smuzhiyun+ tif->tif_rawdatasize = 0; 31*4882a593Smuzhiyun+ tif->tif_flags &= ~TIFF_BUFFERMMAP; 32*4882a593Smuzhiyun+ tif->tif_flags |= TIFF_MYBUFFER; 33*4882a593Smuzhiyun+ } 34*4882a593Smuzhiyun 35*4882a593Smuzhiyun /* Setup the function pointers for encode, decode, and cleanup. */ 36*4882a593Smuzhiyun tif->tif_setupdecode = JBIGSetupDecode; 37