1*4882a593SmuzhiyunFrom 4746f16253b784287bc8a5003990c1c3b9a03a62 Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Su_Laus <sulau@freenet.de> 3*4882a593SmuzhiyunDate: Thu, 25 Aug 2022 16:11:41 +0200 4*4882a593SmuzhiyunSubject: [PATCH] tiffcrop: disable incompatibility of -Z, -X, -Y, -z options 5*4882a593Smuzhiyun with any PAGE_MODE_x option (fixes #411 and #413) 6*4882a593SmuzhiyunMIME-Version: 1.0 7*4882a593SmuzhiyunContent-Type: text/plain; charset=UTF-8 8*4882a593SmuzhiyunContent-Transfer-Encoding: 8bit 9*4882a593Smuzhiyun 10*4882a593Smuzhiyuntiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S. 11*4882a593Smuzhiyun 12*4882a593SmuzhiyunCode analysis: 13*4882a593Smuzhiyun 14*4882a593SmuzhiyunWith the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[]. 15*4882a593SmuzhiyunIn the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) . 16*4882a593Smuzhiyun 17*4882a593SmuzhiyunExecution of the else-clause often leads to buffer-overflows. 18*4882a593Smuzhiyun 19*4882a593SmuzhiyunTherefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows. 20*4882a593Smuzhiyun 21*4882a593SmuzhiyunThe MR solves issues #411 and #413. 22*4882a593Smuzhiyun 23*4882a593SmuzhiyunCVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627 24*4882a593SmuzhiyunUpstream-Status: Backport 25*4882a593SmuzhiyunSigned-off-by: Ross Burton <ross.burton@arm.com> 26*4882a593Smuzhiyun--- 27*4882a593Smuzhiyun doc/tools/tiffcrop.rst | 8 ++++++++ 28*4882a593Smuzhiyun tools/tiffcrop.c | 32 +++++++++++++++++++++++++------- 29*4882a593Smuzhiyun 2 files changed, 33 insertions(+), 7 deletions(-) 30*4882a593Smuzhiyun 31*4882a593Smuzhiyundiff --git a/tools/tiffcrop.c b/tools/tiffcrop.c 32*4882a593Smuzhiyunindex 8fd856dc..41a2ea36 100644 33*4882a593Smuzhiyun--- a/tools/tiffcrop.c 34*4882a593Smuzhiyun+++ b/tools/tiffcrop.c 35*4882a593Smuzhiyun@@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 36*4882a593Smuzhiyun R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; 37*4882a593Smuzhiyun S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; 38*4882a593Smuzhiyun if (XY + Z + R + S > 1) { 39*4882a593Smuzhiyun- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); 40*4882a593Smuzhiyun+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit"); 41*4882a593Smuzhiyun exit(EXIT_FAILURE); 42*4882a593Smuzhiyun } 43*4882a593Smuzhiyun+ 44*4882a593Smuzhiyun+ /* Check for not allowed combination: 45*4882a593Smuzhiyun+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options 46*4882a593Smuzhiyun+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. 47*4882a593Smuzhiyun+. */ 48*4882a593Smuzhiyun+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) { 49*4882a593Smuzhiyun+ TIFFError("tiffcrop input error", 50*4882a593Smuzhiyun+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit"); 51*4882a593Smuzhiyun+ exit(EXIT_FAILURE); 52*4882a593Smuzhiyun+ } 53*4882a593Smuzhiyun+ 54*4882a593Smuzhiyun } /* end process_command_opts */ 55*4882a593Smuzhiyun 56*4882a593Smuzhiyun /* Start a new output file if one has not been previously opened or 57*4882a593Smuzhiyun-- 58*4882a593Smuzhiyun2.34.1 59*4882a593Smuzhiyun 60