1*4882a593SmuzhiyunFrom 2dd282a54e5fccf9b501973e6da5f83ebde8e980 Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: 4ugustus <wangdw.augustus@qq.com>
3*4882a593SmuzhiyunDate: Thu, 10 Mar 2022 08:48:00 +0000
4*4882a593SmuzhiyunSubject: [PATCH] fix heap buffer overflow in tiffcp (#278)
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunCVE: CVE-2022-0924
7*4882a593SmuzhiyunUpstream-Status: Backport
8*4882a593SmuzhiyunSigned-off-by: Ross Burton <ross.burton@arm.com>
9*4882a593Smuzhiyun
10*4882a593Smuzhiyun---
11*4882a593Smuzhiyun tools/tiffcp.c | 17 ++++++++++++++++-
12*4882a593Smuzhiyun 1 file changed, 16 insertions(+), 1 deletion(-)
13*4882a593Smuzhiyun
14*4882a593Smuzhiyundiff --git a/tools/tiffcp.c b/tools/tiffcp.c
15*4882a593Smuzhiyunindex 1f88951..552d8fa 100644
16*4882a593Smuzhiyun--- a/tools/tiffcp.c
17*4882a593Smuzhiyun+++ b/tools/tiffcp.c
18*4882a593Smuzhiyun@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
19*4882a593Smuzhiyun 	tdata_t obuf;
20*4882a593Smuzhiyun 	tstrip_t strip = 0;
21*4882a593Smuzhiyun 	tsample_t s;
22*4882a593Smuzhiyun+	uint16_t bps = 0, bytes_per_sample;
23*4882a593Smuzhiyun
24*4882a593Smuzhiyun 	obuf = limitMalloc(stripsize);
25*4882a593Smuzhiyun 	if (obuf == NULL)
26*4882a593Smuzhiyun 		return (0);
27*4882a593Smuzhiyun 	_TIFFmemset(obuf, 0, stripsize);
28*4882a593Smuzhiyun 	(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
29*4882a593Smuzhiyun+	(void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
30*4882a593Smuzhiyun+	if( bps == 0 )
31*4882a593Smuzhiyun+        {
32*4882a593Smuzhiyun+            TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
33*4882a593Smuzhiyun+            _TIFFfree(obuf);
34*4882a593Smuzhiyun+            return 0;
35*4882a593Smuzhiyun+        }
36*4882a593Smuzhiyun+        if( (bps % 8) != 0 )
37*4882a593Smuzhiyun+        {
38*4882a593Smuzhiyun+            TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
39*4882a593Smuzhiyun+            _TIFFfree(obuf);
40*4882a593Smuzhiyun+            return 0;
41*4882a593Smuzhiyun+        }
42*4882a593Smuzhiyun+	bytes_per_sample = bps/8;
43*4882a593Smuzhiyun 	for (s = 0; s < spp; s++) {
44*4882a593Smuzhiyun 		uint32_t row;
45*4882a593Smuzhiyun 		for (row = 0; row < imagelength; row += rowsperstrip) {
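Review bot: The `bytes_per_sample` computed at the end of this hunk is handed to `cpContigBufToSeparateBuf` in the following hunk, but the source pointer at that call is still `(uint8_t*) buf + row * rowsize + s`, a one-byte step per sample plane. The helper's body is not visible here; if it copies `bytes_per_sample` bytes per pixel and then skips the remaining samples, plane `s` should start at `s * bytes_per_sample`, and with 16-bit or wider data every plane after the first would begin mid-sample and be written out wrong. Please confirm against the helper and, if that holds, change the argument to `(uint8_t*) buf + row * rowsize + s * bytes_per_sample`. A regression test that converts a 16-bit contiguous image to separate planes would cover both the overflow and the plane offset. The new checks also use space indentation in a tab-indented function, and `writeBufferToSeparateStrips` begins before and continues past this hunk.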
46*4882a593Smuzhiyun@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)
47*4882a593Smuzhiyun
48*4882a593Smuzhiyun 			cpContigBufToSeparateBuf(
49*4882a593Smuzhiyun 			    obuf, (uint8_t*) buf + row * rowsize + s,
50*4882a593Smuzhiyun-			    nrows, imagewidth, 0, 0, spp, 1);
51*4882a593Smuzhiyun+			    nrows, imagewidth, 0, 0, spp, bytes_per_sample);
52*4882a593Smuzhiyun 			if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
53*4882a593Smuzhiyun 				TIFFError(TIFFFileName(out),
54*4882a593Smuzhiyun 				    "Error, can't write strip %"PRIu32,
55