1From 2dd282a54e5fccf9b501973e6da5f83ebde8e980 Mon Sep 17 00:00:00 2001 2From: 4ugustus <wangdw.augustus@qq.com> 3Date: Thu, 10 Mar 2022 08:48:00 +0000 4Subject: [PATCH] fix heap buffer overflow in tiffcp (#278) 5 6CVE: CVE-2022-0924 7Upstream-Status: Backport 8Signed-off-by: Ross Burton <ross.burton@arm.com> 9 10--- 11 tools/tiffcp.c | 17 ++++++++++++++++- 12 1 file changed, 16 insertions(+), 1 deletion(-) 13 14diff --git a/tools/tiffcp.c b/tools/tiffcp.c 15index 1f88951..552d8fa 100644 16--- a/tools/tiffcp.c 17+++ b/tools/tiffcp.c 18@@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) 19 tdata_t obuf; 20 tstrip_t strip = 0; 21 tsample_t s; 22+ uint16_t bps = 0, bytes_per_sample; 23 24 obuf = limitMalloc(stripsize); 25 if (obuf == NULL) 26 return (0); 27 _TIFFmemset(obuf, 0, stripsize); 28 (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); 29+ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); 30+ if( bps == 0 ) 31+ { 32+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); 33+ _TIFFfree(obuf); 34+ return 0; 35+ } 36+ if( (bps % 8) != 0 ) 37+ { 38+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); 39+ _TIFFfree(obuf); 40+ return 0; 41+ } 42+ bytes_per_sample = bps/8; 43 for (s = 0; s < spp; s++) { 44 uint32_t row; 45 for (row = 0; row < imagelength; row += rowsperstrip) { 46@@ -1676,7 +1691,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) 47 48 cpContigBufToSeparateBuf( 49 obuf, (uint8_t*) buf + row * rowsize + s, 50- nrows, imagewidth, 0, 0, spp, 1); 51+ nrows, imagewidth, 0, 0, spp, bytes_per_sample); 52 if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { 53 TIFFError(TIFFFileName(out), 54 "Error, can't write strip %"PRIu32, 55