xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1From 19d775e058bf6bb0b0e9c56f406b775f9e725355 Mon Sep 17 00:00:00 2001
2From: Su_Laus <sulau@freenet.de>
3Date: Sat, 2 Apr 2022 22:33:31 +0200
4Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
5
6CVE: CVE-2022-1355
7
8Upstream-Status: Backport
9[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]
10
11Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
12
13---
14 tools/tiffcp.c | 25 ++++++++++++++++++++-----
15 1 file changed, 20 insertions(+), 5 deletions(-)
16
17diff --git a/tools/tiffcp.c b/tools/tiffcp.c
18index 552d8fa..57eef90 100644
19--- a/tools/tiffcp.c
20+++ b/tools/tiffcp.c
21@@ -274,19 +274,34 @@ main(int argc, char* argv[])
22 			deftilewidth = atoi(optarg);
23 			break;
24 		case 'B':
25-			*mp++ = 'b'; *mp = '\0';
26+			if (strlen(mode) < (sizeof(mode) - 1))
27+			{
28+				*mp++ = 'b'; *mp = '\0';
29+			}
30 			break;
31 		case 'L':
32-			*mp++ = 'l'; *mp = '\0';
33+			if (strlen(mode) < (sizeof(mode) - 1))
34+			{
35+				*mp++ = 'l'; *mp = '\0';
36+			}
37 			break;
38 		case 'M':
39-			*mp++ = 'm'; *mp = '\0';
40+			if (strlen(mode) < (sizeof(mode) - 1))
41+			{
42+				*mp++ = 'm'; *mp = '\0';
43+			}
44 			break;
45 		case 'C':
46-			*mp++ = 'c'; *mp = '\0';
47+			if (strlen(mode) < (sizeof(mode) - 1))
48+			{
49+				*mp++ = 'c'; *mp = '\0';
50+			}
51 			break;
52 		case '8':
53-			*mp++ = '8'; *mp = '\0';
54+			if (strlen(mode) < (sizeof(mode)-1))
55+			{
56+				*mp++ = '8'; *mp = '\0';
57+			}
58 			break;
59 		case 'x':
60 			pageInSeq = 1;
61