xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1*4882a593SmuzhiyunFrom 19d775e058bf6bb0b0e9c56f406b775f9e725355 Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Su_Laus <sulau@freenet.de>
3*4882a593SmuzhiyunDate: Sat, 2 Apr 2022 22:33:31 +0200
4*4882a593SmuzhiyunSubject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400)
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunCVE: CVE-2022-1355
7*4882a593Smuzhiyun
8*4882a593SmuzhiyunUpstream-Status: Backport
9*4882a593Smuzhiyun[https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2]
10*4882a593Smuzhiyun
11*4882a593SmuzhiyunSigned-off-by: Yi Zhao <yi.zhao@windriver.com>
12*4882a593Smuzhiyun
13*4882a593Smuzhiyun---
14*4882a593Smuzhiyun tools/tiffcp.c | 25 ++++++++++++++++++++-----
15*4882a593Smuzhiyun 1 file changed, 20 insertions(+), 5 deletions(-)
16*4882a593Smuzhiyun
17*4882a593Smuzhiyundiff --git a/tools/tiffcp.c b/tools/tiffcp.c
18*4882a593Smuzhiyunindex 552d8fa..57eef90 100644
19*4882a593Smuzhiyun--- a/tools/tiffcp.c
20*4882a593Smuzhiyun+++ b/tools/tiffcp.c
21*4882a593Smuzhiyun@@ -274,19 +274,34 @@ main(int argc, char* argv[])
22*4882a593Smuzhiyun 			deftilewidth = atoi(optarg);
23*4882a593Smuzhiyun 			break;
24*4882a593Smuzhiyun 		case 'B':
25*4882a593Smuzhiyun-			*mp++ = 'b'; *mp = '\0';
26*4882a593Smuzhiyun+			if (strlen(mode) < (sizeof(mode) - 1))
27*4882a593Smuzhiyun+			{
28*4882a593Smuzhiyun+				*mp++ = 'b'; *mp = '\0';
29*4882a593Smuzhiyun+			}
30*4882a593Smuzhiyun 			break;
31*4882a593Smuzhiyun 		case 'L':
32*4882a593Smuzhiyun-			*mp++ = 'l'; *mp = '\0';
33*4882a593Smuzhiyun+			if (strlen(mode) < (sizeof(mode) - 1))
34*4882a593Smuzhiyun+			{
35*4882a593Smuzhiyun+				*mp++ = 'l'; *mp = '\0';
36*4882a593Smuzhiyun+			}
37*4882a593Smuzhiyun 			break;
38*4882a593Smuzhiyun 		case 'M':
39*4882a593Smuzhiyun-			*mp++ = 'm'; *mp = '\0';
40*4882a593Smuzhiyun+			if (strlen(mode) < (sizeof(mode) - 1))
41*4882a593Smuzhiyun+			{
42*4882a593Smuzhiyun+				*mp++ = 'm'; *mp = '\0';
43*4882a593Smuzhiyun+			}
44*4882a593Smuzhiyun 			break;
45*4882a593Smuzhiyun 		case 'C':
46*4882a593Smuzhiyun-			*mp++ = 'c'; *mp = '\0';
47*4882a593Smuzhiyun+			if (strlen(mode) < (sizeof(mode) - 1))
48*4882a593Smuzhiyun+			{
49*4882a593Smuzhiyun+				*mp++ = 'c'; *mp = '\0';
50*4882a593Smuzhiyun+			}
51*4882a593Smuzhiyun 			break;
52*4882a593Smuzhiyun 		case '8':
53*4882a593Smuzhiyun-			*mp++ = '8'; *mp = '\0';
54*4882a593Smuzhiyun+			if (strlen(mode) < (sizeof(mode)-1))
55*4882a593Smuzhiyun+			{
56*4882a593Smuzhiyun+				*mp++ = '8'; *mp = '\0';
57*4882a593Smuzhiyun+			}
58*4882a593Smuzhiyun 			break;
59*4882a593Smuzhiyun 		case 'x':
60*4882a593Smuzhiyun 			pageInSeq = 1;
61