xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1*4882a593SmuzhiyunFrom cca32f0d4f3dd2bd73d044bd6991ab3c764fc718 Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Su_Laus <sulau@freenet.de>
3*4882a593SmuzhiyunDate: Sun, 6 Feb 2022 17:53:53 +0100
4*4882a593SmuzhiyunSubject: [PATCH] tiffcrop.c: This update fixes also issues #350 and #351.
5*4882a593Smuzhiyun
6*4882a593Smuzhiyun Issue 350 is fixed by checking for not allowed zone input cases like -Z 0:0
7*4882a593Smuzhiyun in getCropOffsets().
8*4882a593Smuzhiyun
9*4882a593SmuzhiyunCVE: CVE-2022-2867
10*4882a593Smuzhiyun
11*4882a593SmuzhiyunUpstream-Status: Backport
12*4882a593Smuzhiyun[https://gitlab.com/libtiff/libtiff/-/commit/7d7bfa4416366ec64068ac389414241ed4730a54?merge_request_iid=294]
13*4882a593Smuzhiyun
14*4882a593SmuzhiyunSigned-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
15*4882a593Smuzhiyun
16*4882a593Smuzhiyun---
17*4882a593Smuzhiyun tools/tiffcrop.c | 58 +++++++++++++++++++++++++++++++++---------------
18*4882a593Smuzhiyun 1 file changed, 40 insertions(+), 18 deletions(-)
19*4882a593Smuzhiyun
20*4882a593Smuzhiyundiff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
21*4882a593Smuzhiyunindex 4a4ace8..0ef5bb2 100644
22*4882a593Smuzhiyun--- a/tools/tiffcrop.c
23*4882a593Smuzhiyun+++ b/tools/tiffcrop.c
24*4882a593Smuzhiyun@@ -5194,20 +5194,33 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
25*4882a593Smuzhiyun 	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
26*4882a593Smuzhiyun 	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
27*4882a593Smuzhiyun 	}
28*4882a593Smuzhiyun-      /* region needs to be within image sizes 0.. width-1; 0..length-1
29*4882a593Smuzhiyun-       * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1)
30*4882a593Smuzhiyun+      /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
31*4882a593Smuzhiyun+       * b) Corners are expected to be submitted as top-left to bottom-right.
32*4882a593Smuzhiyun+       *    Therefore, check that and reorder input.
33*4882a593Smuzhiyun+       * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
34*4882a593Smuzhiyun        */
35*4882a593Smuzhiyun-     if (x1 > image->width - 1)
36*4882a593Smuzhiyun+      uint32_t aux;
37*4882a593Smuzhiyun+      if (x1 > x2) {
38*4882a593Smuzhiyun+        aux = x1;
39*4882a593Smuzhiyun+        x1 = x2;
40*4882a593Smuzhiyun+        x2 = aux;
41*4882a593Smuzhiyun+      }
42*4882a593Smuzhiyun+      if (y1 > y2) {
43*4882a593Smuzhiyun+        aux = y1;
44*4882a593Smuzhiyun+        y1 = y2;
45*4882a593Smuzhiyun+        y2 = aux;
46*4882a593Smuzhiyun+      }
47*4882a593Smuzhiyun+      if (x1 > image->width - 1)
48*4882a593Smuzhiyun         crop->regionlist[i].x1 = image->width - 1;
49*4882a593Smuzhiyun-     else if (x1 > 0)
50*4882a593Smuzhiyun-        crop->regionlist[i].x1 = (uint32_t) (x1 - 1);
51*4882a593Smuzhiyun+      else if (x1 > 0)
52*4882a593Smuzhiyun+        crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
53*4882a593Smuzhiyun
54*4882a593Smuzhiyun-     if (x2 > image->width - 1)
55*4882a593Smuzhiyun-       crop->regionlist[i].x2 = image->width - 1;
56*4882a593Smuzhiyun-     else if (x2 > 0)
57*4882a593Smuzhiyun-       crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
58*4882a593Smuzhiyun+      if (x2 > image->width - 1)
59*4882a593Smuzhiyun+        crop->regionlist[i].x2 = image->width - 1;
60*4882a593Smuzhiyun+      else if (x2 > 0)
61*4882a593Smuzhiyun+        crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
62*4882a593Smuzhiyun
63*4882a593Smuzhiyun-      zwidth  = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
64*4882a593Smuzhiyun+      zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
65*4882a593Smuzhiyun
66*4882a593Smuzhiyun       if (y1 > image->length - 1)
67*4882a593Smuzhiyun         crop->regionlist[i].y1 = image->length - 1;
68*4882a593Smuzhiyun@@ -5219,8 +5232,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
69*4882a593Smuzhiyun       else if (y2 > 0)
70*4882a593Smuzhiyun         crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
71*4882a593Smuzhiyun
72*4882a593Smuzhiyun-      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
73*4882a593Smuzhiyun-
74*4882a593Smuzhiyun+      zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
75*4882a593Smuzhiyun       if (zwidth > max_width)
76*4882a593Smuzhiyun         max_width = zwidth;
77*4882a593Smuzhiyun       if (zlength > max_length)
78*4882a593Smuzhiyun@@ -5250,7 +5262,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
79*4882a593Smuzhiyun 	}
80*4882a593Smuzhiyun       }
81*4882a593Smuzhiyun     return (0);
82*4882a593Smuzhiyun-    }
83*4882a593Smuzhiyun+    }  /* crop_mode == CROP_REGIONS */
84*4882a593Smuzhiyun
85*4882a593Smuzhiyun   /* Convert crop margins into offsets into image
86*4882a593Smuzhiyun    * Margins are expressed as pixel rows and columns, not bytes
87*4882a593Smuzhiyun@@ -5286,7 +5298,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
88*4882a593Smuzhiyun       bmargin = (uint32_t) 0;
89*4882a593Smuzhiyun       return (-1);
90*4882a593Smuzhiyun       }
91*4882a593Smuzhiyun-    }
92*4882a593Smuzhiyun+    }  /* crop_mode == CROP_MARGINS */
93*4882a593Smuzhiyun   else
94*4882a593Smuzhiyun     { /* no margins requested */
95*4882a593Smuzhiyun     tmargin = (uint32_t) 0;
96*4882a593Smuzhiyun@@ -5494,10 +5506,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
97*4882a593Smuzhiyun   else
98*4882a593Smuzhiyun     crop->selections = crop->zones;
99*4882a593Smuzhiyun
100*4882a593Smuzhiyun-  for (i = 0; i < crop->zones; i++)
101*4882a593Smuzhiyun+  /* Initialize regions iterator i */
102*4882a593Smuzhiyun+  i = 0;
103*4882a593Smuzhiyun+  for (int j = 0; j < crop->zones; j++)
104*4882a593Smuzhiyun     {
105*4882a593Smuzhiyun-    seg = crop->zonelist[i].position;
106*4882a593Smuzhiyun-    total = crop->zonelist[i].total;
107*4882a593Smuzhiyun+    seg = crop->zonelist[j].position;
108*4882a593Smuzhiyun+    total = crop->zonelist[j].total;
109*4882a593Smuzhiyun+
110*4882a593Smuzhiyun+    /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
111*4882a593Smuzhiyun+    if (seg == 0 || total == 0 || seg > total) {
112*4882a593Smuzhiyun+        continue;
113*4882a593Smuzhiyun+    }
114*4882a593Smuzhiyun
115*4882a593Smuzhiyun     switch (crop->edge_ref)
116*4882a593Smuzhiyun       {
117*4882a593Smuzhiyun@@ -5626,8 +5645,11 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
118*4882a593Smuzhiyun                     i + 1, zwidth, zlength,
119*4882a593Smuzhiyun                crop->regionlist[i].x1, crop->regionlist[i].x2,
120*4882a593Smuzhiyun                crop->regionlist[i].y1, crop->regionlist[i].y2);
121*4882a593Smuzhiyun+  /* increment regions iterator */
122*4882a593Smuzhiyun+  i++;
123*4882a593Smuzhiyun     }
124*4882a593Smuzhiyun-
125*4882a593Smuzhiyun+    /* set number of generated regions out of given zones */
126*4882a593Smuzhiyun+    crop->selections = i;
127*4882a593Smuzhiyun   return (0);
128*4882a593Smuzhiyun   } /* end getCropOffsets */
129*4882a593Smuzhiyun
130