xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1From b4cf40182c865db554c6e67034afa6ea12c5554d Mon Sep 17 00:00:00 2001
2From: Su_Laus <sulau@freenet.de>
3Date: Sun, 6 Feb 2022 10:53:45 +0100
4Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting
5
6 uint32_t underflow.
7
8CVE: CVE-2022-2869
9
10Upstream-Status: Backport
11[https://gitlab.com/libtiff/libtiff/-/commit/bcf28bb7f630f24fa47701a9907013f3548092cd?merge_request_iid=294]
12
13Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
14
15---
16 tools/tiffcrop.c | 34 +++++++++++++++++++---------------
17 1 file changed, 19 insertions(+), 15 deletions(-)
18
19diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
20index b9b13d8..4a4ace8 100644
21--- a/tools/tiffcrop.c
22+++ b/tools/tiffcrop.c
23@@ -5194,26 +5194,30 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
24 	y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
25 	y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
26 	}
27-      if (x1 < 1)
28-        crop->regionlist[i].x1 = 0;
29-      else
30+      /* region needs to be within image sizes 0.. width-1; 0..length-1
31+       * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1)
32+       */
33+     if (x1 > image->width - 1)
34+        crop->regionlist[i].x1 = image->width - 1;
35+     else if (x1 > 0)
36         crop->regionlist[i].x1 = (uint32_t) (x1 - 1);
37
38-      if (x2 > image->width - 1)
39-        crop->regionlist[i].x2 = image->width - 1;
40-      else
41-        crop->regionlist[i].x2 = (uint32_t) (x2 - 1);
42+     if (x2 > image->width - 1)
43+       crop->regionlist[i].x2 = image->width - 1;
44+     else if (x2 > 0)
45+       crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
46+
47       zwidth  = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
48
49-      if (y1 < 1)
50-        crop->regionlist[i].y1 = 0;
51-      else
52-        crop->regionlist[i].y1 = (uint32_t) (y1 - 1);
53+      if (y1 > image->length - 1)
54+        crop->regionlist[i].y1 = image->length - 1;
55+      else if (y1 > 0)
56+        crop->regionlist[i].y1 = (uint32_t)(y1 - 1);
57
58       if (y2 > image->length - 1)
59         crop->regionlist[i].y2 = image->length - 1;
60-      else
61-        crop->regionlist[i].y2 = (uint32_t) (y2 - 1);
62+      else if (y2 > 0)
63+        crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
64
65       zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
66
67@@ -5376,7 +5380,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
68   crop_width  = endx - startx + 1;
69   crop_length = endy - starty + 1;
70
71-  if (crop_width <= 0)
72+  if (endx + 1 <= startx)
73     {
74     TIFFError("computeInputPixelOffsets",
75                "Invalid left/right margins and /or image crop width requested");
76@@ -5385,7 +5389,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
77   if (crop_width > image->width)
78     crop_width = image->width;
79
80-  if (crop_length <= 0)
81+  if (endy + 1 <= starty)
82     {
83     TIFFError("computeInputPixelOffsets",
84               "Invalid top/bottom margins and /or image crop length requested");
85