1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
|
From: Markus Koschany <apo@debian.org>
Date: Tue, 21 Feb 2023 14:26:43 +0100
Subject: CVE-2023-0795
This is also the fix for CVE-2023-0796, CVE-2023-0797, CVE-2023-0798,
CVE-2023-0799.
Bug-Debian: https://bugs.debian.org/1031632
Origin: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68
CVE: CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799
Upstream-Status: Backport [import from ubuntu debian/patches/CVE-2023-0795.patch http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.4.0-4ubuntu3.3.debian.tar.xz ]
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
tools/tiffcrop.c | 51 ++++++++++++++++++++++++++++++---------------------
1 file changed, 30 insertions(+), 21 deletions(-)
--- tiff-4.4.0.orig/tools/tiffcrop.c
+++ tiff-4.4.0/tools/tiffcrop.c
@@ -269,7 +269,6 @@ struct region {
uint32_t width; /* width in pixels */
uint32_t length; /* length in pixels */
uint32_t buffsize; /* size of buffer needed to hold the cropped region */
- unsigned char *buffptr; /* address of start of the region */
};
/* Cropping parameters from command line and image data
@@ -524,7 +523,7 @@ static int rotateContigSamples24bits(uin
static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
uint32_t, uint32_t, uint8_t *, uint8_t *);
static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
- unsigned char **);
+ unsigned char **, int);
static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
unsigned char *);
static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
@@ -5219,7 +5218,6 @@ initCropMasks (struct crop_mask *cps)
cps->regionlist[i].width = 0;
cps->regionlist[i].length = 0;
cps->regionlist[i].buffsize = 0;
- cps->regionlist[i].buffptr = NULL;
cps->zonelist[i].position = 0;
cps->zonelist[i].total = 0;
}
@@ -6551,8 +6549,13 @@ static int correct_orientation(struct i
(uint16_t) (image->adjustments & ROTATE_ANY));
return (-1);
}
-
- if (rotateImage(rotation, image, &image->width, &image->length, work_buff_ptr))
+
+ /* Dummy variable in order not to switch two times the
+ * image->width,->length within rotateImage(),
+ * but switch xres, yres there. */
+ uint32_t width = image->width;
+ uint32_t length = image->length;
+ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
{
TIFFError ("correct_orientation", "Unable to rotate image");
return (-1);
@@ -6661,7 +6664,6 @@ extractCompositeRegions(struct image_dat
/* These should not be needed for composite images */
crop->regionlist[i].width = crop_width;
crop->regionlist[i].length = crop_length;
- crop->regionlist[i].buffptr = crop_buff;
src_rowsize = ((img_width * bps * spp) + 7) / 8;
dst_rowsize = (((crop_width * bps * count) + 7) / 8);
@@ -6900,7 +6902,6 @@ extractSeparateRegion(struct image_data
crop->regionlist[region].width = crop_width;
crop->regionlist[region].length = crop_length;
- crop->regionlist[region].buffptr = crop_buff;
src = read_buff;
dst = crop_buff;
@@ -7778,7 +7779,7 @@ processCropSelections(struct image_data
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, &crop_buff))
+ &crop->combined_length, &crop_buff, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation);
@@ -7888,7 +7889,7 @@ processCropSelections(struct image_data
* ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !!
*/
if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
- &crop->regionlist[i].length, &crop_buff))
+ &crop->regionlist[i].length, &crop_buff, FALSE))
{
TIFFError("processCropSelections",
"Failed to rotate crop region by %"PRIu16" degrees", crop->rotation);
@@ -8020,7 +8021,7 @@ createCroppedImage(struct image_data *im
if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
{
if (rotateImage(crop->rotation, image, &crop->combined_width,
- &crop->combined_length, crop_buff_ptr))
+ &crop->combined_length, crop_buff_ptr, TRUE))
{
TIFFError("createCroppedImage",
"Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation);
@@ -8683,7 +8684,7 @@ rotateContigSamples32bits(uint16_t rotat
/* Rotate an image by a multiple of 90 degrees clockwise */
static int
rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,
- uint32_t *img_length, unsigned char **ibuff_ptr)
+ uint32_t *img_length, unsigned char **ibuff_ptr, int rot_image_params)
{
int shift_width;
uint32_t bytes_per_pixel, bytes_per_sample;
@@ -8874,11 +8875,15 @@ rotateImage(uint16_t rotation, struct im
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params)
+ {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
case 270: if ((bps % 8) == 0) /* byte aligned data */
@@ -8951,11 +8956,15 @@ rotateImage(uint16_t rotation, struct im
*img_width = length;
*img_length = width;
- image->width = length;
- image->length = width;
- res_temp = image->xres;
- image->xres = image->yres;
- image->yres = res_temp;
+ /* Only toggle image parameters if whole input image is rotated. */
+ if (rot_image_params)
+ {
+ image->width = length;
+ image->length = width;
+ res_temp = image->xres;
+ image->xres = image->yres;
+ image->yres = res_temp;
+ }
break;
default:
break;
|
