1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
From cca32f0d4f3dd2bd73d044bd6991ab3c764fc718 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Sun, 6 Feb 2022 17:53:53 +0100
Subject: [PATCH] tiffcrop.c: This update fixes also issues #350 and #351.
Issue 350 is fixed by checking for not allowed zone input cases like -Z 0:0
in getCropOffsets().
CVE: CVE-2022-2867
Upstream-Status: Backport
[https://gitlab.com/libtiff/libtiff/-/commit/7d7bfa4416366ec64068ac389414241ed4730a54?merge_request_iid=294]
Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
---
tools/tiffcrop.c | 58 +++++++++++++++++++++++++++++++++---------------
1 file changed, 40 insertions(+), 18 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 4a4ace8..0ef5bb2 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5194,20 +5194,33 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1);
y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2);
}
- /* region needs to be within image sizes 0.. width-1; 0..length-1
- * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1)
+ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1
+ * b) Corners are expected to be submitted as top-left to bottom-right.
+ * Therefore, check that and reorder input.
+ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) )
*/
- if (x1 > image->width - 1)
+ uint32_t aux;
+ if (x1 > x2) {
+ aux = x1;
+ x1 = x2;
+ x2 = aux;
+ }
+ if (y1 > y2) {
+ aux = y1;
+ y1 = y2;
+ y2 = aux;
+ }
+ if (x1 > image->width - 1)
crop->regionlist[i].x1 = image->width - 1;
- else if (x1 > 0)
- crop->regionlist[i].x1 = (uint32_t) (x1 - 1);
+ else if (x1 > 0)
+ crop->regionlist[i].x1 = (uint32_t)(x1 - 1);
- if (x2 > image->width - 1)
- crop->regionlist[i].x2 = image->width - 1;
- else if (x2 > 0)
- crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
+ if (x2 > image->width - 1)
+ crop->regionlist[i].x2 = image->width - 1;
+ else if (x2 > 0)
+ crop->regionlist[i].x2 = (uint32_t)(x2 - 1);
- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
if (y1 > image->length - 1)
crop->regionlist[i].y1 = image->length - 1;
@@ -5219,8 +5232,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
else if (y2 > 0)
crop->regionlist[i].y2 = (uint32_t)(y2 - 1);
- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
-
+ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
if (zwidth > max_width)
max_width = zwidth;
if (zlength > max_length)
@@ -5250,7 +5262,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
}
}
return (0);
- }
+ } /* crop_mode == CROP_REGIONS */
/* Convert crop margins into offsets into image
* Margins are expressed as pixel rows and columns, not bytes
@@ -5286,7 +5298,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image,
bmargin = (uint32_t) 0;
return (-1);
}
- }
+ } /* crop_mode == CROP_MARGINS */
else
{ /* no margins requested */
tmargin = (uint32_t) 0;
@@ -5494,10 +5506,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
else
crop->selections = crop->zones;
- for (i = 0; i < crop->zones; i++)
+ /* Initialize regions iterator i */
+ i = 0;
+ for (int j = 0; j < crop->zones; j++)
{
- seg = crop->zonelist[i].position;
- total = crop->zonelist[i].total;
+ seg = crop->zonelist[j].position;
+ total = crop->zonelist[j].total;
+
+ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */
+ if (seg == 0 || total == 0 || seg > total) {
+ continue;
+ }
switch (crop->edge_ref)
{
@@ -5626,8 +5645,11 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
i + 1, zwidth, zlength,
crop->regionlist[i].x1, crop->regionlist[i].x2,
crop->regionlist[i].y1, crop->regionlist[i].y2);
+ /* increment regions iterator */
+ i++;
}
-
+ /* set number of generated regions out of given zones */
+ crop->selections = i;
return (0);
} /* end getCropOffsets */
|
