master

分支 (24)

标签 (19)

管理

管理

master

openEuler-20.03-LTS-SP4

openEuler-22.03-LTS-SP1

openEuler-22.03-LTS-SP3

openEuler-22.03-LTS-SP4

openEuler-24.03-LTS

openEuler-24.03-LTS-Next

openEuler-24.09

openEuler-22.03-LTS-SP2

openEuler-22.03-LTS

openEuler-20.03-LTS-SP1

openEuler-22.03-LTS-Next

openEuler-20.03-LTS-SP3

openEuler-23.09

openEuler-23.03

openEuler-22.09

openEuler-20.03-LTS-SP2

openEuler-20.03-LTS

openEuler-20.03-LTS-Next

openEuler-21.09

openEuler-22.03-LTS-SP4-release

openEuler-24.03-LTS-release

openEuler-22.03-LTS-SP3-release

openEuler-23.09-rc5

openEuler-22.03-LTS-SP1-release

openEuler-22.09-release

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

libtiff
/
backport-0003-CVE-2023-6277.patch

From 38f5b5b9f95891d2616f1df70ebcfb53690cb67c Mon Sep 17 00:00:00 2001
From: Even Rouault <even.rouault@spatialys.com>
Date: Wed, 29 Nov 2023 18:10:25 +0800
Subject: [PATCH] backport patch for fix CVE-2023-6277 issue

---
 libtiff/tif_dirread.c | 129 +++++++++++++++++++++---------------------
 1 file changed, 66 insertions(+), 63 deletions(-)

diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index a98ea1f..b38060f 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -1308,19 +1308,22 @@ TIFFReadDirEntryArrayWithLimit(TIFF *tif, TIFFDirEntry *direntry,
     datasize = (*count) * typesize;
     assert((tmsize_t)datasize > 0);

-    /* Before allocating a huge amount of memory for corrupted files, check if
-     * size of requested memory is not greater than file size.
-     */
-    uint64_t filesize = TIFFGetFileSize(tif);
-    if (datasize > filesize)
-    {
-        TIFFWarningExtR(tif, "ReadDirEntryArray",
-                        "Requested memory size for tag %d (0x%x) %" PRIu32
-                        " is greather than filesize %" PRIu64
-                        ". Memory not allocated, tag not read",
-                        direntry->tdir_tag, direntry->tdir_tag, datasize,
-                        filesize);
-        return (TIFFReadDirEntryErrAlloc);
+    if (datasize > 100 * 1024 * 1024)
+    {
+        /* Before allocating a huge amount of memory for corrupted files, check
+         * if size of requested memory is not greater than file size.
+         */
+        const uint64_t filesize = TIFFGetFileSize(tif);
+        if (datasize > filesize)
+        {
+            TIFFWarningExtR(tif, "ReadDirEntryArray",
+                            "Requested memory size for tag %d (0x%x) %" PRIu32
+                            " is greater than filesize %" PRIu64
+                            ". Memory not allocated, tag not read",
+                            direntry->tdir_tag, direntry->tdir_tag, datasize,
+                            filesize);
+            return (TIFFReadDirEntryErrAlloc);
+        }
     }

     if (isMapped(tif) && datasize > (uint64_t)tif->tif_size)
@@ -5281,18 +5284,22 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
     if (!_TIFFFillStrilesInternal(tif, 0))
         return -1;

-    /* Before allocating a huge amount of memory for corrupted files, check if
-     * size of requested memory is not greater than file size. */
-    uint64_t filesize = TIFFGetFileSize(tif);
-    uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
-    if (allocsize > filesize)
-    {
-        TIFFWarningExtR(tif, module,
-                        "Requested memory size for StripByteCounts of %" PRIu64
-                        " is greather than filesize %" PRIu64
-                        ". Memory not allocated",
-                        allocsize, filesize);
-        return -1;
+    const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+    uint64_t filesize = 0;
+    if (allocsize > 100 * 1024 * 1024)
+    {
+        /* Before allocating a huge amount of memory for corrupted files, check
+         * if size of requested memory is not greater than file size. */
+        filesize = TIFFGetFileSize(tif);
+        if (allocsize > filesize)
+        {
+            TIFFWarningExtR(
+                tif, module,
+                "Requested memory size for StripByteCounts of %" PRIu64
+                " is greater than filesize %" PRIu64 ". Memory not allocated",
+                allocsize, filesize);
+            return -1;
+        }
     }

     if (td->td_stripbytecount_p)
@@ -5341,6 +5348,8 @@ static int EstimateStripByteCounts(TIFF *tif, TIFFDirEntry *dir,
                 return -1;
             space += datasize;
         }
+        if (filesize == 0)
+            filesize = TIFFGetFileSize(tif);
         if (filesize < space)
             /* we should perhaps return in error ? */
             space = filesize;
@@ -5834,20 +5843,6 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
             dircount16 = (uint16_t)dircount64;
             dirsize = 20;
         }
-        /* Before allocating a huge amount of memory for corrupted files, check
-         * if size of requested memory is not greater than file size. */
-        uint64_t filesize = TIFFGetFileSize(tif);
-        uint64_t allocsize = (uint64_t)dircount16 * dirsize;
-        if (allocsize > filesize)
-        {
-            TIFFWarningExtR(
-                tif, module,
-                "Requested memory size for TIFF directory of %" PRIu64
-                " is greather than filesize %" PRIu64
-                ". Memory not allocated, TIFF directory not read",
-                allocsize, filesize);
-            return 0;
-        }
         origdir = _TIFFCheckMalloc(tif, dircount16, dirsize,
                                    "to read TIFF directory");
         if (origdir == NULL)
@@ -5971,7 +5966,7 @@ static uint16_t TIFFFetchDirectory(TIFF *tif, uint64_t diroff,
             TIFFWarningExtR(
                 tif, module,
                 "Requested memory size for TIFF directory of %" PRIu64
-                " is greather than filesize %" PRIu64
+                " is greater than filesize %" PRIu64
                 ". Memory not allocated, TIFF directory not read",
                 allocsize, filesize);
             return 0;
@@ -7221,19 +7216,24 @@ static int TIFFFetchStripThing(TIFF *tif, TIFFDirEntry *dir, uint32_t nstrips,
             return (0);
         }

-        /* Before allocating a huge amount of memory for corrupted files, check
-         * if size of requested memory is not greater than file size. */
-        uint64_t filesize = TIFFGetFileSize(tif);
-        uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
-        if (allocsize > filesize)
+        const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+        if (allocsize > 100 * 1024 * 1024)
         {
-            TIFFWarningExtR(tif, module,
-                            "Requested memory size for StripArray of %" PRIu64
-                            " is greather than filesize %" PRIu64
-                            ". Memory not allocated",
-                            allocsize, filesize);
-            _TIFFfreeExt(tif, data);
-            return (0);
+            /* Before allocating a huge amount of memory for corrupted files,
+             * check if size of requested memory is not greater than file size.
+             */
+            const uint64_t filesize = TIFFGetFileSize(tif);
+            if (allocsize > filesize)
+            {
+                TIFFWarningExtR(
+                    tif, module,
+                    "Requested memory size for StripArray of %" PRIu64
+                    " is greater than filesize %" PRIu64
+                    ". Memory not allocated",
+                    allocsize, filesize);
+                _TIFFfreeExt(tif, data);
+                return (0);
+            }
         }
         resizeddata = (uint64_t *)_TIFFCheckMalloc(
             tif, nstrips, sizeof(uint64_t), "for strip array");
@@ -7338,17 +7338,20 @@ static void allocChoppedUpStripArrays(TIFF *tif, uint32_t nstrips,
      * size of StripByteCount and StripOffset tags is not greater than
      * file size.
      */
-    uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
-    uint64_t filesize = TIFFGetFileSize(tif);
-    if (allocsize > filesize)
-    {
-        TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
-                        "Requested memory size for StripByteCount and "
-                        "StripOffsets %" PRIu64
-                        " is greather than filesize %" PRIu64
-                        ". Memory not allocated",
-                        allocsize, filesize);
-        return;
+    const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+    if (allocsize > 100 * 1024 * 1024)
+    {
+        const uint64_t filesize = TIFFGetFileSize(tif);
+        if (allocsize > filesize)
+        {
+            TIFFWarningExtR(tif, "allocChoppedUpStripArrays",
+                            "Requested memory size for StripByteCount and "
+                            "StripOffsets %" PRIu64
+                            " is greater than filesize %" PRIu64
+                            ". Memory not allocated",
+                            allocsize, filesize);
+            return;
+        }
     }

     newcounts =
--
2.27.0