|
 |
edc570 |
From 377a37d06f8ea753cba404cd6954b988ca861ad3 Mon Sep 17 00:00:00 2001
|
|
|
edc570 |
From: 4ugustus <wangdw.augustus@qq.com>
|
|
|
edc570 |
Date: Tue, 25 Jan 2022 16:25:28 +0000
|
|
|
edc570 |
Subject: [PATCH] (CVE-2022-22844) tiffset: fix global-buffer-overflow for
|
|
|
edc570 |
ASCII tags where count is required (fixes #355)
|
|
|
edc570 |
|
|
|
edc570 |
(cherry picked from commit 03047a26952a82daaa0792957ce211e0aa51bc64)
|
|
|
edc570 |
---
|
|
|
edc570 |
tools/tiffset.c | 12 +++++++++++-
|
|
|
edc570 |
1 file changed, 11 insertions(+), 1 deletion(-)
|
|
|
edc570 |
|
|
|
edc570 |
diff --git a/tools/tiffset.c b/tools/tiffset.c
|
|
|
edc570 |
index 894c9f1f..e4b0d49f 100644
|
|
|
edc570 |
--- a/tools/tiffset.c
|
|
|
edc570 |
+++ b/tools/tiffset.c
|
|
|
edc570 |
@@ -134,9 +134,19 @@ main(int argc, char* argv[])
|
|
|
edc570 |
|
|
|
edc570 |
arg_index++;
|
|
|
edc570 |
if (TIFFFieldDataType(fip) == TIFF_ASCII) {
|
|
|
edc570 |
- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
|
|
|
edc570 |
+ if(TIFFFieldPassCount( fip )) {
|
|
|
edc570 |
+ size_t len;
|
|
|
edc570 |
+ len = strlen(argv[arg_index]) + 1;
|
|
|
edc570 |
+ if (len > ((uint16)(~0)) || TIFFSetField(tiff, TIFFFieldTag(fip),
|
|
|
edc570 |
+ (uint16)len, argv[arg_index]) != 1)
|
|
|
edc570 |
fprintf( stderr, "Failed to set %s=%s\n",
|
|
|
edc570 |
TIFFFieldName(fip), argv[arg_index] );
|
|
|
edc570 |
+ } else {
|
|
|
edc570 |
+ if (TIFFSetField(tiff, TIFFFieldTag(fip),
|
|
|
edc570 |
+ argv[arg_index]) != 1)
|
|
|
edc570 |
+ fprintf( stderr, "Failed to set %s=%s\n",
|
|
|
edc570 |
+ TIFFFieldName(fip), argv[arg_index] );
|
|
|
edc570 |
+ }
|
|
|
edc570 |
} else if (TIFFFieldWriteCount(fip) > 0
|
|
|
edc570 |
|| TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
|
|
|
edc570 |
int ret = 1;
|
|
|
edc570 |
--
|
|
|
edc570 |
2.34.1
|
|
|
edc570 |
|