|
 |
edc570 |
From 2d598cd7523cba7ee8441fac96bfe422ec277efc Mon Sep 17 00:00:00 2001
|
|
|
edc570 |
From: Even Rouault <even.rouault@spatialys.com>
|
|
|
edc570 |
Date: Thu, 24 Feb 2022 22:26:02 +0100
|
|
|
edc570 |
Subject: [PATCH] (CVE-2022-0865) tif_jbig.c: fix crash when reading a file
|
|
|
edc570 |
with multiple IFD in memory-mapped mode and when bit reversal is needed
|
|
|
edc570 |
(fixes #385)
|
|
|
edc570 |
|
|
|
edc570 |
(cherry picked from commit a1c933dabd0e1c54a412f3f84ae0aa58115c6067)
|
|
|
edc570 |
---
|
|
|
edc570 |
libtiff/tif_jbig.c | 10 ++++++++++
|
|
|
edc570 |
1 file changed, 10 insertions(+)
|
|
|
edc570 |
|
|
|
edc570 |
diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c
|
|
|
edc570 |
index 8136c77b..698428f0 100644
|
|
|
edc570 |
--- a/libtiff/tif_jbig.c
|
|
|
edc570 |
+++ b/libtiff/tif_jbig.c
|
|
|
edc570 |
@@ -210,6 +210,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme)
|
|
|
edc570 |
*/
|
|
|
edc570 |
tif->tif_flags |= TIFF_NOBITREV;
|
|
|
edc570 |
tif->tif_flags &= ~TIFF_MAPPED;
|
|
|
edc570 |
+ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and
|
|
|
edc570 |
+ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial
|
|
|
edc570 |
+ * value to be consistent with the state of a non-memory mapped file.
|
|
|
edc570 |
+ */
|
|
|
edc570 |
+ if (tif->tif_flags&TIFF_BUFFERMMAP) {
|
|
|
edc570 |
+ tif->tif_rawdata = NULL;
|
|
|
edc570 |
+ tif->tif_rawdatasize = 0;
|
|
|
edc570 |
+ tif->tif_flags &= ~TIFF_BUFFERMMAP;
|
|
|
edc570 |
+ tif->tif_flags |= TIFF_MYBUFFER;
|
|
|
edc570 |
+ }
|
|
|
edc570 |
|
|
|
edc570 |
/* Setup the function pointers for encode, decode, and cleanup. */
|
|
|
edc570 |
tif->tif_setupdecode = JBIGSetupDecode;
|
|
|
edc570 |
--
|
|
|
edc570 |
2.34.1
|
|
|
edc570 |
|