From 0bbe164e12be733a1b7e0fe9939ea3461ed7fff2 Mon Sep 17 00:00:00 2001

From: 4ugustus <wangdw.augustus@qq.com>

Date: Thu, 10 Mar 2022 08:48:00 +0000

Subject: [PATCH] (CVE-2022-0924) fix heap buffer overflow in tiffcp (#278)

(cherry picked from commit 88d79a45a31c74cba98c697892fed5f7db8b963a)

---

 tools/tiffcp.c | 17 ++++++++++++++++-

 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/tools/tiffcp.c b/tools/tiffcp.c

index 96f14728..d5f1d248 100644

--- a/tools/tiffcp.c

+++ b/tools/tiffcp.c

@@ -1506,12 +1506,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)

 	tdata_t obuf;

 	tstrip_t strip = 0;

 	tsample_t s;

+	uint16 bps = 0, bytes_per_sample;

 	obuf = _TIFFmalloc(stripsize);

 	if (obuf == NULL)

 		return (0);

 	_TIFFmemset(obuf, 0, stripsize);

 	(void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);

+	(void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps;;

+	if( bps == 0 )

+        {

+            TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");

+            _TIFFfree(obuf);

+            return 0;

+        }

+        if( (bps % 8) != 0 )

+        {

+            TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");

+            _TIFFfree(obuf);

+            return 0;

+        }

+	bytes_per_sample = bps/8;

 	for (s = 0; s < spp; s++) {

 		uint32 row;

 		for (row = 0; row < imagelength; row += rowsperstrip) {

@@ -1521,7 +1536,7 @@ DECLAREwriteFunc(writeBufferToSeparateStrips)

 			cpContigBufToSeparateBuf(

 			    obuf, (uint8*) buf + row*rowsize + s,

-			    nrows, imagewidth, 0, 0, spp, 1);

+			    nrows, imagewidth, 0, 0, spp, bytes_per_sample);

 			if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {

 				TIFFError(TIFFFileName(out),

 				    "Error, can't write strip %u",