|
 |
b70fad |
From 84f9ede8075774dd9a10080a9eea9016229adbaa Mon Sep 17 00:00:00 2001
|
|
|
b70fad |
From: Su_Laus <sulau@freenet.de>
|
|
|
b70fad |
Date: Thu, 25 Aug 2022 16:11:41 +0200
|
|
|
b70fad |
Subject: [PATCH] (CVE-2022-3597 CVE-2022-3626 CVE-2022-3627) tiffcrop: disable
|
|
|
b70fad |
incompatibility of -Z, -X, -Y, -z options with any PAGE_MODE_x option (fixes
|
|
|
b70fad |
#411 and #413)
|
|
|
b70fad |
MIME-Version: 1.0
|
|
|
b70fad |
Content-Type: text/plain; charset=UTF-8
|
|
|
b70fad |
Content-Transfer-Encoding: 8bit
|
|
|
b70fad |
|
|
|
b70fad |
tiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S.
|
|
|
b70fad |
|
|
|
b70fad |
Code analysis:
|
|
|
b70fad |
|
|
|
b70fad |
With the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[].
|
|
|
b70fad |
In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) .
|
|
|
b70fad |
|
|
|
b70fad |
Execution of the else-clause often leads to buffer-overflows.
|
|
|
b70fad |
|
|
|
b70fad |
Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows.
|
|
|
b70fad |
|
|
|
b70fad |
The MR solves issues #411 and #413.
|
|
|
b70fad |
|
|
|
b70fad |
(cherry picked from commit 4746f16253b784287bc8a5003990c1c3b9a03a62)
|
|
|
b70fad |
---
|
|
|
b70fad |
tools/tiffcrop.c | 27 +++++++++++++++++++++++----
|
|
|
b70fad |
1 file changed, 23 insertions(+), 4 deletions(-)
|
|
|
b70fad |
|
|
|
b70fad |
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
|
|
|
b70fad |
index ff118496..848b2b49 100644
|
|
|
b70fad |
--- a/tools/tiffcrop.c
|
|
|
b70fad |
+++ b/tools/tiffcrop.c
|
|
|
b70fad |
@@ -106,9 +106,11 @@
|
|
|
b70fad |
* lower level, scanline level routines. Debug reports a limited set
|
|
|
b70fad |
* of messages to monitor progress without enabling dump logs.
|
|
|
b70fad |
*
|
|
|
b70fad |
- * Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
|
|
|
b70fad |
+ * Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.
|
|
|
b70fad |
* In no case should the options be applied to a given selection successively.
|
|
|
b70fad |
- */
|
|
|
b70fad |
+ * Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
|
|
|
b70fad |
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
|
|
|
b70fad |
+ */
|
|
|
b70fad |
|
|
|
b70fad |
static char tiffcrop_version_id[] = "2.4";
|
|
|
b70fad |
static char tiffcrop_rev_date[] = "12-13-2010";
|
|
|
b70fad |
@@ -754,7 +756,11 @@ static char* usage_info[] = {
|
|
|
b70fad |
" The four debug/dump options are independent, though it makes little sense to",
|
|
|
b70fad |
" specify a dump file without specifying a detail level.",
|
|
|
b70fad |
" ",
|
|
|
b70fad |
-"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive."
|
|
|
b70fad |
+"Note 1: The (-X|-Y), -Z, -z and -S options are mutually exclusive.",
|
|
|
b70fad |
+" In no case should the options be applied to a given selection successively.",
|
|
|
b70fad |
+" ",
|
|
|
b70fad |
+"Note 2: Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options",
|
|
|
b70fad |
+" such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.",
|
|
|
b70fad |
" ",
|
|
|
b70fad |
NULL
|
|
|
b70fad |
};
|
|
|
b70fad |
@@ -2111,9 +2117,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
|
|
|
b70fad |
R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
|
|
|
b70fad |
S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
|
|
|
b70fad |
if (XY + Z + R + S > 1) {
|
|
|
b70fad |
- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit");
|
|
|
b70fad |
+ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
|
|
|
b70fad |
exit(EXIT_FAILURE);
|
|
|
b70fad |
}
|
|
|
b70fad |
+
|
|
|
b70fad |
+ /* Check for not allowed combination:
|
|
|
b70fad |
+ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
|
|
|
b70fad |
+ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
|
|
|
b70fad |
+. */
|
|
|
b70fad |
+ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
|
|
|
b70fad |
+ TIFFError("tiffcrop input error",
|
|
|
b70fad |
+ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
|
|
|
b70fad |
+ exit(EXIT_FAILURE);
|
|
|
b70fad |
+ }
|
|
|
b70fad |
+
|
|
|
b70fad |
} /* end process_command_opts */
|
|
|
b70fad |
|
|
|
b70fad |
/* Start a new output file if one has not been previously opened or
|
|
|
b70fad |
@@ -2381,6 +2398,7 @@ main(int argc, char* argv[])
|
|
|
b70fad |
exit (-1);
|
|
|
b70fad |
}
|
|
|
b70fad |
|
|
|
b70fad |
+ /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */
|
|
|
b70fad |
if (crop.selections > 0)
|
|
|
b70fad |
{
|
|
|
b70fad |
if (processCropSelections(&image, &crop, &read_buff, seg_buffs))
|
|
|
b70fad |
@@ -2397,6 +2415,7 @@ main(int argc, char* argv[])
|
|
|
b70fad |
exit (-1);
|
|
|
b70fad |
}
|
|
|
b70fad |
}
|
|
|
b70fad |
+ /* Format and write selected image parts to output file(s). */
|
|
|
b70fad |
if (page.mode == PAGE_MODE_NONE)
|
|
|
b70fad |
{ /* Whole image or sections not based on output page size */
|
|
|
b70fad |
if (crop.selections > 0)
|