From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001 From: Su_Laus Date: Sun, 29 Jan 2023 11:09:26 +0100 Subject: [PATCH] CVE-2023-25434 & CVE-2023-25435 tiffcrop: Amend rotateImage() not to toggle the input (main) image width and length parameters when only cropped image sections are rotated. Remove buffptr from region structure because never used. Closes #492 #493 #494 #495 #499 #518 #519 Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38] CVE: CVE-2023-25434 & CVE-2023-25435 Signed-off-by: Hitendra Prajapati --- tools/tiffcrop.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index cbd24cc..b811fbb 100644 --- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c @@ -523,7 +523,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t, static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, uint32_t, uint8_t *, uint8_t *); static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *, - unsigned char **, size_t *); + unsigned char **, size_t *, int); static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, unsigned char *); static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t, @@ -6513,10 +6513,11 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b /* Dummy variable in order not to switch two times the * image->width,->length within rotateImage(), * but switch xres, yres there. */ - uint32_t width = image->width; - uint32_t length = image->length; - if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL)) - { + uint32_t width = image->width; + uint32_t length = image->length; + if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL, + TRUE)) + { TIFFError ("correct_orientation", "Unable to rotate image"); return (-1); } 
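Review bot: The new trailing `int` in the `rotateImage()` prototype is unnamed and undocumented, so the `TRUE`/`FALSE` passed at the four call sites (`correct_orientation`, twice in `processCropSelections`, and `createCroppedImage`) reads as a bare magic value. Going by the commit description, the flag decides whether the main image's width and length are toggled along with `*img_width`/`*img_length`; the function body is outside the visible hunks, so that is inferred. A comment above the prototype would state the contract where callers look, e.g. `/* last arg rot_image_params: TRUE = whole image is rotated, image parameters are updated too; FALSE = only a cropped section is rotated, image parameters stay untouched */`. Because this is a CVE fix, a wrong value at one call site would presumably leave the image dimensions out of step with the rotated buffer.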
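Review bot: The block comment above the `width`/`length` copies in `correct_orientation` explains the dummy variables but says nothing about the new `TRUE` argument, which is the only functional change in this hunk. I would extend the comment with one line such as `* TRUE: the whole image is rotated here, so rotateImage() updates the image parameters itself.` (inferred from the commit description, since the `rotateImage()` body is not visible). The re-added `uint32_t width`, `uint32_t length` and `{` lines appear to differ from the removed ones only in whitespace, and the per-region call in `processCropSelections` is likewise re-wrapped. That churn makes the one-argument security change harder to audit in a backport. `correct_orientation` starts before and continues past this hunk.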
@@ -7700,7 +7701,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, * accordingly. */ size_t rot_buf_size = 0; if (rotateImage(crop->rotation, image, &crop->combined_width, - &crop->combined_length, &crop_buff, &rot_buf_size)) + &crop->combined_length, &crop_buff, &rot_buf_size, + FALSE)) { TIFFError("processCropSelections", "Failed to rotate composite regions by %"PRIu32" degrees", crop->rotation); @@ -7811,9 +7813,10 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, * its size individually. Therefore, seg_buffs size needs to be * updated accordingly. */ size_t rot_buf_size = 0; - if (rotateImage( - crop->rotation, image, &crop->regionlist[i].width, - &crop->regionlist[i].length, &crop_buff, &rot_buf_size)) + if (rotateImage(crop->rotation, image, + &crop->regionlist[i].width, + &crop->regionlist[i].length, &crop_buff, + &rot_buf_size, FALSE)) { TIFFError("processCropSelections", "Failed to rotate crop region by %"PRIu16" degrees", crop->rotation); @@ -7943,7 +7946,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ { if (rotateImage(crop->rotation, image, &crop->combined_width, - &crop->combined_length, crop_buff_ptr, NULL)) + &crop->combined_length, crop_buff_ptr, NULL, TRUE)) { TIFFError("createCroppedImage", "Failed to rotate image or cropped selection by %"PRIu16" degrees", crop->rotation); @@ -8607,7 +8610,9 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_ static int rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width,uint32_t *img_length, - unsigned char **ibuff_ptr, size_t *rot_buf_size) + unsigned char **ibuff_ptr, size_t *rot_buf_size, + int rot_image_params) + { int shift_width; uint32_t bytes_per_pixel, bytes_per_sample; -- 2.25.1
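Review bot: The failure message for this composite-region call formats `crop->rotation` with `%"PRIu32"`, while the two later `rotateImage()` failure messages in this patch use `%"PRIu16"` for the same field, and `rotateImage()` takes it as `uint16_t rotation`. The line is context rather than something this change introduced, but the specifier should match the field's declared type (not visible here, presumably `uint16_t`): `"Failed to rotate composite regions by %"PRIu16" degrees", crop->rotation`. `processCropSelections` begins and ends outside the hunk.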
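Review bot: The `createCroppedImage` call passes `TRUE` while rotating `crop->combined_width`/`crop->combined_length`, and its own error text says "image or cropped selection", so nothing visible explains why the main image parameters may be toggled here. The commit description says they should not be toggled when only cropped sections are rotated, and both `processCropSelections` calls pass `FALSE` for what look like similar crop dimensions. This may well be intentional, but the hunk does not show the reason. A call-site comment should state the invariant that makes `TRUE` safe, for instance that the cropped result stands in for the whole image from this point on, if that is the case. `createCroppedImage` extends beyond the hunk on both sides.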
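Review bot: The `rotateImage()` definition appears to gain an empty added line between `int rot_image_params)` and the opening `{`: the hunk header grows the section from 7 to 9 lines with one line removed, yet only two added lines carry text. I would drop the blank line so the parameter list closes directly onto the brace, matching the surrounding definitions. The function body continues outside the hunk.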