On Wed, 2023-07-26 at 17:20 +0530, Hitendra Prajapati wrote:
> +Upstream-Status: Backport
> [https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb1
> 1acaaeaa493334f8]
> +CVE: CVE-2023-3618
> +Signed-off-by: Hitendra Prajapati <[email protected]>
> +---
> + tools/tiffcrop.c | 18 +++++++++++++++---
> + 1 file changed, 15 insertions(+), 3 deletions(-)
> +
> +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
> +index ce77c74..2c553e3 100644
> +--- a/tools/tiffcrop.c
> ++++ b/tools/tiffcrop.c
> +@@ -2459,9 +2459,15 @@ main(int argc, char* argv[])
> +         {  /* Whole image or sections not based on output page size
> */
> +         if (crop.selections > 0)
> +           {
> +-      writeSelections(in, &out, &crop, &image, &dump, seg_buffs,
> +-                          mp, argv[argc - 1], &next_page,
> total_pages);
> +-          }
> ++             if (writeSelections(in, &out, &crop, &image, &dump,
> ++                                 seg_buffs, mp, argv[argc - 1],
> ++                                 &next_page, total_pages))
> ++              {
> ++                TIFFError("main",
> ++                          "Unable to write new image selections");
> ++                exit(EXIT_FAILURE);
> ++              }
> ++      }
> +     else  /* One file all images and sections */
> +           {
> +       if (update_output_file (&out, mp, crop.exp_mode, argv[argc
> - 1],
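
Review bot: the new failure branch after writeSelections() calls `exit(EXIT_FAILURE);` directly after TIFFError(), with no cleanup in between, so `in` and `out` are not closed on this path and whatever was already written to the output may be left behind. If main() has a common cleanup path, route this branch through it, or close `out` before exiting. The closing brace of the `if (crop.selections > 0)` block is also now indented differently from its opening brace, which makes the following `else` harder to pair up.
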
> +@@ -7836,6 +7842,12 @@ createCroppedImage(struct image_data *image,
> struct crop_mask *crop,
> + 
> +   read_buff = *read_buff_ptr;
> + 
> ++  /* Memory is freed before crop_buff_ptr is overwritten */
> ++    if (*crop_buff_ptr != NULL)
> ++    {
> ++        _TIFFfree(*crop_buff_ptr);
> ++    }
> ++

This doesn't seem to be part of the commit mentioned above in Upstream-
Status. This change is coming from:

https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37

Please backport it as a separate patch.

> +   /* process full image, no crop buffer needed */
> +   crop_buff = read_buff;
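
Review bot: after `_TIFFfree(*crop_buff_ptr);` the pointer still holds the freed address, and the lines visible in this hunk do not show the overwrite that the new comment relies on. Set `*crop_buff_ptr = NULL;` inside the same block so that an early return between the free and the reassignment cannot leave the caller with a dangling pointer. The added `if` is also indented four spaces while the comment above it and the surrounding statements use two.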

The commit 881a070194 actually removes this assignment but your patch
doesn't seem to be doing that ...

Thanks,

Anuj
