[BACK]Return to patch-CVE-2022-0561 CVS log [TXT][DIR] Up to [cvs.NetBSD.org] / pkgsrc / graphics / tiff / patches

File: [cvs.NetBSD.org] / pkgsrc / graphics / tiff / patches / Attic / patch-CVE-2022-0561 (download)

Revision 1.2, Fri Mar 25 09:32:49 2022 UTC (10 months ago) by nia
Branch: MAIN
CVS Tags: pkgsrc-2022Q1-base, pkgsrc-2022Q1
Changes since 1.1: +14 -2 lines

tiff: apply fixes for CVE-2022-0561 CVE-2022-0907 CVE-2022-0891
CVE-2022-0907 CVE-2022-0909

bump PKGREVISION again...

$NetBSD: patch-CVE-2022-0561,v 1.2 2022/03/25 09:32:49 nia Exp $

https://gitlab.com/libtiff/libtiff/-/issues/362

This fixes CVE-2022-0561 and CVE-2022-0562.

--- libtiff/tif_dirread.c.orig	2021-03-07 18:37:25.000000000 +0000
+++ libtiff/tif_dirread.c
@@ -4173,7 +4173,8 @@ TIFFReadDirectory(TIFF* tif)
                     goto bad;
                 }
 
-                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
+                if (old_extrasamples > 0)
+                    memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
                 _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
                 _TIFFfree(new_sampleinfo);
         }
@@ -5079,7 +5080,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEnt
 								_TIFFfree(data);
 							return(0);
 						}
-						_TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
+						if (dp->tdir_count > 0 )
+						{
+							_TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
+						}
 						o[(uint32_t)dp->tdir_count]=0;
 						if (data!=0)
 							_TIFFfree(data);
@@ -5765,8 +5769,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
 			_TIFFfree(data);
 			return(0);
 		}
-                _TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
-                _TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
+		if( dir->tdir_count )
+			_TIFFmemcpy(resizeddata,data, (uint32_t)dir->tdir_count * sizeof(uint64_t));
+		_TIFFmemset(resizeddata+(uint32_t)dir->tdir_count, 0, (nstrips - (uint32_t)dir->tdir_count) * sizeof(uint64_t));
 		_TIFFfree(data);
 		data=resizeddata;
 	}