main/tiff: fix CVE-2022-3970

2026-05-05 20:36:40 +02:00 · 2023-03-24 09:42:35 +00:00 · 2023-03-24 09:42:35 +00:00 · 0fe76f20b3
commit 0fe76f20b3
parent 88b2307f79
2 changed files with 45 additions and 2 deletions
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@ -3,7 +3,7 @@
 # Maintainer: Michael Mason <ms13sp@gmail.com>
 pkgname=tiff
 pkgver=4.4.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Provides support for the Tag Image File Format or TIFF"
 url="https://gitlab.com/libtiff/libtiff"
 arch="all"
@ -12,10 +12,14 @@ depends_dev="zlib-dev libjpeg-turbo-dev libwebp-dev xz-dev zstd-dev"
 makedepends="libtool autoconf automake $depends_dev"
 checkdepends="diffutils"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-tools libtiffxx:_libtiffxx"
-source="https://gitlab.com/libtiff/libtiff/-/archive/v$pkgver/libtiff-v$pkgver.tar.gz"
+source="https://gitlab.com/libtiff/libtiff/-/archive/v$pkgver/libtiff-v$pkgver.tar.gz
+	CVE-2022-3970.patch
+	"
 builddir="$srcdir/libtiff-v$pkgver"

 # secfixes:
+#   4.4.0-r1:
+#     - CVE-2022-3970
 #   4.4.0-r0:
 #     - CVE-2022-2867
 #     - CVE-2022-2868
@ -119,4 +123,5 @@ tools() {

 sha512sums="
 93955a2b802cf243e41d49048499da73862b5d3ffc005e3eddf0bf948a8bd1537f7c9e7f112e72d082549b4c49e256b9da9a3b6d8039ad8fc5c09a941b7e75d7  libtiff-v4.4.0.tar.gz
+59d7079109f9e60f25e08330a046334d4ad54328b214fb7c7054d438e01e7372786b2df4d656286ecd531abda7eee15cc46f169a83b2f83468cc5b47adc4d9af  CVE-2022-3970.patch
 "
--- a/main/tiff/CVE-2022-3970.patch
+++ b/main/tiff/CVE-2022-3970.patch
@ -0,0 +1,38 @@
+From 227500897dfb07fb7d27f7aa570050e62617e3be Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 8 Nov 2022 15:16:58 +0100
+Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
+ strips/tiles > 2 GB
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
+---
+ libtiff/tif_getimage.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index a4d0c1d6..60b94d8e 100644
+--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
+@@ -3016,15 +3016,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in
+         return( ok );
+ 
+     for( i_row = 0; i_row < read_ysize; i_row++ ) {
+-        memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
+-                 raster + (read_ysize - i_row - 1) * read_xsize,
+        memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+                 raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
+                  read_xsize * sizeof(uint32_t) );
+-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+                      0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
+     }
+ 
+     for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
+-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
+        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+                      0, sizeof(uint32_t) * tile_xsize );
+     }
+ 
+-- 
+GitLab
+