CVE-2022-3599: Merge branch 'InkNames_NumberOfInks_handling_revised' into 'master' (e8131125) · Commits · libtiff / libtiff · GitLab
LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial of service via a crafted TIFF file. The root cause is that NumberOfInks could disagree with the number of NUL-separated names actually stored in InkNames; the commit below makes the library keep the two consistent when the tags are set. For users that compile libtiff from sources, the fix is available with commit e8131125.
…
…
@@ -136,32 +136,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32_t* v)
}
/*
* Confirm we have “samplesperpixel” ink names separated by \0. Returns
* Count ink names separated by \0. Returns
* zero if the ink names are not as expected.
*/
static uint32_t
checkInkNamesString(TIFF* tif, uint32_t slen, const char* s)
static uint16_t
countInkNamesString(TIFF *tif, uint32_t slen, const char *s)
{
TIFFDirectory* td = &tif->tif_dir;
uint16_t i = td->td_samplesperpixel;
uint16_t i = 0;
const char *ep = s + slen;
const char *cp = s;
if (slen > 0) {
const char* ep = s+slen;
const char* cp = s;
for (; i > 0; i–) {
do {
for (; cp < ep && *cp != '\0’; cp++) {}
if (cp >= ep)
goto bad;
cp++; /* skip \0 */
}
return ((uint32_t)(cp - s));
i++;
} while (cp < ep);
return (i);
}
bad:
TIFFErrorExt(tif->tif_clientdata, "TIFFSetField",
“%s: Invalid InkNames value; expecting %"PRIu16” names, found %"PRIu16,
tif->tif_name,
td->td_samplesperpixel,
(uint16_t)(td->td_samplesperpixel-i));
“%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16” ink",
tif->tif_name, slen, i);
return (0);
}
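Review bot: `TIFFDirectory* td = &tif->tif_dir;` (the context line kept at the top of countInkNamesString) is no longer read anywhere in the new body once the SamplesPerPixel-based error message is gone, so it should be removed rather than left to trigger an unused-variable warning. Separately, `i` is a uint16_t incremented once per NUL while `slen` is a uint32_t; through the TIFFTAG_INKNAMES case the length is narrowed to uint16_t before the call so the count cannot wrap, but as a standalone helper a buffer with more than 65535 NULs would silently wrap to a small count. Either guard it, `if (i == UINT16_MAX) goto bad;` before the `i++`, or document the precondition on the function comment, e.g. `/* slen must be <= UINT16_MAX so the returned count cannot wrap. */`.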
…
…
@@ -478,13 +476,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap)
_TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6);
break;
case TIFFTAG_INKNAMES:
v = (uint16_t) va_arg(ap, uint16_vap);
s = va_arg(ap, char*);
v = checkInkNamesString(tif, v, s);
status = v > 0;
if( v > 0 ) {
_TIFFsetNString(&td->td_inknames, s, v);
td->td_inknameslen = v;
{
v = (uint16_t) va_arg(ap, uint16_vap);
s = va_arg(ap, char*);
uint16_t ninksinstring;
ninksinstring = countInkNamesString(tif, v, s);
status = ninksinstring > 0;
if(ninksinstring > 0 ) {
_TIFFsetNString(&td->td_inknames, s, v);
td->td_inknameslen = v;
/* Set NumberOfInks to the value ninksinstring */
if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS))
{
if (td->td_numberofinks != ninksinstring) {
TIFFErrorExt(tif->tif_clientdata, module,
“Warning %s; Tag %s:\n Value %"PRIu16” of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"",
tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring);
td->td_numberofinks = ninksinstring;
}
} else {
td->td_numberofinks = ninksinstring;
TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS);
}
if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
{
if (td->td_numberofinks != td->td_samplesperpixel) {
TIFFErrorExt(tif->tif_clientdata, module,
“Warning %s; Tag %s:\n Value %"PRIu16” of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel);
}
}
}
}
break;
case TIFFTAG_NUMBEROFINKS:
v = (uint16_t)va_arg(ap, uint16_vap);
/* If InkNames already set also NumberOfInks is set accordingly and should be equal */
if (TIFFFieldSet(tif, FIELD_INKNAMES))
{
if (v != td->td_numberofinks) {
TIFFErrorExt(tif->tif_clientdata, module,
“Error %s; Tag %s:\n It is not possible to set the value %"PRIu32” for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")",
tif->tif_name, fip->field_name, v, td->td_numberofinks);
/* Do not set / overwrite number of inks already set by InkNames case accordingly. */
status = 0;
}
} else {
td->td_numberofinks = (uint16_t)v;
if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL))
{
if (td->td_numberofinks != td->td_samplesperpixel) {
TIFFErrorExt(tif->tif_clientdata, module,
“Warning %s; Tag %s:\n Value %"PRIu32” of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"",
tif->tif_name, fip->field_name, v, td->td_samplesperpixel);
}
}
}
break;
case TIFFTAG_PERSAMPLE:
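Review bot: The three diagnostics whose text begins with "Warning" (NumberOfInks adapted to the ink count, and the two NumberOfInks-vs-SamplesPerPixel mismatches) are emitted through `TIFFErrorExt`, so a client that aborts or fails the read in its error handler will treat a recoverable adaptation as fatal, while a client that only logs warnings never sees it; the file already routes this kind of message through `TIFFWarningExt` (see the truncation message in the getter this commit removes). Change those three calls to `TIFFWarningExt(tif->tif_clientdata, module,` and keep `TIFFErrorExt` only for the genuine failure in the TIFFTAG_NUMBEROFINKS case, where `status = 0` is returned. Note also that the SamplesPerPixel checks only warn, so a NumberOfInks larger than SamplesPerPixel is still stored; that is presumably intentional but deserves a comment such as `/* Only warn: NumberOfInks may legitimately differ from SamplesPerPixel; consumers must bound per-sample indexing themselves. */`. _TIFFVSetField begins and ends outside this hunk.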
…
…
@@ -986,34 +1032,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
if (fip->field_bit == FIELD_CUSTOM) {
standard_tag = 0;
}
if( standard_tag == TIFFTAG_NUMBEROFINKS )
{
int i;
for (i = 0; i < td->td_customValueCount; i++) {
uint16_t val;
TIFFTagValue *tv = td->td_customValues + i;
if (tv->info->field_tag != standard_tag)
continue;
if( tv->value == NULL )
return 0;
val = *(uint16_t *)tv->value;
/* Truncate to SamplesPerPixel, since the */
/* setting code for INKNAMES assume that there are SamplesPerPixel */
/* inknames. */
/* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */
if( val > td->td_samplesperpixel )
{
TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField",
"Truncating NumberOfInks from %u to %"PRIu16,
val, td->td_samplesperpixel);
val = td->td_samplesperpixel;
}
*va_arg(ap, uint16_t*) = val;
return 1;
}
return 0;
}
switch (standard_tag) {
case TIFFTAG_SUBFILETYPE:
…
…
@@ -1195,6 +1213,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap)
case TIFFTAG_INKNAMES:
*va_arg(ap, const char**) = td->td_inknames;
break;
case TIFFTAG_NUMBEROFINKS:
*va_arg(ap, uint16_t *) = td->td_numberofinks;
break;
default:
{
int i;
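Review bot: The new TIFFTAG_NUMBEROFINKS getter returns `td->td_numberofinks` unclamped, whereas the custom-value path removed by this commit truncated the value to SamplesPerPixel (the bugzilla 2599 workaround); since the setter side only warns on a NumberOfInks/SamplesPerPixel mismatch, a crafted file can still hand NumberOfInks > SamplesPerPixel to callers that size per-sample arrays from it. What the commit does guarantee is NumberOfInks == number of NUL-separated names in InkNames, so the getter should say so: `/* Kept equal to the ink count in td_inknames by the setter; NOT clamped to SamplesPerPixel. */`. _TIFFVGetField continues outside this hunk.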
…
…
An update for libtiff is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3570: A heap-based buffer overflow flaw was found in Libtiff's tiffcrop utility. This issue occurs during the conversion of a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes an out-of-bound access resulting an application crash, eventually leading to a denial of service. * CVE-2022-3597: An out-o...
Debian Linux Security Advisory 5333-1 - Several buffer overflow, divide by zero or out of bounds read/write vulnerabilities were discovered in tiff, the Tag Image File Format (TIFF) library and tools, which may cause denial of service when processing a crafted TIFF image.