66 lines
2.6 KiB
Diff
66 lines
2.6 KiB
Diff
|
From 8ee0e7d2bdcc1a5a5a3241904b243964ab947b7b Mon Sep 17 00:00:00 2001
|
||
|
|
From: Su_Laus <sulau@freenet.de>
|
||
|
|
Date: Fri, 1 Dec 2023 20:12:25 +0100
|
||
|
|
Subject: [PATCH] Check return value of _TIFFCreateAnonField().
|
||
|
|
|
||
|
|
Fixes #624
|
||
|
|
|
||
|
|
Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e]
|
||
|
|
CVE: CVE-2024-7006
|
||
|
|
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
|
||
|
|
---
|
||
|
|
libtiff/tif_dirinfo.c | 2 +-
|
||
|
|
libtiff/tif_dirread.c | 16 ++++++----------
|
||
|
|
2 files changed, 7 insertions(+), 11 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
|
||
|
|
index 0e705e8..4cfdaad 100644
|
||
|
|
--- a/libtiff/tif_dirinfo.c
|
||
|
|
+++ b/libtiff/tif_dirinfo.c
|
||
|
|
@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag,
|
||
|
|
if (fld == NULL)
|
||
|
|
{
|
||
|
|
fld = _TIFFCreateAnonField(tif, tag, dt);
|
||
|
|
- if (!_TIFFMergeFields(tif, fld, 1))
|
||
|
|
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
|
||
|
|
return NULL;
|
||
|
|
}
|
||
|
|
|
||
|
|
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
|
||
|
|
index 58a4276..738df9f 100644
|
||
|
|
--- a/libtiff/tif_dirread.c
|
||
|
|
+++ b/libtiff/tif_dirread.c
|
||
|
|
@@ -4275,11 +4275,9 @@ int TIFFReadDirectory(TIFF *tif)
|
||
|
|
dp->tdir_tag, dp->tdir_tag);
|
||
|
|
/* the following knowingly leaks the
|
||
|
|
anonymous field structure */
|
||
|
|
- if (!_TIFFMergeFields(
|
||
|
|
- tif,
|
||
|
|
- _TIFFCreateAnonField(tif, dp->tdir_tag,
|
||
|
|
- (TIFFDataType)dp->tdir_type),
|
||
|
|
- 1))
|
||
|
|
+ const TIFFField *fld = _TIFFCreateAnonField(
|
||
|
|
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
|
||
|
|
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
|
||
|
|
{
|
||
|
|
TIFFWarningExtR(
|
||
|
|
tif, module,
|
||
|
|
@@ -5153,11 +5151,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
|
||
|
|
"Unknown field with tag %" PRIu16 " (0x%" PRIx16
|
||
|
|
") encountered",
|
||
|
|
dp->tdir_tag, dp->tdir_tag);
|
||
|
|
- if (!_TIFFMergeFields(
|
||
|
|
- tif,
|
||
|
|
- _TIFFCreateAnonField(tif, dp->tdir_tag,
|
||
|
|
- (TIFFDataType)dp->tdir_type),
|
||
|
|
- 1))
|
||
|
|
+ const TIFFField *fld = _TIFFCreateAnonField(
|
||
|
|
+ tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
|
||
|
|
+ if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
|
||
|
|
{
|
||
|
|
TIFFWarningExtR(tif, module,
|
||
|
|
"Registering anonymous field with tag %" PRIu16
|
||
|
|
--
|
||
|
|
2.44.1
|
||
|
|
|