Control: forwarded -1 https://github.com/tonycoz/imager/issues/522

On Sat, Dec 02, 2023 at 07:24:39PM +0200, Niko Tyni wrote:
> On Sat, Dec 02, 2023 at 01:40:51PM +0100, gregor herrmann wrote:
> > On Sat, 02 Dec 2023 14:24:01 +0200, Niko Tyni wrote:

> It can be reproduced like this with the libimager-perl binaries
> currently in sid and every tiff file I tried with, for example
> test/images/palette-1c-8b.tiff in src:tiff.

Further simplifying, this fails in the exact same way:

  $ perl -MImager -e '$i=Imager->new; Imager::init_log(); $i->read(file => shift) or die $i->_error_as_msg()' tiff/test/images/palette-1c-8b.tiff

> I note it says "filesize 0". The patch determines the file size with
>
>     uint64_t filesize = TIFFGetFileSize(tif);
>
> and TIFFGetFileSize() is in src:tiff libtiff/tiffiop.h as follows:
>
>     #define TIFFGetFileSize(tif) ((*(tif)->tif_sizeproc)((tif)->tif_clientdata))

From http://www.simplesystems.org/libtiff/functions/TIFFOpen.html

  TIFFClientOpen() is like TIFFOpen() except that the caller supplies a
  collection of functions that the library will use to do UNIX-like I/O
  operations. The readproc and writeproc functions are called to read and
  write data at the current file position. seekproc is called to change
  the current file position à la lseek() (2). closeproc is invoked to
  release any resources associated with an open file. sizeproc is invoked
  to obtain the size in bytes of a file. mapproc and unmapproc are called
  to map and unmap a file's contents in memory; c.f. mmap() (2) and
  munmap() (2). The clientdata parameter is an opaque "handle" passed to
  the client-specified routines passed as parameters to TIFFClientOpen().

From https://sources.debian.org/src/libimager-perl/1.020%2Bdfsg-1/TIFF/imtiff.c/#L302

  static toff_t sizeproc(thandle_t x) {
    return 0;
  }

which is used as the TIFFClientOpen() argument in i_readtiff_wiol():
https://sources.debian.org/src/libimager-perl/1.020%2Bdfsg-1/TIFF/imtiff.c/#L710

So it looks like libimager-perl is always saying the file size is 0, and
this hasn't hurt earlier but now does with the src:tiff CVE-2023-6277 patch.

Not sure where this leaves us, but I've just reported it at
https://github.com/tonycoz/imager/issues/522

-- 
Niko
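Added illustration (not part of the report, and not code from Imager or libtiff): the interaction between a TIFFClientOpen()-style sizeproc and a reader that validates offsets against the reported file size. The libtiff types are stand-ins declared locally so the block compiles without libtiff (an assumption about their shape, close enough for illustration), the in-memory "file" and the bounds check are constructed, and the check is only a generic stand-in for a file-size sanity check, not the actual CVE-2023-6277 patch. It shows why a sizeproc that always returns 0 makes every bounded read fail once the caller starts trusting the reported size.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for libtiff's client I/O typedefs (assumption: they mirror
 * thandle_t, toff_t, tmsize_t and TIFFSizeProc from tiffio.h closely
 * enough for illustration; this block builds without libtiff). */
typedef void *thandle_t;
typedef uint64_t toff_t;
typedef int64_t tmsize_t;
typedef toff_t (*TIFFSizeProc)(thandle_t);

/* Constructed in-memory file playing the role of the opaque clientdata
 * handle that TIFFClientOpen() hands back to the client callbacks. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} mem_file;

/* readproc stand-in: copy from the current position, like read(2). */
static tmsize_t mem_read(thandle_t h, void *buf, tmsize_t n)
{
    mem_file *f = (mem_file *)h;
    size_t avail = f->len - f->pos;
    size_t want = (size_t)n < avail ? (size_t)n : avail;
    memcpy(buf, f->data + f->pos, want);
    f->pos += want;
    return (tmsize_t)want;
}

/* seekproc stand-in: change the current position, like lseek(2). */
static toff_t mem_seek(thandle_t h, toff_t off, int whence)
{
    mem_file *f = (mem_file *)h;
    size_t base = whence == SEEK_CUR ? f->pos : whence == SEEK_END ? f->len : 0;
    f->pos = base + (size_t)off;
    return (toff_t)f->pos;
}

/* The shape of the stub quoted in the report: size always reported as 0. */
static toff_t sizeproc_stub(thandle_t h) { (void)h; return 0; }

/* A sizeproc that reports the real size of the underlying object. */
static toff_t sizeproc_real(thandle_t h) { return (toff_t)((mem_file *)h)->len; }

/* Constructed consumer of the reported size: before reading a structure at
 * a given offset, refuse anything that would lie beyond the reported end of
 * file. A generic sanity check, not the libtiff patch itself. */
static int bounded_read(thandle_t h, TIFFSizeProc sizeproc, toff_t off,
                        void *out, tmsize_t n)
{
    toff_t size = sizeproc(h);
    if (off > size || (toff_t)n > size - off)
        return 0;                      /* rejected: past reported end of file */
    if (mem_seek(h, off, SEEK_SET) != off)
        return 0;
    return mem_read(h, out, n) == n;
}

/* Constructed 16-byte sample (a TIFF-like header prefix, not a real TIFF). */
static const unsigned char SAMPLE[16] = {
    'I', 'I', 42, 0, 8, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8
};

/* Read 4 bytes at offset 8 through the chosen sizeproc.
 * Returns 1 when the read goes through, 0 when the size check rejects it. */
int probe(int use_real_sizeproc)
{
    mem_file f = { SAMPLE, sizeof SAMPLE, 0 };
    unsigned char out[4];
    TIFFSizeProc sp = use_real_sizeproc ? sizeproc_real : sizeproc_stub;
    return bounded_read(&f, sp, 8, out, (tmsize_t)sizeof out);
}

int main(void)
{
    printf("real sizeproc: %s\n", probe(1) ? "read ok" : "rejected");
    printf("stub sizeproc: %s\n", probe(0) ? "read ok" : "rejected");
    return 0;
}
```

With the real sizeproc the read at offset 8 is within the 16-byte object and succeeds; with the stub every offset is "past the end" of a zero-length file, which is the failure mode the report describes once the library starts consulting the client's size callback.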