external/libtiff/0001-WebP-decoder-validate-WebP-blob-width-height-band-co.patch
| 79 ++++++++++
external/libtiff/UnpackedTarball_libtiff.mk
| 1
2 files changed, 80 insertions(+)
New commits:
commit e60ef8651cfb30335471d1622e58c13eebc7d58b
Author: Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Sun Aug 20 20:37:26 2023 +0100
Commit: Caolán McNamara <caolan.mcnam...@collabora.com>
CommitDate: Sun Aug 20 22:48:13 2023 +0200
ofz: Use-of-uninitialized-value
same as seen at: https://gitlab.com/libtiff/libtiff/-/issues/582
Change-Id: Ifc4eaaa47ad392968db814783281f1db76564d9e
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/155874
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
diff --git
a/external/libtiff/0001-WebP-decoder-validate-WebP-blob-width-height-band-co.patch
b/external/libtiff/0001-WebP-decoder-validate-WebP-blob-width-height-band-co.patch
new file mode 100644
index 000000000000..68353bd9ed20
--- /dev/null
+++
b/external/libtiff/0001-WebP-decoder-validate-WebP-blob-width-height-band-co.patch
@@ -0,0 +1,79 @@
+From 350ff161c8a61b6483a1e4689e09cd47dd0dd5f9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.roua...@spatialys.com>
+Date: Sat, 17 Jun 2023 16:22:38 +0200
+Subject: [PATCH] WebP decoder: validate WebP blob width, height, band count
+ against TIFF parameters
+
+to avoid use of uninitialized variable, or decoding corrupted content
+without explicit error
+
+Fixes #581, fixes #582
+---
+ libtiff/tif_webp.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 51 insertions(+)
+
+diff --git a/libtiff/tif_webp.c b/libtiff/tif_webp.c
+index 07db7cce..ce15391e 100644
+--- a/libtiff/tif_webp.c
++++ b/libtiff/tif_webp.c
+@@ -149,6 +149,57 @@ static int TWebPDecode(TIFF *tif, uint8_t *op, tmsize_t
occ, uint16_t s)
+ segment_height = td->td_rowsperstrip;
+ }
+
++ int webp_width, webp_height;
++ if (!WebPGetInfo(tif->tif_rawcp,
++ tif->tif_rawcc > UINT32_MAX ? UINT32_MAX
++ :
(uint32_t)tif->tif_rawcc,
++ &webp_width, &webp_height))
++ {
++ TIFFErrorExtR(tif, module, "WebPGetInfo() failed");
++ return 0;
++ }
++ if ((uint32_t)webp_width != segment_width ||
++ (uint32_t)webp_height != segment_height)
++ {
++ TIFFErrorExtR(
++ tif, module, "WebP blob dimension is %dx%d. Expected %ux%u",
++ webp_width, webp_height, segment_width, segment_height);
++ return 0;
++ }
++
++#if WEBP_DECODER_ABI_VERSION >= 0x0002
++ WebPDecoderConfig config;
++ if (!WebPInitDecoderConfig(&config))
++ {
++ TIFFErrorExtR(tif, module, "WebPInitDecoderConfig() failed");
++ return 0;
++ }
++
++ const bool bWebPGetFeaturesOK =
++ WebPGetFeatures(tif->tif_rawcp,
++ tif->tif_rawcc > UINT32_MAX
++ ? UINT32_MAX
++ : (uint32_t)tif->tif_rawcc,
++ &config.input) == VP8_STATUS_OK;
++
++ WebPFreeDecBuffer(&config.output);
++
++ if (!bWebPGetFeaturesOK)
++ {
++ TIFFErrorExtR(tif, module, "WebPInitDecoderConfig() failed");
++ return 0;
++ }
++
++ const int webp_bands = config.input.has_alpha ? 4 : 3;
++ if (webp_bands != sp->nSamples)
++ {
++ TIFFErrorExtR(tif, module,
++ "WebP blob band count is %d. Expected %d",
webp_bands,
++ sp->nSamples);
++ return 0;
++ }
++#endif
++
+ buffer_size = segment_width * segment_height * sp->nSamples;
+ if (occ == (tmsize_t)buffer_size)
+ {
+--
+2.41.0
+
diff --git a/external/libtiff/UnpackedTarball_libtiff.mk
b/external/libtiff/UnpackedTarball_libtiff.mk
index f7eeb6ace868..32ed699b7491 100644
--- a/external/libtiff/UnpackedTarball_libtiff.mk
+++ b/external/libtiff/UnpackedTarball_libtiff.mk
@@ -16,6 +16,7 @@ $(eval $(call gb_UnpackedTarball_set_patchlevel,libtiff,1))
$(eval $(call gb_UnpackedTarball_add_patches,libtiff,\
external/libtiff/libtiff.linknolibs.patch \
external/libtiff/0001-ofz-54685-Timeout.patch \
+
external/libtiff/0001-WebP-decoder-validate-WebP-blob-width-height-band-co.patch
\
))
# vim: set noet sw=4 ts=4:
