Commit e8131125 authored by Even Rouault's avatar Even Rouault

Merge branch 'InkNames_NumberOfInks_handling_revised' into 'master'

Revised handling of TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value (fixes #149, #150, #152, #168, #250, #269, #398 and #456)

Closes #474, #463, #387, #456, #398, #269, #250, #168, #152, #150 and #149

See merge request !385
parents 236b7191 f00484b9
  • Lukas W @lukas-w

    mentioned in commit lukas-w/pdfium@56adfa04

  • CCPatcher @Crispy-fried-chicken ·

    According to the description of CVE-2022-4645, the affected LibTIFF version is 4.4.0. However, based on the vulnerable code snippet, the earliest version containing it is v3.5.1 (https://github.com/libsdl-org/libtiff/blob/v3.5.1/libtiff/tif_dir.c#L91). Code snippets:

    1: https://github.com/libsdl-org/libtiff/blob/v3.5.1/libtiff/tif_dir.c#L91
    #ifdef CMYK_SUPPORT
    static int
    checkInkNamesString(TIFF* tif, int slen, const char* s)
    {
    	TIFFDirectory* td = &tif->tif_dir;
    	int i = td->td_samplesperpixel;
    
    	if (slen > 0) {
    		const char* ep = s+slen;
    		const char* cp = s;
    		for (; i > 0; i--) {
    			for (; *cp != '\0'; cp++)
    				if (cp >= ep)
    					goto bad;
    			cp++;				/* skip \0 */
    		}
    		return (cp-s);
    	}
    bad:
    	TIFFError("TIFFSetField",
    	    "%s: Invalid InkNames value; expecting %d names, found %d",
    	    tif->tif_name,
    	    td->td_samplesperpixel,
    	    td->td_samplesperpixel-i);
    	return (0);
    }
    #endif
    
    2 https://github.com/libsdl-org/libtiff/blob/v3.5.1/libtiff/tif_dir.c#L404C1-L405C2
    	case TIFFTAG_INKNAMES:
    		i = va_arg(ap, int);
    		s = va_arg(ap, char*);
    		i = checkInkNamesString(tif, i, s);
    		if (status = (i > 0)) {
    			_TIFFsetNString(&td->td_inknames, s, i);
    			td->td_inknameslen = i;
    		}

    please confirm thank you!

  • CCPatcher @Crispy-fried-chicken ·

    According to the description of CVE-2023-30774, no affected LibTIFF version is listed. However, based on the vulnerable code snippet, the earliest version containing it is v3.5.1 (https://github.com/libsdl-org/libtiff/blob/v3.5.1/libtiff/tif_dir.c#L89), and the last version is v4.4.0, per this patch. Code snippets:

    1: https://github.com/libsdl-org/libtiff/blob/v3.5.1/libtiff/tif_dir.c#L89
    #ifdef CMYK_SUPPORT
    static int
    checkInkNamesString(TIFF* tif, int slen, const char* s)
    {
    	TIFFDirectory* td = &tif->tif_dir;
    	int i = td->td_samplesperpixel;
    
    	if (slen > 0) {
    		const char* ep = s+slen;
    		const char* cp = s;
    		for (; i > 0; i--) {
    			for (; *cp != '\0'; cp++)
    				if (cp >= ep)
    					goto bad;
    			cp++;				/* skip \0 */
    		}
    		return (cp-s);
    	}
    bad:
    	TIFFError("TIFFSetField",
    	    "%s: Invalid InkNames value; expecting %d names, found %d",
    	    tif->tif_name,
    	    td->td_samplesperpixel,
    	    td->td_samplesperpixel-i);
    	return (0);
    }
    #endif
    2: https://github.com/libsdl-org/libtiff/blob/v3.5.1/libtiff/tif_dir.c#L404
    #ifdef CMYK_SUPPORT
    	case TIFFTAG_INKSET:
    		td->td_inkset = (uint16) va_arg(ap, int);
    		break;
    	case TIFFTAG_DOTRANGE:
    		/* XXX should check for null range */
    		td->td_dotrange[0] = (uint16) va_arg(ap, int);
    		td->td_dotrange[1] = (uint16) va_arg(ap, int);
    		break;
    	case TIFFTAG_INKNAMES:
    		i = va_arg(ap, int);
    		s = va_arg(ap, char*);
    		i = checkInkNamesString(tif, i, s);
    		if (status = (i > 0)) {
    			_TIFFsetNString(&td->td_inknames, s, i);
    			td->td_inknameslen = i;
    		}
    		break;
    	case TIFFTAG_NUMBEROFINKS:
    		td->td_ninks = (uint16) va_arg(ap, int);
    		break;
    	case TIFFTAG_TARGETPRINTER:
    		_TIFFsetString(&td->td_targetprinter, va_arg(ap, char*));
    		break;

    please confirm thank you!
