-
mentioned in commit lukas-w/pdfium@56adfa04
-
According to the description of CVE-2022-4645, the affected LibTIFF version is 4.4.0. However, based on the vulnerable code snippet, the earliest version that contains this code is v3.5.1 (https://github.com/libsdl-org/libtiff/blob/v3.5.1/libtiff/tif_dir.c#L91). Code snippet:
1: https://github.com/libsdl-org/libtiff/blob/v3.5.1/libtiff/tif_dir.c#L91
#ifdef CMYK_SUPPORT
/*
 * Validate an InkNames value before it is stored in the directory.
 *
 * s is expected to hold td_samplesperpixel NUL-terminated names inside
 * the first slen bytes.  Returns the number of bytes walked (cp-s) on
 * success.  On failure, which includes slen <= 0 because that case falls
 * through to the bad: label, it reports through TIFFError and returns 0.
 *
 * NOTE(review): this quote shows only the validator and its call site.
 * Whether a particular CVE is reachable in this release also depends on
 * code not shown here (whatever later reads td_inknames), so identical
 * text in an older tag is a lead to confirm, not proof of exposure.
 */
static int
checkInkNamesString(TIFF* tif, int slen, const char* s)
{
	TIFFDirectory* td = &tif->tif_dir;
	/* One name is expected per sample; i counts the names still missing. */
	int i = td->td_samplesperpixel;

	if (slen > 0) {
		const char* ep = s+slen;	/* one past the last byte covered by slen */
		const char* cp = s;
		for (; i > 0; i--) {
			/*
			 * The loop condition dereferences cp before the body
			 * compares it with ep, so a name with no NUL inside
			 * slen bytes causes a read of s[slen].  The bounds
			 * test is also only reached for non-NUL bytes: NUL
			 * bytes located at or after ep are accepted as name
			 * terminators, and the scan continues past ep.
			 */
			for (; *cp != '\0'; cp++)
				if (cp >= ep)
					goto bad;
			cp++;				/* skip \0 */
		}
		/* Can exceed slen when terminators were found at or beyond ep. */
		return (cp-s);
	}
bad:
	/* "found" is the number of names completed before the failure. */
	TIFFError("TIFFSetField",
	    "%s: Invalid InkNames value; expecting %d names, found %d",
	    tif->tif_name,
	    td->td_samplesperpixel,
	    td->td_samplesperpixel-i);
	return (0);
}
#endif
2 https://github.com/libsdl-org/libtiff/blob/v3.5.1/libtiff/tif_dir.c#L404C1-L405C2
	case TIFFTAG_INKNAMES:
		/* Length and pointer both come from the caller's varargs. */
		i = va_arg(ap, int);
		s = va_arg(ap, char*);
		/* i is replaced by the validated length, or 0 on failure. */
		i = checkInkNamesString(tif, i, s);
		/* Assignment is intentional: status records whether validation passed. */
		if (status = (i > 0)) {
			/*
			 * NOTE(review): _TIFFsetNString is not shown; presumably
			 * it copies i bytes from s.  If so, a validated length
			 * larger than the caller's original slen would copy from
			 * beyond the caller's buffer.  Confirm against the helper.
			 */
			_TIFFsetNString(&td->td_inknames, s, i);
			td->td_inknameslen = i;
		}
please confirm thank you!
-
According to the description of CVE-2023-30774, no affected LibTIFF version is listed. However, based on the vulnerable code snippet, the earliest version that contains this code is v3.5.1 (https://github.com/libsdl-org/libtiff/blob/v3.5.1/libtiff/tif_dir.c#L89), and the last affected version is v4.4.0. The code snippets in question:
1: https://github.com/libsdl-org/libtiff/blob/v3.5.1/libtiff/tif_dir.c#L89
#ifdef CMYK_SUPPORT
/*
 * Check that s holds one NUL-terminated ink name per sample
 * (td_samplesperpixel names) within slen bytes.
 *
 * Returns the byte count walked (cp-s) when every expected name was
 * found.  Otherwise it logs through TIFFError and returns 0; slen <= 0
 * takes that path too, because control falls through to bad:.
 *
 * NOTE(review): the expected count is taken from td_samplesperpixel as
 * it is at the time of this call.  Nothing in this quote re-validates
 * the stored names if that field, or td_ninks, is set afterwards.
 * Confirm against the rest of tif_dir.c before drawing version ranges.
 */
static int
checkInkNamesString(TIFF* tif, int slen, const char* s)
{
	TIFFDirectory* td = &tif->tif_dir;
	int i = td->td_samplesperpixel;	/* names left to find */

	if (slen > 0) {
		const char* ep = s+slen;	/* end of the region covered by slen */
		const char* cp = s;
		for (; i > 0; i--) {
			/*
			 * *cp is evaluated before the cp >= ep test in the
			 * body, so the byte at ep is read when no terminator
			 * lies inside the region.  Because the test only runs
			 * for non-NUL bytes, terminators at or past ep are
			 * accepted and the walk carries on beyond ep.
			 */
			for (; *cp != '\0'; cp++)
				if (cp >= ep)
					goto bad;
			cp++;				/* skip \0 */
		}
		/* May be larger than slen in the case described above. */
		return (cp-s);
	}
bad:
	/* The last argument is the number of names completed so far. */
	TIFFError("TIFFSetField",
	    "%s: Invalid InkNames value; expecting %d names, found %d",
	    tif->tif_name,
	    td->td_samplesperpixel,
	    td->td_samplesperpixel-i);
	return (0);
}
#endif
2: https://github.com/libsdl-org/libtiff/blob/v3.5.1/libtiff/tif_dir.c#L404
#ifdef CMYK_SUPPORT
	case TIFFTAG_INKSET:
		/* The int vararg is narrowed to uint16; no range check is visible here. */
		td->td_inkset = (uint16) va_arg(ap, int);
		break;
	case TIFFTAG_DOTRANGE:
		/* XXX should check for null range */
		td->td_dotrange[0] = (uint16) va_arg(ap, int);
		td->td_dotrange[1] = (uint16) va_arg(ap, int);
		break;
	case TIFFTAG_INKNAMES:
		/* Caller-supplied length, then caller-supplied buffer. */
		i = va_arg(ap, int);
		s = va_arg(ap, char*);
		/* From here on i is the validated length, or 0 if the check failed. */
		i = checkInkNamesString(tif, i, s);
		/* Deliberate assignment: status becomes the validation result. */
		if (status = (i > 0)) {
			/*
			 * NOTE(review): _TIFFsetNString is defined elsewhere;
			 * presumably it copies i bytes from s.  Verify that i
			 * cannot exceed the length the caller passed in.
			 */
			_TIFFsetNString(&td->td_inknames, s, i);
			td->td_inknameslen = i;
		}
		break;
	case TIFFTAG_NUMBEROFINKS:
		/*
		 * Stored as given.  This case does not compare the value with
		 * the number of names held in td_inknames or with
		 * td_samplesperpixel.
		 */
		td->td_ninks = (uint16) va_arg(ap, int);
		break;
	case TIFFTAG_TARGETPRINTER:
		/* _TIFFsetString is not shown; presumably it duplicates the C string. */
		_TIFFsetString(&td->td_targetprinter, va_arg(ap, char*));
		break;
please confirm thank you!