From 3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Mon Sep 17 00:00:00 2001 From: Su Laus Date: Wed, 11 Jun 2025 19:45:19 +0000 Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster rows at TIFFReadRGBAImageOriented() CVE: CVE-2025-9900 Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99] Changes- - Use old API TIFFWarningExt instead of TIFFWarningExtR. Signed-off-by: Yogita Urade --- libtiff/tif_getimage.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c index a9cd48f..4c807ad 100644 --- a/libtiff/tif_getimage.c +++ b/libtiff/tif_getimage.c @@ -509,6 +509,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32_t* raster, uint32_t w, uint32_t h) "No \"put\" routine setupl; probably can not handle image format"); return (0); } + /* Verify raster width and height against image width and height. */ + if (h > img->height) + { + /* Adapt parameters to read only available lines and put image at + * the bottom of the raster. */ + raster += (size_t)(h - img->height) * w; + h = img->height; + } + if (w > img->width) + { + TIFFWarningExt(img->tif, TIFFFileName(img->tif), + "Raster width of %d shall not be larger than image " + "width of %d -> raster width adapted for reading", + w, img->width); + w = img->width; + } return (*img->get)(img, raster, w, h); } @@ -527,9 +543,7 @@ TIFFReadRGBAImageOriented(TIFF* tif, if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) { img.req_orientation = (uint16_t)orientation; - /* XXX verify rwidth and rheight against width and height */ - ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth, - rwidth, img.height); + ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight); TIFFRGBAImageEnd(&img); } else { TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg); -- 2.40.0