File _service:tar_scm:backport-0001-CVE-2023-0795-07... of Package libtiff

File _service:tar_scm:backport-0001-CVE-2023-0795-0796-0797-0798-0799.patch of Package libtiff

From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Fri, 3 Feb 2023 15:31:31 +0100
Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage()
 fix#520 rotateImage() set up a new buffer and calculates its size
 individually. Therefore, seg_buffs[] size needs to be updated accordingly.
 Before this fix, the seg_buffs buffer size was calculated with a different
 formula than within rotateImage().

Closes #520.
---
 tools/tiffcrop.c | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 7db69883..f8b66188 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -577,7 +577,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,
 static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,
                                      uint32_t, uint32_t, uint8_t *, uint8_t *);
 static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,
-                       unsigned char **);
+                       unsigned char **, size_t *);
 static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
                        unsigned char *);
 static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,
@@ -7243,7 +7243,7 @@ static int correct_orientation(struct image_data *image,
         }
 
         if (rotateImage(rotation, image, &image->width, &image->length,
-                        work_buff_ptr))
+                        work_buff_ptr, NULL))
         {
             TIFFError("correct_orientation", "Unable to rotate image");
             return (-1);
@@ -8563,8 +8563,12 @@ static int processCropSelections(struct image_data *image,
         if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can
                                               reallocate the buffer */
         {
+            /* rotateImage() set up a new buffer and calculates its size
+             * individually. Therefore, seg_buffs size  needs to be updated
+             * accordingly. */
+            size_t rot_buf_size = 0;
             if (rotateImage(crop->rotation, image, &crop->combined_width,
-                            &crop->combined_length, &crop_buff))
+                            &crop->combined_length, &crop_buff, &rot_buf_size))
             {
                 TIFFError("processCropSelections",
                           "Failed to rotate composite regions by %" PRIu32
@@ -8573,9 +8577,7 @@ static int processCropSelections(struct image_data *image,
                 return (-1);
             }
             seg_buffs[0].buffer = crop_buff;
-            seg_buffs[0].size =
-                (((crop->combined_width * image->bps + 7) / 8) * image->spp) *
-                crop->combined_length;
+            seg_buffs[0].size = rot_buf_size;
         }
     }
     else /* Separated Images */
@@ -8686,10 +8688,13 @@ static int processCropSelections(struct image_data *image,
                  * ->yres, what it schouldn't do here, when more than one
                  * section is processed. ToDo: Therefore rotateImage() and its
                  * usage has to be reworked (e.g. like mirrorImage()) !!
-                 */
-                if (rotateImage(crop->rotation, image,
-                                &crop->regionlist[i].width,
-                                &crop->regionlist[i].length, &crop_buff))
+                 * Furthermore, rotateImage() set up a new buffer and calculates
+                 * its size individually. Therefore, seg_buffs size  needs to be
+                 * updated accordingly. */
+                size_t rot_buf_size = 0;
+                if (rotateImage(
+                        crop->rotation, image, &crop->regionlist[i].width,
+                        &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
                 {
                     TIFFError("processCropSelections",
                               "Failed to rotate crop region by %" PRIu16
@@ -8702,10 +8707,7 @@ static int processCropSelections(struct image_data *image,
                 crop->combined_width = total_width;
                 crop->combined_length = total_length;
                 seg_buffs[i].buffer = crop_buff;
-                seg_buffs[i].size =
-                    (((crop->regionlist[i].width * image->bps + 7) / 8) *
-                     image->spp) *
-                    crop->regionlist[i].length;
+                seg_buffs[i].size = rot_buf_size;
             }
         } /* for crop->selections loop */
     }     /* Separated Images (else case) */
@@ -8836,7 +8838,7 @@ static int createCroppedImage(struct image_data *image, struct crop_mask *crop,
         CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
     {
         if (rotateImage(crop->rotation, image, &crop->combined_width,
-                        &crop->combined_length, crop_buff_ptr))
+                        &crop->combined_length, crop_buff_ptr, NULL))
         {
             TIFFError("createCroppedImage",
                       "Failed to rotate image or cropped selection by %" PRIu16
@@ -9552,7 +9554,7 @@ static int rotateContigSamples32bits(uint16_t rotation, uint16_t spp,
 /* Rotate an image by a multiple of 90 degrees clockwise */
 static int rotateImage(uint16_t rotation, struct image_data *image,
                        uint32_t *img_width, uint32_t *img_length,
-                       unsigned char **ibuff_ptr)
+                       unsigned char **ibuff_ptr, size_t *rot_buf_size)
 {
     int shift_width;
     uint32_t bytes_per_pixel, bytes_per_sample;
@@ -9610,6 +9612,8 @@ static int rotateImage(uint16_t rotation, struct image_data *image,
         return (-1);
     }
     _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
+    if (rot_buf_size != NULL)
+        *rot_buf_size = buffsize;
 
     ibuff = *ibuff_ptr;
     switch (rotation)
-- 
GitLab