graphics/tiff: Fix CVE-2022-3970

Fix: TIFFReadRGBATileExt(): fix (unsigned) integer overflow on strips/tiles > 2 GB Obtained from: Upstream 227500897dfb07fb7d27f7aa570050e62617e3be (merged as a05860a0872d323e3fbf4390187ce934dd2b165e) MFH: 2022Q4 Security: CVE-2022-3970 Security: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
2024-11-19 00:13:33 +00:00 · 2022-11-23 13:26:19 -08:00 · 2022-11-23 13:26:19 -08:00 · 76ee9a3057
commit 76ee9a3057
parent 8376433ae3
2 changed files with 23 additions and 0 deletions
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@ -1,5 +1,6 @@
 PORTNAME=	tiff
 DISTVERSION=	4.4.0
+PORTREVISION=	1
 CATEGORIES=	graphics
 MASTER_SITES=	https://download.osgeo.org/libtiff/

--- a/graphics/tiff/files/patch-libtiff_tif_getimage.c
+++ b/graphics/tiff/files/patch-libtiff_tif_getimage.c
@ -0,0 +1,22 @@
+--- libtiff/tif_getimage.c.orig	2022-02-19 07:33:54.000000000 -0800
+++ libtiff/tif_getimage.c	2022-11-23 11:36:14.192628000 -0800
+@@ -3058,15 +3058,15 @@
+         return( ok );
+ 
+     for( i_row = 0; i_row < read_ysize; i_row++ ) {
+-        memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
+-                 raster + (read_ysize - i_row - 1) * read_xsize,
+        memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+                 raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
+                  read_xsize * sizeof(uint32_t) );
+-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+                      0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
+     }
+ 
+     for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
+-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
+        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+                      0, sizeof(uint32_t) * tile_xsize );
+     }
+