graphics/tiff: Fix CVE-2022-3970

Fix: TIFFReadRGBATileExt(): fix (unsigned) integer overflow on strips/tiles > 2 GB Obtained from: Upstream 227500897dfb07fb7d27f7aa570050e62617e3be (merged as a05860a0872d323e3fbf4390187ce934dd2b165e) MFH: 2022Q4 Security: CVE-2022-3970 Security: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
freebsd · Nov 23, 2022 · 76ee9a3 · 76ee9a3
1 parent 8376433
commit 76ee9a3
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
@@ -1,5 +1,6 @@
 PORTNAME=	tiff
 DISTVERSION=	4.4.0
+PORTREVISION=	1
 CATEGORIES=	graphics
 MASTER_SITES=	https://download.osgeo.org/libtiff/
 

diff --git a/graphics/tiff/files/patch-libtiff_tif_getimage.c b/graphics/tiff/files/patch-libtiff_tif_getimage.c
@@ -0,0 +1,22 @@
+--- libtiff/tif_getimage.c.orig	2022-02-19 07:33:54.000000000 -0800
++++ libtiff/tif_getimage.c	2022-11-23 11:36:14.192628000 -0800
+@@ -3058,15 +3058,15 @@
+         return( ok );
+
+     for( i_row = 0; i_row < read_ysize; i_row++ ) {
+-        memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
+-                 raster + (read_ysize - i_row - 1) * read_xsize,
++        memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
++                 raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
+                  read_xsize * sizeof(uint32_t) );
+-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
++        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+                      0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
+     }
+
+     for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
+-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
++        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+                      0, sizeof(uint32_t) * tile_xsize );
+     }
+