diff --git a/CVE-2020-24292.patch b/CVE-2020-24292.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0f676764c4e9c7fc575b4a487435bfe57eda08b3
--- /dev/null
+++ b/CVE-2020-24292.patch
@@ -0,0 +1,14 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24292.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginICO.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginICO.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginICO.cpp 2023-09-28 19:34:45.524031668 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginICO.cpp 2023-09-28 19:34:47.717009813 +0200
+@@ -301,6 +301,9 @@ LoadStandardIcon(FreeImageIO *io, fi_han
+ int width = bmih.biWidth;
+ int height = bmih.biHeight / 2; // height == xor + and mask
+ unsigned bit_count = bmih.biBitCount;
++ if (bit_count != 1 && bit_count != 2 && bit_count != 4 && bit_count != 8 && bit_count != 16 && bit_count != 24 && bit_count != 32) {
++ return NULL;
++ }
+ unsigned line = CalculateLine(width, bit_count);
+ unsigned pitch = CalculatePitch(line);
+
diff --git a/CVE-2020-24293.patch b/CVE-2020-24293.patch
new file mode 100644
index 0000000000000000000000000000000000000000..03a80a6a75672d55a9c2a581d1d120df1b7d44b0
--- /dev/null
+++ b/CVE-2020-24293.patch
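Review bot: The added guard in LoadStandardIcon validates only `bit_count`; `width` and `height` are still read from the header as signed `int`, and `width` goes straight into `CalculateLine(width, bit_count)` in the visible lines. A zero or negative `biWidth`/`biHeight` would therefore reach the line and pitch arithmetic unless it is rejected elsewhere, which the hunk does not show. Consider extending the check with `if (width <= 0 || height <= 0) return NULL;` next to the bit-depth test. The function body starts and ends outside the hunk.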
@@ -0,0 +1,15 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24293.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp 2023-09-28 19:34:47.287014100 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp 2023-09-28 19:34:47.832008666 +0200
+@@ -780,6 +780,10 @@ int psdThumbnail::Read(FreeImageIO *io,
+ FreeImage_Unload(_dib);
+ }
+
++ if (_WidthBytes != _Width * _BitPerPixel / 8) {
++ throw "Invalid PSD image";
++ }
++
+ if(_Format == 1) {
+ // kJpegRGB thumbnail image
+ _dib = FreeImage_LoadFromHandle(FIF_JPEG, io, handle);
diff --git a/CVE-2020-24295.patch b/CVE-2020-24295.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8edfeed5d02d167da1d97139a1e8d60f547d160c
--- /dev/null
+++ b/CVE-2020-24295.patch
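Review bot: The new comparison `_WidthBytes != _Width * _BitPerPixel / 8` in psdThumbnail::Read multiplies two file-derived values before dividing, so the product can wrap (or overflow, if the members are signed) and an inconsistent pair could still satisfy the equality; the member types are not visible in the hunk. It also demands an exact unpadded row size, while the PSD thumbnail resource is, as far as I recall the format description, specified with a row size padded to 32 bits, so legitimate thumbnails may be rejected and this is worth confirming against sample files. Doing the arithmetic in a 64-bit type and rejecting non-positive `_Width` and `_BitPerPixel` first would make the check robust. Read() continues outside the hunk, so whether `_dib` is reset after `FreeImage_Unload(_dib)` before this throw cannot be checked here.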
@@ -0,0 +1,22 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24295.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp 2023-09-28 19:34:47.936007630 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp 2023-09-28 19:34:47.940007590 +0200
+@@ -1466,6 +1466,7 @@ FIBITMAP* psdParser::ReadImageData(FreeI
+ const unsigned dstBpp = (depth == 1) ? 1 : FreeImage_GetBPP(bitmap)/8;
+ const unsigned dstLineSize = FreeImage_GetPitch(bitmap);
+ BYTE* const dst_first_line = FreeImage_GetScanLine(bitmap, nHeight - 1);//<*** flipped
++ const unsigned dst_buffer_size = dstLineSize * nHeight;
+
+ BYTE* line_start = new BYTE[lineSize]; //< fileline cache
+
+@@ -1481,6 +1482,9 @@ FIBITMAP* psdParser::ReadImageData(FreeI
+ const unsigned channelOffset = GetChannelOffset(bitmap, c) * bytes;
+
+ BYTE* dst_line_start = dst_first_line + channelOffset;
++ if (channelOffset + lineSize > dst_buffer_size) {
++ throw "Invalid PSD image";
++ }
+ for(unsigned h = 0; h < nHeight; ++h, dst_line_start -= dstLineSize) {//<*** flipped
+ io->read_proc(line_start, lineSize, 1, handle);
+ ReadImageLine(dst_line_start, line_start, lineSize, dstBpp, bytes);
diff --git a/CVE-2021-33367.patch b/CVE-2021-33367.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3c0d05ba5ef6c58b5e3436ffd6d3a07d9b9c5cce
--- /dev/null
+++ b/CVE-2021-33367.patch
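Review bot: The guard `channelOffset + lineSize > dst_buffer_size` compares one source line against the size of the whole destination bitmap, but the loop writes row by row from `dst_line_start` and steps by `dstLineSize`, so the bound that matters per row is `dstLineSize`; if scanline `nHeight - 1` is the last row in memory, as the decrementing loop suggests, a row that overruns its scanline on the first iteration would still pass this test. `dst_buffer_size = dstLineSize * nHeight` is also an unsigned product that can wrap for large dimensions. Consider checking the destination span of one row against `dstLineSize` instead (how many bytes `ReadImageLine` writes per row is not visible here), and note that `line_start` was allocated with `new BYTE[lineSize]` just above the throw, so it leaks unless a handler outside the hunk frees it.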
@@ -0,0 +1,18 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-33367.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/Metadata/Exif.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp 2024-10-23 09:59:54.487770330 +0800
++++ freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp 2024-10-23 10:01:14.995770330 +0800
+@@ -720,7 +720,12 @@ jpeg_read_exif_dir(FIBITMAP *dib, const
+
+ const WORD entriesCount0th = ReadUint16(msb_order, ifd0th);
+
+- DWORD next_offset = ReadUint32(msb_order, DIR_ENTRY_ADDR(ifd0th, entriesCount0th));
++ const BYTE* de_addr = DIR_ENTRY_ADDR(ifd0th, entriesCount0th);
++ if(de_addr+4 >= (BYTE*)(dwLength + ifd0th - tiffp)) {
++ return TRUE; //< no thumbnail
++ }
++
++ DWORD next_offset = ReadUint32(msb_order, de_addr);
+ if((next_offset == 0) || (next_offset >= dwLength)) {
+ return TRUE; //< no thumbnail
+ }
diff --git a/CVE-2021-40263.patch b/CVE-2021-40263.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4674dcc87441f9c443b9595ce46094af04541a77
--- /dev/null
+++ b/CVE-2021-40263.patch
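Review bot: The bounds test `de_addr+4 >= (BYTE*)(dwLength + ifd0th - tiffp)` looks like it compares an address with a length: if `ifd0th` and `tiffp` are both byte pointers (their declarations are outside the hunk), `dwLength + ifd0th - tiffp` is a pointer difference, i.e. an integer offset, and casting it to `BYTE*` does not yield the end of the buffer. The condition would then hold for practically every input, so the function returns before the thumbnail IFD is read at all, which avoids the out-of-bounds read but silently disables thumbnail metadata. The end-of-buffer form would be `if (de_addr + 4 > tiffp + dwLength) return TRUE;`. Separately, the `Origin:` line names `CVE-2023-33367.patch` while the file is added as `CVE-2021-33367.patch`; one of the two is presumably a typo.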
@@ -0,0 +1,16 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2021-40263.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp 2023-09-28 19:34:47.713009853 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp 2023-09-28 19:34:48.043006563 +0200
+@@ -2081,6 +2081,11 @@ Load(FreeImageIO *io, fi_handle handle,
+ uint32 tileRowSize = (uint32)TIFFTileRowSize(tif);
+ uint32 imageRowSize = (uint32)TIFFScanlineSize(tif);
+
++ if (width / tileWidth * tileRowSize * 8 > bitspersample * samplesperpixel * width) {
++ free(tileBuffer);
++ throw "Corrupted tiled TIFF file";
++ }
++
+
+ // In the tiff file the lines are saved from up to down
+ // In a DIB the lines must be saved from down to up
diff --git a/CVE-2021-40266.patch b/CVE-2021-40266.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8d601f600159933d83c1457bf7777988bfe624b7
--- /dev/null
+++ b/CVE-2021-40266.patch
@@ -0,0 +1,15 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2021-40266.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp 2023-09-28 19:34:47.501011966 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp 2023-09-28 19:34:47.610010879 +0200
+@@ -357,6 +357,10 @@ static void
+ ReadPalette(TIFF *tiff, uint16 photometric, uint16 bitspersample, FIBITMAP *dib) {
+ RGBQUAD *pal = FreeImage_GetPalette(dib);
+
++ if (!pal) {
++ return;
++ }
++
+ switch(photometric) {
+ case PHOTOMETRIC_MINISBLACK: // bitmap and greyscale image types
+ case PHOTOMETRIC_MINISWHITE:
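Review bot: The added consistency check `width / tileWidth * tileRowSize * 8 > bitspersample * samplesperpixel * width` divides by `tileWidth` and multiplies file-derived values in what appear to be 32-bit types (`tileRowSize` is declared `uint32` two lines above). A zero `tileWidth` would fault, and a wrapped product could let an inconsistent tile geometry through, unless both are excluded earlier in Load(), which is outside the hunk. Rejecting `tileWidth == 0` before the division and widening both sides to a 64-bit type would close that. The explicit `free(tileBuffer)` before the `throw` should also be checked against the handler's cleanup so the buffer is not released twice.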
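Review bot: The early return added to ReadPalette is undocumented, and it is not obvious from the call site why `pal` can be NULL. A one-line comment above the check, such as `// dib has no palette (file tags do not match a palettized bitmap): nothing to fill`, would tell the next reader that the silent return is deliberate. The function body continues outside the hunk, so whether callers rely on a palette having been written cannot be checked here.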
diff --git a/CVE-2023-47995.patch b/CVE-2023-47995.patch
new file mode 100644
index 0000000000000000000000000000000000000000..77d35144ac6088db3f8b81354b5db7b5164fc368
--- /dev/null
+++ b/CVE-2023-47995.patch
@@ -0,0 +1,15 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-47995.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginJPEG.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginJPEG.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginJPEG.cpp 2024-03-10 14:22:17.818579271 +0100
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginJPEG.cpp 2024-03-10 14:22:18.776573816 +0100
+@@ -1086,6 +1086,10 @@ Load(FreeImageIO *io, fi_handle handle,
+
+ jpeg_read_header(&cinfo, TRUE);
+
++ if (cinfo.image_width > JPEG_MAX_DIMENSION || cinfo.image_height > JPEG_MAX_DIMENSION) {
++ throw FI_MSG_ERROR_DIB_MEMORY;
++ }
++
+ // step 4: set parameters for decompression
+
+ unsigned int scale_denom = 1; // fraction by which to scale image
diff --git a/CVE-2023-47997.patch b/CVE-2023-47997.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1c22c15d8df44a5fb737cb7553316799a3d82339
--- /dev/null
+++ b/CVE-2023-47997.patch
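Review bot: The new dimension test after `jpeg_read_header` bounds each side separately, so it does not by itself cap the total pixel count that the later bitmap allocation (outside the hunk) will request; a limit on the product `image_width * image_height`, computed in a 64-bit type, is what would protect that allocation. libjpeg's own header parsing is, to my knowledge, expected to reject dimensions above `JPEG_MAX_DIMENSION` already, so it is worth confirming with a test file that this branch is reachable. The thrown `FI_MSG_ERROR_DIB_MEMORY` also reports an allocation failure although nothing has been allocated at this point in the visible lines; a message stating that the header dimensions are out of range would be clearer for triage.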
@@ -0,0 +1,17 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-47997.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp 2024-03-10 14:22:18.669574426 +0100
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp 2024-03-10 14:22:18.673574403 +0100
+@@ -1435,6 +1435,12 @@ Load(FreeImageIO *io, fi_handle handle,
+ (int)bitspersample, (int)samplesperpixel, (int)photometric);
+ throw (char*)NULL;
+ }
++ if (planar_config == PLANARCONFIG_SEPARATE && bitspersample < 8) {
++ FreeImage_OutputMessageProc(s_format_id,
++ "Unable to handle this format: bitspersample = 8, TIFFTAG_PLANARCONFIG = PLANARCONFIG_SEPARATE"
++ );
++ throw (char*)NULL;
++ }
+
+ // ---------------------------------------------------------------------------------
+
diff --git a/freeimage.spec b/freeimage.spec
index e0171b12ed6e1b7c56cce8586f84abbe1f5124c7..827f9528acba70fc77717fdf7bbbbe7583f3f1b9 100644
--- a/freeimage.spec
+++ b/freeimage.spec
@@ -4,9 +4,9 @@ Name: freeimage Version: 3.18.0 -Release: 11 +Release: 13 Summary: FreeImage is a library project for developers who would like to support popular graphics image formats (PNG, JPEG, TIFF, BMP and others) -License: GPLv2 or GPLv3 and FIPL +License: GPLv2 or GPLv3 and FreeImage URL: https://freeimage.sourceforge.io/ Source0: http://downloads.sourceforge.net/freeimage/FreeImage3180.zip
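Review bot: The message passed to `FreeImage_OutputMessageProc` in the new branch says `bitspersample = 8`, but the branch is taken for `bitspersample < 8`, so the log line misreports the value that caused the rejection. Print the actual value, as the preceding call in the context lines does: `"Unable to handle this format: bitspersample = %d, TIFFTAG_PLANARCONFIG = PLANARCONFIG_SEPARATE", (int)bitspersample`. Load() starts and ends outside the hunk.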
@@ -29,6 +29,15 @@ Patch10: CVE-2020-21427-1-r1832-improved-BMP-plugin-when-working-with-mal Patch11: CVE-2020-21428-r1877-improved-DDS-plugin-against-malicious-images.patch Patch12: CVE-2020-21427-2-r1836-improved-BMP-plugin-when-working-with-malicious-images.patch Patch13: CVE-2020-22524-r1848-improved-PFM-plugin-against-malicious-images.patch +# https://src.fedoraproject.org/rpms/freeimage/tree/f39 +Patch14: CVE-2020-24292.patch +Patch15: CVE-2020-24293.patch +Patch16: CVE-2020-24295.patch +Patch17: CVE-2021-33367.patch +Patch18: CVE-2021-40263.patch +Patch19: CVE-2021-40266.patch +Patch20: CVE-2023-47995.patch +Patch21: CVE-2023-47997.patch BuildRequires: doxygen gcc-c++ make jxrlib-devel libjpeg-devel libmng-devel libpng-devel libtiff-devel libwebp-devel LibRaw-devel OpenEXR-devel openjpeg2-devel @@ -112,6 +121,13 @@ ldconfig -n %{buildroot}%{_libdir} %changelog +* Wed Oct 23 2024 wangkai <13474090681@163.com> - 3.18.0-13 +- Fix CVE-2020-24292 CVE-2020-24293 CVE-2020-24295 CVE-2021-33367 + CVE-2021-40263 CVE-2021-40266 CVE-2023-47995 CVE-2023-47997 + +* Mon Aug 19 2024 xu_ping <707078654@qq.com> - 3.18.0-12 +- License compliance rectification. + * Mon Dec 04 2023 wangkai <13474090681@163.com> - 3.18.0-11 - Fix CVE-2020-21427,CVE-2020-21428,CVE-2020-22524