From 8ee0e7d2bdcc1a5a5a3241904b243964ab947b7b Mon Sep 17 00:00:00 2001
From: Su_Laus <sulau@freenet.de>
Date: Fri, 1 Dec 2023 20:12:25 +0100
Subject: [PATCH] Check return value of _TIFFCreateAnonField().

Fixes #624

Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e]
CVE: CVE-2024-7006
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
 libtiff/tif_dirinfo.c |  2 +-
 libtiff/tif_dirread.c | 16 ++++++----------
 2 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
index 0e705e8..4cfdaad 100644
--- a/libtiff/tif_dirinfo.c
+++ b/libtiff/tif_dirinfo.c
@@ -887,7 +887,7 @@ const TIFFField *_TIFFFindOrRegisterField(TIFF *tif, uint32_t tag,
     if (fld == NULL)
     {
         fld = _TIFFCreateAnonField(tif, tag, dt);
-        if (!_TIFFMergeFields(tif, fld, 1))
+        if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
             return NULL;
     }
 
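Review bot: On the `return NULL` path, a `fld` that `_TIFFCreateAnonField` did return is dropped when `_TIFFMergeFields` fails, and nothing at this site says so. The TIFFReadDirectory hunk in tif_dirread.c carries a comment that it "knowingly leaks the anonymous field structure", which suggests the object is heap-allocated and that the same leak applies here and in the TIFFReadCustomDirectory hunk, where no such comment exists. I would document the ownership at both sites, for example `/* fld is knowingly leaked if _TIFFMergeFields() fails */`; whether it can be freed instead depends on how `_TIFFCreateAnonField` allocates it, which this patch does not show. The added `fld == NULL` test is what keeps a failed `_TIFFCreateAnonField` from handing NULL to `_TIFFMergeFields`, which the patch header ties to CVE-2024-7006, so a short comment naming that reason would help stop the check being simplified away later. `_TIFFFindOrRegisterField` begins and ends outside this hunk.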
diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
index 58a4276..738df9f 100644
--- a/libtiff/tif_dirread.c
+++ b/libtiff/tif_dirread.c
@@ -4275,11 +4275,9 @@ int TIFFReadDirectory(TIFF *tif)
                                 dp->tdir_tag, dp->tdir_tag);
                 /* the following knowingly leaks the
                    anonymous field structure */
-                if (!_TIFFMergeFields(
-                        tif,
-                        _TIFFCreateAnonField(tif, dp->tdir_tag,
-                                             (TIFFDataType)dp->tdir_type),
-                        1))
+                const TIFFField *fld = _TIFFCreateAnonField(
+                    tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+                if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
                 {
                     TIFFWarningExtR(
                         tif, module,
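Review bot: The branch under `if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))` now reports two different failures through one `TIFFWarningExtR` call, so a log line cannot tell `_TIFFCreateAnonField` returning NULL from the merge being refused. The TIFFReadCustomDirectory hunk has the same shape. A comment on the condition would make the two cases explicit, e.g. `/* fld == NULL: no field was created; merge failure: fld stays allocated (leaked) */`. The existing "knowingly leaks" comment now sits above the declaration instead of the merge call and could be reworded to match. The rest of the failure branch lies outside the hunk, so it is worth confirming there that the directory entry is skipped after the warning rather than processed with no registered field.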
@@ -5153,11 +5151,9 @@ int TIFFReadCustomDirectory(TIFF *tif, toff_t diroff,
                             "Unknown field with tag %" PRIu16 " (0x%" PRIx16
                             ") encountered",
                             dp->tdir_tag, dp->tdir_tag);
-            if (!_TIFFMergeFields(
-                    tif,
-                    _TIFFCreateAnonField(tif, dp->tdir_tag,
-                                         (TIFFDataType)dp->tdir_type),
-                    1))
+            const TIFFField *fld = _TIFFCreateAnonField(
+                tif, dp->tdir_tag, (TIFFDataType)dp->tdir_type);
+            if (fld == NULL || !_TIFFMergeFields(tif, fld, 1))
             {
                 TIFFWarningExtR(tif, module,
                                 "Registering anonymous field with tag %" PRIu16
-- 
2.44.1

