Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 54 additions & 0 deletions SPECS/libtiff/CVE-2026-12912.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
From ba2b04b114c5dd945107ccc613cedfcca3af73bb Mon Sep 17 00:00:00 2001
From: waugustus <wangdw.augustus@qq.com>
Date: Thu, 23 Apr 2026 17:05:53 +0800
Subject: [PATCH] pixarlog: fix heap-buffer-overflow in 8BITABGR decode
with stride 3 (#824) & pixarlog: add comment explaining 4-byte advance in ABGR decode


Upstream Patch reference: https://gitlab.com/libtiff/libtiff/-/merge_requests/873.patch
---
libtiff/tif_pixarlog.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
index 5c0346b..6570411 100644
--- a/libtiff/tif_pixarlog.c
+++ b/libtiff/tif_pixarlog.c
@@ -864,6 +864,19 @@ static int PixarLogDecode(TIFF *tif, uint8_t *op, tmsize_t occ, uint16_t s)

llen = sp->stride * td->td_imagewidth;

+ /* Fix: ABGR with stride=3 expands 3 samples to 4 output bytes per pixel */
+ if (sp->user_datafmt == PIXARLOGDATAFMT_8BITABGR && sp->stride == 3)
+ {
+ tmsize_t required = (tmsize_t)td->td_imagewidth * 4;
+ if (occ < required)
+ {
+ TIFFErrorExtR(tif, module,
+ "Output buffer too small for PixarLog ABGR data");
+ memset(op, 0, (size_t)occ);
+ return (0);
+ }
+ }
+
(void)s;
assert(sp != NULL);

@@ -972,7 +985,13 @@ static int PixarLogDecode(TIFF *tif, uint8_t *op, tmsize_t occ, uint16_t s)
case PIXARLOGDATAFMT_8BITABGR:
horizontalAccumulate8abgr(up, llen, sp->stride,
(unsigned char *)op, sp->ToLinear8);
- op += llen * sizeof(unsigned char);
+
+ /* For stride == 3 (RGB), horizontalAccumulate8abgr expands to 4
+ * bytes/pixel (ABGR) */
+ if (sp->stride == 3)
+ op += (unsigned long)td->td_imagewidth * 4;
+ else
+ op += (unsigned long)llen * sizeof(unsigned char);
break;
default:
TIFFErrorExtR(tif, module, "Unsupported bits/sample: %" PRIu16,
--
2.34.1

6 changes: 5 additions & 1 deletion SPECS/libtiff/libtiff.spec
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Summary: TIFF libraries and associated utilities.
Name: libtiff
Version: 4.6.0
Release: 13%{?dist}
Release: 14%{?dist}
License: libtiff
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -24,6 +24,7 @@ Patch12: CVE-2025-8961.patch
Patch13: CVE-2025-61143.patch
Patch14: CVE-2025-61144.patch
Patch15: CVE-2026-4775.patch
Patch16: CVE-2026-12912.patch

BuildRequires: autoconf
BuildRequires: automake
Expand Down Expand Up @@ -80,6 +81,9 @@ make %{?_smp_mflags} -k check
%exclude %{_docdir}/tiff-%{version}/LICENSE.md

%changelog
* Fri Jul 03 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 4.6.0-14
- Patch for CVE-2026-12912

* Thu Apr 23 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 4.6.0-13
- Patch for CVE-2026-4775

Expand Down
Loading