VYPR
Unrated severity · NVD Advisory · Published Mar 9, 2022 · Updated Aug 2, 2024

CVE-2022-0891

Description

A heap buffer overflow in the ExtractImageSection function in tiffcrop.c in the libtiff library, version 4.3.0, allows an attacker to trigger unsafe or out-of-bounds memory access via a crafted TIFF image file, which could result in an application crash, potential information disclosure or any other context-dependent impact.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 36

Patches

Vulnerability mechanics

Root cause

"Incorrect offset and size calculations in `extractImageSection` that omit the `spp` (samples per pixel) multiplier, combined with a use-after-free from `rotateImage`, cause out-of-bounds heap reads."

Attack vector

An attacker supplies a crafted TIFF image with malformed tags (e.g., missing `StripByteCounts`, invalid `PageNumber` count) and specific crop/rotate parameters (`-E l -H 10 -V 10 -S 8:4 -R 270`). When `tiffcrop` processes the image, `rotateImage` allocates a buffer, then frees it, and `extractImageSection` subsequently reads from the freed buffer (heap-use-after-free at line 6866) [ref_id=2]. The incorrect offset calculations in `extractImageSection` also cause heap buffer overflows by reading beyond the allocated region [ref_id=1].

Affected code

The vulnerability resides in `extractImageSection` in `tools/tiffcrop.c` (line 6866). The function computes buffer offsets using `shift2` and `offset2` variables that were removed in the patch; the old code used `offset2` (derived from `last_col * bps / 8`) without accounting for `spp`, leading to out-of-bounds reads. The patch also corrects the `img_rowsize` calculation and the `sectsize` computation in `writeImageSections` (line 7091) to multiply by `spp` before dividing by 8 [ref_id=1].

What the fix does

The patch removes the `shift2` and `offset2` variables and corrects all offset calculations to multiply by `spp` before dividing by 8, ensuring proper byte alignment for multi-sample pixels [ref_id=1]. It also fixes `img_rowsize` to `((img_width * spp * bps) + 7) / 8` and `full_bytes` to `(sect_width * spp * bps) / 8`, and corrects `sectsize` in `writeImageSections` to `ceil((width * bps * spp + 7) / 8.0) * length`. These changes prevent out-of-bounds reads and writes by computing accurate buffer sizes and offsets.
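The arithmetic above is easier to check in code. The following is an added example, not code from libtiff or from the fix commit: it reimplements the patched `img_rowsize`, `full_bytes` and `sectsize` formulas quoted above, places the pre-fix column offset the page quotes (`col * bps / 8`, no `spp`) beside the patched form, and wraps the row copy of a section in the bounds checks that turn a mis-sized buffer into an error instead of an out-of-bounds read. The helper names, the `extract_section_checked` API and the 8x4 RGB raster are this example's own assumptions; it covers only whole-byte samples (`bps % 8 == 0`), not the bit-packed path.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Row stride in bytes of an interleaved raster, as the patch computes img_rowsize:
 * spp is multiplied in before the round-up to whole bytes. */
static size_t fixed_rowsize(uint32_t img_width, uint16_t spp, uint16_t bps)
{
    return ((size_t)img_width * spp * bps + 7) / 8;
}

/* Complete bytes per section row, as the patch computes full_bytes. */
static size_t fixed_full_bytes(uint32_t sect_width, uint16_t spp, uint16_t bps)
{
    return ((size_t)sect_width * spp * bps) / 8;
}

/* Section buffer size as the patch computes sectsize, ceil((width * bps * spp + 7) / 8.0)
 * * length, in integer arithmetic (no libm). Never smaller than fixed_rowsize() * length. */
static size_t fixed_sectsize(uint32_t width, uint32_t length, uint16_t spp, uint16_t bps)
{
    size_t bits = (size_t)width * bps * spp;
    return ((bits + 7 + 7) / 8) * length;
}

/* Column byte offset: the pre-fix form quoted on the page, which drops spp, beside the
 * patched form. For spp > 1 the legacy value lands inside the wrong pixel. */
static size_t legacy_col_offset(uint32_t col, uint16_t bps)
{
    return (size_t)col * bps / 8;
}
static size_t fixed_col_offset(uint32_t col, uint16_t spp, uint16_t bps)
{
    return ((size_t)col * spp * bps) / 8;
}

/* Copy rows first_row..last_row, columns first_col..last_col of an interleaved raster
 * into dst, refusing any copy that would read or write past either buffer.
 * Whole-byte samples only (bps % 8 == 0). Returns 0 on success, -1 otherwise. */
static int extract_section_checked(const uint8_t *src, size_t src_len,
                                   uint32_t img_width, uint32_t img_length,
                                   uint16_t spp, uint16_t bps,
                                   uint32_t first_col, uint32_t last_col,
                                   uint32_t first_row, uint32_t last_row,
                                   uint8_t *dst, size_t dst_len)
{
    if (spp == 0 || bps == 0 || bps % 8 != 0) return -1;
    if (first_col > last_col || first_row > last_row) return -1;
    if (last_col >= img_width || last_row >= img_length) return -1;

    size_t rowsize    = fixed_rowsize(img_width, spp, bps);
    size_t full_bytes = fixed_full_bytes(last_col - first_col + 1, spp, bps);
    size_t col_offset = fixed_col_offset(first_col, spp, bps);

    /* Geometry taken from the file's tags must fit the bytes actually handed over;
     * a crafted file is exactly where the two disagree. */
    if (rowsize * img_length > src_len) return -1;

    size_t dst_off = 0;
    for (uint32_t row = first_row; row <= last_row; row++) {
        size_t src_off = (size_t)row * rowsize + col_offset;
        if (src_off + full_bytes > src_len || dst_off + full_bytes > dst_len)
            return -1;
        memcpy(dst + dst_off, src + src_off, full_bytes);
        dst_off += full_bytes;
    }
    return 0;
}

/* Constructed sample raster (a decoded buffer, not a TIFF file): 8 x 4 pixels,
 * spp 3, bps 8; pixel (r, c) holds the bytes { r*8 + c, 0x80 | c, 0xC0 | r }. */
enum { IMG_W = 8, IMG_L = 4, IMG_SPP = 3, IMG_BPS = 8 };

static void build_sample(uint8_t *buf)
{
    for (uint32_t r = 0; r < IMG_L; r++)
        for (uint32_t c = 0; c < IMG_W; c++) {
            uint8_t *px = buf + (r * IMG_W + c) * IMG_SPP;
            px[0] = (uint8_t)(r * IMG_W + c);
            px[1] = (uint8_t)(0x80 | c);
            px[2] = (uint8_t)(0xC0 | r);
        }
}

/* Extract columns 2..5 of rows 1..2 from a buffer that is `shortfall` bytes smaller than
 * the declared geometry implies. Returns the section's first byte (the first sample of
 * pixel (1, 2)) on success, or -1 when the checked copy refuses. */
static int demo_extract(size_t shortfall)
{
    uint8_t img[IMG_W * IMG_L * IMG_SPP], sect[64];
    build_sample(img);
    if (extract_section_checked(img, sizeof img - shortfall, IMG_W, IMG_L, IMG_SPP,
                                IMG_BPS, 2, 5, 1, 2, sect, sizeof sect) != 0)
        return -1;
    return sect[0];
}

int main(void)
{
    printf("legacy col 7 offset=%zu fixed=%zu sectsize(4x2)=%zu\n",
           legacy_col_offset(7, IMG_BPS), fixed_col_offset(7, IMG_SPP, IMG_BPS),
           fixed_sectsize(4, 2, IMG_SPP, IMG_BPS));
    printf("section first byte=%d, truncated buffer=%d\n", demo_extract(0), demo_extract(1));
    return 0;
}
```

With `spp = 3` and `bps = 8`, the legacy offset for column 7 is 7 bytes while the patched offset is 21, so every column past the first is read from the wrong place; the truncated call shows the check that matters operationally, since the raster size implied by the tags is compared against the buffer that was actually allocated before any copy happens.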

Preconditions

  • Input: the attacker must provide a crafted TIFF file that triggers the heap-use-after-free condition when processed by tiffcrop.
  • Input: tiffcrop must be invoked with crop/rotate flags such as `-E l -H 10 -V 10 -S 8:4 -R 270` to reach the vulnerable code path.

Reproduction

Clone the libtiff source at the affected 4.3.0 release, build it with AddressSanitizer (`-fsanitize=address,undefined`), then run: `./tiffcrop -i -E l -H 10 -V 10 -S 8:4 -R 270 poc.tif a.tif` [ref_id=2]. The `-i` flag makes tiffcrop ignore read errors, so the malformed tags do not abort processing before the crop and rotate code is reached. The ASAN log confirms a heap-use-after-free read at `extractImageSection` line 6866, with the freed region originating from `rotateImage` at line 8697 [ref_id=2].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9

News mentions: 0