CVE-2022-1056
Description
Out-of-bounds Read error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 46dc8fcd.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
osv-coords, 31 versions (no CPE listed for any entry):
- pkg:rpm/opensuse/tiff (openSUSE Leap 15.3): < 4.0.9-150000.45.8.1
- pkg:rpm/opensuse/tiff (openSUSE Leap 15.4): < 4.0.9-150000.45.8.1
- pkg:rpm/opensuse/tiff (openSUSE Tumbleweed): < 4.3.0-2.1
- pkg:rpm/suse/tiff (SUSE Enterprise Storage 6): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Enterprise Storage 7): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise High Performance Computing 15-ESPOS): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise High Performance Computing 15-LTSS): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Micro 5.2): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Module for Basesystem 15 SP3): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Module for Basesystem 15 SP4): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Module for Desktop Applications 15 SP3): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Module for Package Hub 15 SP3): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Module for Package Hub 15 SP4): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Server 12 SP5): < 4.0.9-44.48.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Server 15 SP1-BCL): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Server 15 SP1-LTSS): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Server 15 SP2-BCL): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Server 15 SP2-LTSS): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Server 15-LTSS): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Server for SAP Applications 12 SP5): < 4.0.9-44.48.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Server for SAP Applications 15): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Server for SAP Applications 15 SP1): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Server for SAP Applications 15 SP2): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Linux Enterprise Software Development Kit 12 SP5): < 4.0.9-44.48.1
- pkg:rpm/suse/tiff (SUSE Manager Proxy 4.1): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Manager Retail Branch Server 4.1): < 4.0.9-150000.45.8.1
- pkg:rpm/suse/tiff (SUSE Manager Server 4.1): < 4.0.9-150000.45.8.1
Vulnerability mechanics
Root cause
"Missing bounds check in extractImageSection causes _TIFFmemcpy to read beyond the allocated heap buffer when processing a crafted TIFF file."
Attack vector
An attacker supplies a crafted TIFF file that, when processed by `tiffcrop` with the `-H` crop-height option (e.g. `tiffcrop -H 341 poc /tmp/foo`), triggers a heap-buffer-overflow read in `_TIFFmemcpy` [ref_id=1]. The malformed file contains numerous invalid or warning-inducing tags (e.g. unknown tags, mismatched color channels, and Fax4 decode errors) that cause `loadImage` to allocate a buffer of insufficient size for the subsequent `extractImageSection` copy operation [ref_id=1]. No authentication or special network access is required; the attacker only needs to deliver the crafted file to a victim running `tiffcrop`.
Affected code
The out-of-bounds read occurs in `_TIFFmemcpy` at `libtiff/tif_unix.c:346`, called from `extractImageSection` in `tools/tiffcrop.c:6854`, which is invoked by `writeImageSections` at `tools/tiffcrop.c:7103` and ultimately from `main` at `tools/tiffcrop.c:2451` [ref_id=1]. The heap buffer was allocated via `_TIFFmalloc` in `loadImage` at `tools/tiffcrop.c:6210` [ref_id=1].
What the fix does
The fix is available in commit `46dc8fcd` [per the CVE description]. The advisory does not include the patch diff, but the issue report [ref_id=1] identifies the root cause as a heap-buffer-overflow in `_TIFFmemcpy` during `extractImageSection`. The remediation ensures that the copy size passed to `_TIFFmemcpy` does not exceed the allocated buffer bounds, preventing the out-of-bounds read that leads to a denial-of-service.
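The kind of check this remediation describes, as an added example: it is not libtiff code and not the patch in commit `46dc8fcd`. The struct and function names are hypothetical; the point shown is that a section copy is validated against the bytes actually allocated rather than the geometry the file's tags claim.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical view of a loaded image; these are not libtiff's own types. */
struct image_buf {
    const uint8_t *data;       /* heap buffer holding the decoded image */
    size_t size;               /* bytes actually allocated for data */
    uint32_t width, length;    /* geometry claimed by the file's tags */
    uint32_t bytes_per_pixel;
};

/* Copy rows first_row..last_row, columns first_col..last_col into dst.
 * Returns 0 on success, -1 if any read or write would leave its buffer. */
int extract_section_checked(const struct image_buf *src,
                            uint32_t first_row, uint32_t last_row,
                            uint32_t first_col, uint32_t last_col,
                            uint8_t *dst, size_t dst_size)
{
    if (!src || !src->data || !dst || src->bytes_per_pixel == 0 ||
        first_row > last_row || first_col > last_col ||
        last_row >= src->length || last_col >= src->width)
        return -1;

    /* Trust the allocation size, not the tags: derive how many whole rows
     * the buffer really holds and refuse a crop that reaches past them. */
    uint64_t row_bytes = (uint64_t)src->width * src->bytes_per_pixel;
    if (row_bytes > src->size || last_row >= src->size / row_bytes)
        return -1;

    uint64_t copy_bytes = (uint64_t)(last_col - first_col + 1) * src->bytes_per_pixel;
    uint64_t nrows = (uint64_t)last_row - first_row + 1;
    if (nrows > dst_size / copy_bytes)   /* division avoids overflow */
        return -1;

    for (uint64_t r = 0; r < nrows; r++)
        memcpy(dst + r * copy_bytes, src->data + (first_row + r) * row_bytes
               + (uint64_t)first_col * src->bytes_per_pixel, (size_t)copy_bytes);
    return 0;
}

/* Constructed case: 4x4 one-byte pixels allocated, but tags claim 8 rows. */
uint8_t demo_out[8];
int demo_crop(uint32_t first_row, uint32_t last_row, size_t out_size)
{
    static const uint8_t pixels[16] = {0,1,2,3, 4,5,6,7, 8,9,10,11, 12,13,14,15};
    struct image_buf img = { pixels, sizeof pixels, 4, 8, 1 };
    return extract_section_checked(&img, first_row, last_row, 1, 2, demo_out, out_size);
}
```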
Preconditions
- input: Victim must run `tiffcrop` on the attacker-supplied file
- input: The crafted TIFF file must trigger the specific code path in `extractImageSection`
Reproduction
Build libtiff with AddressSanitizer (`-fsanitize=address`), then run: `./build_asan/bin/tiffcrop -H 341 poc /tmp/foo` using the proof-of-concept file linked in the issue [ref_id=1]. The tool will output numerous TIFF warnings and then crash with a heap-buffer-overflow in `_TIFFmemcpy` [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.