CVE-2022-2056

An attacker crafts a malicious TIFF file that, when processed by `tiffcrop` with specific command-line flags (`-R 270 -O auto -P 300.0x300.0`), causes a floating-point exception (FPE) in `computeOutputPixelOffsets` [ref_id=1]. The attacker does not need authentication; they only need to deliver the crafted file to a victim who runs `tiffcrop` on it. The crash results in a denial-of-service condition.

The vulnerability resides in `tools/tiffcrop.c` at line 5817-5818, within the function `computeOutputPixelOffsets`. The issue is triggered when `tiffcrop` is invoked with the `-R 270` (rotation) and `-P 300.0x300.0` (page width/height) options on a crafted TIFF file [ref_id=1].

The fix is available in commit `f3a5e010` of the libtiff repository. While the exact diff is not shown in the advisory, the commit addresses the divide-by-zero condition in `computeOutputPixelOffsets` at `tools/tiffcrop.c:5817` by adding a check to prevent division by zero when computing pixel offsets [ref_id=1]. Users compiling from source should apply this commit to eliminate the FPE.

1. Build libtiff with AddressSanitizer: `CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared && make -j && make install` [ref_id=1]. 2. Obtain the crafted PoC TIFF file from the issue attachment. 3. Run: `./build_asan/bin/tiffcrop -R 270 -O auto -P 300.0x300.0 poc /tmp/foo` [ref_id=1]. 4. Observe the FPE crash at `computeOutputPixelOffsets` in `tiffcrop.c:5818`.