CVE-2022-2057

An attacker provides a crafted TIFF file that, when processed by `tiffcrop` with options such as `-R 270 -P 300.0x300.0`, triggers a divide-by-zero (floating-point exception) in `computeOutputPixelOffsets` [ref_id=1]. The crafted file contains numerous malformed or missing TIFF tags (e.g., invalid tag ordering, missing required fields like `StripByteCounts` and `PhotometricInterpretation`), which cause the function to compute pixel offsets using a zero divisor. The attack requires no authentication and is delivered over the network by inducing a user or automated service to run `tiffcrop` on the malicious file.

The vulnerability is a floating-point exception (FPE) in the function `computeOutputPixelOffsets` at line 5936 of `tools/tiffcrop.c` [ref_id=1]. The crash occurs when `tiffcrop` processes a crafted TIFF file with specific command-line arguments (`-R 270 -P 300.0x300.0`).

The fix is available with commit `f3a5e010` in the libtiff repository [ref_id=1]. The patch adds a check to ensure the divisor used in `computeOutputPixelOffsets` is non-zero before performing the division, preventing the floating-point exception. Without this fix, a crafted TIFF file with malformed or missing tags causes a division by zero, leading to a denial-of-service crash.

1. Compile libtiff with debug symbols: `CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --prefix=$PWD/build_orig --disable-shared && make -j && make install` [ref_id=1]. 2. Run `./build_orig/bin/tiffcrop -R 270 -P 300.0x300.0 poc /tmp/foo` on the provided PoC file [ref_id=1]. 3. Observe the floating-point exception (core dump) at `tiffcrop.c:5936` in `computeOutputPixelOffsets` [ref_id=1].