CVE-2022-2058

An attacker supplies a crafted TIFF file that triggers a floating-point exception (FPE) in `computeOutputPixelOffsets` when `tiffcrop` is invoked with options such as `-R 90 -H 300 -O landscape -P 300.0x300.0 -i` [ref_id=1]. The crafted file contains numerous malformed TIFF directory tags, invalid data types for `StripOffsets` and `StripByteCounts`, and lacks a PhotometricInterpretation tag, ultimately causing a division-by-zero error at `tiffcrop.c:5941` [ref_id=1]. No authentication is required; the attacker only needs to deliver the malicious file to a user or service that runs `tiffcrop` on it.

The vulnerability resides in `tools/tiffcrop.c` at line 5941, within the function `computeOutputPixelOffsets` [ref_id=1]. This function is called from `main()` at line 2459 when processing a crafted TIFF file with the `tiffcrop` utility [ref_id=1].

The fix is available with commit `f3a5e010` in the libtiff repository [ref_id=1]. While the exact diff is not shown in the issue, the commit addresses the division-by-zero condition in `computeOutputPixelOffsets` by adding a check to prevent a zero divisor before performing the division at line 5941 of `tiffcrop.c`. Users who compile from source should apply this commit; otherwise, they should update to a libtiff release that includes the fix.

1. Build libtiff 4.4.0 (commit 19db1d316bf959de10df7491b7b78a256811b6e4) with debug flags: `CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --prefix=$PWD/build_orig --disable-shared && make -j && make install`. 2. Run the crafted PoC file through tiffcrop: `./build_orig/bin/tiffcrop -R 90 -H 300 -O landscape -P 300.0x300.0 -i poc /tmp/foo`. 3. Observe the "Floating point exception (core dumped)" output, confirming the FPE at `tiffcrop.c:5941` in `computeOutputPixelOffsets` [ref_id=1].