CVE-2022-3570

An attacker crafts a TIFF image file with dimensions and sample parameters that, when processed by tiffcrop, cause conversion subroutines to read or write up to 3 bytes past the end of an allocated buffer [ref_id=1]. The bug is triggered during tiffcrop operations such as tile/strip reading and writing (readContigTilesIntoBuffer, readSeparateTilesIntoBuffer, writeBufferToSeparateStrips, writeBufferToContigTiles, writeBufferToSeparateTiles, readSeparateStripsIntoBuffer) [ref_id=1]. No authentication or special privileges are required — the attacker only needs to deliver the crafted TIFF file to a victim or service that invokes tiffcrop on it.

The vulnerable code is in tiffcrop.c within the libtiff library (version 4.4.0). The affected functions include readContigTilesIntoBuffer, readSeparateTilesIntoBuffer, writeBufferToSeparateStrips, writeBufferToContigTiles, writeBufferToSeparateTiles, and readSeparateStripsIntoBuffer [ref_id=1]. All of these allocate internal buffers without the extra 3 bytes needed by conversion subroutines like extractContigSamples32bits [ref_id=1].

The patch introduces a constant NUM_BUFF_OVERSIZE_BYTES (value 3) and adds that many extra bytes to every buffer allocation in the affected subroutines [ref_id=1]. For example, limitMalloc(tile_buffsize) becomes limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES), and memset calls are extended to cover the larger buffer [ref_id=1]. The commit also adds an assert(NUM_BUFF_OVERSIZE_BYTES >= 3) at the start of main() to enforce the safety margin at runtime [ref_id=1]. These changes ensure that the conversion subroutines have room for the extra bytes they write without corrupting adjacent heap memory.