CVE-2022-3627

An attacker supplies a crafted TIFF file and invokes `tiffcrop` with a combination of mutually exclusive options — specifically, any of `-X`, `-Y`, `-Z`, or `-z` together with other `PAGE_MODE_x` options such as `-H`, `-V`, `-P`, `-J`, or `-K` [ref_id=2]. The reproducer uses `tiffcrop -Z 1:4,3:3 -R 90 -H 300 -i poc2 /tmp/foo` [ref_id=1]. The tool reads the malformed image, allocates a buffer based on incorrect size calculations, and then `_TIFFmemcpy` writes beyond the allocated heap region, causing a heap-buffer-overflow [ref_id=1]. No authentication or special network access is required; the attacker only needs to deliver the crafted file to a victim who runs `tiffcrop` on it.

The out-of-bounds write occurs in `_TIFFmemcpy` at `libtiff/tif_unix.c:346`, called from `extractImageSection` at `tools/tiffcrop.c:6860` [ref_id=1]. The allocation is performed by `limitMalloc` at `tools/tiffcrop.c:627` during `loadImage` at `tools/tiffcrop.c:6220` [ref_id=1]. The patch adds a validation check in `process_command_opts` at `tools/tiffcrop.c:2143` to reject unsafe option combinations before they reach the image-processing code [ref_id=2].

The commit [ref_id=2] adds a new validation block in `process_command_opts` that checks whether any of the crop options (`-X`, `-Y`, `-Z`, `-z`) are active together with other `PAGE_MODE_x` options (such as `-H`, `-V`, `-P`, `-J`, `-K`). If such a combination is detected, the program prints an error and exits immediately with `EXIT_FAILURE`. The patch also updates all documentation strings (the file header comment, the `usage_info` string, and the `tiffcrop` man page) with a new "Note 2" explicitly warning that these option combinations are unsupported and may cause buffer overflows [ref_id=2]. By rejecting the dangerous option combination at the argument-parsing stage, the fix prevents the corrupted state that led to the heap-buffer-overflow in `extractImageSection`.

1. Build libtiff with AddressSanitizer: `CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared && make -j && make install` [ref_id=1]. 2. Obtain the PoC file `poc2` from the issue attachment [ref_id=1]. 3. Run: `./build_asan/bin/tiffcrop -Z 1:4,3:3 -R 90 -H 300 -i poc2 /tmp/foo` [ref_id=1]. 4. Observe the AddressSanitizer heap-buffer-overflow report at `_TIFFmemcpy` in `tif_unix.c:346` [ref_id=1].