CVE-2023-0795

An attacker supplies a crafted TIFF file that triggers a segmentation violation in `extractContigSamplesShifted16bits` when processed by `tiffcrop` [ref_id=2]. The reproduction command uses `-e multiple -z` (crop zones) combined with `-R 270` (rotation) on a malformed TIFF, causing the tool to read out-of-bounds memory [ref_id=2]. No authentication or special privileges are required; the attack is delivered by convincing a user to run `tiffcrop` on the malicious file, resulting in a denial-of-service.

The out-of-bounds read occurs in `tools/tiffcrop.c` at line 3488 within the function `extractContigSamplesShifted16bits` [ref_id=2]. The call chain leading to the crash is `main` → `processCropSelections` → `extractSeparateRegion` → `extractContigSamplesShifted16bits` [ref_id=2]. The patch modifies `rotateImage()` to accept a new `rot_image_params` parameter so that image dimensions are only swapped when rotating the whole image, preventing mismatched width/length values from being passed to downstream extraction functions [ref_id=1].

The commit [ref_id=1] adds a `rot_image_params` parameter to `rotateImage()`. Previously, `rotateImage()` unconditionally swapped `image->width` and `image->length` (and the xres/yres) for 90° and 270° rotations. The patch guards those assignments behind `if (rot_image_params)`, so that when `rotateImage()` is called for a sub-region (not the whole image), the global image dimensions are left unchanged. This prevents the mismatch between the region's stored width/length and the image's width/length that caused the out-of-bounds read in `extractContigSamplesShifted16bits`.

Build libtiff with AddressSanitizer (`CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared`), then run: `./build_asan/bin/tiffcrop -e multiple -z 1,1,2048,2048:1,2049,2048,4097 -R 270 -i poc /tmp/foo` against the provided PoC file [ref_id=2]. The tool will crash with a SEGV at `tiffcrop.c:3488` in `extractContigSamplesShifted16bits` [ref_id=2].