Unrated severity · NVD Advisory · Published Feb 13, 2023 · Updated Mar 21, 2025

CVE-2023-0797

Description

LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing guard on image parameter swapping in rotateImage() causes width/length mismatch, leading to out-of-bounds read in _TIFFmemcpy."

Attack vector

An attacker supplies a crafted TIFF file with malformed strip offsets/byte counts and invokes tiffcrop with rotation (-R 270) and extraction (-e multiple -z) options [ref_id=2]. The tool calls extractSeparateRegion (tiffcrop.c:6921) which copies pixel data via extractContigSamplesBytes (tiffcrop.c:2903), ultimately reaching _TIFFmemcpy (tif_unix.c:368) with a corrupted buffer size [ref_id=2]. The out-of-bounds read causes a SEGV, resulting in denial-of-service [ref_id=2].

Affected code

The out-of-bounds read occurs in `_TIFFmemcpy` at `libtiff/tif_unix.c:368`, reached via `extractContigSamplesBytes` at `tools/tiffcrop.c:2903` and `extractSeparateRegion` at `tools/tiffcrop.c:6921` [ref_id=2]. The root cause is in `rotateImage()` (tools/tiffcrop.c) which unconditionally swapped `image->width` and `image->length` before the patch [ref_id=1].

What the fix does

The patch [ref_id=1] adds a `rot_image_params` parameter to `rotateImage()` and only swaps `image->width`/`image->length` (and xres/yres) when this flag is TRUE. Previously, `rotateImage()` unconditionally updated `image->width` and `image->length` even when rotating a sub-region (not the whole image), causing downstream code to use mismatched dimensions. The callers in `correct_orientation`, `processCropSelections`, and `createCroppedImage` now pass TRUE or FALSE as appropriate, preventing the width/length corruption that led to the out-of-bounds read.
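To make the width/length mismatch concrete, here is an added C model of the pre-patch and post-patch `rotateImage()` behaviour described above, together with the bounds check a downstream copy would need. This is constructed example code, not libtiff's or tiffcrop's source: the `image_t` struct, the `rotate_image_old`/`rotate_image_fixed` functions and `region_copy_fits` are hypothetical simplifications (8 bits per sample, one sample per pixel). The geometry is taken from the reproduction command on this page (two regions, the second spanning rows 2049 to 4097, rotation by 270 degrees); the page does not give the image's real dimensions, so a 2048-by-4097 image is assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the image descriptor that rotateImage() updates.
 * Field names follow the page (width/length); this is not libtiff code. */
typedef struct {
    uint32_t width;   /* pixels per row */
    uint32_t length;  /* number of rows */
} image_t;

/* Pre-patch behaviour (modelled): a 90/270 degree rotation always swaps the
 * whole-image width/length, even when only a crop region was rotated. */
static void rotate_image_old(image_t *img, int degrees)
{
    if (degrees == 90 || degrees == 270) {
        uint32_t tmp = img->width;
        img->width = img->length;
        img->length = tmp;
    }
}

/* Post-patch behaviour (modelled): the rot_image_params flag added by the fix
 * gates the swap, so rotating a sub-region leaves the image parameters alone. */
static void rotate_image_fixed(image_t *img, int degrees, bool rot_image_params)
{
    if (rot_image_params && (degrees == 90 || degrees == 270)) {
        uint32_t tmp = img->width;
        img->width = img->length;
        img->length = tmp;
    }
}

/* The check a downstream memcpy needs: the copy reads nrows rows starting at
 * first_row, using img->width as the row stride (1 byte per pixel assumed).
 * Returns true only when the whole read lies inside a buffer of buf_len bytes. */
static bool region_copy_fits(const image_t *img, uint32_t first_row,
                             uint32_t nrows, size_t buf_len)
{
    uint64_t stride = img->width;
    uint64_t rows = (uint64_t)first_row + nrows;
    if (stride != 0 && rows > UINT64_MAX / stride)
        return false;                     /* multiplication would wrap */
    return rows * stride <= buf_len;
}

/* Constructed scenario: assumed 2048 x 4097 image, 1 byte per pixel. The second
 * region of the page's -z option (rows 2049..4097, read here as 1-based and
 * inclusive, which is an assumption) is 2049 rows starting at 0-based row 2048. */
#define IMG_W 2048u
#define IMG_L 4097u
#define SRC_BYTES ((size_t)IMG_W * IMG_L)
#define REGION_FIRST_ROW 2048u
#define REGION_ROWS 2049u

/* Pre-patch flow: region rotation swaps the global width/length, so the later
 * copy uses a stride of 4097 instead of 2048 and runs past the source buffer. */
static bool old_flow_copy_fits(void)
{
    image_t img = { IMG_W, IMG_L };
    rotate_image_old(&img, 270);          /* only a region was rotated */
    return region_copy_fits(&img, REGION_FIRST_ROW, REGION_ROWS, SRC_BYTES);
}

/* Patched flow: region rotation passes rot_image_params = false, the image
 * parameters stay 2048 x 4097 and the same copy ends exactly at the buffer end. */
static bool fixed_flow_copy_fits(void)
{
    image_t img = { IMG_W, IMG_L };
    rotate_image_fixed(&img, 270, false);
    return region_copy_fits(&img, REGION_FIRST_ROW, REGION_ROWS, SRC_BYTES);
}

/* Whole-image rotation must still swap; the width becomes 4097 in that case. */
static uint32_t width_after_whole_image_rotation(void)
{
    image_t img = { IMG_W, IMG_L };
    rotate_image_fixed(&img, 270, true);
    return img.width;
}

int main(void)
{
    printf("pre-patch region copy in bounds: %s\n", old_flow_copy_fits() ? "yes" : "no");
    printf("patched region copy in bounds:   %s\n", fixed_flow_copy_fits() ? "yes" : "no");
    printf("width after whole-image rotation: %u\n", width_after_whole_image_rotation());
    return 0;
}
```

The point of the model is that the total pixel count does not change when width and length are swapped, so a size check on the whole buffer would not catch the bug; what goes wrong is the row stride used by the region copy, which is why the fix restricts the swap to whole-image rotation rather than adding a buffer-size check.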

Preconditions

  • input: Attacker must provide a crafted TIFF file with invalid strip offsets/byte counts
  • config: Victim must run tiffcrop with -R 270 (rotation) and -e multiple -z (extraction) options

Reproduction

Build with AddressSanitizer (`CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared; make -j; make install`). Run: `./build_asan/bin/tiffcrop -e multiple -z 1,1,2048,2048:1,2049,2048,4097 -R 270 -i poc /tmp/foo` using the attached poc.zip [ref_id=2].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
