VYPR
Unrated severity · NVD Advisory · Published Feb 13, 2023 · Updated Mar 21, 2025

CVE-2023-0800

Description

LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

20

Patches

Vulnerability mechanics

Root cause

"Missing validation that composite regions have equal dimensions before copying pixel data, leading to an out-of-bounds write in extractContigSamplesShifted16bits."

Attack vector

An attacker crafts a TIFF file with multiple crop regions of unequal width or length and invokes tiffcrop with the `-E` (edge) composite option, e.g. `-E right -z 1,1,2048,2048:1,2049,2048,4097` [ref_id=2]. The tool computes buffer sizes based on the first region's dimensions but then writes pixel data from a larger region, causing a heap-buffer-overflow at `tools/tiffcrop.c:3502` in `extractContigSamplesShifted16bits` [ref_id=2]. No authentication is required; the attack is delivered via a local crafted TIFF file.

Affected code

The out-of-bounds write occurs in `extractContigSamplesShifted16bits` at `tools/tiffcrop.c:3502` [ref_id=2]. The root cause is in `extractCompositeRegions` (around line 6801) and `computeInputPixelOffsets` (around line 5935), which lacked validation that composite regions have equal dimensions [ref_id=1].

What the fix does

The patch [ref_id=1] adds validation checks in `computeInputPixelOffsets` and `extractCompositeRegions` to ensure that when `crop->img_mode == COMPOSITE_IMAGES`, all regions have equal length (for EDGE_LEFT/EDGE_RIGHT) or equal width (for EDGE_TOP/EDGE_BOTTOM) before proceeding. If the dimensions mismatch, the functions return an error instead of allowing the out-of-bounds copy. The fix also corrects a comparison in the existing check at lines 7387 and 7481 to compare against the next region rather than the previous one.
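The equal-dimension rule described above, written out as a stand-alone check. This is an added example, not libtiff's patch or code; the type and function names are hypothetical, and the `-z` syntax is assumed to use pixel units with 1-based inclusive corners.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Illustrative names only; libtiff's own structures differ. */
enum edge { EDGE_TOP, EDGE_LEFT, EDGE_BOTTOM, EDGE_RIGHT };
struct region { uint32_t x1, y1, x2, y2; };  /* assumed 1-based inclusive corners */
#define MAX_REGIONS 8

/* Parse "x1,y1,x2,y2:x1,y1,x2,y2:..." into regs; return region count or -1. */
int parse_regions(const char *s, struct region *regs)
{
    int n = 0;
    for (;;) {
        uint32_t v[4];
        for (int i = 0; i < 4; i++) {
            char *end;
            if (*s < '0' || *s > '9') return -1;       /* no sign, no blanks */
            errno = 0;
            unsigned long t = strtoul(s, &end, 10);
            if (errno || t == 0 || t > UINT32_MAX) return -1;
            if (i < 3 && *end != ',') return -1;
            v[i] = (uint32_t)t;
            s = (i < 3) ? end + 1 : end;
        }
        /* Reject inverted corners and more regions than the array holds. */
        if (v[2] < v[0] || v[3] < v[1] || n == MAX_REGIONS) return -1;
        regs[n++] = (struct region){ v[0], v[1], v[2], v[3] };
        if (*s == '\0') return n;
        if (*s++ != ':') return -1;
    }
}

/* Return 0 if every region matches the first in the dimension the edge
 * mode shares: length for left/right, width for top/bottom. Else -1. */
int check_composite(const struct region *r, int n, enum edge e)
{
    int side_by_side = (e == EDGE_LEFT || e == EDGE_RIGHT);
    for (int i = 1; i < n; i++) {
        uint32_t w0 = r[0].x2 - r[0].x1 + 1, l0 = r[0].y2 - r[0].y1 + 1;
        uint32_t w  = r[i].x2 - r[i].x1 + 1, l  = r[i].y2 - r[i].y1 + 1;
        if (side_by_side ? (l != l0) : (w != w0)) return -1;
    }
    return n > 0 ? 0 : -1;
}

/* Parse a region spec and validate it for the given edge mode. */
int validate_spec(const char *spec, enum edge e)
{
    struct region regs[MAX_REGIONS];
    int n = parse_regions(spec, regs);
    return n < 0 ? -1 : check_composite(regs, n, e);
}
```

With the region list quoted in this advisory, the two regions are 2048 and 2049 rows long, so the check rejects them for a left/right composite while accepting them for top/bottom, where only the widths must match.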

Preconditions

  • input: Attacker must provide a crafted TIFF file with crop regions of unequal dimensions
  • config: tiffcrop must be invoked with composite edge option (-E left/right/top/bottom) and multiple -z regions

Reproduction

Build libtiff with AddressSanitizer: `CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared && make -j && make install`. Then run: `./build_asan/bin/tiffcrop -E right -z 1,1,2048,2048:1,2049,2048,4097 poc /tmp/foo` using the provided poc.zip [ref_id=2].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7
