CVE-2023-0801

An attacker crafts a TIFF file with multiple crop regions of unequal width or length and invokes tiffcrop with the `-E` composite flag (e.g., `-E right -z 1,1,2048,2048:1,2049,2048,4097`). The `extractCompositeRegions` function at `tools/tiffcrop.c:6778` passes mismatched region dimensions to `extractContigSamplesBytes` at `tools/tiffcrop.c:2903`, which calls `_TIFFmemcpy` at `libtiff/tif_unix.c:368` with a computed buffer size that exceeds the allocated heap buffer, causing a heap-buffer-overflow write [ref_id=2]. No authentication is required; the attack is triggered by processing a malicious file.

The vulnerable code paths are in `tools/tiffcrop.c`: `extractCompositeRegions` (line 6778) calls `extractContigSamplesBytes` (line 2903), which performs the out-of-bounds `_TIFFmemcpy` in `libtiff/tif_unix.c:368` [ref_id=2]. The patch modifies `computeInputPixelOffsets` and `extractCompositeRegions` in the same file [ref_id=1].

The patch [ref_id=1] adds two validation checks. In `computeInputPixelOffsets`, it verifies that when `EDGE_LEFT` or `EDGE_RIGHT` is used, all regions have equal `zlength`, and when `EDGE_TOP` or `EDGE_BOTTOM` is used, all regions have equal `zwidth`, returning -1 on mismatch. In `extractCompositeRegions`, it adds a pre-loop that checks all region widths (for top/bottom) or lengths (for left/right) are equal before proceeding, and corrects the adjacent-region comparison from checking `i-1` to checking `i+1` to avoid off-by-one logic errors. These changes ensure composite operations only proceed when region dimensions are consistent, preventing the buffer overrun.

Build libtiff with AddressSanitizer (`-fsanitize=address`), then run: `./build_asan/bin/tiffcrop -E right -z 1,1,2048,2048:1,2049,2048,4097 -i poc /tmp/foo` using the attached `poc.zip` file [ref_id=2].