VYPR
Unrated severity · NVD Advisory · Published Feb 13, 2023 · Updated Mar 21, 2025

CVE-2023-0802

Description

LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3724, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing validation that composite crop regions have equal widths or lengths allows an out-of-bounds write in extractContigSamplesShifted32bits."

Attack vector

An attacker supplies a crafted TIFF file with multiple crop regions of unequal dimensions when using the `-E` (edge reference) option of `tiffcrop`. The tool's composite-image mode (`COMPOSITE_IMAGES`) assumes all regions have the same width (for top/bottom edge references) or same length (for left/right edge references). When this assumption is violated, `extractContigSamplesShifted32bits` writes past the allocated buffer, causing a heap-buffer-overflow [ref_id=2]. The attack is triggered remotely by convincing a user to run `tiffcrop` with the malicious file and specific crop parameters such as `-E left -z 1,1,2048,2048:1,2049,2048,4097` [ref_id=2].

Affected code

The out-of-bounds write occurs in `extractContigSamplesShifted32bits` at `tools/tiffcrop.c:3724` [ref_id=2]. The root cause is in `extractCompositeRegions` (called from `processCropSelections`), which lacked validation that all regions being composited have equal width or length depending on the edge reference direction [ref_id=1]. The patch adds consistency checks in both `computeInputPixelOffsets` and `extractCompositeRegions` to reject mismatched region dimensions before any buffer operations occur [ref_id=1].

What the fix does

The fix adds two validation layers. In `computeInputPixelOffsets`, after computing region dimensions, the code checks that for `EDGE_LEFT`/`EDGE_RIGHT` all regions have equal length, and for `EDGE_TOP`/`EDGE_BOTTOM` all regions have equal width, returning an error if mismatched [ref_id=1]. In `extractCompositeRegions`, a new upfront loop validates that all region widths or lengths are consistent before any processing begins, and the existing per-iteration checks are corrected to compare against the next region (`i+1`) instead of the previous region (`i-1`) [ref_id=1]. These changes prevent the buffer overrun by rejecting malformed composite region definitions early.
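The consistency rule described above, written out as an added example for this page (it is not libtiff's own code): the `CropRegion` struct, the `EdgeRef` enum, the `x1,y1,x2,y2` corner order and the function names are assumptions, and the sample regions are constructed from the `-z` parameters quoted in this advisory.

```c
#include <stdio.h>
#include <stddef.h>

/* Illustration of the consistency check described above. Names, the
 * struct layout and the x1,y1,x2,y2 corner order are assumptions for
 * this example, not libtiff's own code. */
typedef enum { EDGE_TOP, EDGE_BOTTOM, EDGE_LEFT, EDGE_RIGHT } EdgeRef;

typedef struct {
    unsigned int x1, y1, x2, y2;   /* inclusive pixel corners */
} CropRegion;

static unsigned int region_width(const CropRegion *r)  { return r->x2 - r->x1 + 1; }
static unsigned int region_length(const CropRegion *r) { return r->y2 - r->y1 + 1; }

/* Returns 1 when every region agrees on the dimension the composite mode
 * treats as shared (length for left/right edges, width for top/bottom),
 * 0 otherwise. Like the fix, it compares region i with region i+1 and must
 * run before any output buffer is sized or written. */
int composite_regions_consistent(const CropRegion *regs, size_t n, EdgeRef edge)
{
    for (size_t i = 0; i < n; i++)                      /* reject inverted corners */
        if (regs[i].x2 < regs[i].x1 || regs[i].y2 < regs[i].y1)
            return 0;
    for (size_t i = 0; i + 1 < n; i++) {
        unsigned int a, b;
        if (edge == EDGE_LEFT || edge == EDGE_RIGHT) {
            a = region_length(&regs[i]); b = region_length(&regs[i + 1]);
        } else {
            a = region_width(&regs[i]);  b = region_width(&regs[i + 1]);
        }
        if (a != b) {
            fprintf(stderr, "region %zu and %zu differ (%u vs %u)\n", i + 1, i + 2, a, b);
            return 0;
        }
    }
    return 1;
}

/* Constructed regions matching the page's -z 1,1,2048,2048:1,2049,2048,4097:
 * both are 2048 wide, but the second is 2049 long. */
int check_poc_regions(EdgeRef edge)
{
    const CropRegion regs[2] = { {1, 1, 2048, 2048}, {1, 2049, 2048, 4097} };
    return composite_regions_consistent(regs, 2, edge);
}
```

With `-E left` the two regions differ in length and are rejected before any extraction runs; with `-E top` they share a width and pass.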

Preconditions

  • Victim must run tiffcrop with the -E (edge reference) option and composite crop regions (-z with multiple region definitions)
  • Attacker must supply a crafted TIFF file where crop regions have mismatched widths or lengths

Reproduction

1. Build libtiff with AddressSanitizer: `CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared && make -j && make install` [ref_id=2].
2. Run: `./build_asan/bin/tiffcrop -E left -z 1,1,2048,2048:1,2049,2048,4097 -i poc /tmp/foo` using the provided poc.zip file [ref_id=2].
3. Observe the ASAN heap-buffer-overflow report at `extractContigSamplesShifted32bits` in `tiffcrop.c:3724` [ref_id=2].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
