Unrated severity · NVD Advisory · Published Jun 21, 2023 · Updated Dec 6, 2024

CVE-2023-25435

Description

libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

6

Patches

Vulnerability mechanics

Root cause

"Missing bounds check in `extractContigSamplesShifted8bits()` allows reading beyond the allocated heap buffer when processing crafted TIFF data."

Attack vector

An attacker provides a crafted TIFF file (the PoC) and invokes `tiffcrop` with specific command-line options: `-E l -Z 12:50,12:99 -e divided -R 270` [ref_id=1]. The tool processes the malformed image, and during `extractContigSamplesShifted8bits()` it reads beyond the allocated heap buffer, causing a SIGSEGV [ref_id=1]. No authentication or special network access is required — the attacker only needs to deliver the malicious file to a victim who runs `tiffcrop` on it.

Affected code

The vulnerability resides in the function `extractContigSamplesShifted8bits()` at `/libtiff/tools/tiffcrop.c:3753` [ref_id=1]. The call chain is `main` → `processCropSelections` → `extractSeparateRegion` → `extractContigSamplesShifted8bits` [ref_id=1]. The ASAN report confirms a heap-buffer-overflow read of size 1 at that location [ref_id=1].
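The defect class described above, as an added example that is not libtiff's code and not an upstream fix: a simplified packed-sample extractor that validates the requested column range against the source buffer before reading. The function name, the `in_size`/`out_size` parameters and the one-byte-per-sample output are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not libtiff code: unpack samples of bps <= 8 bits for
 * columns [start, end) of one contiguous row into one byte per sample.
 * The in_size/out_size parameters are assumptions added for this example. */
int64_t extract_samples_checked(const uint8_t *in, size_t in_size,
                                uint8_t *out, size_t out_size,
                                uint16_t spp, uint16_t bps,
                                uint32_t start, uint32_t end)
{
    if (!in || !out || spp == 0 || bps == 0 || bps > 8 || start > end)
        return -1;

    /* Bits needed to reach the last requested column; 64-bit math so
     * file-controlled dimensions cannot wrap the product. */
    uint64_t total_bits = (uint64_t)end * spp * bps;
    if ((total_bits + 7) / 8 > in_size)
        return -1; /* region extends past the source buffer */
    if ((uint64_t)(end - start) * spp > out_size)
        return -1; /* destination too small */

    size_t n = 0;
    for (uint32_t col = start; col < end; col++) {
        for (uint16_t s = 0; s < spp; s++) {
            uint64_t bit_off = ((uint64_t)col * spp + s) * bps;
            size_t byte = (size_t)(bit_off / 8);
            unsigned bit = (unsigned)(bit_off % 8);
            /* A sample may straddle two bytes; touch the second only then. */
            uint16_t window = (uint16_t)(in[byte] << 8);
            if (bit + bps > 8)
                window |= in[byte + 1];
            out[n++] = (uint8_t)((window >> (16 - bit - bps)) & ((1u << bps) - 1));
        }
    }
    return (int64_t)n;
}

int main(void)
{
    const uint8_t row[2] = {0xAB, 0xCD}; /* constructed: four 4-bit samples */
    uint8_t out[8];
    printf("in range:  %lld\n", (long long)extract_samples_checked(row, 2, out, 8, 1, 4, 0, 4));
    printf("past end:  %lld\n", (long long)extract_samples_checked(row, 2, out, 8, 1, 4, 0, 5));
    return 0;
}
```
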

What the fix does

The issue report does not include a patch or a fix commit [ref_id=1]. The advisory only documents the heap-buffer-overflow crash and provides a PoC to reproduce it [ref_id=1]. Without a published fix, the remediation guidance is limited to avoiding use of `tiffcrop` on untrusted images or waiting for an upstream patch from the libtiff project.

Preconditions

  • Input: the victim must run `tiffcrop` with the crafted TIFF file as input and the options `-E l -Z 12:50,12:99 -e divided -R 270`
  • Input: the crafted TIFF file must trigger the heap-buffer-overflow in `extractContigSamplesShifted8bits`

Reproduction

1. Clone the libtiff repository and build version 4.5.0 (commit a63e18ca) with AddressSanitizer enabled [ref_id=1].
2. Obtain the PoC file from the issue attachment [ref_id=1].
3. Run: `./tools/tiffcrop -E l -Z 12:50,12:99 -e divided -R 270 poc /dev/null` [ref_id=1].
4. Observe the SIGSEGV and the ASAN report confirming a heap-buffer-overflow at `extractContigSamplesShifted8bits` line 3753 [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
