https://github.com/libsdl-org/libtiff/commit/aac006e5796437f1729b1284fbfa506b2b730aff
From aac006e5796437f1729b1284fbfa506b2b730aff Mon Sep 17 00:00:00 2001
From: Su Laus <[EMAIL REDACTED]>
Date: Sat, 19 Feb 2022 16:08:15 +0000
Subject: [PATCH] tiffcrop: buffsize check formula in loadImage() amended
(fixes #273,#275)
---
tools/tiffcrop.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index e4a08ca9..f2e5474a 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6153,9 +6153,15 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
TIFFError("loadImage", "Integer overflow detected.");
exit(EXIT_FAILURE);
}
- if (buffsize < (uint32_t) (((length * width * spp * bps) + 7) / 8))
+ /* The buffsize_check and the possible adaptation of buffsize
+ * has to account also for padding of each line to a byte boundary.
+ * This is assumed by mirrorImage() and rotateImage().
+ * Otherwise buffer-overflow might occur there.
+ */
+ buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8);
+ if (buffsize < buffsize_check)
{
- buffsize = ((length * width * spp * bps) + 7) / 8;
+ buffsize = buffsize_check;
#ifdef DEBUG2
TIFFError("loadImage",
"Stripsize %"PRIu32" is too small, using imagelength * width * spp * bps / 8 = %"PRIu32,