Index: tiff-4.5.0/tools/tiffcrop.c
===================================================================
Upstream commit:
https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00
From 82a7fbb1fa7228499ffeb3a57a1d106a9626d57c Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Sun, 5 Feb 2023 15:53:15 +0000
Subject: [PATCH] tiffcrop: added check for assumption on composite images
 (fixes #496)

tiffcrop: For composite images with more than one region, the combined_length or combined_width always needs to be equal, respectively. Otherwise, even the first section/region copy action might cause buffer overrun. This is now checked before the first copy action.

Closes #496, #497, #498, #500, #501.
---
 tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 66 insertions(+), 2 deletions(-)

diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 84e26ac6..480b927c 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -5935,18 +5935,40 @@ static int computeInputPixelOffsets(struct crop_mask *crop,
 
             crop->regionlist[i].buffsize = buffsize;
             crop->bufftotal += buffsize;
+
+            /* For composite images with more than one region, the
+             * combined_length or combined_width always needs to be equal,
+             * respectively.
+             * Otherwise, even the first section/region copy
+             * action might cause buffer overrun. */
             if (crop->img_mode == COMPOSITE_IMAGES)
             {
                 switch (crop->edge_ref)
                 {
                     case EDGE_LEFT:
                     case EDGE_RIGHT:
+                        if (i > 0 && zlength != crop->combined_length)
+                        {
+                            TIFFError(
+                                "computeInputPixelOffsets",
+                                "Only equal length regions can be combined for "
+                                "-E left or right");
+                            return (-1);
+                        }
                         crop->combined_length = zlength;
                         crop->combined_width += zwidth;
                         break;
                     case EDGE_BOTTOM:
                     case EDGE_TOP: /* width from left, length from top */
                     default:
+                        if (i > 0 && zwidth != crop->combined_width)
+                        {
+                            TIFFError("computeInputPixelOffsets",
+                                      "Only equal width regions can be "
+                                      "combined for -E "
+                                      "top or bottom");
+                            return (-1);
+                        }
                         crop->combined_width = zwidth;
                         crop->combined_length += zlength;
                         break;
@@ -7301,6 +7323,46 @@ static int extractCompositeRegions(struct image_data *image,
     crop->combined_width = 0;
     crop->combined_length = 0;
 
+    /* If there is more than one region, check beforehand whether all the width
+     * and length values of the regions are the same, respectively. */
+    switch (crop->edge_ref)
+    {
+        default:
+        case EDGE_TOP:
+        case EDGE_BOTTOM:
+            for (i = 1; i < crop->selections; i++)
+            {
+                uint32_t crop_width0 =
+                    crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1;
+                uint32_t crop_width1 =
+                    crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1;
+                if (crop_width0 != crop_width1)
+                {
+                    TIFFError("extractCompositeRegions",
+                              "Only equal width regions can be combined for -E "
+                              "top or bottom");
+                    return (1);
+                }
+            }
+            break;
+        case EDGE_LEFT:
+        case EDGE_RIGHT:
+            for (i = 1; i < crop->selections; i++)
+            {
+                uint32_t crop_length0 =
+                    crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1;
+                uint32_t crop_length1 =
+                    crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1;
+                if (crop_length0 != crop_length1)
+                {
+                    TIFFError("extractCompositeRegions",
+                              "Only equal length regions can be combined for "
+                              "-E left or right");
+                    return (1);
+                }
+            }
+    }
+
     for (i = 0; i < crop->selections; i++)
     {
         /* rows, columns, width, length are expressed in pixels */
@@ -7325,7 +7387,8 @@ static int extractCompositeRegions(struct image_data *image,
             default:
             case EDGE_TOP:
             case EDGE_BOTTOM:
-                if ((i > 0) && (crop_width != crop->regionlist[i - 1].width))
+                if ((crop->selections > i + 1) &&
+                    (crop_width != crop->regionlist[i + 1].width))
                 {
                     TIFFError("extractCompositeRegions",
                               "Only equal width regions can be combined for -E "
@@ -7418,7 +7481,8 @@ static int extractCompositeRegions(struct image_data *image,
             case EDGE_LEFT: /* splice the pieces of each row together, side by
                                side */
             case EDGE_RIGHT:
-                if ((i > 0) && (crop_length != crop->regionlist[i - 1].length))
+                if ((crop->selections > i + 1) &&
+                    (crop_length != crop->regionlist[i + 1].length))
                 {
                     TIFFError("extractCompositeRegions",
                               "Only equal length regions can be combined for "
-- 
GitLab