File tiff-CVE-2025-8851.patch of Package tiff.41422

tiff-CVE-2025-8851.patch
Patch fix for CVE-2025-8851 (bsc#1248278) backported from upstream change 8a7a48d7a645992ca83062b3a1873c951661e2b3.

Fixes stack-based buffer overflow vulnerability in tools/tiffcrop.c function readSeparateStripsIntoBuffer() by implementing additional error handling.

---
 tools/tiffcrop.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -4945,7 +4945,14 @@ static int readSeparateStripsIntoBuffer
       buff = srcbuffs[s];
       strip = (s * strips_per_sample) + j; 
       bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize);
-      rows_this_strip = (uint32)(bytes_read / src_rowsize);
+            if (bytes_read < 0)
+            {
+                rows_this_strip = 0;
+            }
+            else
+            {
+                rows_this_strip = (uint32_t)(bytes_read / src_rowsize);
+            }
       if (bytes_read < 0 && !ignore)
         {
         TIFFError(TIFFFileName(in),
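Review bot: The added line `rows_this_strip = (uint32_t)(bytes_read / src_rowsize);` casts to `uint32_t`, while the line it replaces and the untouched code in the later hunks use this tree's `uint32` typedef; for a backport it would be more consistent to keep `(uint32)`. The new block is also indented differently from its neighbours. The division still depends on `src_rowsize` being non-zero, which this hunk does not show, so it is worth confirming that it is validated earlier in readSeparateStripsIntoBuffer(). A short comment such as `/* a negative return means the strip read failed; never turn it into an unsigned row count */` would record why the branch exists. The enclosing loop starts and ends outside the hunk.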
@@ -5347,14 +5354,14 @@ computeInputPixelOffsets(struct crop_mas
       rmargin = _TIFFClampDoubleToUInt32(crop->margins[3] * scale * xres);
       }
 
-    if ((lmargin + rmargin) > image->width)
+    if (lmargin == 0xFFFFFFFFU || rmargin == 0xFFFFFFFFU || (lmargin + rmargin) > image->width)
       {
       TIFFError("computeInputPixelOffsets", "Combined left and right margins exceed image width");
       lmargin = (uint32) 0;
       rmargin = (uint32) 0;
       return (-1);
       }
-    if ((tmargin + bmargin) > image->length)
+    if (tmargin == 0xFFFFFFFFU || bmargin == 0xFFFFFFFFU || (tmargin + bmargin) > image->length)
       {
       TIFFError("computeInputPixelOffsets", "Combined top and bottom margins exceed image length"); 
       tmargin = (uint32) 0; 
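Review bot: The sum `(lmargin + rmargin)` in the new condition can still wrap when both margins are large but below the 0xFFFFFFFF sentinel, assuming they are 32-bit unsigned as the `(uint32) 0` assignments suggest, so a wrapped total would pass the width check. The same applies to `(tmargin + bmargin)` in the second condition. Keeping the sentinel comparisons and replacing only the addition avoids this: use `lmargin > image->width || rmargin > image->width - lmargin` in place of `(lmargin + rmargin) > image->width`, and `tmargin > image->length || bmargin > image->length - tmargin` for the length check. The second `if` block continues past the end of the hunk.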
@@ -5835,14 +5842,14 @@ computeOutputPixelOffsets (struct crop_m
       vmargin = _TIFFClampDoubleToUInt32(page->vmargin * scale * ((image->bps + 7) / 8));
       }
 
-    if ((hmargin * 2.0) > (pwidth * page->hres))
+    if (hmargin == 0xFFFFFFFFU || (hmargin * 2.0) > (pwidth * page->hres))
       {
       TIFFError("computeOutputPixelOffsets", 
                 "Combined left and right margins exceed page width");
       hmargin = (uint32) 0;
       return (-1);
       }
-    if ((vmargin * 2.0) > (plength * page->vres))
+    if (vmargin == 0xFFFFFFFFU || (vmargin * 2.0) > (plength * page->vres))
       {
       TIFFError("computeOutputPixelOffsets", 
                 "Combined top and bottom margins exceed page length"); 
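Review bot: The literal `0xFFFFFFFFU` in the two new conditions is unexplained, both here and in the four comparisons of the computeInputPixelOffsets hunk. It appears to be the value `_TIFFClampDoubleToUInt32` returns when its argument does not fit, but a reader cannot tell that from these lines. A comment above the first check, for example `/* 0xFFFFFFFF: clamp helper saturated, margin is out of range */`, or a named constant would make the intent clear. The error text still says the combined margins exceed the page size, which is misleading when a single margin saturated. Both `if` bodies extend beyond the hunk.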