From f7c06c395daf1b2c52ab431e00db2d9fc2ac993e Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Tue, 10 May 2022 20:03:17 +0000
Subject: [PATCH] tiffcrop: Fix issue #330 and some more from 320 to 349

Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u7.debian.tar.xz ]
CVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>

Origin: https://gitlab.com/libtiff/libtiff/-/commit/e319508023580e2f70e6e626f745b5b2a1707313
Origin: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf
Origin: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba
Origin: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2023-01-17

---
 tools/tiffcrop.c | 50 ++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 42 insertions(+), 8 deletions(-)

diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index c923920..a0789a3 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -103,7 +103,12 @@
  *                selects which functions dump data, with higher numbers selecting
  *                lower level, scanline level routines. Debug reports a limited set
  *                of messages to monitor progess without enabling dump logs.
- */
+ *
+ * Note 1:  The (-X|-Y), -Z, -z and -S options are mutually exclusive.
+ *          In no case should the options be applied to a given selection successively.
+ * Note 2:  Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
+ *          such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
+  */
 
 static   char tiffcrop_version_id[] = "2.4.1";
 static   char tiffcrop_rev_date[] = "03-03-2010";
@@ -176,12 +181,12 @@ extern int getopt(int argc, char * const argv[], const char *optstring);
 #define ROTATECW_270 32
 #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270)
 
-#define CROP_NONE     0
-#define CROP_MARGINS  1
-#define CROP_WIDTH    2
-#define CROP_LENGTH   4
-#define CROP_ZONES    8
-#define CROP_REGIONS 16
+#define CROP_NONE     0     /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */
+#define CROP_MARGINS  1     /* "-m" */
+#define CROP_WIDTH    2     /* "-X" */
+#define CROP_LENGTH   4     /* "-Y" */
+#define CROP_ZONES    8     /* "-Z" */
+#define CROP_REGIONS 16     /* "-z" */
 #define CROP_ROTATE  32
 #define CROP_MIRROR  64
 #define CROP_INVERT 128
@@ -323,7 +328,7 @@ struct crop_mask {
 #define PAGE_MODE_RESOLUTION   1
 #define PAGE_MODE_PAPERSIZE    2
 #define PAGE_MODE_MARGINS      4
-#define PAGE_MODE_ROWSCOLS     8
+#define PAGE_MODE_ROWSCOLS     8    /* for -S option */
 
 #define INVERT_DATA_ONLY      10
 #define INVERT_DATA_AND_TAG   11
@@ -754,6 +759,12 @@ static   char* usage_info[] = {
 "             The four debug/dump options are independent, though it makes little sense to",
 "             specify a dump file without specifying a detail level.",
 " ",
+"Note 1:      The (-X|-Y), -Z, -z and -S options are mutually exclusive.",
+"             In no case should the options be applied to a given selection successively.",
+" ",
+"Note 2:      Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options",
+"             such as - H, -V, -P, -J or -K are not supported and may cause buffer overflows.",
+" ",
 NULL
 };
 
@@ -2112,6 +2123,27 @@ void  process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
 		/*NOTREACHED*/
       }
     }
+    /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/
+    char XY, Z, R, S;
+    XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0;
+    Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0;
+    R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0;
+    S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0;
+    if (XY + Z + R + S > 1) {
+        TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit");
+        exit(EXIT_FAILURE);
+    }
+
+    /* Check for not allowed combination:
+     * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options
+     * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows.
+.    */
+    if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) {
+        TIFFError("tiffcrop input error",
+            "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit");
+        exit(EXIT_FAILURE);
+    }
+
   }  /* end process_command_opts */
 
 /* Start a new output file if one has not been previously opened or
@@ -2384,6 +2416,7 @@ main(int argc, char* argv[])
         exit (-1);
 	}
 
+      /* Crop input image and copy zones and regions from input image into seg_buffs or crop_buff. */
       if (crop.selections > 0)
         {
         if (processCropSelections(&image, &crop, &read_buff, seg_buffs))
@@ -2400,6 +2433,7 @@ main(int argc, char* argv[])
           exit (-1);
 	  }
 	}
+      /* Format and write selected image parts to output file(s). */
       if (page.mode == PAGE_MODE_NONE)
         {  /* Whole image or sections not based on output page size */
         if (crop.selections > 0)