From 0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5 Mon Sep 17 00:00:00 2001 From: Lee Howard Date: Fri, 5 Sep 2025 21:42:35 +0000 Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue #721 CVE: CVE-2025-8961 Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5] Signed-off-by: Peter Marko --- tools/tiffcrop.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c index ae414efc..be250cc9 100644 --- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c @@ -1072,6 +1072,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, "Unable to extract row %" PRIu32 " from tile %" PRIu32, row, TIFFCurrentTile(in)); + _TIFFfree(tilebuf); return 1; } break; @@ -1086,6 +1087,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, "Unable to extract row %" PRIu32 " from tile %" PRIu32, row, TIFFCurrentTile(in)); + _TIFFfree(tilebuf); return 1; } break; @@ -1098,6 +1100,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, "Unable to extract row %" PRIu32 " from tile %" PRIu32, row, TIFFCurrentTile(in)); + _TIFFfree(tilebuf); return 1; } break; @@ -1110,6 +1113,7 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, "Unable to extract row %" PRIu32 " from tile %" PRIu32, row, TIFFCurrentTile(in)); + _TIFFfree(tilebuf); return 1; } break; @@ -1124,12 +1128,14 @@ static int readContigTilesIntoBuffer(TIFF *in, uint8_t *buf, "Unable to extract row %" PRIu32 " from tile %" PRIu32, row, TIFFCurrentTile(in)); + _TIFFfree(tilebuf); return 1; } break; default: TIFFError("readContigTilesIntoBuffer", "Unsupported bit depth %" PRIu16, bps); + _TIFFfree(tilebuf); return 1; } } @@ -2901,7 +2907,7 @@ int main(int argc, char *argv[]) } /* If we did not use the read buffer as the crop buffer */ - if (read_buff) + if (read_buff && read_buff != crop_buff) _TIFFfree(read_buff); if (crop_buff)