From aac006e5796437f1729b1284fbfa506b2b730aff Mon Sep 17 00:00:00 2001
From: Su Laus
Date: Sat, 19 Feb 2022 16:08:15 +0000
Subject: [PATCH] tiffcrop: buffsize check formula in loadImage() amended (fixes #273,#275)
---
 tools/tiffcrop.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index e4a08ca9..f2e5474a 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -6153,9 +6153,15 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
 TIFFError("loadImage", "Integer overflow detected.");
 exit(EXIT_FAILURE);
 }
- if (buffsize < (uint32_t) (((length * width * spp * bps) + 7) / 8))
+ /* The buffsize_check and the possible adaptation of buffsize
+ * has to account also for padding of each line to a byte boundary.
+ * This is assumed by mirrorImage() and rotateImage().
+ * Otherwise buffer-overflow might occur there.
+ */
+ buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8);
+ if (buffsize < buffsize_check)
 {
- buffsize = ((length * width * spp * bps) + 7) / 8;
+ buffsize = buffsize_check;
 #ifdef DEBUG2
 TIFFError("loadImage", "Stripsize %"PRIu32" is too small, using imagelength * width * spp * bps / 8 = %"PRIu32,
-- GitLab
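Review bot: The added `buffsize_check = length * (uint32_t)(((width * spp * bps) + 7) / 8);` is a 32-bit multiplication with no overflow guard of its own; it appears to rely on the "Integer overflow detected." test just above, whose expression lies outside this hunk. If that test bounds `length * width * spp * bps`, the row-padded product cannot exceed it, but the dependence is not stated, so a later edit to either line could bring back an undersized buffer for mirrorImage() and rotateImage(). I would record the invariant next to the assignment, e.g. `/* cannot wrap: length * width * spp * bps was range-checked above */`, or compute the product in `uint64_t` and compare it against `UINT32_MAX`. The DEBUG2 message in the trailing context still reads `imagelength * width * spp * bps / 8`, which no longer describes the value being used. loadImage()'s body starts and ends outside the hunk.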