From cf89677ea62da8136a5bd5f3f691107bb38cc546 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka <mhlavink@redhat.com>
Date: Wed, 22 Apr 2026 13:47:37 +0200
Subject: [PATCH] fix CVE-2026-4775: signed integer overflow in
 putcontig8bitYCbCr44tile (RHEL-159315)

Resolves: RHEL-159315
---
 compat-libtiff3.spec        |  9 ++++++++-
 libtiff-CVE-2026-4775.patch | 39 +++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 libtiff-CVE-2026-4775.patch

diff --git a/compat-libtiff3.spec b/compat-libtiff3.spec
index cef6b6a..206dcfb 100644
--- a/compat-libtiff3.spec
+++ b/compat-libtiff3.spec
@@ -1,7 +1,7 @@
 Summary: Compatibility package for libtiff 3
 Name: compat-libtiff3
 Version: 3.9.4
-Release: 14%{?dist}
+Release: 15%{?dist}
 
 License: libtiff
 Group: System Environment/Libraries
@@ -41,6 +41,9 @@ Patch34: libtiff-coverity.patch
 # from upstream, for <= 4.7.0, RHEL-112528
 # https://gitlab.com/libtiff/libtiff/-/merge_requests/732.patch
 Patch35: libtiff-3.9.4-CVE-2025-9900.patch
+# from upstream, for <= 4.7.1, RHEL-159315
+# https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c
+Patch36: libtiff-CVE-2026-4775.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel libjpeg-devel
@@ -88,6 +91,7 @@ to use the current version of libtiff.
 %patch -P 33 -p1
 %patch -P 34 -p1
 %patch -P 35 -p1 -b .CVE-2025-9900
+%patch -P 36 -p1 -b .CVE-2026-4775
 
 # Use build system's libtool.m4, not the one in the package.
 rm -f libtool.m4
@@ -132,6 +136,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libtiffxx.so.*
 
 %changelog
+* Wed Apr 22 2026 Michal Hlavinka <mhlavink@redhat.com> - 3.9.4-15
+- fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159315)
+
 * Thu Sep 25 2025 Michal Hlavinka <mhlavink@redhat.com> - 3.9.4-14
 - fix CVE-2025-9900: Write-What-Where via TIFFReadRGBAImageOriented (RHEL-112528)
 
diff --git a/libtiff-CVE-2026-4775.patch b/libtiff-CVE-2026-4775.patch
new file mode 100644
index 0000000..0350ef8
--- /dev/null
+++ b/libtiff-CVE-2026-4775.patch
@@ -0,0 +1,39 @@
+diff -up tiff-3.9.4/libtiff/tif_getimage.c.CVE-2026-4775 tiff-3.9.4/libtiff/tif_getimage.c
+--- tiff-3.9.4/libtiff/tif_getimage.c.CVE-2026-4775	2026-04-22 13:16:40.507960671 +0200
++++ tiff-3.9.4/libtiff/tif_getimage.c	2026-04-22 13:19:48.732219288 +0200
+@@ -1656,7 +1656,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+     uint32* cp1 = cp+w+toskew;
+     uint32* cp2 = cp1+w+toskew;
+     uint32* cp3 = cp2+w+toskew;
+-    int32 incr = 3*w+4*toskew;
++    const int64 incr = 3 * (int64)w + 4 * (int64)toskew;
+ 
+     (void) y;
+     /* adjust fromskew */
+@@ -1751,7 +1751,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+ {
+     uint32* cp1 = cp+w+toskew;
+-    int32 incr = 2*toskew+w;
++    const int64 incr = 2 * (int64)toskew + w;
+ 
+     (void) y;
+     fromskew = (fromskew * 10) / 4;
+@@ -1873,7 +1873,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ 	uint32* cp2;
+-	int32 incr = 2*toskew+w;
++	const int64 incr = 2 * (int64)toskew + w;
+ 	(void) y;
+ 	fromskew = (fromskew / 2) * 6;
+ 	cp2 = cp+w+toskew;
+@@ -1967,7 +1967,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr2
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ 	uint32* cp2;
+-	int32 incr = 2*toskew+w;
++	const int64 incr = 2 * (int64)toskew + w;
+ 	(void) y;
+ 	fromskew = (fromskew / 2) * 4;
+ 	cp2 = cp+w+toskew;