From 69a151f61d394c665877b61229fb86cfc9431c87 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka
Date: Mon, 20 Apr 2026 15:13:46 +0200
Subject: [PATCH] fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159316)

Resolves: RHEL-159316
---
 libtiff-4.4.0-CVE-2026-4775.patch | 39 +++++++++++++++++++++++++++++++
 libtiff.spec | 9 ++++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 libtiff-4.4.0-CVE-2026-4775.patch
diff --git a/libtiff-4.4.0-CVE-2026-4775.patch b/libtiff-4.4.0-CVE-2026-4775.patch
new file mode 100644
index 0000000..1ae658f
--- /dev/null
+++ b/libtiff-4.4.0-CVE-2026-4775.patch
@@ -0,0 +1,39 @@
+diff -up tiff-4.0.9/libtiff/tif_getimage.c.CVE-2026-4775 tiff-4.0.9/libtiff/tif_getimage.c
+--- tiff-4.0.9/libtiff/tif_getimage.c.CVE-2026-4775 2026-04-20 14:46:44.329742232 +0200
++++ tiff-4.0.9/libtiff/tif_getimage.c 2026-04-20 14:46:44.337742095 +0200
+@@ -1900,7 +1900,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ uint32* cp1 = cp+w+toskew;
+ uint32* cp2 = cp1+w+toskew;
+ uint32* cp3 = cp2+w+toskew;
+- int32 incr = 3*w+4*toskew;
++ const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew;
+
+ (void) y;
+ /* adjust fromskew */
+@@ -2004,7 +2004,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+ {
+ uint32* cp1 = cp+w+toskew;
+- int32 incr = 2*toskew+w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+
+ (void) y;
+ fromskew = (fromskew / 4) * (4*2+2);
+@@ -2130,7 +2130,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ uint32* cp2;
+- int32 incr = 2*toskew+w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ (void) y;
+ fromskew = (fromskew / 2) * (2*2+2);
+ cp2 = cp+w+toskew;
+@@ -2225,7 +2225,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr2
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ uint32* cp2;
+- int32 incr = 2*toskew+w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ (void) y;
+ fromskew = (fromskew / 1) * (1 * 2 + 2);
+ cp2 = cp+w+toskew;
diff --git a/libtiff.spec b/libtiff.spec
index affd234..6ba04e6 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,7 +1,7 @@
 Summary: Library of functions for manipulating TIFF format image files
 Name: libtiff
 Version: 4.0.9
-Release: 36%{?dist}
+Release: 37%{?dist}
 License: libtiff
 Group: System Environment/Libraries
 URL: http://www.simplesystems.org/libtiff/
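Review bot: In the embedded tif_getimage.c patch, the four `const tmsize_t incr = ...` lines only remove the signed overflow on builds where `tmsize_t` is wider than 32 bits. libtiff defines `tmsize_t` as a signed, size_t-sized type, so if this package is also built for a 32-bit architecture, `3 * (tmsize_t)w + 4 * (tmsize_t)toskew` is presumably still 32-bit signed arithmetic. I would record that in the patch header or beside the declaration, e.g. `/* tmsize_t avoids int32 overflow of 3*w + 4*toskew where it is 64-bit; TODO confirm callers bound w and toskew on 32-bit builds */`. The same applies to the `2 * (tmsize_t)toskew + w` lines in putcontig8bitYCbCr42tile, putcontig8bitYCbCr22tile and putcontig8bitYCbCr12tile. All four function bodies continue outside the embedded hunks, so the uses of `incr` and the declarations of `w`, `toskew` and `fromskew` are not visible here.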
@@ -71,6 +71,10 @@ Patch46: RHEL-112533.patch # CVE-2025-8176 Patch47: RHEL-120230.patch +# from upstream, for <= 4.7.1, RHEL-159316 +# https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c +Patch48: libtiff-4.4.0-CVE-2026-4775.patch + BuildRequires: gcc, gcc-c++ BuildRequires: zlib-devel libjpeg-devel jbigkit-devel BuildRequires: libtool automake autoconf pkgconfig @@ -223,6 +227,9 @@ find html -name 'Makefile*' | xargs rm %{_mandir}/man1/* %changelog +* Mon Apr 20 2026 Michal Hlavinka - 4.0.9-37 +- fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159316) + * Mon Nov 03 2025 RHEL Packaging Agent - 4.0.9-36 - fix CVE-2025-8176: prevent skipping first line in tiffdither and tiffmedian tools (RHEL-120230)
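Review bot: `Patch48:` is declared in the `@@ -71,6 +71,10 @@` hunk, but nothing in this commit adds a matching apply step: the diffstat shows libtiff.spec changing only in the Release line, this declaration and the changelog. The %prep section is outside the hunks, so if it applies patches with numbered `%patchN` lines rather than `%autosetup`/`%autopatch`, the CVE-2026-4775 fix would be shipped in the SRPM but never applied to the build. Please confirm, and add `%patch48 -p1` next to the existing entries if that is the case. The patch file name also says 4.4.0 while the package and the paths inside the patch are 4.0.9; a comment such as `# rebased onto 4.0.9` above `Patch48:` would make the origin clear.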