fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159331)

Resolves: RHEL-159331
2026-04-20 13:46:57 +02:00 · 2026-04-20 13:46:57 +02:00 · 9c9f2f8ce9
commit 9c9f2f8ce9
parent 7a139d971e
2 changed files with 46 additions and 1 deletions
--- a/libtiff-4.6.0-CVE-2026-4775.patch
+++ b/libtiff-4.6.0-CVE-2026-4775.patch
@ -0,0 +1,39 @@
+diff -up tiff-4.4.0/libtiff/tif_getimage.c.CVE-2026-4775 tiff-4.4.0/libtiff/tif_getimage.c
+--- tiff-4.4.0/libtiff/tif_getimage.c.CVE-2026-4775	2026-04-20 13:21:08.882223234 +0200
+++ tiff-4.4.0/libtiff/tif_getimage.c	2026-04-20 13:21:56.640529927 +0200
+@@ -1914,7 +1914,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+     uint32_t* cp1 = cp + w + toskew;
+     uint32_t* cp2 = cp1 + w + toskew;
+     uint32_t* cp3 = cp2 + w + toskew;
+-    int32_t incr = 3 * w + 4 * toskew;
+	const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew;
+ 
+     (void) y;
+     /* adjust fromskew */
+@@ -2018,7 +2018,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+ {
+     uint32_t* cp1 = cp + w + toskew;
+-    int32_t incr = 2 * toskew + w;
+    const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ 
+     (void) y;
+     fromskew = (fromskew / 4) * (4*2+2);
+@@ -2144,7 +2144,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ 	uint32_t* cp2;
+-	int32_t incr = 2 * toskew + w;
+	const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ 	(void) y;
+ 	fromskew = (fromskew / 2) * (2*2+2);
+ 	cp2 = cp+w+toskew;
+@@ -2239,7 +2239,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr2
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ 	uint32_t* cp2;
+-	int32_t incr = 2 * toskew + w;
+	const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ 	(void) y;
+ 	fromskew = (fromskew / 1) * (1 * 2 + 2);
+ 	cp2 = cp+w+toskew;
--- a/libtiff.spec
+++ b/libtiff.spec
@ -1,7 +1,7 @@
 Summary:       Library of functions for manipulating TIFF format image files
 Name:          libtiff
 Version:       4.4.0
-Release:       16%{?dist}
+Release:       17%{?dist}
 License:       libtiff
 URL:           http://www.simplesystems.org/libtiff/

@ -49,6 +49,9 @@ Patch26:       libtiff-4.4.0-cve-2025-9900.patch
 # frin upstream, for < 4.7.1, RHEL-120238
 # https://gitlab.com/libtiff/libtiff/-/commit/fe10872e53efba9cc36c66ac4ab3b41a839d5172
 Patch27:       libtiff-4.4.0-cve-2025-8176.patch
+# from upstream, for <= 4.7.1, RHEL-159331
+# https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c
+Patch28:       libtiff-4.6.0-CVE-2026-4775.patch

 BuildRequires: gcc, gcc-c++
 BuildRequires: zlib-devel libjpeg-devel jbigkit-devel libzstd-devel libwebp-devel
@ -207,6 +210,9 @@ find html -name 'Makefile*' | xargs rm
 %{_mandir}/man1/*

 %changelog
+* Thu May 07 2026 Michal Hlavinka <mhlavink@redhat.com> - 4.4.0-15.3
+- fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159331)
+
 * Sun Jan 18 2026 Michal Hlavinka <mhlavink@redhat.com> - 4.4.0-16
 - fix CVE-2025-9900: Out-of-Bounds Write in TIFFReadRGBAImageOriented (RHEL-112543)
 - fix CVE-2025-8176: use after free in tiffmedian (RHEL-120238)