From 3e164d0fa9c48dbdc76620442ffbb02de9e5724e Mon Sep 17 00:00:00 2001
From: Su Laus <sulau@freenet.de>
Date: Wed, 11 Jun 2025 19:45:19 +0000
Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
 rows at TIFFReadRGBAImageOriented()

---
 libtiff/tif_getimage.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
index 4f32b3a..70a0362 100644
--- a/libtiff/tif_getimage.c
+++ b/libtiff/tif_getimage.c
@@ -511,6 +511,22 @@ TIFFRGBAImageGet(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
 		"No \"put\" routine setupl; probably can not handle image format");
 		return (0);
     }
+    /* Verify raster width and height against image width and height. */
+    if (h > img->height)
+    {
+        /* Adapt parameters to read only available lines and put image at
+         * the bottom of the raster. */
+        raster += (size_t)(h - img->height) * w;
+        h = img->height;
+    }
+    if (w > img->width)
+    {
+        TIFFWarningExt(img->tif->tif_clientdata, TIFFFileName(img->tif),
+                        "Raster width of %d shall not be larger than image "
+                        "width of %d -> raster width adapted for reading",
+                        w, img->width);
+        w = img->width;
+    }
     return (*img->get)(img, raster, w, h);
 }
 
@@ -529,9 +545,7 @@ TIFFReadRGBAImageOriented(TIFF* tif,
 
 	if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg)) {
 		img.req_orientation = (uint16)orientation;
-		/* XXX verify rwidth and rheight against width and height */
-		ok = TIFFRGBAImageGet(&img, raster+(rheight-img.height)*rwidth,
-			rwidth, img.height);
+		ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
 		TIFFRGBAImageEnd(&img);
 	} else {
 		TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "%s", emsg);
-- 
2.47.3