From 8627709ff72df3c8119ff310a2bcf6e7bd080613 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Thu, 7 May 2026 17:14:59 -0400
Subject: [PATCH] import CS git mingw-libtiff-4.0.9-4.el8_10
---
 SOURCES/libtiff-4.4.0-CVE-2026-4775.patch | 39 +++++++++++++++++++++++
 SPECS/mingw-libtiff.spec | 7 +++-
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/libtiff-4.4.0-CVE-2026-4775.patch
diff --git a/SOURCES/libtiff-4.4.0-CVE-2026-4775.patch b/SOURCES/libtiff-4.4.0-CVE-2026-4775.patch
new file mode 100644
index 0000000..1ae658f
--- /dev/null
+++ b/SOURCES/libtiff-4.4.0-CVE-2026-4775.patch
@@ -0,0 +1,39 @@
+diff -up tiff-4.0.9/libtiff/tif_getimage.c.CVE-2026-4775 tiff-4.0.9/libtiff/tif_getimage.c
+--- tiff-4.0.9/libtiff/tif_getimage.c.CVE-2026-4775 2026-04-20 14:46:44.329742232 +0200
++++ tiff-4.0.9/libtiff/tif_getimage.c 2026-04-20 14:46:44.337742095 +0200
+@@ -1900,7 +1900,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ uint32* cp1 = cp+w+toskew;
+ uint32* cp2 = cp1+w+toskew;
+ uint32* cp3 = cp2+w+toskew;
+- int32 incr = 3*w+4*toskew;
++ const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew;
+
+ (void) y;
+ /* adjust fromskew */
+@@ -2004,7 +2004,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+ {
+ uint32* cp1 = cp+w+toskew;
+- int32 incr = 2*toskew+w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+
+ (void) y;
+ fromskew = (fromskew / 4) * (4*2+2);
+@@ -2130,7 +2130,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ uint32* cp2;
+- int32 incr = 2*toskew+w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ (void) y;
+ fromskew = (fromskew / 2) * (2*2+2);
+ cp2 = cp+w+toskew;
+@@ -2225,7 +2225,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr2
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ uint32* cp2;
+- int32 incr = 2*toskew+w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ (void) y;
+ fromskew = (fromskew / 1) * (1 * 2 + 2);
+ cp2 = cp+w+toskew;
diff --git a/SPECS/mingw-libtiff.spec b/SPECS/mingw-libtiff.spec
index 2cb3ebc..0881b7c 100644
--- a/SPECS/mingw-libtiff.spec
+++ b/SPECS/mingw-libtiff.spec
@@ -3,7 +3,7 @@
 Summary: MinGW Windows port of the LibTIFF library
 Name: mingw-libtiff
 Version: 4.0.9
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: libtiff
 Group: System Environment/Libraries
 URL: http://www.simplesystems.org/libtiff/
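Review bot: In SOURCES/libtiff-4.4.0-CVE-2026-4775.patch the new `incr` declarations are wider than the old `int32` only where `tmsize_t` is 64 bits. libtiff defines `tmsize_t` as a pointer-sized signed type, so on a 32-bit Windows target `3 * (tmsize_t)w + 4 * (tmsize_t)toskew` in putcontig8bitYCbCr44tile would presumably still be computed in 32 bits and could overflow as before. If this spec still produces a 32-bit MinGW build, confirm that `w` and `toskew` are bounded before these put functions run; that code is outside the hunks, as are the function bodies. The 42tile, 22tile and 12tile hunks add `w` without a cast while the 44tile hunk casts it; writing `2 * (tmsize_t)toskew + (tmsize_t)w` in all three would keep the four expressions consistent and make the conversion explicit.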
@@ -56,6 +56,7 @@ Patch44: libtiff-4.6.0-CVE-2024-7006.patch
 Patch45: libtiff-4.0.9-CVE-2017-17095.patch
 Patch46: RHEL-112533.patch
 Patch47: RHEL-120230.patch
+Patch48: libtiff-4.4.0-CVE-2026-4775.patch
 BuildArch: noarch
 ExclusiveArch: %{ix86} x86_64
@@ -199,6 +200,10 @@ find $RPM_BUILD_ROOT -name "*.la" -delete
 %changelog
+* Thu Apr 23 2026 Uri Lublin - 4.0.9-4
+- fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile
+ Resolves: RHEL-159337
+
 * Tue Nov 04 2025 Lili Zhu - 4.0.9-3
 - Fix CVE-2018-5784 CVE-2018-7456 CVE-2017-9935 CVE-2017-9935
 - Fix CVE-2017-18013 CVE-2018-8905 CVE-2018-10963 CVE-2018-17100
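Review bot: `Patch48:` is declared in the `-56,6` hunk, but no hunk in this commit touches `%prep`, so whether the CVE-2026-4775 fix reaches the built library depends on how `%prep` applies patches, which is not visible here. If the spec lists patches one by one, it needs a matching `%patch48 -p1`; if it uses `%autosetup -p1` or `%autopatch`, nothing more is needed. Checking the build log for the patch being applied would confirm it either way. The changelog entry names only putcontig8bitYCbCr44tile, while the patch also changes the 42tile, 22tile and 12tile variants; `- fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr*tile` would describe the shipped change more accurately.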