new file mode 100644
@@ -0,0 +1,99 @@
+From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Thu, 16 Mar 2023 16:16:54 +0800
+Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection
+
+CVE: CVE-2023-1916
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535]
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 44 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 05ba4d2..8a08536 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5700,6 +5700,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+ crop->combined_width += (uint32_t)zwidth;
+ else
+ crop->combined_width = (uint32_t)zwidth;
++
++ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++ if (((crop->rotation == 90) || (crop->rotation == 270))
++ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++ {
++ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++ return -1;
++ }
++
+ break;
+ case EDGE_BOTTOM: /* width from left, zones from bottom to top */
+ zwidth = offsets.crop_width;
+@@ -5735,6 +5744,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+ else
+ crop->combined_length = (uint32_t)zlength;
+ crop->combined_width = (uint32_t)zwidth;
++
++ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++ if (((crop->rotation == 90) || (crop->rotation == 270))
++ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++ {
++ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++ return -1;
++ }
++
+ break;
+ case EDGE_RIGHT: /* zones from right to left, length from top */
+ zlength = offsets.crop_length;
+@@ -5772,6 +5790,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+ crop->combined_width += (uint32_t)zwidth;
+ else
+ crop->combined_width = (uint32_t)zwidth;
++
++ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++ if (((crop->rotation == 90) || (crop->rotation == 270))
++ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++ {
++ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++ return -1;
++ }
++
+ break;
+ case EDGE_TOP: /* width from left, zones from top to bottom */
+ default:
+@@ -5818,7 +5845,16 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+ else
+ crop->combined_length = (uint32_t)zlength;
+ crop->combined_width = (uint32_t)zwidth;
+- break;
++
++ /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++ if (((crop->rotation == 90) || (crop->rotation == 270))
++ && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++ {
++ TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++ return -1;
++ }
++
++ break;
+ } /* end switch statement */
+
+ buffsize = (uint32_t)
+@@ -7016,9 +7052,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ * regardless of the way the data are organized in the input file.
+ * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1
+ */
+- img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
+- full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
+- trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
++ img_rowsize = (((img_width * spp * bps) + 7) / 8); /* row size in full bytes of source image */
++ full_bytes = (sect_width * spp * bps) / 8; /* number of COMPLETE bytes per row in section */
++ trailing_bits = (sect_width * spp * bps) % 8; /* trailing bits within the last byte of destination buffer */
+
+ #ifdef DEVELMODE
+ TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
+--
+2.25.1
+
@@ -44,6 +44,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-3618-2.patch \
file://CVE-2023-26966.patch \
file://CVE-2022-40090.patch \
+ file://CVE-2023-1916.patch \
"
SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"