From 759fdaaa516bb4fdb4049df378dfb9e5ec3db2a2 Mon Sep 17 00:00:00 2001
From: liningjie <liningjie@xfusion.com>
Date: Wed, 16 Aug 2023 14:47:12 +0800
Subject: [PATCH] fix CVE-2023-3618

(cherry picked from commit 2bdfd6b8a6b618934270944e0848ec6ce2c03a13)
---
 backport-CVE-2023-3618.patch | 42 ++++++++++++++++++++++++++++++++++++
 libtiff.spec                 |  6 +++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-3618.patch

diff --git a/backport-CVE-2023-3618.patch b/backport-CVE-2023-3618.patch
new file mode 100644
index 0000000..8d14bb3
--- /dev/null
+++ b/backport-CVE-2023-3618.patch
@@ -0,0 +1,42 @@
+From 4f6da09f67b472a64f684ed8125cc0e316a395b1 Mon Sep 17 00:00:00 2001
+From: liningjie <liningjie@xfusion.com>
+Date: Mon, 14 Aug 2023 23:17:28 +0800
+Subject: [PATCH] Consider error return of writeSelections(). Fixes #553
+
+---
+ tools/tiffcrop.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 39156b5..cb8139b 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -2464,8 +2464,14 @@ main(int argc, char* argv[])
+         {  /* Whole image or sections not based on output page size */
+         if (crop.selections > 0)
+           {
+-	  writeSelections(in, &out, &crop, &image, &dump, seg_buffs,
+-                          mp, argv[argc - 1], &next_page, total_pages);
++				if (writeSelections(in, &out, &crop, &image, &dump,
++                                    seg_buffs, mp, argv[argc - 1],
++                                    &next_page, total_pages))
++                {
++                    TIFFError("main",
++                              "Unable to write new image selections");
++                    exit(EXIT_FAILURE);
++                }
+           }
+ 	else  /* One file all images and sections */
+           {
+@@ -7920,7 +7926,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+   /* Memory is freed before crop_buff_ptr is overwritten */
+   if (*crop_buff_ptr != NULL)
+   {
+-    _TIFFfree(*crop_buff_ptr);
++	  _TIFFfree(*crop_buff_ptr);
+   }
+ 
+   /* process full image, no crop buffer needed */
+-- 
+2.33.0
+
diff --git a/libtiff.spec b/libtiff.spec
index a60c6a0..e0f7948 100644
--- a/libtiff.spec
+++ b/libtiff.spec
@@ -1,6 +1,6 @@
 Name:           libtiff
 Version:        4.3.0
-Release:        30
+Release:        31
 Summary:        TIFF Library and Utilities
 License:        libtiff
 URL:            https://www.simplesystems.org/libtiff/
@@ -46,6 +46,7 @@ Patch6036:      backport-CVE-2023-38288.patch
 Patch6037:      backport-CVE-2023-38289.patch
 
 Patch9000:	fix-raw2tiff-floating-point-exception.patch
+Patch9001:	backport-CVE-2023-3618.patch
 
 
 BuildRequires:  gcc gcc-c++ zlib-devel libjpeg-devel jbigkit-devel
@@ -167,6 +168,9 @@ find html -name 'Makefile*' | xargs rm
 %exclude %{_datadir}/html/man/tiffgt.1.html
 
 %changelog
+* Wed Aug 16 2023 liningjie <liningjie@xfusion.com> - 4.3.0-31
+- fix CVE-2023-3618
+
 * Fri Jul 28 2023 zhangpan <zhangpan103@h-partners.com> - 4.3.0-30
 - fix CVE-2023-38288 CVE-2023-38289