new file mode 100644
@@ -0,0 +1,97 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
+ Fix issue 527
+
+Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
+
+Closes #527
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf]
+CVE: CVE-2023-26965
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 47 +++++++++++++++--------------------------------
+ 1 file changed, 15 insertions(+), 32 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index b811fbb..ce77c74 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -6066,9 +6066,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ uint32_t tw = 0, tl = 0; /* Tile width and length */
+ tmsize_t tile_rowsize = 0;
+ unsigned char *read_buff = NULL;
+- unsigned char *new_buff = NULL;
+ int readunit = 0;
+- static tmsize_t prev_readsize = 0;
+
+ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -6361,47 +6359,32 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ }
+
+ read_buff = *read_ptr;
+- /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+- /* outside buffer */
+- if (!read_buff)
+- {
+- if( buffsize > 0xFFFFFFFFU - 3 )
++ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit
++ * outside buffer */
++ /* Reuse of read_buff from previous image is quite unsafe, because other
++ * functions (like rotateImage() etc.) reallocate that buffer with different
++ * size without updating the local prev_readsize value. */
++ if (read_buff)
+ {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+- return (-1);
++ _TIFFfree(read_buff);
+ }
+- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- }
+- else
++ if (buffsize > 0xFFFFFFFFU - 3)
+ {
+- if (prev_readsize < buffsize)
+- {
+- if( buffsize > 0xFFFFFFFFU - 3 )
+- {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+- return (-1);
+- }
+- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- if (!new_buff)
+- {
+- free (read_buff);
+- read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- }
+- else
+- read_buff = new_buff;
+- }
++ TIFFError("loadImage", "Required read buffer size too large");
++ return (-1);
+ }
+- if (!read_buff)
++ read_buff =
++ (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
++ if (!read_buff)
+ {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+- return (-1);
++ TIFFError("loadImage", "Unable to allocate read buffer");
++ return (-1);
+ }
+
+ read_buff[buffsize] = 0;
+ read_buff[buffsize+1] = 0;
+ read_buff[buffsize+2] = 0;
+
+- prev_readsize = buffsize;
+ *read_ptr = read_buff;
+
+ /* N.B. The read functions used copy separate plane data into a buffer as interleaved
+--
+2.25.1
+
@@ -37,6 +37,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-0795_0796_0797_0798_0799.patch \
file://CVE-2023-25433.patch \
file://CVE-2023-25434-CVE-2023-25435.patch \
+ file://CVE-2023-26965.patch \
"
SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"