From 76ee9a3057a59e9a119e8ee4186072db806d90ea Mon Sep 17 00:00:00 2001
From: Cy Schubert <cy@FreeBSD.org>
Date: Wed, 23 Nov 2022 13:26:19 -0800
Subject: [PATCH] graphics/tiff: Fix CVE-2022-3970

Fix:	TIFFReadRGBATileExt(): fix (unsigned) integer overflow on
	strips/tiles > 2 GB

Obtained from:	Upstream 227500897dfb07fb7d27f7aa570050e62617e3be
		(merged as a05860a0872d323e3fbf4390187ce934dd2b165e)
MFH:		2022Q4
Security:	CVE-2022-3970
Security:	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137
---
 graphics/tiff/Makefile                        |  1 +
 .../tiff/files/patch-libtiff_tif_getimage.c   | 22 +++++++++++++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 graphics/tiff/files/patch-libtiff_tif_getimage.c

diff --git a/graphics/tiff/Makefile b/graphics/tiff/Makefile
index 63744a0a6554..1b038a6b6930 100644
--- a/graphics/tiff/Makefile
+++ b/graphics/tiff/Makefile
@@ -1,5 +1,6 @@
 PORTNAME=	tiff
 DISTVERSION=	4.4.0
+PORTREVISION=	1
 CATEGORIES=	graphics
 MASTER_SITES=	https://download.osgeo.org/libtiff/
 
diff --git a/graphics/tiff/files/patch-libtiff_tif_getimage.c b/graphics/tiff/files/patch-libtiff_tif_getimage.c
new file mode 100644
index 000000000000..d3235c58968f
--- /dev/null
+++ b/graphics/tiff/files/patch-libtiff_tif_getimage.c
@@ -0,0 +1,22 @@
+--- libtiff/tif_getimage.c.orig	2022-02-19 07:33:54.000000000 -0800
++++ libtiff/tif_getimage.c	2022-11-23 11:36:14.192628000 -0800
+@@ -3058,15 +3058,15 @@
+         return( ok );
+ 
+     for( i_row = 0; i_row < read_ysize; i_row++ ) {
+-        memmove( raster + (tile_ysize - i_row - 1) * tile_xsize,
+-                 raster + (read_ysize - i_row - 1) * read_xsize,
++        memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
++                 raster + (size_t)(read_ysize - i_row - 1) * read_xsize,
+                  read_xsize * sizeof(uint32_t) );
+-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize,
++        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize,
+                      0, sizeof(uint32_t) * (tile_xsize - read_xsize) );
+     }
+ 
+     for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) {
+-        _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize,
++        _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize,
+                      0, sizeof(uint32_t) * tile_xsize );
+     }
+