diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch
new file mode 100644
index 0000000000..6722781a3a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch
@@ -0,0 +1,99 @@
+From 848434a81c443f59ec90d41218eba6e48a450a11 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Thu, 16 Mar 2023 16:16:54 +0800
+Subject: [PATCH] Fix heap-buffer-overflow in function extractImageSection
+
+CVE: CVE-2023-1916
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/848434a81c443f59ec90d41218eba6e48a450a11 https://gitlab.com/libtiff/libtiff/-/merge_requests/535]
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 44 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 05ba4d2..8a08536 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5700,6 +5700,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+              crop->combined_width += (uint32_t)zwidth;
+            else
+              crop->combined_width = (uint32_t)zwidth;
++
++	   /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++           if (((crop->rotation == 90) || (crop->rotation == 270))
++                && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++           {
++                TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++                return -1;
++           }
++
+            break;
+       case EDGE_BOTTOM: /* width from left, zones from bottom to top */
+            zwidth = offsets.crop_width;
+@@ -5735,6 +5744,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+            else
+              crop->combined_length = (uint32_t)zlength;
+            crop->combined_width = (uint32_t)zwidth;
++
++	   /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++           if (((crop->rotation == 90) || (crop->rotation == 270))
++                && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++           {
++                TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++                return -1;
++           }
++
+            break;
+       case EDGE_RIGHT: /* zones from right to left, length from top */
+ 		  zlength = offsets.crop_length;
+@@ -5772,6 +5790,15 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+ 			  crop->combined_width += (uint32_t)zwidth;
+ 		  else
+ 			  crop->combined_width = (uint32_t)zwidth;
++
++		/* When the degrees clockwise rotation is 90 or 270, check the boundary */
++                if (((crop->rotation == 90) || (crop->rotation == 270))
++                    && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++                {
++                    TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++                    return -1;
++                }
++
+ 		  break;
+       case EDGE_TOP: /* width from left, zones from top to bottom */
+       default:
+@@ -5818,7 +5845,16 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt
+            else
+              crop->combined_length = (uint32_t)zlength;
+            crop->combined_width = (uint32_t)zwidth;
+-           break;
++
++	   /* When the degrees clockwise rotation is 90 or 270, check the boundary */
++           if (((crop->rotation == 90) || (crop->rotation == 270))
++                && ((crop->combined_length > image->width) || (crop->combined_width > image->length)))
++           {
++                TIFFError("getCropOffsets", "The crop size exceeds the image boundary size");
++                return -1;
++           }
++
++	   break;
+       } /* end switch statement */
+ 
+     buffsize = (uint32_t)
+@@ -7016,9 +7052,9 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+      * regardless of the way the data are organized in the input file.
+      * Furthermore, bytes and bits are arranged in buffer according to COMPRESSION=1 and FILLORDER=1 
+      */
+-    img_rowsize = (((img_width * spp * bps) + 7) / 8);    /* row size in full bytes of source image */
+-    full_bytes = (sect_width * spp * bps) / 8;            /* number of COMPLETE bytes per row in section */
+-    trailing_bits = (sect_width * spp * bps) % 8;         /* trailing bits within the last byte of destination buffer */
++    img_rowsize = (((img_width * spp * bps) + 7) / 8);  /* row size in full bytes of source image */
++    full_bytes = (sect_width * spp * bps) / 8;          /* number of COMPLETE bytes per row in section */
++    trailing_bits = (sect_width * spp * bps) % 8;       /* trailing bits within the last byte of destination buffer */
+ 
+ #ifdef DEVELMODE
+     TIFFError ("", "First row: %"PRIu32", last row: %"PRIu32", First col: %"PRIu32", last col: %"PRIu32"\n",
+-- 
+2.25.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 9e1e6fa099..8ef98fe5d0 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -44,6 +44,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2023-3618-2.patch \
            file://CVE-2023-26966.patch \
            file://CVE-2022-40090.patch \
+           file://CVE-2023-1916.patch \
            "
 
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"