This vulnerability was reported in http://seclists.org/oss-sec/2016/q2/543

It was always corrupted when I use the rgb2ycbcr command followed by a crafted TIFF image. The out-of-bounds write vulnerability comes from the PixarLogDecode() function, which does not check the buffer length; this causes the head of the next heap chunk to be filled with any data, and a crash occurs when malloc() or free() is called. Attackers could exploit this issue to cause a DoS.

The problem was found using rgb2ycbcr (which AFAIK is being removed in 4.0.7), but the code is in libtiff, so this may affect any libtiff user and not just rgb2ycbcr.
CVE-2016-5320 talks about a possible arbitrary code execution vulnerability, but mentions this PixarLogDecode bug, so I'm not sure if it's a separate issue or a duplicate of this. See http://seclists.org/oss-sec/2016/q2/551
Created an attachment (id=654)
CVE-2016-5314.tif
MD5: 1383f74a9a29f20b7ceda44a9694d863
SHA1: 20a0d74af6a84f133cfc533e669852430469f315
(In reply to comment #1)
> CVE-2016-5320 talks about a possible arbitrary code execution vulnerability,
> but mentions this PixarLogDecode bug, so I'm not sure if it's a separate issue
> or a duplicate of this.
>
> See http://seclists.org/oss-sec/2016/q2/551

It probably is. PixarLogDecode() overwrites the pointer to sp->vgetparent at libtiff/tif_pixarlog.c:787:

    int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);

which is then later executed in PredictorVGetField().
(In reply to comment #3)
> libtiff/tif_pixarlog.c:787

While we're here, I think I'd like to note:

    llen = sp->stride * td->td_imagewidth;
    (void) s;
    assert(sp != NULL);

just a few lines above.
Was fixed by:

2016-06-28 Even Rouault <even.rouault at spatialys.com>

    * libtiff/tif_pixarlog.c: fix potential buffer write overrun in PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson) (CVE-2016-5875)
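The mechanism in comment #3 is a decompressor writing into a heap scratch buffer with an output length that comes from untrusted image metadata instead of from the buffer's real capacity, so the overrun lands on the codec state (including a function pointer) that follows it. The C below is an added model of the defensive checks a decoder needs before handing a size to inflate(); it is not libtiff's code and not the actual fix. The codec_state struct, toy_inflate() (a stand-in for zlib that honours avail_out the same way) and decode_strip_checked() are all hypothetical names, and the input streams are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical codec state, NOT libtiff's struct. It only mirrors the
 * layout the report describes: a heap scratch buffer in front of a
 * function pointer (sp->vgetparent) that is called later. */
typedef int (*getfield_fn)(int tag);

typedef struct {
    uint8_t    *tbuf;        /* decode scratch buffer, heap allocated */
    size_t      tbuf_size;   /* capacity actually allocated           */
    size_t      stride;      /* samples per pixel                     */
    getfield_fn vgetparent;  /* invoked later, like PredictorVGetField */
} codec_state;

/* Toy stand-in for zlib inflate(): input is (count, value) pairs expanded
 * into out. Like inflate(), it stops at avail_out; the bug class is giving
 * it an avail_out larger than the buffer behind out. */
static size_t toy_inflate(const uint8_t *in, size_t inlen,
                          uint8_t *out, size_t avail_out)
{
    size_t produced = 0;
    for (size_t i = 0; i + 1 < inlen; i += 2) {
        for (size_t k = 0; k < in[i]; k++) {
            if (produced == avail_out)
                return produced;           /* never pass the capacity */
            out[produced++] = in[i + 1];
        }
    }
    return produced;
}

/* nsamples plays the role of occ in PixarLogDecode(tif, op, occ, s): it is
 * derived from image metadata and therefore untrusted.
 * Returns 1 on success, 0 when the request is rejected. */
int decode_strip_checked(codec_state *sp, size_t imagewidth,
                         const uint8_t *in, size_t inlen, size_t nsamples)
{
    size_t llen = sp->stride * imagewidth;        /* samples per line */

    if (llen == 0 || nsamples % llen != 0) {      /* must be whole lines */
        fprintf(stderr, "decode: %zu not a multiple of line length %zu\n",
                nsamples, llen);
        return 0;
    }
    if (nsamples > sp->tbuf_size) {               /* must fit the buffer */
        fprintf(stderr, "decode: %zu exceeds buffer of %zu\n",
                nsamples, sp->tbuf_size);
        return 0;
    }
    /* nsamples is now known to fit, so it is a safe avail_out. */
    size_t got = toy_inflate(in, inlen, sp->tbuf, nsamples);
    if (got != nsamples) {                        /* truncated stream */
        fprintf(stderr, "decode: got %zu samples, expected %zu\n", got, nsamples);
        return 0;
    }
    return 1;
}

static int dummy_getfield(int tag) { return tag; }

/* 4-sample buffer, stream that expands to 8, caller asking for 8.
 * Returns 1 if the decoder refused and the function pointer is untouched. */
int demo_oversized_request_rejected(void)
{
    codec_state sp = { malloc(4), 4, 1, dummy_getfield };
    const uint8_t stream[] = { 8, 0x41 };                 /* constructed */
    int ok = decode_strip_checked(&sp, 4, stream, sizeof stream, 8);
    int intact = (sp.vgetparent == dummy_getfield);
    free(sp.tbuf);
    return ok == 0 && intact;
}

/* Two 4-sample lines into an 8-sample buffer. Returns 1 if decoding
 * succeeded and the buffer holds the expected samples. */
int demo_valid_request(void)
{
    codec_state sp = { malloc(8), 8, 1, dummy_getfield };
    const uint8_t stream[] = { 4, 0x41, 4, 0x42 };        /* constructed */
    int ok = decode_strip_checked(&sp, 4, stream, sizeof stream, 8);
    int content_ok = ok && sp.tbuf[0] == 0x41 && sp.tbuf[3] == 0x41
                        && sp.tbuf[4] == 0x42 && sp.tbuf[7] == 0x42;
    free(sp.tbuf);
    return content_ok;
}

int main(void)
{
    printf("oversized request rejected: %d\n", demo_oversized_request_rejected());
    printf("valid request decoded:      %d\n", demo_valid_request());
    return 0;
}
```

The order of the checks is the point: the line-length check rejects metadata that is internally inconsistent, the capacity check rejects a request the allocation cannot hold, and only then is the size given to the decompressor, so the function pointer behind the buffer can never be reached through avail_out.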
*** Bug 2556 has been marked as a duplicate of this bug. ***
*** Bug 2557 has been marked as a duplicate of this bug. ***
*** Bug 2555 has been marked as a duplicate of this bug. ***