You need to log in before you can comment on or make changes to this bug.
Hello, """ Affected Versions: latest Vulnerability Type: Out-of-bounds Write Caused by memcpy and no bound check. Credit: Aibot, Alpha lab, Topsec When libtiff latest tiff2pdf handle malicious tiff file will cause illegal write. An attacker may control the write address and/or value to result in denial-of-service or command execution. if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { if (count > 0) { :2890 _TIFFmemcpy(buffer, jpt, count); bufferoffset += count - 2; table_end[0] = buffer[bufferoffset-2]; table_end[1] = buffer[bufferoffset-1]; } if (count > 0) { different case than:http://bugzilla.maptools.org/show_bug.cgi?id=2545#c0 out-of-bounds write vulnerability in the tiff2pdf tool has been reported in: http://www.openwall.com/lists/oss-security/2016/09/29/ """
Created an attachment (id=678) [details] poc
(In reply to comment #1) > Created an attachment (id=678) [details] [details] > poc in file tiff2pdf.c line 2890
Just fixed per 2016-10-08 Even Rouault <even.rouault at spatialys.com> * tools/tiff2pdf.c: fix read -largely- outsize of buffer in t2p_readwrite_pdf_image_tile(), causing crash, when reading a JPEG compressed image with TIFFTAG_JPEGTABLES length being one. Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from the MSRC Vulnerabilities & Mitigations team. /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c new revision: 1.93; previous revision: 1.92
CVE request: http://www.openwall.com/lists/oss-security/2016/11/18/4
CVE assigned: http://www.openwall.com/lists/oss-security/2016/11/19/1