CVE-2022-0924: fix heap buffer overflow in tiffcp (#278) (!311) · Merge requests · libtiff / libtiff
Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 408976c4.
fix #278 (closed).
Note that I currently only do bounds checking on out because I don’t know how to do bounds checking on in without changing the function parameters. But this fix works for this crash.
To add a check for in, we need to do this:
if (row * rowsize + s + spp * imagewidth * nrows > scanlinesize * imagelength)
where scanlinesize is assigned in tiffcp.c:1408,
scanlinesize = TIFFRasterScanlineSize(in);
But in (or named tif) is not accessible in writeBufferToSeparateStrips, so I have no idea how to check for this.
By the way, after testing with multiple files, I found that stripsize and scanlinesize always seem to be equal. If so, it will be easy to add bounds checking on in, like this:
if (row * rowsize + s + spp * imagewidth * nrows > stripsize * imagelength)
Edited Mar 07, 2022 by
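The discussion above turns on one missing piece of information: the contig-to-separate copy in tiffcp is handed a pointer into the input buffer but not the buffer's length, so the loop has nothing to compare its computed offsets against. The following is an added example, not libtiff's code and not the patch in this merge request. It models the same conversion (a chunky RGB buffer split into one strip per sample plane) in a standalone function, `write_separate_strips`, that takes the input length explicitly as a hypothetical `buflen` parameter and refuses any strip whose read range would end past it. The function names, the parameter list and the 2x2 RGB sample image are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the chunky -> planar copy: pull one sample out of every pixel.
 * Like the real callee, it does no bounds checking itself, so the caller
 * must prove the read range fits before calling it. */
static void contig_to_separate(uint8_t *out, const uint8_t *in,
                               uint32_t rows, uint32_t cols,
                               uint16_t spp, uint16_t bps)
{
    size_t pixel = (size_t)spp * bps;          /* input stride per pixel */
    for (uint32_t r = 0; r < rows; r++)
        for (uint32_t c = 0; c < cols; c++, in += pixel, out += bps)
            memcpy(out, in, bps);
}

/* One past the last input offset contig_to_separate() touches when it
 * starts at `start`. Sets *ovf on arithmetic overflow; an overflowed
 * offset must be treated as out of bounds, never as "small". */
static size_t copy_end_offset(size_t start, uint32_t rows, uint32_t cols,
                              uint16_t spp, uint16_t bps, int *ovf)
{
    size_t n, end;
    *ovf = 0;
    if (__builtin_mul_overflow((size_t)rows, (size_t)cols, &n) ||
        __builtin_mul_overflow(n, (size_t)spp * bps, &n) ||
        __builtin_add_overflow(start, n, &end)) {
        *ovf = 1;
        return 0;
    }
    if (n == 0)
        return start;                           /* nothing is read */
    /* The final pixel reads only its own sample, not the full stride. */
    return end - (size_t)(spp - 1) * bps;
}

/* Split `buf` (length rows, each `rowsize` bytes, chunky layout) into
 * planar strips of `rowsperstrip` rows, appended plane by plane to
 * `planar` (spp * length * width * bps bytes). `buflen` is the hypothetical
 * extra parameter: the byte count actually backing `buf`.
 * Returns the number of strips produced, or -1 if any strip would read
 * past buflen or the offset arithmetic overflows. */
int write_separate_strips(const uint8_t *buf, size_t buflen,
                          uint32_t length, uint32_t width, uint16_t spp,
                          uint16_t bps, uint32_t rowsperstrip, size_t rowsize,
                          uint8_t *planar)
{
    if (rowsperstrip == 0 || spp == 0 || bps == 0)
        return -1;
    size_t plane = (size_t)length * width * bps;   /* bytes per output plane */
    int strips = 0;
    for (uint16_t s = 0; s < spp; s++) {
        for (uint32_t row = 0; row < length; ) {
            uint32_t nrows = (length - row < rowsperstrip) ? length - row
                                                            : rowsperstrip;
            size_t start;
            int ovf;
            /* start = row * rowsize + s * bps, with overflow detection */
            if (__builtin_mul_overflow(rowsize, (size_t)row, &start) ||
                __builtin_add_overflow(start, (size_t)s * bps, &start))
                return -1;
            size_t end = copy_end_offset(start, nrows, width, spp, bps, &ovf);
            if (ovf || end > buflen)
                return -1;         /* geometry does not fit: reject, do not read */
            contig_to_separate(planar + (size_t)s * plane + (size_t)row * width * bps,
                               buf + start, nrows, width, spp, bps);
            strips++;
            row += nrows;          /* cannot wrap: nrows <= length - row */
        }
    }
    return strips;
}

/* Constructed sample: a 2x2 RGB image, 8 bits per sample, no row padding. */
const uint8_t SAMPLE_RGB[12] = {
    0x10, 0x20, 0x30,  0x11, 0x21, 0x31,    /* row 0: two pixels (R,G,B) */
    0x12, 0x22, 0x32,  0x13, 0x23, 0x33,    /* row 1 */
};
uint8_t PLANAR_OUT[12];

int main(void)
{
    /* Honest geometry: rowsize matches the buffer, 2 rows x 3 planes. */
    int ok = write_separate_strips(SAMPLE_RGB, sizeof SAMPLE_RGB, 2, 2, 3, 1, 1, 6, PLANAR_OUT);
    /* Mismatched geometry: rowsize claims 8 bytes per row, buffer has 6. */
    int bad = write_separate_strips(SAMPLE_RGB, sizeof SAMPLE_RGB, 2, 2, 3, 1, 1, 8, PLANAR_OUT);
    printf("strips=%d (expect 6), rejected=%d (expect -1)\n", ok, bad);
    return 0;
}
```

The check compares against the number of bytes actually backing the buffer rather than against a quantity derived from the output image's tags, because the bug class here is precisely that the two can disagree. Both the start offset and the end offset are computed with overflow detection; a single comparison such as `row * rowsize + s + spp * imagewidth * nrows > limit` evaluated in unsigned arithmetic can wrap around and pass for a sufficiently large crafted image dimension.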