REDHAT-BUG-601274: Integer Overflow

First published: Mon Jun 07 2010(Updated: )

Sauli Pahlman of CERT-FI provided us with fuzzed TIFF file which crashes image viewers using libtiff library. TIFF image triggers an integer overflow in TIFFroundup() macro called from TIFFFillStrip(). Sufficient large bytecount from the file can cause TIFFroundup() to return 0 and cause TIFFReadBufferSetup() to allocate an insufficiently-sized buffer. Later in TIFFReadRawStrip1(), application-provided read callback is called via TIFFReadFile() that possibly overflows the buffer. This flaw occurs in libtiff 3.9.2, where bytecount in TIFFFillStrip() is defined as uint32. Older libtiff versions (e.g. those shipped with Red Hat Enterprise Linux 3, 4, and 5) use tsize_t (signed int32) as its type and reject bytecount values that may lead to integer overflow earlier. Issues was reported in launchpad (bug is currently restricted): <a href="https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589565">https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589565</a>

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/type
• agent/last-modified-date
• agent/first-publish-date
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2010-2065
• agent/weakness
• agent/references
• agent/severity
• agent/description
• agent/event
• agent/trending
• agent/source
• agent/tags
• agent/softwarecombine
• agent/guess-ai
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• vendor/libtiff
• canonical/tiff
• vendor/red hat
• canonical/red hat enterprise linux