
tiff / CVE-2018-15209

I have been trying to reproduce this bug (buffer overflow), but instead
I get increasing memory usage until my computer crashes, with versions
from Jessie, Stretch, and Sid. So maybe another security issue?

I note that CVE-2017-11613 and CVE-2018-5784 can use unbounded
memory. However these are marked as fixed everywhere but Stretch.

As far as I can tell, the relevant code is:

        uint64* newcounts;


        newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
                                "for chopped \"StripByteCounts\" array");


        for (strip = 0; strip < nstrips; strip++) {
                newcounts[strip] = stripbytes;

However, I cannot see how this could cause a buffer overflow
condition. We appear to allocate nstrips uint64, and then use nstrips
Brian May <bam@debian.org>
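
Added example, not part of the original message and not libtiff code: a stand-alone C version of the allocate-and-fill pattern in the excerpt, with a wrap check on the allocation size and a plausibility bound on the strip count. The helper name alloc_strip_counts and the data_bytes parameter (bytes of strip data actually present in the file) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical helper (not a libtiff function): allocate and fill a
 * per-strip byte-count array as in the excerpt, but refuse requests
 * that are implausible for the file being read.
 * data_bytes is an assumed input: bytes of strip data really present.
 */
uint64_t *alloc_strip_counts(uint64_t nstrips, uint64_t stripbytes,
                             uint64_t data_bytes)
{
    uint64_t *counts;
    uint64_t strip;

    if (nstrips == 0 || stripbytes == 0)
        return NULL;
    /* nstrips * sizeof(uint64_t) must not wrap around size_t; if it
     * wrapped, the fill loop below would run past a short buffer. */
    if (nstrips > SIZE_MAX / sizeof(uint64_t))
        return NULL;
    /* All strips except the last are full, so (nstrips - 1) * stripbytes
     * cannot exceed the data available. Division avoids overflow. */
    if (nstrips - 1 > data_bytes / stripbytes)
        return NULL;

    counts = malloc((size_t)nstrips * sizeof(uint64_t));
    if (counts == NULL)
        return NULL;
    for (strip = 0; strip < nstrips; strip++)
        counts[strip] = stripbytes;
    return counts;
}

int main(void)
{
    /* Constructed inputs: 4 strips of 100 bytes over 350 bytes of data,
     * then a billion 1-byte strips over 1 KiB of data. */
    uint64_t *ok = alloc_strip_counts(4, 100, 350);
    uint64_t *bad = alloc_strip_counts(1000000000ULL, 1, 1024);

    printf("plausible: %s, implausible: %s\n",
           ok ? "allocated" : "rejected", bad ? "allocated" : "rejected");
    free(ok);
    free(bad);
    return 0;
}
```

Without the second check, the array size is driven only by values read from the file, so memory use grows with nstrips even though every write stays inside the allocation.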
