libtiff Stack-Based Buffer Overflow Vulnerability in readSeparateStripsIntoBuffer Function

Vulnerability

A stack-based buffer overflow vulnerability has been identified in libtiff versions prior to 4.7.1. The issue arises in the tiffcrop tool within the readSeparateStripsIntoBuffer function, where improper handling of malformed TIFF directories leads to an overflow of a stack-allocated array. This vulnerability was detected by AddressSanitizer, which reported a buffer over-read and subsequent crash.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, leading to a crash and potential arbitrary code execution.

Reproduction

The vulnerability can be reproduced using the tiffcrop tool with a crafted TIFF file that has an improperly ordered directory or missing StripByteCounts. The command should include options to dump debug information, specify the input and output files, and manipulate the TIFF processing order, which triggers the buffer overflow by causing the readSeparateStripsIntoBuffer function to access memory beyond the allocated bounds of the srcbuffs array.
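The kind of check that keeps a fixed-size per-sample array in bounds when a directory is malformed, as an added example (not libtiff's code and not its actual fix). It assumes a simplified model in which the array is indexed by a per-sample count read from the file; dir_info, SRCBUFFS_CAP, validate_dir and fill_srcbuffs are hypothetical names, and the sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SRCBUFFS_CAP 8 /* assumed size of the fixed stack array (hypothetical) */

/* Hypothetical, simplified view of directory fields read from the file. */
struct dir_info {
    uint16_t samples_per_pixel;        /* one plane (and one buffer) per sample */
    uint32_t strips_per_plane;
    const uint64_t *strip_bytecounts;  /* NULL when StripByteCounts is missing */
    size_t n_bytecounts;
};

enum dir_check { DIR_OK, DIR_BAD_SAMPLES, DIR_NO_BYTECOUNTS, DIR_COUNT_MISMATCH, DIR_STRIP_TOO_LARGE };

/* Reject the directory before any per-sample array is indexed. */
enum dir_check validate_dir(const struct dir_info *d, size_t stripsize) {
    if (d->samples_per_pixel == 0 || d->samples_per_pixel > SRCBUFFS_CAP)
        return DIR_BAD_SAMPLES;
    if (d->strip_bytecounts == NULL || d->strips_per_plane == 0)
        return DIR_NO_BYTECOUNTS;
    /* Separate planes: one byte count per strip per sample. */
    if (d->n_bytecounts != (size_t)d->strips_per_plane * d->samples_per_pixel)
        return DIR_COUNT_MISMATCH;
    for (size_t i = 0; i < d->n_bytecounts; i++)
        if (d->strip_bytecounts[i] > stripsize)
            return DIR_STRIP_TOO_LARGE;
    return DIR_OK;
}

/* Point each slot at its slice of pool; returns slots used, or -1 if rejected. */
int fill_srcbuffs(const struct dir_info *d, unsigned char *pool, size_t pool_len,
                  size_t stripsize, unsigned char *srcbuffs[SRCBUFFS_CAP]) {
    if (validate_dir(d, stripsize) != DIR_OK)
        return -1;
    if (stripsize == 0 || pool_len / stripsize < d->samples_per_pixel)
        return -1;
    for (uint16_t s = 0; s < d->samples_per_pixel; s++)
        srcbuffs[s] = pool + (size_t)s * stripsize;
    return d->samples_per_pixel;
}

int main(void) {
    uint64_t counts[6] = {10, 10, 10, 10, 10, 10};   /* constructed sample */
    struct dir_info nine = {9, 2, counts, 6};        /* 9 samples > capacity */
    unsigned char pool[48], *bufs[SRCBUFFS_CAP] = {0};
    printf("9-sample directory: %d\n", fill_srcbuffs(&nine, pool, sizeof pool, 16, bufs));
    return 0;
}
```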

Remediation

Users are advised to update to libtiff version 4.7.1 or later, where this vulnerability has been fixed.

Added: Feb 23, 2026, 7:31 PM
Updated: Feb 23, 2026, 7:31 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 0.6
exploitability: 5.2
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.