libtiff Signed Integer Overflow Vulnerability Leading to Out-of-Bounds Heap Write

Vulnerability

A signed integer overflow vulnerability has been identified in the libtiff library, specifically within the putcontig8bitYCbCr44tile function. It is triggered when the function processes a specially crafted TIFF file that has an extremely large width and specific YCbCr subsampling. The overflow occurs in the calculation of a pointer progression variable, so the memory pointers move in the negative direction instead of advancing. Remote attackers can exploit this flaw to perform out-of-bounds writes to the heap, potentially leading to application crashes or arbitrary code execution.
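
The overflow class described above, as an added example that is not libtiff's code: a simplified model (assumption) of a signed 32-bit pointer stride computed from the image width, beside a range-checked version. The stride formula, the function names and the sample widths are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption, not libtiff's code): a tile routine steps
 * its output pointer by a signed 32-bit stride derived from the image
 * width w and a row skew. The formula below is illustrative only. */
static int64_t stride_exact(uint32_t w, int32_t skew)
{
    return (int64_t)3 * w + (int64_t)4 * skew;  /* cannot overflow 64 bits */
}

/* Unchecked: the value is stored in 32 bits, so a large w wraps it.
 * (Narrowing to int32_t wraps modulo 2^32 on mainstream compilers.) */
int32_t stride_unchecked(uint32_t w, int32_t skew)
{
    return (int32_t)(uint32_t)stride_exact(w, skew);
}

/* Checked: refuse the image when the exact stride does not fit int32_t. */
bool stride_checked(uint32_t w, int32_t skew, int32_t *out)
{
    int64_t exact = stride_exact(w, skew);
    if (exact < INT32_MIN || exact > INT32_MAX)
        return false;
    *out = (int32_t)exact;
    return true;
}

int main(void)
{
    /* Constructed sample widths: one ordinary, one extremely large. */
    const uint32_t widths[] = { 1024u, 800000000u };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        int32_t s = 0;
        bool ok = stride_checked(widths[i], 0, &s);
        printf("w=%u unchecked=%d checked=%s\n", (unsigned)widths[i],
               (int)stride_unchecked(widths[i], 0), ok ? "accepted" : "rejected");
    }
    return 0;
}
```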

Impact

Exploitation of this vulnerability can cause application crashes or allow for arbitrary code execution.

Reproduction

To reproduce this vulnerability, use a TIFF file that is crafted to have an extremely large width and specific YCbCr subsampling that triggers the signed integer overflow in the putcontig8bitYCbCr44tile function. When this file is processed by an application linked against the libtiff library, the overflow can be exploited, leading to an out-of-bounds heap write.

Remediation

Avoid processing untrusted or maliciously crafted TIFF files with applications that use the libtiff library. If it is necessary to process such files, consider running the applications in a sandboxed environment to limit the potential impact of exploitation.

Added: Mar 24, 2026, 3:21 PM
Updated: Mar 24, 2026, 3:21 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 7.5
exploitability: 4.0
remediation: 7.9
relevance: 4.6
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.