A denial of service flaw was found in the way libtiff parsed certain tiff files. An attacker could use this flaw to create a specially crafted TIFF file that would cause an application using libtiff to exhaust all available memory on the system.
Created libtiff tracking bugs for this issue:
Affects: fedora-all [bug 1265999]
Created mingw-libtiff tracking bugs for this issue:
Affects: fedora-all [bug 1266000]
On Fedora and RHEL7, disabling memory overcommit (echo 2 > /proc/sys/vm/overcommit_memory) seems to "fix" this issue. Thus, there is nothing wrong with the libtiff code. Instead, the memory overcommit will prevent certain memory errors to be passed to the libtiff code, ultimately "bypassing" the libtiff error checks, leading to an OOM kill instead of a libtiff exit.
On RHEL6, it detects and integer overflow and exits:
TIFFReadDirectory: Warning, oom.tif: Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
oom.tif: Integer overflow in TIFFVStripSize.
TIFFReadDirectory: oom.tif: cannot handle zero strip size.
A variant with "bus error" was seen libtiff 3.4 http://markmail.org/message/igqy46wj7kzhnkjv