A buffer overflow vulnerability was reported in the libtiff library, in the gif2tiff component. A maliciously crafted file could cause the application to crash. Original bug report with reproducer: https://bugzilla.redhat.com/show_bug.cgi?id=1319503
Acknowledgments: Name: Aladdin Mubaied
Created libtiff tracking bugs for this issue: Affects: fedora-all [bug 1322307]
Created mingw-libtiff tracking bugs for this issue: Affects: fedora-all [bug 1322309]
Created mingw-libtiff tracking bugs for this issue: Affects: epel-7 [bug 1322310]
Also disclosed on oss-security mailing list via: http://www.openwall.com/lists/oss-security/2016/03/30/2
Created attachment 1144235: Patch solving this buffer overflow
When getc detects that it is at the end of file, it returns EOF, which is a negative number. The exact value depends on the implementation, but it is always a negative number. On Linux it is normally -1. That while loop checks only whether the count is <= 255. If the count is negative, that condition is satisfied. Nonetheless, in the subsequent fread, the count is cast to size_t, where it becomes a huge number, hence the buffer overflow. This patch adds a check that the return value of getc is positive, which solves the buffer overflow.
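As an added example (not the attached patch or libtiff's own code), the two checks side by side: the original `count <= 255` test letting EOF through into a size_t, beside a hardened sub-block reader that stops on EOF before the conversion and also bounds every fread by the destination capacity. The sample streams and the function names here are constructed for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Mirrors the original loop test: a negative EOF satisfies `count <= 255`,
 * and the cast to size_t that follows turns it into a huge read length. */
size_t original_length_check(int count) {
    return count <= 255 ? (size_t)count : 0;   /* EOF (-1) becomes SIZE_MAX */
}

/* Hardened reader for GIF-style sub-blocks (length byte, then that many data
 * bytes; a zero length byte terminates). Stops on EOF before any size_t
 * conversion and never writes past `cap`. Returns bytes copied into `out`,
 * or -1 for a truncated or oversized stream. */
long read_subblocks(FILE *fp, unsigned char *out, size_t cap) {
    long total = 0;
    int count;
    while ((count = getc(fp)) > 0) {             /* 0 and EOF both end the loop */
        if ((size_t)count > cap - (size_t)total)
            return -1;                           /* would overflow out */
        if (fread(out + total, 1, (size_t)count, fp) != (size_t)count)
            return -1;                           /* data bytes missing */
        total += count;
    }
    return count == 0 ? total : -1;              /* 0 = terminator, EOF = truncated */
}

/* Constructed sample streams (not taken from any real GIF file). */
static const unsigned char kGood[]    = {3, 'a', 'b', 'c', 2, 'd', 'e', 0};
static const unsigned char kCutData[] = {3, 'a', 'b'};        /* block body truncated */
static const unsigned char kNoTerm[]  = {3, 'a', 'b', 'c'};   /* EOF where a count byte should be */
static unsigned char g_out[256];

/* Feed an in-memory stream through the hardened reader with capacity `cap`. */
long run_sample(const unsigned char *data, size_t len, size_t cap) {
    FILE *fp = fmemopen((void *)data, len, "r");
    if (fp == NULL) return -1;
    memset(g_out, 0, sizeof g_out);
    long n = read_subblocks(fp, g_out, cap < sizeof g_out ? cap : sizeof g_out);
    fclose(fp);
    return n;
}

int main(void) {
    printf("EOF as size_t: %zu\n", original_length_check(EOF));
    printf("good=%ld cut=%ld noterm=%ld small_buf=%ld\n",
           run_sample(kGood, sizeof kGood, 256), run_sample(kCutData, sizeof kCutData, 256),
           run_sample(kNoTerm, sizeof kNoTerm, 256), run_sample(kGood, sizeof kGood, 4));
    return 0;
}
```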
For your information, I noticed an additional buffer overflow issue in readgifimage(), which has been reported to upstream in http://bugzilla.maptools.org/show_bug.cgi?id=2552
CVE-2016-5102 has been assigned to the buffer overflow issue in readgifimage(), which was reported in http://bugzilla.maptools.org/show_bug.cgi?id=2552. I am not sure how this should be reported to bugzilla.redhat.com as a separate issue.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2053 https://access.redhat.com/errata/RHSA-2019:2053