An Out-of-bounds write vulnerability caused by heap overflow when using tiffcrop tool was found in the libtiff library. The vulnerability is in loadImage() function in tiffcrop.c. loadImage() will read the numbers of tiles by calling TIFFNumberOfTiles(). However, if the numbers of tiles is 0, loadImage() will still read tile data by calling readContigTilesIntoBuffer() from the image, regardless of the numbers. In that case, loadImage() will allocate 3 bytes in the heap to store a tile data. This creates a potential attack vector via crafted tiff tiles, which may result in DoS or code execution. Upstream bug report: http://bugzilla.maptools.org/show_bug.cgi?id=2543
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html
It would have been good to attach your patch to the upstream bug instead of letting libtiff maintainers to dig into the .src.rpm
*** Bug 1346683 has been marked as a duplicate of this bug. ***