CVE-2012-1173
Description
Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Integer overflow in tile/strip size multiplication in tif_getimage.c leads to undersized heap allocation and buffer overflow."
Attack vector
An attacker crafts a TIFF file with a malicious tile size (or strip size) that, when multiplied by 3 or 4 inside `gtTileSeparate` or `gtStripSeparate`, causes an integer overflow. The overflowed value is passed to `_TIFFmalloc`, allocating an undersized heap buffer, and subsequent writes overflow that buffer, leading to arbitrary code execution. The attack is delivered over the network by tricking a user or service into processing the malformed TIFF file. [ref_id=1]
What the fix does
The patch replaces the direct multiplication `(alpha?4:3)*tilesize` (and the analogous `stripsize` expression) with a call to `TIFFSafeMultiply`, which checks for overflow before performing the multiplication. If overflow is detected, `bufsize` is set to 0, the allocation is skipped, and an error is returned instead of proceeding with a corrupted size. The same safe-multiply result is also used for the subsequent `_TIFFmemset` call, ensuring the memset operates on the correctly computed buffer size. [ref_id=1]
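Added example, not LibTIFF's code or the patch itself: a C sketch of the buffer-size computation described above, in its unchecked form beside a checked form that yields 0 on overflow. Sizes are modeled as `uint32_t`, the helper names `unchecked_bufsize`, `checked_bufsize` and `alloc_planes` are assumptions for illustration, and the sample tile sizes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked form: (alpha ? 4 : 3) * tilesize in 32-bit arithmetic.
 * uint32_t is used so that the wraparound is well defined in C. */
uint32_t unchecked_bufsize(int alpha, uint32_t tilesize)
{
    return (uint32_t)(alpha ? 4 : 3) * tilesize;
}

/* Hypothetical stand-in for the checked multiply: returns 0 when the
 * product does not fit in 32 bits, matching "bufsize is set to 0". */
uint32_t checked_bufsize(int alpha, uint32_t tilesize)
{
    uint32_t planes = alpha ? 4u : 3u;
    if (tilesize > UINT32_MAX / planes)
        return 0;
    return planes * tilesize;
}

/* Caller pattern after the fix: a bufsize of 0 skips the allocation and
 * reports an error. Returns 0 on success, -1 when the size is rejected. */
int alloc_planes(int alpha, uint32_t tilesize, unsigned char **out)
{
    uint32_t bufsize = checked_bufsize(alpha, tilesize);
    *out = NULL;
    if (bufsize == 0)
        return -1;
    *out = calloc(1, bufsize);   /* zeroed, sized from the checked value */
    return *out ? 0 : -1;
}

int main(void)
{
    uint32_t sizes[] = { 65536u, 0x55555556u };   /* constructed samples */
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        unsigned char *buf;
        int rc = alloc_planes(0, sizes[i], &buf);
        printf("tilesize=%u unchecked=%u checked=%u alloc=%s\n",
               (unsigned)sizes[i], (unsigned)unchecked_bufsize(0, sizes[i]),
               (unsigned)checked_bufsize(0, sizes[i]), rc == 0 ? "ok" : "rejected");
        free(buf);
    }
    return 0;
}
```

With the second sample the unchecked product wraps to a 2-byte request while the data to be written is far larger; the checked path rejects the size before any allocation happens.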
Preconditions
- Input: The attacker must supply a TIFF file with a crafted tile or strip size that triggers an integer overflow when multiplied by 3 or 4.
- Input: The victim must open the malicious TIFF file with a vulnerable version of LibTIFF (3.9.4).
Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secunia.com/advisories/48684 (nvd, Vendor Advisory)
- secunia.com/advisories/48722 (nvd, Vendor Advisory)
- secunia.com/advisories/48735 (nvd, Vendor Advisory)
- secunia.com/advisories/48757 (nvd, Vendor Advisory)
- secunia.com/advisories/48893 (nvd, Vendor Advisory)
- bugzilla.maptools.org/attachment.cgi (nvd)
- bugzilla.maptools.org/show_bug.cgi (nvd)
- home.gdal.org/private/zdi-can-1221/zdi-can-1221.txt (nvd)
- lists.apple.com/archives/security-announce/2012/Sep/msg00003.html (nvd)
- lists.apple.com/archives/security-announce/2012/Sep/msg00004.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2012-April/077463.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2012-April/078403.html (nvd)
- lists.fedoraproject.org/pipermail/package-announce/2012-April/078835.html (nvd)
- rhn.redhat.com/errata/RHSA-2012-0468.html (nvd)
- secunia.com/advisories/50726 (nvd)
- security.gentoo.org/glsa/glsa-201209-02.xml (nvd)
- support.apple.com/kb/HT5501 (nvd)
- support.apple.com/kb/HT5503 (nvd)
- ubuntu.com/usn/usn-1416-1 (nvd)
- www.debian.org/security/2012/dsa-2447 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.osvdb.org/81025 (nvd)
- www.securityfocus.com/bid/52891 (nvd)
- www.securitytracker.com/id (nvd)
- downloads.avaya.com/css/P8/documents/100161772 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/74656 (nvd)
- hermes.opensuse.org/messages/14302713 (nvd)