CVE-2012-4564
Description
ppm2tiff does not check the return value of the TIFFScanlineSize function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PPM image that triggers an integer overflow, a zero-memory allocation, and a heap-based buffer overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:6.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Vulnerability mechanics
Root cause
"Missing return-value check of TIFFScanlineSize() in ppm2tiff allows a zero-size allocation and heap-based buffer overflow."
Attack vector
A remote attacker supplies a specially-crafted PPM image that triggers an integer overflow inside `TIFFScanlineSize()`, causing it to return zero [ref_id=1]. The `ppm2tiff` tool does not check this return value and passes zero to `_TIFFmalloc`, which allocates a minimum-size buffer. Later, `TIFFWriteScanline` writes image data into that undersized buffer, producing a heap-based buffer overflow that can crash the process or potentially execute arbitrary code with the user's privileges [ref_id=1].
Affected code
The vulnerable code is in `tools/ppm2tiff.c` at line 241, where the return value of `TIFFScanlineSize(out)` is not checked before being passed to `_TIFFmalloc`. When `TIFFScanlineSize` detects an integer overflow it returns zero, but the caller does not validate this result, leading to a zero-size allocation and subsequent heap-based buffer overflow when data is written via `TIFFWriteScanline`.
What the fix does
The upstream fix (committed 2012-11-01 by Frank Warmerdam) adds a check of the return value of `TIFFScanlineSize()` in `tools/ppm2tiff.c` [ref_id=1]. If the value is zero, the tool now handles the error gracefully instead of passing zero to `_TIFFmalloc`. This prevents the zero-size allocation and subsequent heap-based buffer overflow when writing scanline data.
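The unchecked and checked allocation patterns described above, as an added C example that is not the libtiff patch or code from this page. `scanline_size`, `row_buffer_unchecked` and `row_buffer_checked` are hypothetical stand-ins, and the 32-bit size arithmetic and sample dimensions are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the size routine (hypothetical, not libtiff code): returns
 * width * spp * bytes_per_sample, or 0 when the product wraps 32 bits. */
uint32_t scanline_size(uint32_t width, uint32_t spp, uint32_t bytes_per_sample)
{
    if (spp != 0 && width > UINT32_MAX / spp)
        return 0;
    uint32_t samples = width * spp;
    if (bytes_per_sample != 0 && samples > UINT32_MAX / bytes_per_sample)
        return 0;
    return samples * bytes_per_sample;
}

/* "Before" pattern: the size goes straight to the allocator. malloc(0) may
 * return a valid minimum-size chunk, so a NULL test alone does not catch it. */
unsigned char *row_buffer_unchecked(uint32_t width, uint32_t spp, uint32_t bps)
{
    return malloc(scanline_size(width, spp, bps));
}

/* Hardened pattern: reject 0 before allocating. Returns 0 and sets
 * *buf / *len on success, -1 on a bad size or allocation failure. */
int row_buffer_checked(uint32_t width, uint32_t spp, uint32_t bps,
                       unsigned char **buf, uint32_t *len)
{
    uint32_t linebytes = scanline_size(width, spp, bps);
    *buf = NULL;
    *len = 0;
    if (linebytes == 0)
        return -1;
    *buf = malloc(linebytes);
    if (*buf == NULL)
        return -1;
    *len = linebytes;
    return 0;
}

int main(void)
{
    unsigned char *buf;
    uint32_t len;
    /* Constructed dimensions: 0x80000000 * 3 wraps in 32-bit arithmetic. */
    int rc = row_buffer_checked(0x80000000u, 3, 1, &buf, &len);
    printf("checked: rc=%d len=%u\n", rc, (unsigned)len);
    free(row_buffer_unchecked(0x80000000u, 3, 1)); /* allocator saw size 0 */
    return rc == -1 ? 0 : 1;
}
```

Carrying the validated length alongside the buffer lets later row writes be bounded by `len` rather than by the image header's claimed width.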
Preconditions
- input: The attacker must supply a crafted PPM image file that causes an integer overflow in TIFFScanlineSize
- config: The victim must process the crafted PPM image with the ppm2tiff tool
Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- bugzilla.redhat.com/show_bug.cgi (nvd: Exploit, Issue Tracking, Patch, Third Party Advisory)
- lists.opensuse.org/opensuse-updates/2013-01/msg00076.html (nvd: Mailing List, Third Party Advisory)
- rhn.redhat.com/errata/RHSA-2012-1590.html (nvd: Third Party Advisory)
- secunia.com/advisories/51133 (nvd: Third Party Advisory, Vendor Advisory)
- www.debian.org/security/2012/dsa-2575 (nvd: Third Party Advisory)
- www.openwall.com/lists/oss-security/2012/11/02/3 (nvd: Mailing List, Third Party Advisory)
- www.openwall.com/lists/oss-security/2012/11/02/7 (nvd: Mailing List, Third Party Advisory)
- www.securityfocus.com/bid/56372 (nvd: Third Party Advisory, VDB Entry)
- www.ubuntu.com/usn/USN-1631-1 (nvd: Third Party Advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/79750 (nvd: Third Party Advisory, VDB Entry)
- www.osvdb.org/86878 (nvd: Broken Link)