CVE-2013-4231
Description
Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) extension block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3) a long filename for a TIFF image to tools/rgb2ycbcr.c. NOTE: vectors 1 and 3 are disputed by Red Hat, which states that the input cannot exceed the allocated buffer size.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:libtiff:libtiff:*:*:*:*:*:*:*:* (range: <=4.0.2)
- cpe:2.3:a:libtiff:libtiff:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:libtiff:libtiff:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:libtiff:libtiff:4.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:libtiff:libtiff:4.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:libtiff:libtiff:4.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:libtiff:libtiff:4.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:libtiff:libtiff:4.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:libtiff:libtiff:4.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:libtiff:libtiff:4.0:beta6:*:*:*:*:*:*
- (no CPE) (range: <4.0.3)
Patches
Vulnerability mechanics
Root cause
"Missing input validation on datasize, count, and filename length allows out-of-bounds writes in libtiff tools."
Attack vector
An attacker supplies a crafted GIF image or a TIFF image with a long filename. For the GIF LZW decoder issue, the malicious file provides a `datasize` value (e.g., 22) that causes the decoder to compute a `clear` code of 4194304 (`1 << 22`). The subsequent loop `for (code = 0; code < clear; code++)` writes beyond the bounds of the fixed-size `prefix[]` and `suffix[]` arrays, corrupting memory. Similarly, a crafted GIF extension block can supply a `count` larger than 255 that is passed directly to `fread(buf,1,count,infile)`, overflowing a 255-byte buffer. For the `rgb2ycbcr` overflow, a filename longer than 2048 characters triggers a buffer overflow via `sprintf` [CWE-119].
Affected code
The vulnerabilities reside in the `tools/gif2tiff.c` and `tools/rgb2ycbcr.c` tools of libtiff before 4.0.3. In `gif2tiff.c`, the GIF LZW decoder lacks a check on the `datasize` value read from the input file, causing an out-of-bounds memory write during the buffer clearing loop. Another overflow in `gif2tiff.c` occurs when `fread(buf,1,count,infile)` reads attacker-controlled `count` bytes into a fixed 255-byte buffer. In `rgb2ycbcr.c`, a `sprintf` call writes a potentially oversized filename into a 2048-byte stack buffer.
What the fix does
The upstream CVS commit (revision 1.13, 2013-08-14) addressed the GIF LZW datasize issue by adding input validation that rejects corrupt or hostile `datasize` values before they reach the decoding loop. For the `rgb2ycbcr` filename overflow, the earlier fix for CVE-2013-1961 already replaced the vulnerable `sprintf` call with `snprintf`, limiting the copy to the buffer size. These changes prevent out-of-bounds memory writes from crafted input files [ref_id=2].
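A minimal sketch of the kind of `datasize` validation described above, as an added example that is not libtiff's code or the upstream patch. The names `lzw_init_tables` and `LZW_TABLE_SIZE` are hypothetical, and the 4096-entry table size is an assumption based on GIF's 12-bit LZW code space.

```c
#include <stdio.h>

/* Assumption: 4096-entry tables, the 12-bit GIF LZW code space. */
#define LZW_TABLE_SIZE 4096

static int prefix[LZW_TABLE_SIZE];
static unsigned char suffix[LZW_TABLE_SIZE];

/*
 * Hypothetical helper. Validates the LZW minimum code size read from the
 * image data, then seeds the tables. Returns the clear code, or -1 when the
 * value must be rejected. Without the checks, datasize = 22 would make the
 * loop below run to 4194304 and write far past both arrays.
 */
int lzw_init_tables(int datasize)
{
    int clear, code;

    /* getc() returns EOF (-1) on a truncated file; also bound the shift. */
    if (datasize < 1 || datasize > 12)
        return -1;
    clear = 1 << datasize;
    /* The clear and end-of-information codes must fit, with room to grow. */
    if (clear + 2 > LZW_TABLE_SIZE)
        return -1;

    for (code = 0; code < clear; code++) {
        prefix[code] = 0;
        suffix[code] = (unsigned char)code;
    }
    return clear;
}

int main(void)
{
    /* Constructed sample values: a normal 8-bit image, the page's 22, EOF. */
    int samples[] = { 8, 22, -1 };
    for (int i = 0; i < 3; i++)
        printf("datasize %d -> %d\n", samples[i], lzw_init_tables(samples[i]));
    return 0;
}
```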
Preconditions
- input: Attacker must supply a crafted GIF or TIFF file that triggers the vulnerable code paths in gif2tiff or rgb2ycbcr.
- auth: Victim or automated system must process the malicious file with one of the affected libtiff tools.
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secunia.com/advisories/54543 (nvd, Vendor Advisory)
- secunia.com/advisories/54628 (nvd, Vendor Advisory)
- bugzilla.maptools.org/show_bug.cgi (nvd)
- rhn.redhat.com/errata/RHSA-2014-0223.html (nvd)
- www.asmail.be/msg0055359936.html (nvd)
- www.debian.org/security/2013/dsa-2744 (nvd)
- www.openwall.com/lists/oss-security/2013/08/10/2 (nvd)
- www.securityfocus.com/bid/61695 (nvd)
- bugzilla.redhat.com/show_bug.cgi (nvd)