VYPR
Unrated severity · NVD Advisory · Published Sep 10, 2013 · Updated Apr 29, 2026

CVE-2013-4243

Description

Heap-based buffer overflow in the readgifimage function in the gif2tiff tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted height and width values in a GIF image.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • LibTIFF libtiff (60 versions)
    • cpe:2.3:a:libtiff:libtiff:*:*:*:*:*:*:*:* range: <=4.0.3
  • Debian debian_linux (2 versions)
    • cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
    • cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

Patches

Vulnerability mechanics

Root cause

"Missing bounds check in the LZW decompression loop within `process()` allows writing past the end of the heap-allocated raster buffer."

Attack vector

A remote attacker supplies a crafted GIF file with manipulated width and height values (e.g., setting them to 0 or decreasing them below the actual raster data size). When `gif2tiff` processes this file, the `readgifimage()` function allocates a heap buffer based on the declared dimensions, but the subsequent LZW decompression in `process()` writes more data than the buffer can hold, causing a heap-based buffer overflow [CWE-119]. This can lead to a crash or, potentially, arbitrary code execution with the privileges of the user running `gif2tiff` [ref_id=1].

Affected code

The vulnerability resides in the `readgifimage()` function in `tools/gif2tiff.c` (revision 1.15). The `rasterize()` function at line 476 and the `process()` function are also involved in the heap overflow path.

What the fix does

The patch (attached in comment #10 of [ref_id=1]) adds a bounds check inside the `process()` function: before writing a decoded byte to the raster buffer, it verifies `*fill < raster + width*height`. If the fill pointer has already reached or exceeded the end of the allocated raster, the function prints an error and returns early. This prevents the heap overflow by ensuring decompression stops when the buffer is full. Additionally, a check for zero width or height was added to `readgifimage()` to reject invalid dimensions early.
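As an added illustration, not libtiff's code and not the patch itself, the shape of the check described above in C: a raster allocated from the declared width*height, a fill pointer the decoder advances, and a write guard that refuses to step past raster + width*height and reports an error instead. The type and function names (raster_t, raster_alloc, raster_put, simulate) are assumptions, and the SIZE_MAX multiplication guard in raster_alloc is extra hardening added here, beyond what the page's patch describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Raster state in the shape the advisory describes: a heap buffer sized from
 * the GIF's declared width*height and a fill pointer. Names are assumptions. */
typedef struct {
    unsigned char *raster;
    unsigned char *fill;
    size_t size;            /* width * height, i.e. the end of the buffer */
} raster_t;

/* Mirrors the fix's early rejection of zero width/height. The SIZE_MAX check
 * is extra hardening added here, not part of the patch the page describes. */
static int raster_alloc(raster_t *r, unsigned width, unsigned height)
{
    if (width == 0 || height == 0) return -1;
    if ((size_t)width > SIZE_MAX / height) return -1;
    r->size = (size_t)width * height;
    r->raster = malloc(r->size);
    if (r->raster == NULL) return -1;
    r->fill = r->raster;
    return 0;
}

/* The bounds check the fix adds before each decoded byte is stored:
 * once fill has reached raster + width*height, report and stop. */
static int raster_put(raster_t *r, unsigned char byte)
{
    if (r->fill >= r->raster + r->size) {
        fprintf(stderr, "gif2tiff: decoded data exceeds raster\n");
        return -1;          /* caller must abort decompression */
    }
    *r->fill++ = byte;
    return 0;
}

/* Constructed scenario: a width*height raster fed decoded_len bytes of constant
 * 0xAB in place of real LZW output. Returns bytes accepted, -1 if rejected. */
static long simulate(unsigned width, unsigned height, size_t decoded_len)
{
    raster_t r;
    long accepted = 0;
    if (raster_alloc(&r, width, height) != 0) return -1;
    for (size_t i = 0; i < decoded_len && raster_put(&r, 0xAB) == 0; i++)
        accepted++;
    free(r.raster);
    return accepted;
}
```

With a 4x2 raster and 12 decoded bytes, exactly 8 are stored and the ninth write is refused, which is the point at which the unpatched loop would have written past the heap allocation.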

Preconditions

  • input: The attacker must provide a crafted GIF file with manipulated width/height values (e.g., zero or smaller than the actual raster data).
  • config: The victim must run the gif2tiff tool on the malicious GIF file.

Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
