Unrated severity · NVD Advisory · Published Mar 7, 2022 · Updated Aug 2, 2024

CVE-2022-0865

Description

Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 5e180045.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

36

Patches

Vulnerability mechanics

Root cause

"Reachable assertion failure in TIFFReadAndRealloc due to corrupted buffer state when processing a crafted TIFF file."

Attack vector

An attacker provides a crafted TIFF file that, when processed by `tiffcp`, triggers a reachable assertion failure in `TIFFReadAndRealloc` at `tif_read.c:99` [ref_id=1]. The crafted file contains numerous malformed tags, invalid directory ordering, and corrupted Fax4-encoded strip data that cause the internal buffer state to violate the `TIFF_MYBUFFER` flag assertion [ref_id=1]. The attack requires no authentication and is delivered over the network if the victim can be made to run `tiffcp` on the malicious file [ref_id=1].

Affected code

The crash occurs in `TIFFReadAndRealloc` in `tif_read.c:99` [ref_id=1]. The assertion `(tif->tif_flags & TIFF_MYBUFFER) != 0` fails when `tiffcp` processes a crafted TIFF file [ref_id=1]. The issue is reachable through the `tiffcp` utility and is triggered during the reading of malformed TIFF directory entries and strip data [ref_id=1].

What the fix does

The fix is available in commit 5e180045. The patch addresses the assertion failure by ensuring that the buffer state is correctly managed before `TIFFReadAndRealloc` is called, preventing the `TIFF_MYBUFFER` flag from being unexpectedly unset when reading malformed strip data. Users who compile libtiff from sources should apply this commit [ref_id=1].

Preconditions

  • input: Victim must run tiffcp on a crafted TIFF file
  • auth: No authentication required

Reproduction

Use the provided PoC file (`poc`) and run `tiffcp poc /tmp/foo`. The tool will output numerous TIFF warnings and then crash with the assertion failure ``tif_read.c:99: TIFFReadAndRealloc: Assertion `(tif->tif_flags & TIFF_MYBUFFER) != 0' failed.`` [ref_id=1].
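
One way a batch pipeline can contain this failure mode, as an added example (not code from libtiff or from this advisory): run `tiffcp` in a child process and recognise the abort by the assertion text quoted above. The function names, verdict labels and the sample stderr are assumptions constructed for illustration.

```python
import os
import re
import signal
import subprocess

# glibc assert() message shape, as in the assertion text quoted in Reproduction.
ASSERT_RE = re.compile(
    r"(?P<file>[\w./-]+):(?P<line>\d+): (?P<func>\w+): "
    r"Assertion [`'](?P<expr>.+)' failed\."
)

# Constructed sample stderr (the warning line is illustrative, not real tool output).
SAMPLE_STDERR = (
    "TIFFReadDirectory: Warning, constructed example warning.\n"
    "tiffcp: tif_read.c:99: TIFFReadAndRealloc: "
    "Assertion `(tif->tif_flags & TIFF_MYBUFFER) != 0' failed.\n"
)

def classify(returncode, stderr):
    """Map a finished tiffcp run to a verdict (labels are hypothetical)."""
    m = ASSERT_RE.search(stderr)
    if m:
        # Reachable assertion: the input, not the host, is at fault. Quarantine it.
        return {"verdict": "assertion", "site": f"{m['file']}:{m['line']}",
                "func": m["func"], "expr": m["expr"]}
    if returncode < 0:
        # subprocess reports death by signal N as -N (assert() raises SIGABRT).
        return {"verdict": "crash", "signal": signal.Signals(-returncode).name}
    if returncode != 0:
        return {"verdict": "error", "code": returncode}
    return {"verdict": "ok"}

def convert_untrusted(src, dst, timeout=30):
    """Run tiffcp on one untrusted file in a child process and classify the result."""
    # Absolute paths cannot be mistaken for command-line options.
    argv = ["tiffcp", os.path.abspath(src), os.path.abspath(dst)]
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              errors="replace", timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"verdict": "timeout"}
    return classify(proc.returncode, proc.stderr)

if __name__ == "__main__":
    print(classify(-signal.SIGABRT, SAMPLE_STDERR))
```

Because the abort happens in the child, a worker that calls `convert_untrusted` keeps running and can log the assertion site and set the offending file aside.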

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8
