CVE-2022-2953
Description
LibTIFF 4.4.0 has an out-of-bounds read in extractImageSection in tools/tiffcrop.c:6905, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 48d6ece8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- osv-coords: 3 versions, < 4.0.9-26.el8_7 (+ 2 more)
  - (no CPE) range: < 4.0.9-26.el8_7
  - (no CPE) range: < 4.0.9-26.el8_7
  - (no CPE) range: < 4.0.9-26.el8_7
Patches
Vulnerability mechanics
Root cause
"Missing mutual-exclusivity validation allows the `-S` option to be combined with other crop options, causing `extractImageSection` to read past the allocated image buffer."
Attack vector
An attacker provides a crafted TIFF file and invokes `tiffcrop` with a combination of mutually exclusive options such as `-Z 1:4,3:3 -R 90 -H 300 -S 2:2 -i` [ref_id=1]. The tool reads the malformed TIFF, which triggers numerous TIFF tag warnings and errors, then `loadImage` allocates a heap buffer based on the image dimensions [ref_id=1]. When `extractImageSection` later processes the image data using the `-S` (rows/cols) option, it reads beyond the allocated buffer, causing a heap-buffer-overflow [ref_id=1]. The precondition is that the attacker must supply a crafted TIFF file and the victim must run `tiffcrop` with the conflicting option combination.
Affected code
The vulnerability is in `extractImageSection` at `tools/tiffcrop.c:6905` [ref_id=1]. The heap-buffer-overflow occurs when `tiffcrop` processes a crafted TIFF file with the `-S` option combined with other crop options (`-Z`, `-R`, `-H`) that are supposed to be mutually exclusive [ref_id=1][ref_id=2]. The `loadImage` function allocates a buffer of 1,142,421 bytes, but `extractImageSection` reads one byte past the end of that allocation [ref_id=1].
What the fix does
The fix, commit 48d6ece8, adds the `-S` option to the mutual-exclusivity check in `process_command_opts` [ref_id=2]. Previously the code only checked that `(-X|-Y)`, `-Z`, and `-z` were mutually exclusive; the `-S` option (which sets `PAGE_MODE_ROWSCOLS`) was not included in the validation [ref_id=2]. The patch updates the comment, the `CROP_NONE` definition, the `PAGE_MODE_ROWSCOLS` comment, the usage string, and the validation logic to treat `-S` as mutually exclusive with the other crop options, causing `tiffcrop` to exit with an error if conflicting options are supplied [ref_id=2].
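The mutual-exclusivity check described above, modelled as an added C example (not libtiff's own code; the flag names, values and function names are assumptions chosen to mirror the description). With `pre_fix = 1` the `-S` mode is ignored, as before the fix, so `-Z` together with `-S` passes; with `pre_fix = 0` it is counted like the other crop modes and the combination is rejected.

```c
#include <stdio.h>

/* Illustrative flag values (assumed for this example, not libtiff's real constants). */
#define CROP_NONE      0
#define CROP_WIDTH     0x01   /* -X */
#define CROP_LENGTH    0x02   /* -Y */
#define CROP_ZONES     0x04   /* -Z */
#define CROP_REGIONS   0x08   /* -z */

#define PAGE_MODE_NONE     0
#define PAGE_MODE_ROWSCOLS 0x01   /* -S rows:cols */

/* Count how many mutually exclusive crop modes were requested.
 * -X and -Y together count as one mode, mirroring the "(-X|-Y)" grouping.
 * pre_fix = 1 models the vulnerable check, which never looked at -S;
 * pre_fix = 0 models the corrected check, which counts -S as well. */
int count_crop_modes(unsigned crop_mode, unsigned page_mode, int pre_fix)
{
    int xy = (crop_mode & (CROP_WIDTH | CROP_LENGTH)) != 0;
    int z  = (crop_mode & CROP_ZONES) != 0;
    int r  = (crop_mode & CROP_REGIONS) != 0;
    int s  = pre_fix ? 0 : ((page_mode & PAGE_MODE_ROWSCOLS) != 0);
    return xy + z + r + s;
}

/* Returns 0 when the option combination is acceptable, -1 when it must be rejected
 * before any image buffer is allocated or sectioned. */
int validate_crop_modes(unsigned crop_mode, unsigned page_mode, int pre_fix)
{
    if (count_crop_modes(crop_mode, page_mode, pre_fix) > 1) {
        fprintf(stderr, "tiffcrop input error: (-X|-Y), -Z, -z and -S "
                        "are mutually exclusive\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    /* The conflicting pair named in the report: -Z (zones) together with -S (rows/cols). */
    unsigned crop_mode = CROP_ZONES;
    unsigned page_mode = PAGE_MODE_ROWSCOLS;
    printf("pre-fix check:  %s\n",
           validate_crop_modes(crop_mode, page_mode, 1) == 0 ? "accepted" : "rejected");
    printf("post-fix check: %s\n",
           validate_crop_modes(crop_mode, page_mode, 0) == 0 ? "accepted" : "rejected");
    return 0;
}
```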
Preconditions
- Input: attacker must supply a crafted TIFF file that triggers the heap-buffer-overflow
- Input: victim must run tiffcrop with a combination of mutually exclusive options (e.g., -Z and -S together)
Reproduction
Build libtiff with AddressSanitizer enabled (`CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer"`). Run: `./build_asan/bin/tiffcrop -Z 1:4,3:3 -R 90 -H 300 -S 2:2 -i poc /tmp/foo` where `poc` is the crafted TIFF file [ref_id=1]. The tool will crash with a heap-buffer-overflow at `extractImageSection` in `tiffcrop.c:6905` [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.debian.org/security/2023/dsa-5333 (mitre, vendor-advisory)
- gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-2953.json (mitre)
- gitlab.com/libtiff/libtiff/-/commit/48d6ece8389b01129e7d357f0985c8f938ce3da3 (mitre)
- gitlab.com/libtiff/libtiff/-/issues/414 (mitre)
- security.netapp.com/advisory/ntap-20221014-0008/ (mitre)