VYPR
← All advisories
Unrated severityNVD Advisory· Published Oct 21, 2022· Updated May 7, 2025

CVE-2022-3597

CVE-2022-3597

Description

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

45

Patches

Vulnerability mechanics

Root cause

"Missing input validation allows incompatible crop and page-mode options to be used together, causing an out-of-bounds write in _TIFFmemcpy."

Attack vector

An attacker supplies a crafted TIFF file that, when processed by `tiffcrop` with specific option combinations (e.g. `-Z 1:4,3:3 -R 90 -H 300`), triggers a heap-buffer-overflow in `_TIFFmemcpy` [ref_id=1]. The overflow occurs because the crop options `-X`, `-Y`, `-Z`, or `-z` are used together with other `PAGE_MODE_x` options such as `-H`, `-V`, `-P`, `-J`, or `-K`, which the advisory explicitly states "are not supported and may cause buffer overflows" [ref_id=2]. No authentication is required; the attacker only needs to deliver the malformed file to a victim running `tiffcrop`.

Affected code

The out-of-bounds write occurs in `_TIFFmemcpy` at `libtiff/tif_unix.c:346`, called from `extractImageSection` at `tools/tiffcrop.c:6826` [ref_id=1]. The call chain continues through `writeImageSections` (tools/tiffcrop.c:7093) and `main` (tools/tiffcrop.c:2451) [ref_id=1]. The heap buffer is allocated by `limitMalloc` (tools/tiffcrop.c:627) via `loadImage` (tools/tiffcrop.c:6220) [ref_id=1].

What the fix does

The fix (commit 236b7191) adds input validation in `process_command_opts` to reject unsupported option combinations at startup [ref_id=2]. Specifically, it checks whether any of the crop options (`-X`, `-Y`, `-Z`, `-z`) are active together with other `PAGE_MODE_x` options (such as `-H`, `-V`, `-P`, `-J`, `-K`) and exits with an error message if so [ref_id=2]. The commit also updates documentation (the man page, source comments, and usage string) to add "Note 2" warning that these combinations "are not supported and may cause buffer overflows" [ref_id=2]. By preventing the dangerous option combination from reaching the cropping logic, the patch closes the code path that led to the heap-buffer-overflow.

Preconditions

  • inputVictim must run tiffcrop with a combination of crop options (-X, -Y, -Z, or -z) together with other PAGE_MODE_x options (-H, -V, -P, -J, or -K)
  • inputAttacker must supply a crafted TIFF file that triggers the overflow when processed with those options

Reproduction

Build libtiff with AddressSanitizer (`CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared; make -j; make install`). Then run: `./build_asan/bin/tiffcrop -Z 1:4,3:3 -R 90 -H 300 -i poc /tmp/foo` using the provided PoC file [ref_id=1]. The tool will crash with a heap-buffer-overflow in `_TIFFmemcpy` at `tif_unix.c:346` [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.