CVE-2022-4645
Description
LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:948, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
5- osv-coords3 versions
< 4.4.0-7.el9+ 2 more
- (no CPE)range: < 4.4.0-7.el9
- (no CPE)range: < 4.4.0-7.el9
- (no CPE)range: < 4.4.0-7.el9
Patches
Vulnerability mechanics
Root cause
"Missing bounds validation on the TIFFTAG_INKNAMES string allows a heap-buffer-overflow read when strlen() is called on an unterminated ink-name buffer in tiffcp."
Attack vector
An attacker crafts a TIFF file with a malformed TIFFTAG_INKNAMES tag whose value lacks a NUL terminator within the declared buffer length. When the tiffcp utility (tools/tiffcp.c:948) calls strlen() on this buffer, it reads past the allocated heap region, causing a heap-buffer-overflow [ref_id=2]. The overflow is a read of size 1 at the byte immediately after the 15-byte allocation, which results in a denial-of-service (crash) [ref_id=2]. No authentication or special privileges are required; the attacker only needs to deliver the crafted TIFF file to a victim who processes it with tiffcp.
Affected code
The out-of-bounds read occurs in tools/tiffcp.c at line 948, where strlen() is called on an ink-name buffer that lacks a NUL terminator [ref_id=2]. The root cause is in libtiff's handling of TIFFTAG_INKNAMES in _TIFFVSetField() (libtiff/tif_dir.c), where the old checkInkNamesString() function assumed the buffer contained exactly td_samplesperpixel NUL-terminated names without verifying that a NUL byte exists within the allocated length [ref_id=1].
What the fix does
The commit e8131125 [ref_id=1] replaces the old checkInkNamesString() function with countInkNamesString(), which iterates through the ink-name buffer using a pointer (cp) bounded by the buffer end (ep = s + slen) instead of relying on td_samplesperpixel. It also adds proper validation when setting TIFFTAG_INKNAMES: the new countInkNamesString() returns the number of NUL-separated ink names found, and the code now rejects the tag if no NUL is found at the expected buffer end location. Additionally, TIFFTAG_NUMBEROFINKS is promoted from FIELD_CUSTOM to its own field bit FIELD_NUMBEROFINKS, ensuring consistent handling between InkNames and NumberOfInks tags during both read and write operations [ref_id=1].
Preconditions
- inputVictim must process a crafted TIFF file using the tiffcp utility (or any tool that triggers the vulnerable code path).
- inputThe crafted TIFF file must contain a TIFFTAG_INKNAMES tag with a buffer that lacks a NUL terminator within its declared length.
Reproduction
1. Compile libtiff 4.3.0 (or 4.4.0) with AddressSanitizer: `export CFLAGS="-O -g -fsanitize=address"` and `./configure --prefix=$PWD/build_asan && make -j64 && make install`. 2. Obtain the PoC file from the issue tracker (attached as `poc_tiffcp_948` in [ref_id=2]). 3. Run `./build_asan/bin/tiffcp poc /tmp/foo`. 4. Observe the ASan report showing a heap-buffer-overflow read at `tiffcp.c:948` in `strlen()` [ref_id=2].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZTFA6GGOKFPIQNHDBMXYUR4XUXUJESE/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BA6GRCAQ7NR2OK5N44UQRGUJBIYKWJJH/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLM763GGZVVOAXIQXG6YGTYJ5VFYNECQ/mitrevendor-advisory
- gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4645.jsonmitre
- gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246mitre
- gitlab.com/libtiff/libtiff/-/issues/277mitre
- security.netapp.com/advisory/ntap-20230331-0001/mitre
News mentions
0No linked articles in our index yet.