VYPR
Unrated severity · NVD Advisory · Published Jan 23, 2023 · Updated Apr 3, 2025

CVE-2022-48281

Description

processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., "WRITE of size 307203") via a crafted TIFF image.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

38

Vulnerability mechanics

Root cause

"Incorrect buffer size calculation in processCropSelections leads to a heap-buffer-overflow when memset writes beyond the allocated region."

Attack vector

An attacker supplies a crafted TIFF image that is then processed by `tiffcrop` with the `-Z` (crop zones) and `-e divided` options. The tool reads the malformed image, emits numerous warnings about unknown tags and a missing PhotometricInterpretation, and continues processing. When `processCropSelections` computes the crop buffer size, it underestimates the required space, leading to a heap-buffer-overflow of size 307203 during a `memset` operation [ref_id=1].

Affected code

The vulnerability resides in `processCropSelections` in `tools/tiffcrop.c` (line 7826 in the ASan report). The function allocates a 38403-byte buffer via `limitMalloc` (line 7803) and then writes 307203 bytes into it via `_TIFFmemset` (line 7826), causing a heap-buffer-overflow [ref_id=1].

What the fix does

The issue report does not include a patch. The advisory [ref_id=1] documents the crash and ASan output but does not provide a fix commit. Remediation would require correcting the buffer size calculation in `processCropSelections` so that the allocated region is large enough for the `memset` write, or adding validation to reject images that produce an invalid crop region size.
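The remediation described above, as an added example that is not LibTIFF code or a patch from the project: the buffer records its allocated size, the region size is computed with overflow checks, and the zero-fill can never exceed the allocation. `crop_buf`, `region_bytes`, `crop_buf_prepare`, `CROP_PAD` and `CROP_MAX` are hypothetical names, and the 640x480 geometry is constructed only to reproduce the two sizes in the ASan report (38403 and 307203), not taken from the PoC.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CROP_PAD 3u                   /* assumed trailing pad bytes */
#define CROP_MAX ((size_t)256 << 20)  /* assumed allocation ceiling */

/* Hypothetical reusable crop buffer that records its real size. */
struct crop_buf { unsigned char *data; size_t alloc; };

/* Bytes for one region; 0 if empty, overflowing or above CROP_MAX. */
static size_t region_bytes(uint32_t width, uint32_t length,
                           uint16_t bps, uint16_t spp)
{
    uint64_t row_bits = (uint64_t)width * bps * spp;
    uint64_t row_bytes = row_bits / 8 + (row_bits % 8 != 0);
    if (row_bytes == 0 || length == 0 ||
        row_bytes > (CROP_MAX - CROP_PAD) / length)
        return 0;                     /* reject instead of wrapping */
    return (size_t)(row_bytes * length + CROP_PAD);
}

/* Zero-fill for a region of `need` bytes, growing the buffer when the
 * recorded allocation is smaller instead of writing past its end. */
static int crop_buf_prepare(struct crop_buf *b, size_t need)
{
    if (need == 0 || need > CROP_MAX)
        return -1;
    if (need > b->alloc) {
        unsigned char *p = realloc(b->data, need);
        if (p == NULL)
            return -1;                /* old buffer stays valid */
        b->data = p;
        b->alloc = need;
    }
    memset(b->data, 0, need);         /* need <= b->alloc here */
    return 0;
}

int main(void)
{
    struct crop_buf b = {0};
    /* Constructed geometry: 640x480 at 1 bit, then 8 bits per sample. */
    int a = crop_buf_prepare(&b, region_bytes(640, 480, 1, 1));
    int c = crop_buf_prepare(&b, region_bytes(640, 480, 8, 1));
    printf("%d %d alloc=%zu\n", a, c, b.alloc);
    free(b.data);
    return a || c;
}
```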

Preconditions

  • input: The attacker must provide a crafted TIFF file that triggers the oversized crop selection.
  • input: The victim must run `tiffcrop` with the `-Z` (crop zones) and `-e divided` flags on the malicious file.

Reproduction

Clone the libtiff repository, configure with `./configure CFLAGS='-fsanitize=address -g3'`, build, and run: `./tools/tiffcrop -Z 1:3,2:4 -e divided ./poc /dev/null`. The tool crashes with a SIGSEGV, and ASan reports a heap-buffer-overflow of size 307203 in `processCropSelections` [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
