Libtiff: heap-based buffer overflow in cpstriptotile() in tools/tiffcp.c
Description
An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow leads to an application crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
15cpe:/a:redhat:enterprise_linux:8::crb+ 4 more
- cpe:/a:redhat:enterprise_linux:8::crbrange: 0:4.0.9-32.el8_10
- cpe:/a:redhat:enterprise_linux:9::crbrange: 0:4.4.0-12.el9
- cpe:/o:redhat:enterprise_linux:6
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:8
- osv-coords9 versionspkg:apk/chainguard/tiffpkg:apk/chainguard/tiff-devpkg:apk/chainguard/tiff-docpkg:apk/wolfi/tiffpkg:apk/wolfi/tiff-devpkg:apk/wolfi/tiff-docpkg:rpm/almalinux/libtiffpkg:rpm/almalinux/libtiff-develpkg:rpm/almalinux/libtiff-tools
< 4.6.0-r2+ 8 more
- (no CPE)range: < 4.6.0-r2
- (no CPE)range: < 4.6.0-r2
- (no CPE)range: < 4.6.0-r2
- (no CPE)range: < 4.6.0-r2
- (no CPE)range: < 4.6.0-r2
- (no CPE)range: < 4.6.0-r2
- (no CPE)range: < 4.4.0-12.el9
- (no CPE)range: < 4.4.0-12.el9
- (no CPE)range: < 4.4.0-12.el9
Patches
Vulnerability mechanics
Root cause
"Missing bounds checking in cpStripToTile() allows a heap-based buffer overflow when processing a crafted TIFF file."
Attack vector
An attacker crafts a malicious TIFF file that, when processed by the `tiffcp` utility, triggers a heap-based buffer overflow in the `cpStripToTile()` function [ref_id=1]. The overflow occurs during the copying of strip data to tile data without proper bounds checking. This can cause the application to crash, resulting in a denial of service.
Affected code
The vulnerability resides in the `cpStripToTile()` function in `tools/tiffcp.c` of the libtiff package. A crafted TIFF file processed by the `tiffcp` utility triggers a heap-based buffer overflow, leading to an application crash.
What the fix does
The advisory does not include a patch diff, but the fix addresses the missing bounds validation in `cpStripToTile()` that allowed the heap buffer overflow [ref_id=1]. The update ensures that when copying strip data into a tile buffer, the size of the destination buffer is properly checked against the amount of data being written. This prevents writes beyond the allocated heap memory.
Preconditions
- inputThe attacker must supply a crafted TIFF file that triggers the overflow in cpStripToTile().
- inputThe victim must process the malicious TIFF file using the tiffcp utility.
Generated on Jun 14, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- access.redhat.com/errata/RHSA-2024:2289mitrevendor-advisoryx_refsource_REDHAT
- access.redhat.com/errata/RHSA-2024:5079mitrevendor-advisoryx_refsource_REDHAT
- access.redhat.com/security/cve/CVE-2023-6228mitrevdb-entryx_refsource_REDHAT
- bugzilla.redhat.com/show_bug.cgimitreissue-trackingx_refsource_REDHAT
News mentions
0No linked articles in our index yet.