Test environment: Ubuntu 14.04.5 LTS
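# Fetch the libtiff 3.8.0 source tarball straight from GitHub over HTTPS,
# without a third-party relay host in front of the repository URL.
wget https://github.com/mudongliang/source-packages/raw/master/CVE-2006-2025/tiff-3.8.0.tar.gz
# Check the archive against a trusted digest before unpacking, e.g.
#   echo "<EXPECTED_SHA256>  tiff-3.8.0.tar.gz" | sha256sum -c -
# (<EXPECTED_SHA256> is a placeholder: this page does not publish a digest.)
tar -xvf tiff-3.8.0.tar.gz
cd tiff-3.8.0
./configure
make
# Installs the unpatched build under /usr/local (see the tiffinfo path below);
# do this in a disposable VM or container so it does not stay on a working host.
sudo make install
# Run the affected tool on the test input; input.tiff.11 is presumably the
# malformed TIFF for this case and is not provided on this page.
/usr/local/bin/tiffinfo input.tiff.11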
LibTiff TIFFFetchData Integer Overflow Vulnerability
LibTiff 3.x - TIFFFetchData Integer Overflow
/*
 * Pre-patch excerpt of the data-fetch path (the page titles name
 * TIFFFetchData; the patch further down targets libtiff/tif_dirread.c).
 * cc is the number of bytes copied into cp. The patch context shows it
 * computed as dir->tdir_count * w, with w looked up from dir->tdir_type,
 * so it derives from the directory entry, and this excerpt applies no
 * overflow check to it.
 * NOTE(review): the size of the buffer behind cp is not visible here.
 */
if (!isMapped(tif)) {
/* Unmapped file: seek to the entry's offset, then read cc bytes into cp. */
if (!SeekOK(tif, dir->tdir_offset))
goto bad;
if (!ReadOK(tif, cp, cc))
goto bad;
} else {
/*
 * Mapped file: this comparison is the only bound on the copy below.
 * If dir->tdir_offset + cc wraps around, the sum compares as small, the
 * test passes, and the copy may then read outside tif_base..tif_size.
 */
if (dir->tdir_offset + cc > tif->tif_size)
goto bad;
_TIFFmemcpy(cp, tif->tif_base + dir->tdir_offset, cc);
}
--- tiff-v3.5.7/libtiff/tif_dirread.c.multiple 2006-04-26 08:52:01.000000000 -0400
+++ tiff-v3.5.7/libtiff/tif_dirread.c 2006-04-26 08:52:24.000000000 -0400
@@ -683,13 +683,20 @@
int w = tiffDataWidth[dir->tdir_type];
tsize_t cc = dir->tdir_count * w;
+ /* Check for overflow. */
+ if (!dir->tdir_count || !w || cc / w != (tsize_t)dir->tdir_count)
+ goto bad;
+
if (!isMapped(tif)) {
if (!SeekOK(tif, dir->tdir_offset))
goto bad;
if (!ReadOK(tif, cp, cc))
goto bad;
} else {
- if (dir->tdir_offset + cc > tif->tif_size)
+ /* Check for overflow. */
+ if ((tsize_t)dir->tdir_offset + cc < (tsize_t)dir->tdir_offset
+ || (tsize_t)dir->tdir_offset + cc < cc
+ || (tsize_t)dir->tdir_offset + cc > (tsize_t)tif->tif_size)
goto bad;
_TIFFmemcpy(cp, tif->tif_base + dir->tdir_offset, cc);
}
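Review bot: The overflow tests added in the mapped branch perform the addition first and then look for wraparound, `(tsize_t)dir->tdir_offset + cc < (tsize_t)dir->tdir_offset`, which is only dependable when tsize_t is unsigned; if it is a signed type (to be confirmed against the typedef in tiffio.h), the overflow itself is undefined and an optimising compiler may drop the comparison. Assuming tif_size and tdir_offset are unsigned offsets, a form that cannot overflow compares against the space that remains: `if (cc <= 0 || (toff_t)cc > tif->tif_size || dir->tdir_offset > tif->tif_size - (toff_t)cc) goto bad;`. With a signed tsize_t the first check has a similar gap: a count above the positive range with w == 1 yields a negative cc that still satisfies `cc / w == (tsize_t)dir->tdir_count`, so `cc <= 0` should be rejected there too, before ReadOK in the unmapped branch receives it. The enclosing function begins and ends outside this hunk, so the size of the buffer behind cp cannot be checked from here.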