The analysis started by examining the provided commit cadff5fb6e73398de26a92e96d3d7cac893af255. The commit message explicitly states, 'These changes repair bugs of #871 and #872'. Consulting the linked GitHub issue #871 ('Heap overflow in tiftoimage caused by integer overflow') confirmed the vulnerability in tiftoimage as described in the problem statement. Further investigation of the commit diff for src/bin/jp2/converttif.c revealed changes in two functions: tiftoimage and imagetotif.
For tiftoimage, the patch widened the variables holding image dimensions and properties (e.g., tiWidth, tiHeight, tiBps, tiSpp) from smaller integer types to uint32 and introduced several validation checks on these values and on the sizes derived from them. The core vulnerability was in the calculation of rowStride and of the allocation size for buffer32s: multiplying large input dimensions could wrap around, producing a small allocation that is then overrun when the image data is written. This aligns with the CVE description.
For imagetotif, similar changes were observed: variable types for width, height, and bps were changed to uint32, and the logic for rowStride calculation and buffer32s allocation was also adjusted. The commit message's reference to bug #872 ('Heap overflow in imagetotif caused by integer overflow') confirms that this function also suffered from a similar integer overflow vulnerability leading to a heap buffer overflow.
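To make the overflow pattern in both tiftoimage and imagetotif concrete, here is an added example (not OpenJPEG's code, and not taken from the commit) that computes a row stride and total buffer size the naive way and then with explicit overflow checks. The function names and the constructed dimensions are this example's own assumptions; the checked version simply refuses any size whose intermediate product does not fit in 32 bits, which is the class of check the patch introduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not OpenJPEG's code: the integer-overflow pattern behind
 * a rowStride / buffer size computation, shown next to a checked version.
 * Names (row_stride_unchecked, row_stride_checked, image_bytes_checked,
 * alloc_image_buffer) are hypothetical and belong to this example only.
 */

/* Multiply two 32-bit values; return 1 and store the product if it fits in
 * 32 bits, otherwise return 0 and leave *out untouched. */
static int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    uint64_t p = (uint64_t)a * (uint64_t)b;
    if (p > UINT32_MAX)
        return 0;
    *out = (uint32_t)p;
    return 1;
}

/* Naive stride: bits per row rounded up to whole bytes. All arithmetic is
 * 32-bit and wraps silently, so a huge width yields a tiny (even zero) stride. */
static uint32_t row_stride_unchecked(uint32_t width, uint32_t spp, uint32_t bps)
{
    return (width * spp * bps + 7U) / 8U;
}

/* Checked stride: returns 0 (never a valid stride for non-zero inputs) when
 * any input is zero, bps exceeds 32, or an intermediate product overflows. */
static uint32_t row_stride_checked(uint32_t width, uint32_t spp, uint32_t bps)
{
    uint32_t bits;
    if (width == 0 || spp == 0 || bps == 0 || bps > 32)
        return 0;
    if (!mul_u32_checked(width, spp, &bits))
        return 0;
    if (!mul_u32_checked(bits, bps, &bits))
        return 0;
    if (bits > UINT32_MAX - 7U)   /* the "+ 7" rounding step can overflow too */
        return 0;
    return (bits + 7U) / 8U;
}

/* Total bytes for height rows, or 0 if the stride or the product overflows. */
static size_t image_bytes_checked(uint32_t width, uint32_t height,
                                  uint32_t spp, uint32_t bps)
{
    uint32_t stride = row_stride_checked(width, spp, bps);
    uint32_t total;
    if (stride == 0 || height == 0)
        return 0;
    if (!mul_u32_checked(stride, height, &total))
        return 0;
    return (size_t)total;
}

/* Allocate only when the size survived every check; NULL otherwise. */
static unsigned char *alloc_image_buffer(uint32_t width, uint32_t height,
                                         uint32_t spp, uint32_t bps)
{
    size_t bytes = image_bytes_checked(width, height, spp, bps);
    if (bytes == 0)
        return NULL;
    return (unsigned char *)calloc(bytes, 1);
}

int main(void)
{
    /* Constructed dimensions: a row 2^30 pixels wide, 4 samples, 8 bits each.
     * width * spp alone is 2^32, which wraps to 0 in 32-bit arithmetic. */
    uint32_t w = 0x40000000u, spp = 4, bps = 8;
    printf("unchecked stride: %u bytes\n", row_stride_unchecked(w, spp, bps));
    printf("checked stride:   %u (0 = rejected)\n", row_stride_checked(w, spp, bps));
    printf("640x480 RGB8:     %zu bytes\n", image_bytes_checked(640, 480, 3, 8));
    return 0;
}
```

The unchecked stride for the constructed width comes out as 0 bytes, so any allocation based on it would be far too small for the rows a decoder later writes; the checked path rejects the same input before any memory is allocated. Doing the multiplication in uint64_t and comparing against UINT32_MAX is one portable way to implement the check; compilers that provide __builtin_mul_overflow can express the same thing more directly.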
Both functions process image dimensions and properties, perform calculations that are susceptible to integer overflows if these inputs are maliciously large, and use the results of these calculations for memory allocation. The overflows lead to heap-based buffer overflows when image data is written. Therefore, both functions are identified as vulnerable.