
CVE-2017-9937: In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.

CVSS Score: 6.5 (CVSS v3.0)

Basic Information

EPSS Score: 0.50315%
Published: 5/13/2022
Updated: 4/20/2025
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
(Network-reachable file input, low attack complexity, no privileges required, user interaction required to open the file; no confidentiality or integrity impact, high availability impact.)

Vulnerability Intelligence

Root Cause Analysis

The analysis is based on the vulnerability description and the stack trace in the Bugzilla report (http://bugzilla.maptools.org/show_bug.cgi?id=2707). The root cause is a memory allocation failure in the libjbig library, in its jbg_dec_in function. LibTIFF's JBIGDecode function in tif_jbig.c passes the JBIG-compressed strip data to jbg_dec_in; with a crafted TIFF file, jbg_dec_in attempts to allocate an excessive amount of memory, the allocation fails, and the process aborts, which is the denial of service. The NVD description likewise points to tif_jbig.c, so JBIGDecode is the primary LibTIFF function on the path to the bug. TIFFReadEncodedStrip is listed as well because the stack trace shows it as the direct caller of JBIGDecode. A practical caveat: because the abort is raised inside libjbig rather than reported through LibTIFF's error-handler mechanism, an application cannot recover from it by installing a TIFFErrorHandler; the input has to be rejected before decoding or the decoder isolated in a separate process.
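The following is an added example written for this page, not LibTIFF or libjbig source. It models the 20-byte JBIG bi-level image header (BIH) that jbg_dec_in reads, using the standard field layout (P at byte 2, XD at bytes 4-7, YD at bytes 8-11, big-endian), and shows the failure pattern described above beside a hardened form: `unchecked_alloc_bitmap` derives an allocation size directly from the untrusted header and aborts when malloc returns NULL, while `checked_bitmap_bytes` validates the dimensions and the size arithmetic first and returns an error the caller can handle. The function names, the `make_bih` header builder, the sample headers, and the 64-megapixel cap are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example code for this page, not libjbig or LibTIFF source.
 * BIH layout assumed here: byte 2 = P (bit planes), bytes 4..7 = XD (width),
 * bytes 8..11 = YD (height), both big-endian. */
#define BIH_LEN 20
/* Assumed policy cap for the example: refuse more than 64 megapixels per plane. */
#define MAX_PIXELS_PER_PLANE (64ULL * 1024 * 1024)

typedef struct {
    uint32_t xd;     /* width in pixels */
    uint32_t yd;     /* height in pixels */
    uint8_t  planes; /* number of bit planes */
} bih_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Build a constructed BIH for testing; fields not used here are left zero. */
void make_bih(uint8_t out[BIH_LEN], uint32_t xd, uint32_t yd, uint8_t planes) {
    memset(out, 0, BIH_LEN);
    out[2] = planes;
    out[4] = (uint8_t)(xd >> 24); out[5] = (uint8_t)(xd >> 16);
    out[6] = (uint8_t)(xd >> 8);  out[7] = (uint8_t)xd;
    out[8] = (uint8_t)(yd >> 24); out[9] = (uint8_t)(yd >> 16);
    out[10] = (uint8_t)(yd >> 8); out[11] = (uint8_t)yd;
}

/* Parse the dimension fields; returns -1 if the buffer is shorter than a header. */
int bih_parse(const uint8_t *buf, size_t len, bih_t *out) {
    if (buf == NULL || len < BIH_LEN) return -1;
    out->planes = buf[2];
    out->xd = be32(buf + 4);
    out->yd = be32(buf + 8);
    return 0;
}

/* Vulnerable shape: trust the header, allocate, treat failure as fatal.
 * A crafted header with XD = YD = 0xFFFFFFFF asks for exabytes, malloc
 * returns NULL, and the whole process dies with SIGABRT. */
uint8_t *unchecked_alloc_bitmap(const bih_t *h) {
    size_t stride = ((size_t)h->xd + 7) / 8;     /* bytes per row; may wrap on 32-bit */
    size_t total  = stride * h->yd * h->planes;  /* unchecked multiplication */
    uint8_t *p = malloc(total);
    if (p == NULL) abort();                      /* denial of service for the host */
    return p;
}

/* Hardened shape: validate dimensions and do the size arithmetic with
 * overflow checks before touching the allocator; report an error instead. */
int checked_bitmap_bytes(const bih_t *h, size_t *bytes) {
    if (h->xd == 0 || h->yd == 0 || h->planes == 0) return -1;
    uint64_t pixels = (uint64_t)h->xd * (uint64_t)h->yd;   /* 32x32-bit fits in 64 */
    if (pixels > MAX_PIXELS_PER_PLANE) return -1;          /* reject absurd images */
    uint64_t stride = ((uint64_t)h->xd + 7) / 8;
    uint64_t total  = stride * h->yd * h->planes;          /* bounded by the cap above */
    if (total > (uint64_t)SIZE_MAX) return -1;
    *bytes = (size_t)total;
    return 0;
}

/* Returns NULL for a rejected header; the caller reports a bad image and continues. */
uint8_t *checked_alloc_bitmap(const bih_t *h) {
    size_t n;
    if (checked_bitmap_bytes(h, &n) != 0) return NULL;
    return calloc(n, 1);
}

int main(void) {
    uint8_t hdr[BIH_LEN];
    bih_t h;
    size_t n;

    make_bih(hdr, 800, 600, 1);                  /* sane constructed header */
    if (bih_parse(hdr, sizeof hdr, &h) == 0 && checked_bitmap_bytes(&h, &n) == 0)
        printf("800x600x1: would allocate %zu bytes\n", n);

    make_bih(hdr, 0xFFFFFFFFu, 0xFFFFFFFFu, 1);  /* crafted header */
    if (bih_parse(hdr, sizeof hdr, &h) == 0 && checked_bitmap_bytes(&h, &n) != 0)
        printf("crafted header rejected before allocation\n");
    /* unchecked_alloc_bitmap(&h) at this point would abort the process. */
    return 0;
}
```

The cap is the important design choice: once XD*YD is bounded, the row-stride and plane multiplications cannot overflow a 64-bit size, so the allocator is only ever asked for a size the deployment has decided it can afford, and a refusal surfaces as an ordinary decode error rather than a process abort.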

Vulnerable functions

Only Miggo users can see this section.
