REDHAT-BUG-2392784
Write-What-Where in libtiff via TIFFReadRGBAImageOriented

The vulnerability resides in the raster decoding logic of libtiff, specifically when processing paletted (indexed color) images with malformed metadata. The function TIFFReadRGBAImageOriented() computes a pointer offset into the raster buffer based on user-controlled image metadata:

    raster + (rheight - img.height) * rwidth

If the attacker supplies a very large value for img.height (e.g., 0xFFFF) and a valid rheight (e.g., 256), this computation results in a large positive offset, causing the raster pointer (cp) passed into functions like put8bitcmaptile() or put1bitbwtile() to point beyond the bounds of the allocated buffer.

Inside those functions, memory writes occur like this:

    *cp++ = PALmap[*pp][0];

• The write address (cp) is attacker-controlled via the offset calculation from img.height.
• The value written (PALmap[*pp][0]) is also attacker-controlled:
  ◦ *pp is dereferenced from pixel data in the image file.
  ◦ PALmap is constructed from the image's color palette, which the attacker also controls.

This constitutes a write-what-where vulnerability in which the attacker controls both the write address and the value written. Exploitation of a write-what-where primitive can lead to denial of service or code execution through supply of maliciously crafted files.
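The offset arithmetic described above, shown next to a bounds-checked form. This is an added example, not libtiff's code or its actual fix. It assumes the dimensions are 32-bit unsigned values, which is why a height larger than rheight produces a large positive offset; the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical name: the page's expression (rheight - img.height) * rwidth
 * evaluated in 32-bit unsigned arithmetic, with no validation. */
uint32_t unchecked_offset(uint32_t rwidth, uint32_t rheight, uint32_t img_height)
{
    return (rheight - img_height) * rwidth; /* wraps when img_height > rheight */
}

/* Hypothetical hardened form: refuse to compute a start offset unless the
 * image fits in the caller's raster of rwidth * rheight elements. */
bool checked_offset(uint32_t rwidth, uint32_t rheight, uint32_t img_height,
                    uint64_t *offset_out)
{
    if (rwidth == 0 || rheight == 0)
        return false;
    if (img_height > rheight)   /* metadata height exceeds the raster */
        return false;
    /* 64-bit math so the product itself cannot wrap */
    *offset_out = (uint64_t)(rheight - img_height) * rwidth;
    return true;
}

int main(void)
{
    /* Constructed sample values taken from the description: rheight = 256,
     * img.height = 0xFFFF; rwidth = 256 is an assumption. */
    uint32_t rwidth = 256, rheight = 256, img_height = 0xFFFF;
    uint64_t raster_elems = (uint64_t)rwidth * rheight;
    uint64_t off = 0;

    printf("raster elements : %llu\n", (unsigned long long)raster_elems);
    printf("unchecked offset: %lu\n",
           (unsigned long)unchecked_offset(rwidth, rheight, img_height));

    if (!checked_offset(rwidth, rheight, img_height, &off))
        printf("checked         : rejected (img.height > rheight)\n");

    if (checked_offset(rwidth, rheight, 100, &off))
        printf("checked (h=100) : offset %llu\n", (unsigned long long)off);
    return 0;
}
```

With the sample values the unchecked offset is far larger than the 65536-element raster, while the checked form rejects the image before any pointer is derived.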
Frequently Asked Questions
What is the severity of REDHAT-BUG-2392784?
The severity of REDHAT-BUG-2392784 is considered high due to its potential to allow arbitrary memory writes.
How do I fix REDHAT-BUG-2392784?
To fix REDHAT-BUG-2392784, update libtiff to the latest version that resolves the vulnerability.
What systems are affected by REDHAT-BUG-2392784?
REDHAT-BUG-2392784 affects systems using the libtiff library when processing malformed paletted images.
What type of vulnerability is REDHAT-BUG-2392784?
REDHAT-BUG-2392784 is categorized as a Write-What-Where vulnerability in the libtiff library.
What is the impact of exploiting REDHAT-BUG-2392784?
Exploiting REDHAT-BUG-2392784 can lead to arbitrary code execution or a system crash due to memory corruption.