I have been trying to reproduce this bug (buffer overflow), but instead
I get increasing memory usage until my computer crashes. With versions
from Jessie, Stretch, and Sid. So maybe another security issue?
I note that CVE-2017-11613 and CVE-2018-5784 can use unbounded
memory. However these are marked as fixed everywhere but Stretch.
As far as I can tell, the relevant code is:
uint64* newcounts;
...
newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
"for chopped \"StripByteCounts\" array");
...
for (strip = 0; strip < nstrips; strip++) {
...
newcounts[strip] = stripbytes;
...
}
However, I cannot see how this could cause a buffer overflow
condition. We appear to allocate nstrips uint64, and then use nstrips
uint64.
--
Brian May <b...@debian.org>
