Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow.
Vector
NETWORK
Complexity
LOW
Authentication
NONE
Confidentiality
PARTIAL
Integrity
PARTIAL
Availability
PARTIAL
LibTIFF 3.7.3
LibTIFF 3.7.2
LibTIFF 3.7.1
LibTIFF 3.7.0 beta2
LibTIFF 3.7.0 beta
LibTIFF 3.7.0 alpha
LibTIFF 3.7.0
LibTIFF 3.6.1
LibTIFF 3.6.0 beta2
LibTIFF 3.6.0 beta
LibTIFF 3.6.0
LibTIFF 3.5.7 beta
LibTIFF 3.5.7 alpha4
LibTIFF 3.5.7 alpha3
LibTIFF 3.5.7 alpha2
LibTIFF 3.5.7 alpha
LibTIFF 3.5.7
LibTIFF 3.5.6 beta
LibTIFF 3.5.6
LibTIFF 3.5.5
LibTIFF 3.5.4
LibTIFF 3.5.3
LibTIFF 3.5.2
LibTIFF 3.5.1
LibTIFF 3.4 beta37
LibTIFF 3.4 beta36
LibTIFF 3.4 beta35
LibTIFF 3.4 beta34
LibTIFF 3.4 beta32
LibTIFF 3.4 beta31
LibTIFF 3.4 beta29
LibTIFF 3.4 beta28
LibTIFF 3.4 beta24
LibTIFF 3.4 beta18
LibTIFF 3.4
LibTIFF 3.7.4
LibTIFF 3.8.0
LibTIFF 3.8.1
LibTIFF 3.8.2
LibTIFF 3.9
LibTIFF 3.9.0
LibTIFF 3.9.0 beta
LibTIFF 3.9.1
LibTIFF 3.9.2
LibTIFF 3.9.2-5.2.1
LibTIFF 3.9.3
LibTIFF 3.9.4