CVE-2016-9535

tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."

critical 9.8 CVSS 3.1

Published: Nov 22, 2016

Modified: May 29, 2026

Vendor: Libtiff

Product: Libtiff

Versions: 4.0.6

Description

tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."

References

http://rhn.redhat.com/errata/RHSA-2017-0225.html
http://www.debian.org/security/2017/dsa-3844
http://www.securityfocus.com/bid/94484
http://www.securityfocus.com/bid/94744
https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
http://rhn.redhat.com/errata/RHSA-2017-0225.html
http://www.debian.org/security/2017/dsa-3844
http://www.securityfocus.com/bid/94484
http://www.securityfocus.com/bid/94744

Related CVEs

CVSS Breakdown

Version	3.1
Score	9.8 / 10
Severity	critical

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness (CWE)

CWE-119

Affected Product

Vendor	Libtiff
Product	Libtiff
Versions	4.0.6