libtiff: invalid write (CVE-2015-7554)

2015-12-27 Thread Hans Jerry Illikainen
`_TIFFVGetField()' in libtiff-4.0.6 may write field data for certain extension tags to invalid or possibly arbitrary memory. Each tag has a `field_passcount' variable in its TIFFField struct: tiff-4.0.6/libtiff/tif_dir.h #276..289: struct _TIFFField { uint32 field_tag;

AccessDiver V4.301 Buffer Overflow

2015-12-27 Thread apparitionsec
[+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/ACCESSDIVER-BUFFER-OVERFLOW.txt Vendor: M. Jean Fages www.accessdiver.com circa 1998-2006 Product: AccessDiver V4.301 build 5888

libtiff bmp file Heap Overflow (CVE-2015-8668)

2015-12-27 Thread riusksk
Details: Product: libtiff; Affected Versions: <= 4.0.6; Vulnerability Type: Heap Overflow; Security Risk: High; Vendor URL: http://www.libtiff.org/ ; CVE ID: CVE-2015-8668; Credit: riusksk of Tencent Security Platform Department. Introduction: libtiff v4.0.6 bmp2tiff function