tif_predict.h and tif_predict.c in libtiff 4.0.6 contain assertions that can lead to assertion failures in debug builds, or to buffer overflows in release builds, when handling unusual tile sizes such as those of YCbCr data with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."
[
{
"signature_type": "Function",
"id": "CVE-2016-9535-21a09b17",
"target": {
"function": "PredictorEncodeTile",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33",
"signature_version": "v1",
"digest": {
"function_hash": "33438023922335958403027861108369435097",
"length": 971.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-21a62c3e",
"target": {
"function": "swabHorDiff32",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "202112037355910350314807661606348903076",
"length": 193.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-276fda65",
"target": {
"function": "PredictorDecodeTile",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "184992262770447987855632056899924960410",
"length": 517.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2016-9535-2b43ebde",
"target": {
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"line_hashes": [
"261216747197544161885780539738058574608",
"204875526020822327172325554141205118236",
"169280555840795216092410791154823169671",
"93387289301672846274021466163740944234",
"89722084998747174049558402595045530229",
"53978131051627761841638122305239234594",
"92139698161269378584448546751974355237",
"218033777424840085956168346478189955146",
"173562032052913763204616893670163871529",
"59772104789028288424524406531691133701",
"168216118651488941563407684875687376460",
"276227255640016495411064368422751486583",
"162817855906778422021599614065481804161",
"75239090941942994308511347890910020783",
"26083462127943261703778269971104141551",
"170366677663820355181450097743747993320",
"69088313966155961681384823169459330427",
"98098571162348030533861241892810405897",
"275339619459570386407458966692527532112",
"165524428730503513520768627999054902463",
"253636620897231989402729106626118631509",
"34284046229333531150627043438115893962",
"119588633803753493787033938876036142977",
"114156870765192471573896503769426331647",
"320201969646789997698421904828162994337",
"173878156555487118740790950504304142821",
"181766126657142311974140449970225806607",
"209757422492588127305903305466521894189",
"264432991638146080738392348267745735443",
"264689667708367412735011951792766627566",
"299342770356102123003592761892122574840",
"166742601443984225550752263041498404277",
"230475067189510006469766832980179409543",
"221760411091601688958324600133782232509",
"229447914869026274132167062444563841417",
"25381216824514169848685677087792994761",
"27617578685833025681012773012280994401",
"232721568842987816265073904105127648947",
"101145998970532216299401227395458455341",
"160213832243623736671795706366339924760",
"201127395989126374763197378088961410637",
"269282657674526036962442596161869459674",
"310035838356594104595411171449930729876",
"89469100578155462544569555734643301568",
"212247207482093557517832476673230460101",
"187892194104409241736067288802950282764",
"51720237313748291304069337284147885705",
"116260321921890444634450185616337597462",
"171809281404049194992808159713599505883",
"203486425376982096420026891281156994883",
"324842486338875830146705086966052987864",
"132927347058582409711672473589907375944",
"191432587752728724833189536044353006728",
"254450928878187828843153523964358868875",
"287050658238577614039242154506501323490",
"277713896081436109015161703535506392236",
"295384038813198301273276281040418615259",
"5294313042832535779615571973931726749",
"112381553462187816801670065297946094946",
"236735664121532714673948537690648925492",
"247065014043320309633802494006515324885",
"188045776268132996966400253092030023610",
"38143383255539705788472103239455009309",
"176765799637775392835762278179653170040",
"212247207482093557517832476673230460101",
"187892194104409241736067288802950282764",
"397571604025777735857428835763730489",
"35853964082440227133542547486019387260",
"138499664257233406659551045238237954213",
"16792176028829716719496546036043956049",
"312363574776531423281852985623975443880",
"280561935669420456724292602952252272716",
"279019357776041959397966459962680264814",
"266956413772630722161606270973598878792",
"26996250107358816560686593872477908882",
"223738372855588217240627431939494869244",
"229599646059137685456329063374212000457",
"262577908426894194077380237768717535130",
"40597596588941298990824017465538184829",
"45814490290565097308324146196516716722",
"79283068765131786396493434806802328024",
"287228870289512332876850879528564702455",
"32555078261466544033927279049455346065",
"22414294858626776819702285795817345398",
"259248672351234693092410022745228839237",
"53711036798892785051368833862155738806",
"87376200204613743461556288060442799912",
"18879279871474488644040896044794712896",
"218598709106944436415688398038136408160",
"60817314799231641987651347289767443969",
"144698470728293637566702447340412706692",
"319660836871541674312787001732167154757",
"283334726527911677417741869024291338104",
"59205744002858352497477289977429831432",
"194264458166475910792404654883601885827",
"10099349801893439896173512356159321865",
"238169097015477007146193718115730749752",
"109957946280189619871860065223268910350",
"40858570402993020224607947591474507188",
"165592009938754204630841902916612224059",
"213709958130923717100280030074286427368",
"26367525634198808324867327916250614075",
"269005597747942385559582834913622848583",
"173878156555487118740790950504304142821",
"1727971838967042040762133131665413409",
"215784981163846813072247592659821234770",
"327435520669212449830900635110910366901",
"137019557449877111287644104277021707151",
"201127395989126374763197378088961410637",
"269282657674526036962442596161869459674",
"174229446356323571751667139705589423960",
"321623851913463861327541534261740953775",
"212247207482093557517832476673230460101",
"187892194104409241736067288802950282764",
"332120007208474750311786660793958754606",
"295151076069210490493618185992320196018",
"127537402781650318556533622973528695079",
"203077820274264282809123866217033389981",
"68640494764636047207656350822578296203",
"248550218523045943631657820874455098654",
"133356447557050568539312309201336073978",
"158648737178852531660033527506292608029",
"158559667826735099589143395574645626476",
"49368375461848919139922384529001140953",
"96379463902653958107366181920515327124",
"249784589267379621402534432370315558802",
"247065014043320309633802494006515324885",
"188045776268132996966400253092030023610",
"308049302462863995007742191612405905454",
"83961412082341330045612693702240415752",
"212247207482093557517832476673230460101",
"187892194104409241736067288802950282764",
"104687558795424287761833048677605960307",
"296685850653910284075301847447278613681",
"9196370545177364092206719668277146838",
"217315381591564540302841336918440619151",
"264894580413949111625625975106125515107",
"64400986129603131692552959251640409283",
"68816854897385025850321559002752942431",
"292876760946427832019178946535132435615",
"248868804560951817732601269440589203855",
"51321154998989920628801034125251556548",
"187128180152788120204862597946549688484",
"131534407090690625506586504246323410867",
"312363574776531423281852985623975443880",
"280561935669420456724292602952252272716",
"75327053814029057871931606152360450066",
"291928655029028502005195264959123225209",
"188089470757917946186323001008474526132",
"23262952306847750378571044471285039371",
"149600989531258936506360345957492193437",
"6941662794330502652283678479664977220",
"226722899927806060070115319202730282531",
"320686526123068060023132321327147132592",
"245807925354893737636395260243086035121",
"63869819962082865145497901506337622503",
"137376293972105702542152103200032183188",
"37259134356476570938241045324664025631",
"64903480435328995977485239321147922921",
"320109702306631153089796891664150197962",
"320849409805006650144067212999819378576"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2016-9535-3c164294",
"target": {
"file": "libtiff/tif_predict.h"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"line_hashes": [
"134205239593771686444451453477153038893",
"70181563830162930924240681946432007063",
"334642212587000913486640124980269500319",
"270652846444513752393979056430255246945",
"334453991407783206968120732693852336431",
"149690041145000177838200561337563478565",
"106673241138169917329756552636326767793",
"324678320268165838108172017665335996045",
"212952606156698099132874329029155270704"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-47526f08",
"target": {
"function": "fpAcc",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "171040195149164366728271902811662019313",
"length": 826.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-57736f03",
"target": {
"function": "fpDiff",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33",
"signature_version": "v1",
"digest": {
"function_hash": "247869117750426373389335569286105952556",
"length": 953.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-57b8f762",
"target": {
"function": "PredictorDecodeRow",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "161372326862305423684924876063079885996",
"length": 379.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-7267c10b",
"target": {
"function": "horDiff32",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "274416111811421074790132037766706175902",
"length": 378.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-73608aee",
"target": {
"function": "fpAcc",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33",
"signature_version": "v1",
"digest": {
"function_hash": "214836327272677527236890554075706065370",
"length": 922.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-7505827a",
"target": {
"function": "horAcc32",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "75952545727149332452222831438042026001",
"length": 341.0
},
"deprecated": false
},
{
"signature_type": "Line",
"id": "CVE-2016-9535-9fbb1868",
"target": {
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33",
"signature_version": "v1",
"digest": {
"line_hashes": [
"243537253012095232706018147322584964083",
"328793604765054568277458339384610724883",
"173215819473755194764655104316010686419",
"199422481867919143423721054010706911540",
"8557538063707369504417648543711635394",
"8083623373425167319000831259911679740",
"85368011416744430142508291262187983305",
"78580468177287185386221164314403802048",
"171265541845092943189763909690756428842",
"171127729429503044325544238934172733556",
"170924229996705184237776138572835518269",
"283910340509617888939277177227310435451",
"3663573744890979848304579524704794678",
"8083623373425167319000831259911679740",
"132747715903068621805235146338990386343",
"163310138971906068926364150861312351117",
"295813915796687586699285067718406720854",
"207117491776832991070186849829053997506",
"231698337745173978894984973294697725306"
],
"threshold": 0.9
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-ae521d26",
"target": {
"function": "horAcc8",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "313666045367366105442323613504502185156",
"length": 1262.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-b8d41760",
"target": {
"function": "horDiff8",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "336129129415190154953553427868859441327",
"length": 1488.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-c07c5a9a",
"target": {
"function": "swabHorAcc16",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "245000748359933944360903661653903665701",
"length": 193.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-daf1ee21",
"target": {
"function": "swabHorAcc32",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "122050190341139738960804041940933097822",
"length": 193.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-deaa4e66",
"target": {
"function": "PredictorEncodeRow",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "282693645718852883451823726369794439334",
"length": 350.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-e29415d2",
"target": {
"function": "swabHorDiff16",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "158902631558467282773649354203087184658",
"length": 193.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-e75c9d6c",
"target": {
"function": "PredictorEncodeTile",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "30291917893125969486252093361531272353",
"length": 873.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-e98a0fa6",
"target": {
"function": "horAcc16",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "83933759554897251928352728546898234334",
"length": 419.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-ecf69c41",
"target": {
"function": "fpDiff",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "307214869499057035791033897634522056438",
"length": 851.0
},
"deprecated": false
},
{
"signature_type": "Function",
"id": "CVE-2016-9535-efcd2186",
"target": {
"function": "horDiff16",
"file": "libtiff/tif_predict.c"
},
"source": "https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1",
"signature_version": "v1",
"digest": {
"function_hash": "94877657018150311123884046479567264667",
"length": 456.0
},
"deprecated": false
}
]