LibTIFF before 4.0.10 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.
LibTIFF before 4.0.10 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1697 https://gitlab.com/libtiff/libtiff/merge_requests/38 https://gitlab.com/libtiff/libtiff/commit/681748ec2f5ce88da5f9fa6831e1653e46af8a66