libtiff 4.0.6 heap buffer overflow / out of bounds read (CVE-2016-9273)

Disclosed: 2019-10-04 17:42:16 By geeknik To ibb
Medium
Vulnerability Details
Heap buffer overflow affecting libtiff 4.0.6 and possibly earlier. This library is baked into web browsers used by millions and also devices like the PlayStation Portable and the iPhone.

http://bugzilla.maptools.org/show_bug.cgi?id=2587

Reported to vendor on 7 November 2016:

```
==18669==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef78 at pc 0x407549 bp 0x7ffeeb10bc00 sp 0x7ffeeb10bbf8
READ of size 8 at 0x60200000ef78 thread T0
    #0 0x407548 in cpStrips /root/libtiff/tools/tiffsplit.c:246
    #1 0x407548 in tiffcp /root/libtiff/tools/tiffsplit.c:227
    #2 0x407548 in main /root/libtiff/tools/tiffsplit.c:89
    #3 0x7face2437b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #4 0x40836c (/root/libtiff/tools/tiffsplit+0x40836c)

0x60200000ef78 is located 0 bytes to the right of 8-byte region [0x60200000ef70,0x60200000ef78)
allocated by thread T0 here:
    #0 0x7face2b169f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
    #1 0x4a9ea0 in _TIFFCheckRealloc /root/libtiff/libtiff/tif_aux.c:73
    #2 0x4a9ea0 in _TIFFCheckMalloc /root/libtiff/libtiff/tif_aux.c:88

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libtiff/tools/tiffsplit.c:246 cpStrips
```

Fixed by vendor on 10 November 2016:

```
>> 2016-11-10 Even Rouault <even.rouault at spatialys.com>
>>
>> * libtiff/tif_strip.c: make TIFFNumberOfStrips() return the
>> td->td_nstrips value when it is non-zero, instead of recomputing it.
>> This is needed in TIFF_STRIPCHOP mode where td_nstrips is modified.
>> Fixes a read outside of array in tiffsplit
>> (or other utilities using TIFFNumberOfStrips()).
>>
>> /cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
>> new revision: 1.1151; previous revision: 1.1150
>> /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v <-- libtiff/tif_strip.c
>> new revision: 1.37; previous revision: 1.36
```

https://github.com/vadz/libtiff/commit/d651abc097d91fac57f33b5f9447d0a9183f58e7

CVE requested via oss-security on 9 November 2016: http://www.openwall.com/lists/oss-security/2016/11/09/20

CVE assigned 11 November 2016: http://www.openwall.com/lists/oss-security/2016/11/11/6
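The changelog describes the root cause as a size mismatch: the caller allocated its per-strip arrays from the stored strip count (td_nstrips), but the loop bound came from TIFFNumberOfStrips() recomputing the count from image length and rows per strip, so when TIFF_STRIPCHOP had changed td_nstrips the loop indexed past the array. The following is an added example, not libtiff's code: a constructed model (the `tiff_dir_model` struct, the `strips_recomputed` / `strips_fixed` helpers and the sample values are all assumptions) that shows the pre-fix and post-fix accessor side by side, together with a bounds check of the kind a consumer of such an API should apply before trusting a count it did not allocate from.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the directory fields involved; not libtiff's real TIFFDirectory. */
typedef struct {
    uint32_t imagelength;        /* ImageLength tag */
    uint32_t rowsperstrip;       /* RowsPerStrip tag (possibly rewritten by strip chopping) */
    uint32_t nstrips;            /* td_nstrips: number of entries actually present */
    const uint64_t *bytecounts;  /* StripByteCounts array with exactly nstrips entries */
} tiff_dir_model;

/* Pre-fix behaviour (per the changelog): derive the count from the image geometry. */
static uint32_t strips_recomputed(const tiff_dir_model *td) {
    if (td->rowsperstrip == 0 || td->rowsperstrip == UINT32_MAX)
        return 1;  /* a single strip covers the whole image */
    return (td->imagelength + td->rowsperstrip - 1) / td->rowsperstrip;  /* ceil division */
}

/* Post-fix behaviour: prefer the stored td_nstrips when it is non-zero. */
static uint32_t strips_fixed(const tiff_dir_model *td) {
    if (td->nstrips != 0)
        return td->nstrips;
    return strips_recomputed(td);
}

/* Sum `count` strip byte counts, but refuse to read past the array that was
 * actually allocated. Returns -1 instead of performing an out-of-bounds read. */
static int64_t sum_strip_bytes(const tiff_dir_model *td, uint32_t count) {
    if (count > td->nstrips)
        return -1;  /* caller's count disagrees with the array length */
    int64_t total = 0;
    for (uint32_t s = 0; s < count; s++)
        total += (int64_t)td->bytecounts[s];
    return total;
}

/* Constructed scenario: geometry implies 8 one-row strips, but only 4
 * byte-count entries exist after the directory was rewritten. */
static const uint64_t kBytecounts[4] = { 100, 100, 100, 50 };
static const tiff_dir_model kChoppedDir = {
    .imagelength = 8, .rowsperstrip = 1, .nstrips = 4, .bytecounts = kBytecounts
};

int main(void) {
    uint32_t old_count = strips_recomputed(&kChoppedDir);  /* 8 */
    uint32_t new_count = strips_fixed(&kChoppedDir);       /* 4 */
    printf("recomputed count: %u, stored count: %u\n", old_count, new_count);
    printf("sum with recomputed count: %lld (refused)\n",
           (long long)sum_strip_bytes(&kChoppedDir, old_count));
    printf("sum with stored count: %lld\n",
           (long long)sum_strip_bytes(&kChoppedDir, new_count));
    return 0;
}
```

The defensive point for code that consumes a library like this is the check inside `sum_strip_bytes`: when a loop bound and an array length come from two different sources, compare them before indexing, so a disagreement becomes an error rather than the eight-byte read past the allocation that ASan reported above.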
Report Stats
  • Report ID: 181642
  • State: Closed
  • Substate: resolved
  • Upvotes: 7