CVE-2016-9453: The t2preadwritepdfimagetile function allowed remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a JPEG file with a TIFFTAG_JPEGTABLES of length one (bsc#1011107).
CVE-2016-5652: An exploitable heap-based buffer overflow existed in the handling of TIFF images in the TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means (bsc#1007280).
CVE-2017-11335: There is a heap based buffer overflow in tools/tiff2pdf.c via a PlanarConfig=Contig image, which caused a more than one hundred bytes out-of-bounds write (related to the ZIPDecode function in tif_zip.c). A crafted input may lead to a remote denial of service attack or an arbitrary code execution attack (bsc#1048937).
CVE-2016-9536: tools/tiff2pdf.c had an out-of-bounds write vulnerabilities in heap allocated buffers in t2pprocessjpegstrip(). Reported as MSVR 35098, aka 't2pprocessjpegstrip heap-buffer-overflow.' (bsc#1011845)
CVE-2017-9935: In LibTIFF, there was a heap-based buffer overflow in the t2pwritepdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2pfree, memory corruption in t2preadwritepdfimage, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution (bsc#1046077).
CVE-2017-17973: There is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. (bsc#1074318)
CVE-2015-7554: The TIFFVGetField function in tifdir.c allowed attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image (bsc#960341).
CVE-2016-5318: Stack-based buffer overflow in the _TIFFVGetField function allowed remote attackers to crash the application via a crafted tiff (bsc#983436).
CVE-2016-10095: Stack-based buffer overflow in the TIFFVGetField function in tifdir.c allowed remote attackers to cause a denial of service (crash) via a crafted TIFF file (bsc#1017690,).
CVE-2016-10268: tools/tiffcp.c allowed remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to 'READ of size 78490' and libtiff/tif_unix.c:115:23 (bsc#1031255)
An overlapping of memcpy parameters was fixed which could lead to content corruption (bsc#1017691).
Fixed an invalid memory read which could lead to a crash (bsc#1017692).
Fixed a NULL pointer dereference in TIFFReadRawData (tiffinfo.c) that could crash the decoder (bsc#1017688).