Posted by Hans Jerry Illikainen on Dec 26

`_TIFFVGetField()’ in libtiff-4.0.6 may write field data for certain
extension tags to invalid or possibly arbitrary memory.

Each tag has a `field_passcount’ variable in their TIFFField struct:

tiff-4.0.6/libtiff/tif_dir.h #276..289:
,—-
| struct _TIFFField {
| uint32 field_tag; /* field’s tag */
| short field_readcount; /* read count/TIFF_VARIABLE/TIFF_SPP */
| short…