OL CVE Issue Summary:

xmlSnprintfElementContent() in valid.c is supposed to recursively dump the element content definition into a char buffer buf of size size. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then
(i) the content->prefix is appended to buf (if it actually fits) 
whereupon: 
(ii)content->name is written to the buffer 
However, the check is whether the content->name actually fits also uses len rather than the updated buffer length strlen(buf). This allows writing about "size" many bytes beyond the allocated memory. 

OL CVE Issue Summary:

xmlSnprintfElementContent() in valid.c is supposed to recursively dump the element content definition into a char buffer buf of size size. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then
(i) the content->prefix is appended to buf (if it actually fits) 
whereupon: 
(ii)content->name is written to the buffer 
However, the check is whether the content->name actually fits also uses len rather than the updated buffer length strlen(buf). This allows writing about "size" many bytes beyond the allocated memory. 

OL CVE Issue Summary:

xmlSnprintfElementContent() in valid.c is supposed to recursively dump the element content definition into a char buffer buf of size size. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then
(i) the content->prefix is appended to buf (if it actually fits) 
whereupon: 
(ii)content->name is written to the buffer 
However, the check is whether the content->name actually fits also uses len rather than the updated buffer length strlen(buf). This allows writing about "size" many bytes beyond the allocated memory. 

OL CVE Issue Summary:

heap-based buffer overflow in `utf_ptr2char()` in `mbyte.c`
Heap use-after-free in `nv_replace()`
Heap use-after-free in `nv_replace()`
Illegal memory access when C-indenting
heap-buffer-overflow in `inc()` (`misc2.c`).
 

OL CVE Issue Summary:

heap-based buffer overflow in `utf_ptr2char()` in `mbyte.c`
Heap use-after-free in `nv_replace()`
Heap use-after-free in `nv_replace()`
Illegal memory access when C-indenting
heap-buffer-overflow in `inc()` (`misc2.c`).

OL CVE Issue Summary:

When g_byte_array_new_take() is called with a buffer of 4GB or more on a 64-bit platform, the length would be truncated modulo 2**32, causing unintended length truncation.

OL CVE Issue Summary:

`cvtClump()` in rgb2ycbcr in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the `-v` option to `-1`. `_TIFFFax3fillruns()` in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.`DumpModeDecode()` could be exploited to cause denial-of-service via a crafted Tiff image. A heap-based buffer overflow in the `t2p_write_pdf()` in `tools/tiff2pdf.c`. This heap overflow could lead to various damages. For example, a crafted TIFF document can lead to an out-of-bounds read in `TIFFCleanup()`, an invalid free in `TIFFClose()` or `t2p_free()`, memory corruption in `t2p_readwrite_pdf_image()`, or a double free in `t2p_free()`. Given these possibilities, it probably could result in arbitrary code execution. This affects `TIFFReadRGBATileExt()` in `libtiff/tif_getimage.c`. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public. The identifier VDB-213549 was assigned to this vulnerability.

OL CVE Issue Summary:

`cvtClump()` in rgb2ycbcr in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the `-v` option to `-1`. `_TIFFFax3fillruns()` in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.`DumpModeDecode()` could be exploited to cause denial-of-service via a crafted Tiff image. A heap-based buffer overflow in the `t2p_write_pdf()` in `tools/tiff2pdf.c`. This heap overflow could lead to various damages. For example, a crafted TIFF document can lead to an out-of-bounds read in `TIFFCleanup()`, an invalid free in `TIFFClose()` or `t2p_free()`, memory corruption in `t2p_readwrite_pdf_image()`, or a double free in `t2p_free()`. Given these possibilities, it probably could result in arbitrary code execution. This affects `TIFFReadRGBATileExt()` in `libtiff/tif_getimage.c`. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public. The identifier VDB-213549 was assigned to this vulnerability.

OL CVE Issue Summary:

`cvtClump()` in rgb2ycbcr in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the `-v` option to `-1`. `_TIFFFax3fillruns()` in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.`DumpModeDecode()` could be exploited to cause denial-of-service via a crafted Tiff image. A heap-based buffer overflow in the `t2p_write_pdf()` in `tools/tiff2pdf.c`. This heap overflow could lead to various damages. For example, a crafted TIFF document can lead to an out-of-bounds read in `TIFFCleanup()`, an invalid free in `TIFFClose()` or `t2p_free()`, memory corruption in `t2p_readwrite_pdf_image()`, or a double free in `t2p_free()`. Given these possibilities, it probably could result in arbitrary code execution. This affects `TIFFReadRGBATileExt()` in `libtiff/tif_getimage.c`. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public. The identifier VDB-213549 was assigned to this vulnerability.

OL CVE Issue Summary:

`cvtClump()` in rgb2ycbcr in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the `-v` option to `-1`. `_TIFFFax3fillruns()` in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.`DumpModeDecode()` could be exploited to cause denial-of-service via a crafted Tiff image. A heap-based buffer overflow in the `t2p_write_pdf()` in `tools/tiff2pdf.c`. This heap overflow could lead to various damages. For example, a crafted TIFF document can lead to an out-of-bounds read in `TIFFCleanup()`, an invalid free in `TIFFClose()` or `t2p_free()`, memory corruption in `t2p_readwrite_pdf_image()`, or a double free in `t2p_free()`. Given these possibilities, it probably could result in arbitrary code execution. This affects `TIFFReadRGBATileExt()` in `libtiff/tif_getimage.c`. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public. The identifier VDB-213549 was assigned to this vulnerability.