Apple Mac OS X ImageIO TIFF Integer Overflow

Summary – 28.06.2011

Name: Apple Mac OS X ImageIO TIFF Integer Overflow
Reference: NGS00057
Discoverer: Dominic Chell <>
Vendor: Apple
Vendor Reference: 142522746
Systems Affected: Mac OS X v10.6 through v10.6.6, Mac OS X Server v10.6 through v10.6.6. This issue does not affect systems prior to Mac OS X v10.6
Risk: High
Status: Published


Discovered: 8 March 2011
Released: 8 March 2011
Approved: 8 March 2011
Reported: 8 March 2011
Fixed: 21 March 2011
Published: 28 June 2011


A heap overflow is caused by a signedness vulnerability within copyImageBlockSetTiff().
The crash occurs within any application using the framework, including Preview, QuickLook, Safari Mail.

Technical Details

exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movdqa %xmm1,CONSTANT(%rdi,%rcx):instruction_address=0x00007fffffe0088c:access_type=write:access_address=0x00000001159d0000:

Crash accessing invalid address. Consider running it again with libgmalloc(3) to see if the log changes.
Test case was copyImageBlockSetTiff


Process: qlmanage [4763]


Identifier: qlmanage
Version: ??? (???)
Code Type: X86-64 (Native)
Parent Process: exc_handler [4762]

PlugIn Path: /usr/bin/qlmanage
PlugIn Identifier: qlmanage
PlugIn Version: ??? (???)

Date/Time: 2011-03-07 21:47:33.598 +0000
OS Version: Mac OS X 10.6.6 (10J567)
Report Version: 6

Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000001159d0000 Crashed Thread: 6

Fix Information

Call us before you need us.

Our experts will help you.

Get in touch