{"id":"CVE-2016-9535","details":"tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka \"Predictor heap-buffer-overflow.\"","modified":"2026-04-16T06:16:47.810640771Z","published":"2016-11-22T19:59:03.387Z","related":["SUSE-SU-2018:1835-1"],"references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/94744"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2017-0225.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3844"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/94484"},{"type":"FIX","url":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1"},{"type":"FIX","url":"https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vadz/libtiff","events":[{"introduced":"0"},{"last_affected":"8a37c8e244de3457283b54986d09a8db4d24381c"},{"fixed":"3ca657a8793dd011bf869695d72ad31c779c3cc1"},{"fixed":"6a984bf7905c6621281588431f384e79d11a2e33"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.0.6"}]}}],"versions":["Pre360","Release-","Release-3-7-0","Release-v3-5-","Release-v3-5-4","Release-v3-5-5","Release-v3-5-7","Release-v3-6-0","Release-v3-6-0beta2","Release-v3-6-1","Release-v3-7-0-alpha","Release-v3-7-0beta","Release-v3-7-0beta2","Release-v3-7-1","Release-v3-7-2","Release-v3-7-3","Release-v3-7-4","Release-v3-8-0","Release-v3-8-1","Release-v3-8-2","Release-v4-0-0","Release-v4-0-0alpha","Release-v4-0-0alpha4","Release-v4-0-0alpha5","Release-v4-0-0alpha6","Release-v4-0-0beta7","Release-v4-0-1","Release-v4-0-2","Release-v4-0-3","Release-v4-0-4","Release-v4-0-4beta","Release-v4-0-5","Release-v4-0-6"],"database_specific":{"vanir_signatures":[{"id":"CVE-2016-9535-21a09b17","digest":{"function_hash":"33438023922335958403027861108369435097","length":971},"signature_version":"v1","deprecated":false,"target":{"file":"libtiff/tif_predict.c","function":"PredictorEncodeTile"},"source":"https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33","signature_type":"Function"},{"id":"CVE-2016-9535-21a62c3e","digest":{"function_hash":"202112037355910350314807661606348903076","length":193},"signature_version":"v1","deprecated":false,"target":{"file":"libtiff/tif_predict.c","function":"swabHorDiff32"},"source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"target":{"file":"libtiff/tif_predict.c","function":"PredictorDecodeTile"},"digest":{"function_hash":"184992262770447987855632056899924960410","length":517},"signature_version":"v1","deprecated":false,"id":"CVE-2016-9535-276fda65","source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"target":{"file":"libtiff/tif_predict.c"},"digest":{"threshold":0.9,"line_hashes":["261216747197544161885780539738058574608","204875526020822327172325554141205118236","169280555840795216092410791154823169671","93387289301672846274021466163740944234","89722084998747174049558402595045530229","53978131051627761841638122305239234594","92139698161269378584448546751974355237","218033777424840085956168346478189955146","173562032052913763204616893670163871529","59772104789028288424524406531691133701","168216118651488941563407684875687376460","276227255640016495411064368422751486583","162817855906778422021599614065481804161","75239090941942994308511347890910020783","26083462127943261703778269971104141551","170366677663820355181450097743747993320","69088313966155961681384823169459330427","98098571162348030533861241892810405897","275339619459570386407458966692527532112","165524428730503513520768627999054902463","253636620897231989402729106626118631509","34284046229333531150627043438115893962","119588633803753493787033938876036142977","114156870765192471573896503769426331647","320201969646789997698421904828162994337","173878156555487118740790950504304142821","181766126657142311974140449970225806607","209757422492588127305903305466521894189","264432991638146080738392348267745735443","264689667708367412735011951792766627566","299342770356102123003592761892122574840","166742601443984225550752263041498404277","230475067189510006469766832980179409543","221760411091601688958324600133782232509","229447914869026274132167062444563841417","25381216824514169848685677087792994761","27617578685833025681012773012280994401","232721568842987816265073904105127648947","101145998970532216299401227395458455341","160213832243623736671795706366339924760","201127395989126374763197378088961410637","269282657674526036962442596161869459674","310035838356594104595411171449930729876","89469100578155462544569555734643301568","212247207482093557517832476673230460101","187892194104409241736067288802950282764","51720237313748291304069337284147885705","116260321921890444634450185616337597462","171809281404049194992808159713599505883","203486425376982096420026891281156994883","324842486338875830146705086966052987864","132927347058582409711672473589907375944","191432587752728724833189536044353006728","254450928878187828843153523964358868875","287050658238577614039242154506501323490","277713896081436109015161703535506392236","295384038813198301273276281040418615259","5294313042832535779615571973931726749","112381553462187816801670065297946094946","236735664121532714673948537690648925492","247065014043320309633802494006515324885","188045776268132996966400253092030023610","38143383255539705788472103239455009309","176765799637775392835762278179653170040","212247207482093557517832476673230460101","187892194104409241736067288802950282764","397571604025777735857428835763730489","35853964082440227133542547486019387260","138499664257233406659551045238237954213","16792176028829716719496546036043956049","312363574776531423281852985623975443880","280561935669420456724292602952252272716","279019357776041959397966459962680264814","266956413772630722161606270973598878792","26996250107358816560686593872477908882","223738372855588217240627431939494869244","229599646059137685456329063374212000457","262577908426894194077380237768717535130","40597596588941298990824017465538184829","45814490290565097308324146196516716722","79283068765131786396493434806802328024","287228870289512332876850879528564702455","32555078261466544033927279049455346065","22414294858626776819702285795817345398","259248672351234693092410022745228839237","53711036798892785051368833862155738806","87376200204613743461556288060442799912","18879279871474488644040896044794712896","218598709106944436415688398038136408160","60817314799231641987651347289767443969","144698470728293637566702447340412706692","319660836871541674312787001732167154757","283334726527911677417741869024291338104","59205744002858352497477289977429831432","194264458166475910792404654883601885827","10099349801893439896173512356159321865","238169097015477007146193718115730749752","109957946280189619871860065223268910350","40858570402993020224607947591474507188","165592009938754204630841902916612224059","213709958130923717100280030074286427368","26367525634198808324867327916250614075","269005597747942385559582834913622848583","173878156555487118740790950504304142821","1727971838967042040762133131665413409","215784981163846813072247592659821234770","327435520669212449830900635110910366901","137019557449877111287644104277021707151","201127395989126374763197378088961410637","269282657674526036962442596161869459674","174229446356323571751667139705589423960","321623851913463861327541534261740953775","212247207482093557517832476673230460101","187892194104409241736067288802950282764","332120007208474750311786660793958754606","295151076069210490493618185992320196018","127537402781650318556533622973528695079","203077820274264282809123866217033389981","68640494764636047207656350822578296203","248550218523045943631657820874455098654","133356447557050568539312309201336073978","158648737178852531660033527506292608029","158559667826735099589143395574645626476","49368375461848919139922384529001140953","96379463902653958107366181920515327124","249784589267379621402534432370315558802","247065014043320309633802494006515324885","188045776268132996966400253092030023610","308049302462863995007742191612405905454","83961412082341330045612693702240415752","212247207482093557517832476673230460101","187892194104409241736067288802950282764","104687558795424287761833048677605960307","296685850653910284075301847447278613681","9196370545177364092206719668277146838","217315381591564540302841336918440619151","264894580413949111625625975106125515107","64400986129603131692552959251640409283","68816854897385025850321559002752942431","292876760946427832019178946535132435615","248868804560951817732601269440589203855","51321154998989920628801034125251556548","187128180152788120204862597946549688484","131534407090690625506586504246323410867","312363574776531423281852985623975443880","280561935669420456724292602952252272716","75327053814029057871931606152360450066","291928655029028502005195264959123225209","188089470757917946186323001008474526132","23262952306847750378571044471285039371","149600989531258936506360345957492193437","6941662794330502652283678479664977220","226722899927806060070115319202730282531","320686526123068060023132321327147132592","245807925354893737636395260243086035121","63869819962082865145497901506337622503","137376293972105702542152103200032183188","37259134356476570938241045324664025631","64903480435328995977485239321147922921","320109702306631153089796891664150197962","320849409805006650144067212999819378576"]},"signature_version":"v1","deprecated":false,"id":"CVE-2016-9535-2b43ebde","source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Line"},{"id":"CVE-2016-9535-3c164294","digest":{"threshold":0.9,"line_hashes":["134205239593771686444451453477153038893","70181563830162930924240681946432007063","334642212587000913486640124980269500319","270652846444513752393979056430255246945","334453991407783206968120732693852336431","149690041145000177838200561337563478565","106673241138169917329756552636326767793","324678320268165838108172017665335996045","212952606156698099132874329029155270704"]},"signature_version":"v1","deprecated":false,"target":{"file":"libtiff/tif_predict.h"},"source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Line"},{"target":{"file":"libtiff/tif_predict.c","function":"fpAcc"},"digest":{"function_hash":"171040195149164366728271902811662019313","length":826},"deprecated":false,"signature_version":"v1","id":"CVE-2016-9535-47526f08","source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"id":"CVE-2016-9535-57736f03","digest":{"function_hash":"247869117750426373389335569286105952556","length":953},"deprecated":false,"signature_version":"v1","target":{"file":"libtiff/tif_predict.c","function":"fpDiff"},"source":"https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33","signature_type":"Function"},{"id":"CVE-2016-9535-57b8f762","digest":{"function_hash":"161372326862305423684924876063079885996","length":379},"deprecated":false,"signature_version":"v1","target":{"file":"libtiff/tif_predict.c","function":"PredictorDecodeRow"},"source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"id":"CVE-2016-9535-7267c10b","digest":{"function_hash":"274416111811421074790132037766706175902","length":378},"deprecated":false,"signature_version":"v1","target":{"file":"libtiff/tif_predict.c","function":"horDiff32"},"source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"id":"CVE-2016-9535-73608aee","digest":{"function_hash":"214836327272677527236890554075706065370","length":922},"deprecated":false,"signature_version":"v1","target":{"file":"libtiff/tif_predict.c","function":"fpAcc"},"source":"https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33","signature_type":"Function"},{"target":{"file":"libtiff/tif_predict.c","function":"horAcc32"},"digest":{"function_hash":"75952545727149332452222831438042026001","length":341},"deprecated":false,"signature_version":"v1","id":"CVE-2016-9535-7505827a","source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"target":{"file":"libtiff/tif_predict.c"},"digest":{"threshold":0.9,"line_hashes":["243537253012095232706018147322584964083","328793604765054568277458339384610724883","173215819473755194764655104316010686419","199422481867919143423721054010706911540","8557538063707369504417648543711635394","8083623373425167319000831259911679740","85368011416744430142508291262187983305","78580468177287185386221164314403802048","171265541845092943189763909690756428842","171127729429503044325544238934172733556","170924229996705184237776138572835518269","283910340509617888939277177227310435451","3663573744890979848304579524704794678","8083623373425167319000831259911679740","132747715903068621805235146338990386343","163310138971906068926364150861312351117","295813915796687586699285067718406720854","207117491776832991070186849829053997506","231698337745173978894984973294697725306"]},"signature_version":"v1","deprecated":false,"id":"CVE-2016-9535-9fbb1868","source":"https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33","signature_type":"Line"},{"id":"CVE-2016-9535-ae521d26","digest":{"function_hash":"313666045367366105442323613504502185156","length":1262},"deprecated":false,"signature_version":"v1","target":{"file":"libtiff/tif_predict.c","function":"horAcc8"},"source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"id":"CVE-2016-9535-b8d41760","digest":{"function_hash":"336129129415190154953553427868859441327","length":1488},"signature_version":"v1","deprecated":false,"target":{"file":"libtiff/tif_predict.c","function":"horDiff8"},"source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"target":{"file":"libtiff/tif_predict.c","function":"swabHorAcc16"},"digest":{"function_hash":"245000748359933944360903661653903665701","length":193},"signature_version":"v1","deprecated":false,"id":"CVE-2016-9535-c07c5a9a","source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"target":{"file":"libtiff/tif_predict.c","function":"swabHorAcc32"},"digest":{"function_hash":"122050190341139738960804041940933097822","length":193},"deprecated":false,"signature_version":"v1","id":"CVE-2016-9535-daf1ee21","source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"target":{"file":"libtiff/tif_predict.c","function":"PredictorEncodeRow"},"digest":{"function_hash":"282693645718852883451823726369794439334","length":350},"signature_version":"v1","deprecated":false,"id":"CVE-2016-9535-deaa4e66","source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"target":{"file":"libtiff/tif_predict.c","function":"swabHorDiff16"},"digest":{"function_hash":"158902631558467282773649354203087184658","length":193},"signature_version":"v1","deprecated":false,"id":"CVE-2016-9535-e29415d2","source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"target":{"file":"libtiff/tif_predict.c","function":"PredictorEncodeTile"},"digest":{"function_hash":"30291917893125969486252093361531272353","length":873},"deprecated":false,"signature_version":"v1","id":"CVE-2016-9535-e75c9d6c","source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"target":{"file":"libtiff/tif_predict.c","function":"horAcc16"},"digest":{"function_hash":"83933759554897251928352728546898234334","length":419},"deprecated":false,"signature_version":"v1","id":"CVE-2016-9535-e98a0fa6","source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"id":"CVE-2016-9535-ecf69c41","digest":{"function_hash":"307214869499057035791033897634522056438","length":851},"deprecated":false,"signature_version":"v1","target":{"file":"libtiff/tif_predict.c","function":"fpDiff"},"source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"},{"target":{"file":"libtiff/tif_predict.c","function":"horDiff16"},"digest":{"function_hash":"94877657018150311123884046479567264667","length":456},"deprecated":false,"signature_version":"v1","id":"CVE-2016-9535-efcd2186","source":"https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1","signature_type":"Function"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9535.json","vanir_signatures_modified":"2026-04-11T03:56:42Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}