Talos is disclosing a single off-by-one read/write vulnerability found in the TIFF image decoder functionality of PDFium as used in Google Chrome up to and including version 60.0.3112.101. Google Chrome is the most widely used web browser today and a specially crafted PDF could trigger the vulnerability resulting in memory corruption, possible information leak, and potential code execution. This issue has been fixed in Google Chrome version 62.0.3202.62.


Discovered by Aleksandar Nikolic of Cisco Talos

Talos-2017-0432 / CVE-2017-5133 is an off-by-one read/write vulnerability residing in the TIFF image decoder functionality of PDFium. PDFium is an open sourced PDF renderer developed by Google and used in the Chrome web browser, online services, and other standalone applications. A heap-based buffer overflow is present in the code that is responsible for decoding a compressed TIFF image stream.

The vulnerability results from the function responsible for parsing a pixel of data.During this process it always reads 4 bytes from the 'dest_buffer' even if the buffer length is less than 4 bytes. This potentially leads to an off-by-one read on the heap, followed immediately by an off-by-one-write. However, there are several conditions that need to be satisfied in order to access the vulnerable code. The resulting off-by-one read/write could result in memory corruption, a possible information leak, or potential code execution.Full details of the vulnerability are available here.


The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 44294-44295