You need to log in before you can comment on or make changes to this bug.
Hi, We found a DoS using a crafted tiff file that causes a OOM kill in low memory system (usually less than 3GB). This was tested in Ubuntu 14.04 (64bit) but the issue exists even in the CVS libtiff version. Please find attached the compressed test case (otherwise it can kill my browser since gdk-pixbuf is loading tiff files in the preview dialog!). You can test it executing: $ tiffdither oom.tif /dev/null If you run it with ltrace, you can see some very large reallocs: libtiff.so.5->realloc(0, 1636178024) = 0x7f71a42b6010 libtiff.so.5->realloc(0, 1636178024) = 0x7f7142a54010 Despite it is a low risk security issue, it could be hiding some more severe issues and i think it should be investigated. This vulnerability was found using QuickFuzz. Regards,
FYI, the file has a # of image lines around four billion. I didn't dig into it closely when first reported, but it might be that auto-strip-chopping is creating an expensive/large data structure. I'm not entirely confident whether to treat library requests for large amounts of memory as a defect in the library. It makes me sad that modern operating systems seem to have trouble just return NULL for malloc() calls for which there isn't enough memory available. (If my assumptions are correct).
See also: https://github.com/ome/ome-files-cpp/issues/22 This includes testcases and some initial investigation into where the problems lie and how they might be fixed. It would be useful to add checks to functions which would read data after the end of file since this is clearly invalid. I'm looking at whether libtiff stores the file size anywhere on read, but haven't found it yet. I've found _tiffSizeProc(fd) but it's not exposed even in internal headers. Could this be made more public so we can query the file size when accessing field data or anywhere else using offsets?
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.