A bug report together with the PoC is in the attachment. Here are the stack traces:

Stacktrace (with ASAN):

==28966==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4001bfc at pc 0x08061ab2 bp 0xbfde2b18 sp 0xbfde2b08
WRITE of size 4 at 0xb4001bfc thread T0
    #0 0x8061ab1 in t2p_write_pdf /home/lyk/tiff-4.0.7-asan/tools/tiff2pdf.c:5538
    #1 0x804a474 in main /home/lyk/tiff-4.0.7-asan/tools/tiff2pdf.c:808
    #2 0xb6ff6636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #3 0x804b6d5 (/media/sf_AFL_Dyninst_ADV/tiff/tiff2pdf-asan+0x804b6d5)

0xb4001bfc is located 0 bytes to the right of 76-byte region [0xb4001bb0,0xb4001bfc)
allocated by thread T0 here:
    #0 0xb729adee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x8060329 in t2p_write_pdf /home/lyk/tiff-4.0.7-asan/tools/tiff2pdf.c:5415

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lyk/tiff-4.0.7-asan/tools/tiff2pdf.c:5538 t2p_write_pdf

Stacktrace (with gdb):

Program received signal SIGSEGV, Segmentation fault.
0xb7df9e41 in _int_free (av=0xb7f3e780 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4015
4015    malloc.c: No such file or directory.
#0  0xb7df9e41 in _int_free (av=0xb7f3e780 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4015
        size = 80
        fb = <optimized out>
        nextchunk = 0x805b2a0
        nextsize = 3016
        nextinuse = 0
        prevsize = <optimized out>
        bck = 0x636f6c2f
        fwd = 0x6374652f
        errstr = 0x0
        locked = <optimized out>
        __func__ = "_int_free"
#1  0xb7f83478 in _TIFFfree () from /usr/lib/i386-linux-gnu/libtiff.so.5
No symbol table info available.
#2  0x08049ee8 in t2p_free (t2p=0x805a008) at tiff2pdf.c:969
        i = 0
#3  0x08049ba8 in main (argc=4, argv=0xbffff054) at tiff2pdf.c:824
        outfilename = 0xbffff260 "out.pdf"
        t2p = 0x805a008
        input = 0x805abd0
        output = 0x805b470
        c = -1
        ret = 1
Created an attachment (id=748): The PoC and bug report
Looks like it might be similar to http://bugzilla.maptools.org/show_bug.cgi?id=2704, which also involves TransferFunction.
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.