Created an attachment (id=779) [details]
Crash reproducer

Hello libtiff,

As part of our fuzzing <https://www.owasp.org/index.php/Fuzzing> efforts at
Google, we have identified an issue in version 4.0.7 (and latest from CVS) of
libtiff.  To reproduce requires compiling the project with the LLVM compiler,
taking advantage of the sanitizers that it offers (this issue was discovered
using AddressSanitizer
<https://github.com/google/sanitizers/wiki/AddressSanitizer>).

To reproduce you will need to build your project using that sanitizer, and
execute the attached stub code on the reproducer input that we have also
provided.  This stub code could also serve as a useful template for fuzzing in
your project with libFuzzer <http://libfuzzer.info> and/or AFL
<http://lcamtuf.coredump.cx/afl/>, which may help you uncover additional
issues.  Some documentation on how to get started with libFuzzer is here: 

-Getting Started Documentation
<http://llvm.org/docs/LibFuzzer.html#getting-started>    
-LibFuzzer Tutorial <http://llvm.org/docs/LibFuzzer.html#getting-started>   
-OSS-Fuzz target example
<https://github.com/google/oss-fuzz/blob/a143b9b39a51412d133f846688194d68fe
> 4197ba/projects/libchewing/chewing_default_fuzzer.c>    

The following options / environment variables may be necessary for accurate
reproduction of the issue as well:
ASAN_OPTIONS="exitcode=1,handle_segv=1,detect_leaks=1,leak_check_at_exit=1,a
llocator_may_return_null=1,detect_odr_violation=0"  MSAN_OPTIONS=...

The sanitizer error that we encountered is here: 
==79737==WARNING: AddressSanitizer failed to allocate 0xf00000008002c00 bytes
Live Heap Allocations: 63277374 bytes from 3478 allocations; showing top 95%
43158110 byte(s) (68%) in 739 allocation(s)
    #0 0x4f856b in operator new(unsigned long)
    #1 0x70fb1a in allocate
    #2 0x70fb1a in allocate
    #3 0x70fb1a in _M_allocate
    #4 0x70fb1a in _M_allocate_and_copy<__gnu_cxx::__normal_iterator<const
unsigned char *, std::vector<unsigned char, std::allocator<unsigned char> > > > 
    #5 0x70fb1a in std::vector<unsigned char, std::allocator<unsigned char>
>::operator=(std::vector<unsigned char, std::allocator<unsigned char> > const&)
    #6 0x70f666 in fuzzer::InputCorpus::AddToCorpus(std::vector<unsigned char,
std::allocator<unsigned char> > const&, unsigned long, bool)
    #7 0x7178af in
fuzzer::Fuzzer::ShuffleAndMinimize(std::vector<std::vector<unsigned char,
std::allocator<unsigned char> >, std::allocator<std::vector<unsigned char,
std::allocator<unsigned char> > > >*) 
    #8 0x70e668 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char
const*, unsigned long))
    #9 0x71c812 in main
    #10 0x7f3d7bb13ce7 in __libc_start_main
    #11 0x428038 in _start


Other relevant info/repro instructions:

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we’d appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the
report to “Google Autofuzz project”. 

We are also pleased to inform you that your project is also eligible for
inclusion to the OSS-Fuzz project, which can provide additional continuous
fuzzing, and encourage you to investigate integration options
<https://github.com/google/oss-fuzz/blob/master/docs/new_project_guide.md>. 

Don’t hesitate to let us know if you have any questions!

Google AutoFuzz Team