Bug 2745 - Multiple out of bound write
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P2 major
Target Milestone: ---
Keywords: migrated_to_gitlab
Reported: 2017-10-15 03:47 by
Modified: 2019-10-01 14:20


Attachments
poc (3.68 KB, application/pdf)
2017-10-15 03:47, sfeldmann@teknik.io




Description From 2017-10-15 03:47:34
Created an attachment (id=815): poc

Hello,

I was recently fuzzing the PDF viewer evince, which makes use of libtiff.
One of the mutated PDFs led to multiple valgrind 'invalid write' messages in
libtiff and segfaults evince, as you can see in the valgrind output below.

I first reported the bug to the evince devs, but they led me here.
https://bugzilla.gnome.org/show_bug.cgi?id=788980

Please find the PDF attached.

cheers

----------

==17142== Invalid write of size 4
==17142==    at 0x1D175C8C: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17AAEE: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17DF95: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x20FEF103: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==  Address 0x461fa14c is 0 bytes after a block of size 603,992,332 alloc'd
==17142==    at 0x4C2CE5F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17142==    by 0x20FEF0A4: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==
==17142== Invalid write of size 4
==17142==    at 0x1D175C94: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17AAEE: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17DF95: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x20FEF103: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==  Address 0x461fa150 is 4 bytes after a block of size 603,992,332 alloc'd
==17142==    at 0x4C2CE5F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17142==    by 0x20FEF0A4: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==
==17142== Invalid write of size 4
==17142==    at 0x1D175C9C: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17AAEE: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17DF95: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x20FEF103: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==  Address 0x461fa154 is 8 bytes after a block of size 603,992,332 alloc'd
==17142==    at 0x4C2CE5F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17142==    by 0x20FEF0A4: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==
==17142== Invalid write of size 4
==17142==    at 0x1D175CA4: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17AAEE: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17DF95: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x20FEF103: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==  Address 0x461fa158 is 12 bytes after a block of size 603,992,332 alloc'd
==17142==    at 0x4C2CE5F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17142==    by 0x20FEF0A4: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==
==17142== Invalid write of size 4
==17142==    at 0x1D175CAC: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17AAEE: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17DF95: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x20FEF103: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==  Address 0x461fa15c is 16 bytes after a block of size 603,992,332 alloc'd
==17142==    at 0x4C2CE5F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17142==    by 0x20FEF0A4: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==
==17142== Invalid write of size 4
==17142==    at 0x1D175CB4: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17AAEE: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17DF95: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x20FEF103: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==  Address 0x461fa160 is 20 bytes after a block of size 603,992,332 alloc'd
==17142==    at 0x4C2CE5F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17142==    by 0x20FEF0A4: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==
==17142== Invalid write of size 4
==17142==    at 0x1D175CBE: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17AAEE: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17DF95: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x20FEF103: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==  Address 0x461fa164 is 603,992,356 bytes inside a block of size 603,996,064 in arena "client"
==17142==
==17142== Invalid write of size 4
==17142==    at 0x1D175D50: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17AAEE: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17DF95: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x20FEF103: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==  Address 0x461fa168 is 603,992,360 bytes inside a block of size 603,996,064 in arena "client"
==17142==
==17142== Invalid write of size 4
==17142==    at 0x1D175C84: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17AAEE: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17DF95: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x20FEF103: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==  Address 0x461fa16c is 603,992,364 bytes inside a block of size 603,996,064 in arena "client"
==17142==
TIFFFillStrip: Invalid strip byte count 0, strip 48104.
==17142==
==17142== Process terminating with default action of signal 11 (SIGSEGV)
==17142==  Access not within mapped region at address 0x461FB000
==17142==    at 0x1D175C8C: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17AAEE: ??? (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x1D17DF95: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.5.2.6)
==17142==    by 0x20FEF103: ??? (in /usr/lib/evince/4/backends/libtiffdocument.so)
==17142==    by 0x509000A: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x50920C2: ??? (in /usr/lib/libevview3.so.3.0.0)
==17142==    by 0x77931EA: ??? (in /usr/lib/libglib-2.0.so.0.5400.0)
==17142==    by 0x9074089: start_thread (in /usr/lib/libpthread-2.26.so)
==17142==    by 0x7E931BE: clone (in /usr/lib/libc-2.26.so)
==17142==  If you believe this happened as a result of a stack
==17142==  overflow in your program's main thread (unlikely but
==17142==  possible), you can try to increase the size of the
==17142==  main thread stack using the --main-stacksize= flag.
==17142==  The main thread stack size used in this run was 8388608.
==17142==
==17142== HEAP SUMMARY:
==17142==     in use at exit: 618,127,297 bytes in 93,160 blocks
==17142==   total heap usage: 495,867 allocs, 402,707 frees, 666,656,551 bytes allocated
==17142==
==17142== LEAK SUMMARY:
==17142==    definitely lost: 7,856 bytes in 14 blocks
==17142==    indirectly lost: 42,512 bytes in 1,803 blocks
==17142==      possibly lost: 26,140 bytes in 89 blocks
==17142==    still reachable: 616,817,229 bytes in 83,130 blocks
==17142==                       of which reachable via heuristic:
==17142==                         length64           : 16,912 bytes in 214 blocks
==17142==                         newarray           : 2,656 bytes in 86 blocks
==17142==         suppressed: 0 bytes in 0 blocks
==17142== Rerun with --leak-check=full to see details of leaked memory
==17142==
==17142== For counts of detected and suppressed errors, rerun with: -v
==17142== ERROR SUMMARY: 942 errors from 9 contexts (suppressed: 0 from 0)
------- Comment #1 From 2019-01-29 10:12:32 -------
Was it fixed in evince?
It looks like the bug was fixed in the tiff backend code of evince.
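The trace in the description shows libtiff writing 0 to 20 bytes past a 603,992,332-byte block that evince's tiff backend (libtiffdocument.so) malloc'd and handed to TIFFReadRGBAImageOriented, and comment #1 notes that the fix landed in that backend rather than in libtiff. That block size is exactly 150,998,083 four-byte pixels, i.e. a raster sized from the image's width and height. The C program below is an added example, not code from evince or libtiff, showing the caller-side discipline such a raster needs: overflow-checked sizing from the header dimensions with a caller-chosen byte cap, and a bounds-checked row writer that stands in for the decoder and refuses a row that does not fit instead of writing past the allocation. The page never identifies the root cause of this report, so the example demonstrates the pattern rather than the actual fix; the decode_rows simulation, the max_bytes cap, and the pixel values are constructed for illustration and are not libtiff API.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not evince or libtiff code: size and fill a caller-owned
 * RGBA raster without writing past it.  A caller of TIFFReadRGBAImageOriented()
 * must supply width * height uint32 pixels; both dimensions come from the
 * file and are untrusted. */

#define RGBA_BYTES_PER_PIXEL 4u

/* width * height * 4 without wrapping.  0 on success with the byte count in
 * *out; -1 if a dimension is zero, the product does not fit size_t, or it
 * exceeds max_bytes (caller policy assumed for this example; 0 = no cap). */
int rgba_raster_size(uint32_t width, uint32_t height, size_t max_bytes, size_t *out)
{
    if (width == 0 || height == 0 || out == NULL)
        return -1;
    uint64_t pixels = (uint64_t)width * height;  /* cannot overflow 64 bits */
    if (pixels > SIZE_MAX / RGBA_BYTES_PER_PIXEL)
        return -1;
    size_t bytes = (size_t)pixels * RGBA_BYTES_PER_PIXEL;
    if (max_bytes != 0 && bytes > max_bytes)
        return -1;
    *out = bytes;
    return 0;
}

typedef struct {
    uint32_t *pixels;   /* width * height entries, row-major */
    uint32_t width, height;
} rgba_raster;

/* Zero-filled raster, or NULL if the size is rejected.  calloc means a decode
 * that stops early leaves zeroed pixels behind, not stale heap contents. */
rgba_raster *rgba_raster_new(uint32_t width, uint32_t height, size_t max_bytes)
{
    size_t bytes;
    if (rgba_raster_size(width, height, max_bytes, &bytes) != 0)
        return NULL;
    rgba_raster *r = calloc(1, sizeof *r);
    if (r == NULL)
        return NULL;
    r->pixels = calloc(1, bytes);
    if (r->pixels == NULL) {
        free(r);
        return NULL;
    }
    r->width = width;
    r->height = height;
    return r;
}

void rgba_raster_free(rgba_raster *r)
{
    if (r != NULL)
        free(r->pixels);
    free(r);
}

/* Producer-side check: a row index or row length that does not fit the
 * allocation is an error (-1), never a write past the end.  0 on success. */
int rgba_raster_put_row(rgba_raster *r, uint32_t row, const uint32_t *src, uint32_t npixels)
{
    if (r == NULL || src == NULL || row >= r->height || npixels > r->width)
        return -1;
    memcpy(r->pixels + (size_t)row * r->width, src, (size_t)npixels * sizeof *src);
    return 0;
}

/* Stand-in for a decoder whose header claims claimed_rows rows of
 * claimed_width pixels.  Returns how many rows were stored; a shortfall means
 * the file lied about its geometry, and the caller must treat the decode as
 * failed rather than render a partial raster. */
uint32_t decode_rows(rgba_raster *r, uint32_t claimed_width, uint32_t claimed_rows)
{
    if (r == NULL || claimed_width == 0)
        return 0;
    uint32_t *row = malloc((size_t)claimed_width * sizeof *row);
    if (row == NULL)
        return 0;
    uint32_t stored = 0;
    for (uint32_t y = 0; y < claimed_rows; y++) {
        for (uint32_t x = 0; x < claimed_width; x++)
            row[x] = 0xFF000000u | (y << 8) | x;   /* constructed pixel data */
        if (rgba_raster_put_row(r, y, row, claimed_width) != 0)
            break;
        stored++;
    }
    free(row);
    return stored;
}
```

In a real caller the dimensions come from TIFFGetField(tif, TIFFTAG_IMAGEWIDTH, &w) and TIFFGetField(tif, TIFFTAG_IMAGELENGTH, &h), the raster goes to TIFFReadRGBAImageOriented(tif, w, h, raster, orientation, stopOnError), and the return value must be checked before anything is rendered from the buffer; a raster that was sized correctly but only partly filled is still not safe to display.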
------- Comment #2 From 2019-10-01 14:20:47 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.