On 4.0.9 (the latest version): there is a memory malloc failure in the cpDecodedStrips function (tools/tiffcp.c), which can be triggered by poc_2.tiff in the attachment.

tiffcp -i poc_2.tiff /tmp/foo

==13056==WARNING: AddressSanitizer failed to allocate 0x003000a92800 bytes
==13056==AddressSanitizer's allocator is terminating the process instead of returning 0
==13056==If you don't like this behavior set allocator_may_return_null=1
==13056==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x7fab79de7631 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7fab79dec613 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa5613)
    #2 0x7fab79d64425 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d425)
    #3 0x7fab79dea865 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa3865)
    #4 0x7fab79d69b4d (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22b4d)
    #5 0x7fab79ddf5d2 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)
    #6 0x40a984 in cpDecodedStrips /home/youwei/submit_poc/libtiff/4.0.9/tools/tiffcp.c:980
    #7 0x403e5d in tiffcp /home/youwei/submit_poc/libtiff/4.0.9/tools/tiffcp.c:814
    #8 0x403e5d in main /home/youwei/submit_poc/libtiff/4.0.9/tools/tiffcp.c:303
    #9 0x7fab7972982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x406bc8 in _start (/home/youwei/submit_poc/libtiff/4.0.9/tools/.libs/tiffcp+0x406bc8)
Created an attachment (id=823): poc to trigger the vulnerability
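The trace above shows the allocator being handed a strip buffer size of roughly 206 GB computed from fields in the input file. As an added example (not libtiff's code and not part of the report), this is the kind of guard that turns such a request into a clean refusal: the strip size is derived from the untrusted header values, checked for overflow, and compared against a cap before anything is allocated. The formula follows the TIFF strip layout for contiguously stored samples; the 256 MiB cap and all function names here are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed upper bound on one decoded strip buffer (example value, not a libtiff constant). */
#define STRIP_ALLOC_CAP ((uint64_t)256 * 1024 * 1024)

/* Strip size for contiguous planar data:
 *   rows_per_strip * ceil(width * samples_per_pixel * bits_per_sample / 8)
 * Every input is an untrusted header field. Returns 0 and stores the size in
 * *out, or -1 when a field is zero, a product would overflow, or the result
 * exceeds STRIP_ALLOC_CAP. */
int checked_strip_size(uint32_t width, uint16_t spp, uint16_t bps,
                       uint32_t rows_per_strip, uint64_t *out)
{
    if (width == 0 || spp == 0 || bps == 0 || rows_per_strip == 0)
        return -1;

    /* width (32 bits) * spp (16 bits) always fits in 64 bits; the multiply by
     * bps and the +7 rounding are checked explicitly. */
    uint64_t bits_per_row = (uint64_t)width * spp;
    if (bits_per_row > UINT64_MAX / bps)
        return -1;
    bits_per_row *= bps;
    if (bits_per_row > UINT64_MAX - 7)
        return -1;
    uint64_t bytes_per_row = (bits_per_row + 7) / 8;

    /* bytes_per_row * rows_per_strip <= cap, tested by division so it cannot overflow. */
    if (bytes_per_row > STRIP_ALLOC_CAP / rows_per_strip)
        return -1;

    *out = bytes_per_row * rows_per_strip;
    return 0;
}

/* Convenience wrapper: the validated size, or 0 when the header is rejected. */
uint64_t strip_size_or_zero(uint32_t width, uint16_t spp, uint16_t bps, uint32_t rows_per_strip)
{
    uint64_t n;
    return checked_strip_size(width, spp, bps, rows_per_strip, &n) == 0 ? n : 0;
}

/* Allocation path a copier such as tiffcp would use: never calls malloc with
 * an unchecked size, so a hostile header yields NULL instead of an allocator abort. */
void *guarded_strip_alloc(uint32_t width, uint16_t spp, uint16_t bps, uint32_t rows_per_strip)
{
    uint64_t n;
    if (checked_strip_size(width, spp, bps, rows_per_strip, &n) != 0)
        return NULL;
    return malloc((size_t)n);
}
```

Under ASan the same refusal is what `allocator_may_return_null=1` would have produced at the allocator level; doing the check before the call keeps the behaviour independent of the sanitizer and lets the tool report a malformed file rather than crash.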
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues. The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.