Created an attachment (id=824): poc to trigger the vulnerability on 4.0.9 (the latest version)

There is a memory malloc failure in the t2p_readwrite_pdf_image function (tools/tiff2pdf.c), which can be triggered by poc_3.tiff in the attachment.

tiff2pdf poc_3.tiff -o /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
tiff2pdf: Warning, RGB image poc_3.tiff has 4 samples per pixel, assuming inverse CMYK.
==17246==WARNING: AddressSanitizer failed to allocate 0x003006a93d25 bytes
==17246==AddressSanitizer's allocator is terminating the process instead of returning 0
==17246==If you don't like this behavior set allocator_may_return_null=1
==17246==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f79edcf9631 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7f79edcfe613 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa5613)
    #2 0x7f79edc76425 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d425)
    #3 0x7f79edcfc865 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa3865)
    #4 0x7f79edc7bb4d (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22b4d)
    #5 0x7f79edcf15d2 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)
    #6 0x41eba6 in t2p_readwrite_pdf_image /home/fuzz/libtiff/4.0.9/tools/tiff2pdf.c:2450
    #7 0x443355 in t2p_write_pdf /home/fuzz/libtiff/4.0.9/tools/tiff2pdf.c:5567
    #8 0x4026d8 in main /home/fuzz/libtiff/4.0.9/tools/tiff2pdf.c:808
    #9 0x7f79ed46c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x404818 in _start (/home/fuzz/libtiff/4.0.9/tools/.libs/lt-tiff2pdf+0x404818)
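The failing call above is a malloc() whose size was derived from the input file's directory fields and came out at 0x3006a93d25 bytes (about 206 GB); ASan's allocator aborts on that request rather than returning NULL, which is why the run ends in a CHECK failure instead of a normal out-of-memory path. The C below is an added example, not libtiff's or tiff2pdf's own code, showing the generic pattern behind this class of report: the unchecked product of tag-derived dimensions beside a hardened version that rejects integer overflow and unreasonably large requests before the allocator is ever asked. The function names, the MAX_IMAGE_BYTES cap and the sample dimensions are assumptions for the example; it does not reproduce the exact computation at tiff2pdf.c:2450.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Added example, not libtiff code. MAX_IMAGE_BYTES is an assumed policy cap
 * on how much raw sample data a converter is willing to buffer for one image. */
#define MAX_IMAGE_BYTES ((size_t)1 << 30)   /* 1 GiB, assumed for the example */

/* Unchecked product of four untrusted fields (width, height, samples per
 * pixel, bits per sample), the way a naive converter sizes its buffer.
 * Hostile values turn this into an absurd or wrapped allocation size. */
size_t unchecked_image_bytes(uint32_t width, uint32_t height,
                             uint16_t spp, uint16_t bps)
{
    return (size_t)width * height * spp * ((bps + 7) / 8);
}

/* Overflow-safe multiply: returns 0 and sets *out, or -1 on overflow. */
static int mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Hardened sizing: returns the byte count when every factor is non-zero,
 * the product fits in size_t and it is under the cap; returns 0 otherwise
 * (0 is never a valid image size, so it doubles as the rejection value). */
size_t checked_image_bytes(uint32_t width, uint32_t height,
                           uint16_t spp, uint16_t bps)
{
    size_t n;
    if (width == 0 || height == 0 || spp == 0 || bps == 0)
        return 0;
    if (mul_size(width, height, &n))
        return 0;
    if (mul_size(n, spp, &n))
        return 0;
    if (mul_size(n, (size_t)((bps + 7) / 8), &n))   /* bytes per sample, rounded up */
        return 0;
    if (n > MAX_IMAGE_BYTES)
        return 0;
    return n;
}

/* Allocate only after validation. NULL means "reject the file"; the caller
 * never hands a file-controlled size straight to malloc(). */
unsigned char *alloc_image(uint32_t width, uint32_t height,
                           uint16_t spp, uint16_t bps)
{
    size_t n = checked_image_bytes(width, height, spp, bps);
    if (n == 0) {
        fprintf(stderr, "rejecting image: %u x %u, %u spp, %u bps exceeds limits\n",
                width, height, spp, bps);
        return NULL;
    }
    return calloc(1, n);
}

int main(void)
{
    /* Constructed values mimicking a hostile directory: 1M x 1M pixels, 4 spp, 8 bps. */
    uint32_t w = 0x00100000u, h = 0x00100000u;
    printf("unchecked request: %zu bytes\n", unchecked_image_bytes(w, h, 4, 8));

    unsigned char *p = alloc_image(w, h, 4, 8);
    printf("hardened path: %s\n", p ? "allocated" : "rejected");
    free(p);

    /* A sane 640x480 RGB image passes the same checks. */
    p = alloc_image(640, 480, 3, 8);
    printf("640x480 RGB: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

When reproducing reports like this one under ASan, setting ASAN_OPTIONS=allocator_may_return_null=1 (as the sanitizer message itself suggests) lets the oversized malloc() return NULL so you can see whether the tool then handles the failure or dereferences the null pointer; the hardened path above avoids the question by refusing the size before allocation.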
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.