Created an attachment (id=825)
poc to trigger the vulnerability

On 4.0.9 (the latest version), there is a memory malloc failure in the readSeparateTilesIntoBuffer function (tools/tiffcrop.c), which can be triggered by poc_4.tiff in the attachment.

tiffcrop -i poc_4.tiff /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 7426 (0x1d02) encountered.
poc_4.tiff: Warning, Nonstandard tile width -2147483644, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 512 (0x200) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
_TIFFVSetField: poc_4.tiff: Bad value 515 for "ResolutionUnit" tag.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
==18653==WARNING: AddressSanitizer failed to allocate 0x002000000208 bytes
==18653==AddressSanitizer's allocator is terminating the process instead of returning 0
==18653==If you don't like this behavior set allocator_may_return_null=1
==18653==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x7fb6452f5631 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7fb6452fa613 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa5613)
    #2 0x7fb645272425 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d425)
    #3 0x7fb6452f8865 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa3865)
    #4 0x7fb645277b4d (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22b4d)
    #5 0x7fb6452ed5d2 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)
    #6 0x432584 in readSeparateTilesIntoBuffer /home/fuzz/libtiff/4.0.9/tools/tiffcrop.c:994
    #7 0x432584 in loadImage /home/fuzz/libtiff/4.0.9/tools/tiffcrop.c:6204
    #8 0x4038d2 in main /home/fuzz/libtiff/4.0.9/tools/tiffcrop.c:2345
    #9 0x7fb64475f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x40d768 in _start (/home/fuzz/libtiff/4.0.9/tools/.libs/lt-tiffcrop+0x40d768)
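The report above shows the pattern behind this class of crash: a tile width read straight from the file (printed as -2147483644, i.e. 0x80000004 as an unsigned 32-bit value) feeds a buffer-size computation, and malloc is asked for 0x2000000208 bytes. The defensive fix is to validate tile geometry and check every multiplication for overflow before allocating. The following is an added example written for this ticket; it is not libtiff or tiffcrop code. The function name, the 1 GiB cap and the tile length, samples-per-pixel and bits-per-sample values used for the PoC geometry are assumptions, since the report only gives the tile width.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical cap on a single tile buffer; libtiff has no such named constant. */
#define MAX_TILE_BUFFER_BYTES ((uint64_t)1 << 30)   /* 1 GiB */

/* Returns the byte size of a buffer holding one tile, or 0 if the geometry is
 * unusable: a zero dimension, a dimension with its sign bit set, arithmetic
 * overflow, or a result above the cap. TIFF tag values arrive as unsigned
 * 32-bit integers; 0x80000004 is what tiffcrop printed as -2147483644. */
size_t tile_buffer_size(uint32_t tile_width, uint32_t tile_length,
                        uint16_t samples_per_pixel, uint16_t bits_per_sample)
{
    if (tile_width == 0 || tile_length == 0 ||
        samples_per_pixel == 0 || bits_per_sample == 0)
        return 0;

    /* No real tile is 2^31 pixels wide or long; reject sign-bit-set values
     * instead of letting them wrap into a huge allocation. */
    if (tile_width > (uint32_t)INT32_MAX || tile_length > (uint32_t)INT32_MAX)
        return 0;

    /* width (< 2^31) * spp (< 2^16) * bps (< 2^16) < 2^63: fits in uint64_t. */
    uint64_t bits_per_row  = (uint64_t)tile_width * samples_per_pixel * bits_per_sample;
    uint64_t bytes_per_row = (bits_per_row + 7) / 8;   /* round up to whole bytes */

    /* bytes_per_row * tile_length can exceed 2^64: check before multiplying. */
    if (bytes_per_row > UINT64_MAX / tile_length)
        return 0;
    uint64_t total = bytes_per_row * tile_length;

    if (total > MAX_TILE_BUFFER_BYTES)
        return 0;
    return (size_t)total;   /* <= 1 GiB, so the cast is safe on any platform */
}

int main(void)
{
    /* Tile width from the report (0x80000004). Tile length, samples per pixel
     * and bits per sample are constructed values not given in the report. */
    size_t n = tile_buffer_size(0x80000004u, 64, 1, 8);
    printf("PoC tile geometry: %s\n", n ? "accepted" : "rejected");

    /* A sane 256x256 RGB, 8 bits per sample tile. */
    n = tile_buffer_size(256, 256, 3, 8);
    printf("256x256 RGB8 tile: %zu bytes\n", n);
    return 0;
}
```

A caller that gets 0 back should refuse the image (or that tile) rather than fall through to malloc; with this check in front of the allocation the PoC geometry is rejected at the validation step, and a legitimate tile still yields its exact byte count.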
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.