Bug 2768 - There is a segment fault in t2p_write_pdf function tiff2pdf.c line 1585 in libtiff 4.0.7.
Status: RESOLVED LATER
: libtiff
default
: unspecified
: PC Linux
: P2 enhancement
: migrated_to_gitlab
Reported: 2017-12-29 04:05 by
Modified: 2019-10-01 14:20 (History)


Attachments
poc (3.93 KB, application/octet-stream)
2017-12-29 04:05, xiaosatianyu@126.com
Description From 2017-12-29 04:05:55
Created an attachment (id=836) [details]
poc

There is a segmentation fault in the t2p_write_pdf function, tiff2pdf.c line 1585, in libtiff 4.0.7.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 794 (0x31a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 769 (0x301) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFAdvanceDirectory: Error fetching directory count.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 794 (0x31a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 769 (0x301) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 794 (0x31a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 769 (0x301) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 794 (0x31a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 769 (0x301) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
ASAN:DEADLYSIGNAL
=================================================================
==12518==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000053a9e8 bp 0x7fffd4e698e0 sp 0x7fffd4e68680 T0)
==12518==The signal is caused by a READ memory access.
==12518==Hint: address points to the zero page.
    #0 0x53a9e7 in t2p_read_tiff_data /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/tools/tiff2pdf.c:1585:49
    #1 0x52f070 in t2p_write_pdf /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/tools/tiff2pdf.c:5463:3
    #2 0x52bd9b in main /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/tools/tiff2pdf.c:808:2
    #3 0x7f3677830f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #4 0x41c8eb in _start (/home/binzhang/Desktop/tiff2pdf/tiff2pdf+0x41c8eb)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/tools/tiff2pdf.c:1585:49 in t2p_read_tiff_data
==12518==ABORTING
------- Comment #1 From 2019-04-25 08:21:04 -------
I do not reproduce with latest master.
I think the bug has been fixed since 4.0.7
------- Comment #2 From 2019-10-01 14:20:50 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.