Bug 2791 - Heap buffer overflow in Fax3Decode1D
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Platform: PC Linux
Importance: P2 enhancement
Target Milestone: ---
Keywords: migrated_to_gitlab
Reported: 2018-05-07 12:01 by
Modified: 2019-10-01 14:21


Attachments
POC to trigger bug (7.77 KB, application/octet-stream)
2018-05-07 12:01, Mingi Cho



Description From 2018-05-07 12:01:35
Created an attachment (id=855)
POC to trigger bug

Triggered by "./tiff2ps $POC"
Tested on Ubuntu 16.04 (x86)

A heap buffer overwrite occurred when processing a malformed TIFF file.


ASAN output:

==19004==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5d006b0 at
pc 0xb760ffb6 bp 0xbf88e798 sp 0xbf88e78c
WRITE of size 4 at 0xb5d006b0 thread T0
    #0 0xb760ffb5 in Fax3Decode1D
/home/min/fuzzing/src/tiff-4.0.9/libtiff/tif_fax3.c:255:3
    #1 0xb772fb02 in TIFFReadScanline
/home/min/fuzzing/src/tiff-4.0.9/libtiff/tif_read.c:450:7
    #2 0x8148012 in PSDataColorSeparate
/home/min/fuzzing/src/tiff-4.0.9/tools/tiff2ps.c:2526:8
    #3 0x813cd5b in PSpage
/home/min/fuzzing/src/tiff-4.0.9/tools/tiff2ps.c:2356:4
    #4 0x8136f5b in TIFF2PS
/home/min/fuzzing/src/tiff-4.0.9/tools/tiff2ps.c:1612:10
    #5 0x8134673 in main /home/min/fuzzing/src/tiff-4.0.9/tools/tiff2ps.c:479:9
    #6 0xb7253636 in __libc_start_main
/build/glibc-mUak1Y/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x805f687 in _start
(/home/min/fuzzing/program/libtiff-4.0.9-aflclang-asan/bin/tiff2ps+0x805f687)


Credits:

Mingi Cho and Taekyoung Kwon of the Information Security Lab, Yonsei
University.
------- Comment #1 From 2019-02-13 06:59:27 -------
I do not reproduce with latest sources
------- Comment #2 From 2019-10-01 14:21:13 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues.

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.