Bug 2843 - Heap-buffer-overflow in tiffcp.c:800 tiffcp
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P2 enhancement
Target Milestone: ---
Assigned To:
Keywords: migrated_to_gitlab
Reported: 2019-02-10 11:33 by
Modified: 2019-10-01 14:21


Attachments
testcase (448 bytes, application/octet-stream)
2019-02-10 11:33, Augustus Wang


------- Comment #1 From 2019-02-10 11:38:32 -------
version: libtiff 4.0.10 (commit ae0bed1fe530a82faf2e9ea1775109dbf301a971)
OS: Ubuntu 16.04 x86_64

To reproduce,

$ tiffcp -i crash /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag ignored.
=================================================================
==4529== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040000df9f at pc 0x40447d bp 0x7ffce657ef50 sp 0x7ffce657ef48
READ of size 1 at 0x60040000df9f thread T0
    #0 0x40447c in tiffcp ./libtiff/tools/tiffcp.c:800
    #1 0x4028a4 in main ./libtiff/tools/tiffcp.c:301
    #2 0x7f862f43ef44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287
    #3 0x401958 in _start (./libtiff/install-asan-new/bin/tiffcp+0x401958)
0x60040000df9f is located 0 bytes to the right of 15-byte region [0x60040000df90,0x60040000df9f)
allocated by thread T0 here:
    #0 0x7f862fb6341a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
    #1 0x7f862f8f2883 in _TIFFmalloc ./libtiff/libtiff/tif_unix.c:314
    #2 0x7f862f80a92a in setByteArray ./libtiff/libtiff/tif_dir.c:52
    #3 0x7f862f80aaa2 in _TIFFsetNString ./libtiff/libtiff/tif_dir.c:62
    #4 0x7f862f810f0e in _TIFFVSetField ./libtiff/libtiff/tif_dir.c:494
    #5 0x7f862f8f12c0 in ZIPVSetField ./libtiff/libtiff/tif_zip.c:373
    #6 0x7f862f8d24f8 in PredictorVSetField ./libtiff/libtiff/tif_predict.c:772
    #7 0x7f862f8147ca in TIFFVSetField ./libtiff/libtiff/tif_dir.c:878
    #8 0x7f862f8142ef in TIFFSetField ./libtiff/libtiff/tif_dir.c:822
    #9 0x7f862f83c526 in TIFFFetchNormalTag ./libtiff/libtiff/tif_dirread.c:5210
    #10 0x7f862f83407f in TIFFReadDirectory ./libtiff/libtiff/tif_dirread.c:3985
    #11 0x7f862f8bb50e in TIFFClientOpen ./libtiff/libtiff/tif_open.c:464
    #12 0x7f862f8f262b in TIFFFdOpen ./libtiff/libtiff/tif_unix.c:209
    #13 0x7f862f8f2842 in TIFFOpen ./libtiff/libtiff/tif_unix.c:248
    #14 0x401e96 in openSrcImage ./libtiff/tools/tiffcp.c:150
    #15 0x402776 in main ./libtiff/tools/tiffcp.c:279
    #16 0x7f862f43ef44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287
SUMMARY: AddressSanitizer: heap-buffer-overflow ./libtiff/tools/tiffcp.c:800 tiffcp
Shadow bytes around the buggy address:
  0x0c00ffff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9bd0: fa fa fa fa fa fa fa fa fa fa 02 fa fa fa fd fa
  0x0c00ffff9be0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c00ffff9bf0: fa fa 00[07]fa fa fd fd fa fa 02 fa fa fa 00 00
  0x0c00ffff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==4529== ABORTING
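An added illustration of the bug class the report above describes; this is example code written here, not libtiff or tiffcp source, and the page does not show what tiffcp.c:800 actually does. What the report does establish is the shape: the over-read object is a 15-byte heap region allocated by setByteArray / _TIFFsetNString while a tag was being set during directory read, and the faulting access is a 1-byte READ exactly 0 bytes past its end, from tiffcp itself. That is what a string walk (strlen, strchr) produces when a tag value stored as exactly the N bytes from the file holds fewer terminated strings than a count taken from elsewhere in the same file promises. The names store_tag_bytes, make_sample, names_len_unsafe, names_len_bounded and the "Cyan/Magenta/Ye" sample are all assumptions constructed for the example; the mapping of this pattern onto tiffcp.c:800 is an interpretation of the trace, not something the report states.

```c
/* Added example, not libtiff/tiffcp code. Models the report above: a tag
 * value stored as exactly N bytes (no terminator appended, as a
 * setByteArray-style copy does) is walked by a consumer that trusts a
 * count read from a different field of the file. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: two terminated names plus an unterminated third.
 * 15 bytes, like the region in the report; the C literal's trailing NUL
 * is deliberately NOT part of the stored value. */
static const char SAMPLE_SRC[] = "Cyan\0Magenta\0Ye";
#define SAMPLE_LEN 15

/* Store exactly n bytes, no terminator appended (assumption: mirrors the
 * setByteArray allocation seen in the trace). Caller frees. */
char *store_tag_bytes(const char *src, size_t n)
{
    char *p = malloc(n);
    if (p == NULL) {
        perror("malloc");
        exit(1);
    }
    memcpy(p, src, n);
    return p;
}

char *make_sample(void)
{
    return store_tag_bytes(SAMPLE_SRC, SAMPLE_LEN);
}

/* UNSAFE (hypothetical consumer): total length of `count` NUL-separated
 * names, trusting both `count` and the presence of terminators.
 * With count=3 on make_sample() the last strlen() scans past byte 15;
 * under -fsanitize=address that is a 1-byte heap-buffer-overflow READ
 * located 0 bytes to the right of a 15-byte region, as in the report. */
size_t names_len_unsafe(const char *names, unsigned count)
{
    size_t len = strlen(names) + 1;
    const char *cp = names;
    while (count > 1) {
        cp = strchr(cp, '\0') + 1;   /* advance to the next name */
        len += strlen(cp) + 1;       /* unbounded: may run off the buffer */
        count--;
    }
    return len;
}

/* HARDENED: the walk is bounded by the stored size and the count is
 * validated against what the bytes actually contain. Returns the bytes
 * covered by `count` terminated names, or 0 when the buffer holds fewer
 * than `count` terminated names (an inconsistent file: ignore the tag,
 * as libtiff's own "tag ignored" warnings do for bad strip counts).
 * count == 0 also yields 0. */
size_t names_len_bounded(const char *names, size_t nbytes, unsigned count)
{
    size_t off = 0;
    for (unsigned i = 0; i < count; i++) {
        const char *nul = memchr(names + off, '\0', nbytes - off);
        if (nul == NULL)
            return 0;                /* name i is not terminated in-bounds */
        off = (size_t)(nul - names) + 1;
    }
    return off;
}

int main(void)
{
    char *names = make_sample();

    printf("2 names: %zu bytes\n", names_len_bounded(names, SAMPLE_LEN, 2));
    printf("3 names: %zu bytes (0 = rejected)\n",
           names_len_bounded(names, SAMPLE_LEN, 3));

#ifdef TRIGGER_OVERREAD
    /* cc -g -fsanitize=address -DTRIGGER_OVERREAD example.c && ./a.out
     * reproduces the "0 bytes to the right of 15-byte region" report. */
    printf("unsafe: %zu\n", names_len_unsafe(names, 3));
#endif
    free(names);
    return 0;
}
```

The hardened walk never dereferences beyond nbytes and turns the file-level inconsistency into a rejected value instead of a read past the allocation; that is the shape of check to look for in the fix of whichever tag consumer sits at tiffcp.c:800.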
------- Comment #2 From 2019-02-12 03:41:56 -------
I think this is a duplicate of
http://bugzilla.maptools.org/show_bug.cgi?id=2835
------- Comment #3 From 2019-10-01 14:21:27 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.