You need to log in before you can comment on or make changes to this bug.
Created an attachment (id=894) [details] there is a global-buffer-overflow in libtiff-4.0.10 in libtiff/tif_dir.c:1116 tiffcp -i file /dev/null there is a global-buffer-overflow in libtiff-4.0.10 in libtiff/tif_dir.c:1116 ==24551==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001195240 at pc 0x7f91ea72bc41 bp 0x7ffe1fa62e80 sp 0x7ffe1fa62e78 WRITE of size 4 at 0x000001195240 thread T0 #0 0x7f91ea72bc40 in _TIFFVGetField /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:1116:29 #1 0x7f91ea712106 in TIFFVGetField /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:1237:6 #2 0x7f91ea711eeb in TIFFGetField /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:1221:11 #3 0x4f1f0a in tiffcp /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/tools/tiffcp.c:747:5 #4 0x4f008d in main /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/tools/tiffcp.c:301:9 #5 0x7f91e8e73b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #6 0x41b719 in _start (/home/digger/afl-adapative/env/libtiff/install-asan/bin/tiffcp+0x41b719) 0x000001195242 is located 0 bytes to the right of global variable 'predictor' defined in 'tiffcp.c:73:15' (0x1195240) of size 2 SUMMARY: AddressSanitizer: global-buffer-overflow /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:1116:29 in _TIFFVGetField Shadow bytes around the buggy address: 0x00008022a9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008022aa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008022aa10: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 0x00008022aa20: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 0x00008022aa30: 04 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 =>0x00008022aa40: 02 f9 f9 f9 f9 f9 f9 f9[02]f9 f9 f9 f9 f9 f9 f9 0x00008022aa50: 04 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 0x00008022aa60: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 0x00008022aa70: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 0x00008022aa80: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x00008022aa90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==24551==ABORTING
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.