Hello again. Another issue found in bmp2tiff. It is an out-of-bounds memory read which occurs in tif_packbits.c:84:

    b = *bp++, cc--, n = 1;

This is caused by the value of the length variable, which is set in bmp2tiff:405. The function TIFFWriteScanline continues to read values after the end of the BMP file until it reaches out-of-bounds memory. I attach both gdb and valgrind output. The issue was found using the 4.0.3 source code.
Created an attachment (id=578): bmp crash file
Created an attachment (id=579): gdb output
Created an attachment (id=580): valgrind output
Fixed by:

2014-12-21 Even Rouault <even.rouault@spatialys.com>

	Fix various crasher bugs on fuzzed images.

	* libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing the directory
	* libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or TransferFunction if BitsPerSample has not yet been read, otherwise reading it later will cause user code to crash if BitsPerSample > 1
	* libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or BitsPerSample != 8
	* libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images instead of imagewidth to avoid crash
	* tools/bmp2tiff.c: fix crash due to int overflow related to input BMP dimensions
	* tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be checked by libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel for CIELAB / ITULAB
	* tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
	* tools/tiffdump.c: fix crash due to overflow of entry count.
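The report above describes a pixel-array length derived from BMP header dimensions, and the fix entry for tools/bmp2tiff.c names an int overflow in those dimensions as the cause. The following is an added illustration of that bug class and its hardened form; it is not code from libtiff or from tools/bmp2tiff.c. It assumes a simplified header struct (bmp_info, hypothetical) and a length computed as row stride times height; the naive version does the multiplication in 32-bit unsigned arithmetic so that the wrap is deterministic (the real tool used int, where the overflow is undefined behaviour). The hardened version computes in 64 bits, rejects impossible dimensions, and checks the result against the number of bytes actually read from the file, so the scanline writer can never be handed a length that runs past the input buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified BMP header fields (hypothetical struct,
 * not libtiff's). Real BMPs may carry a negative height (top-down). */
typedef struct {
    int32_t  width;
    int32_t  height;
    uint16_t bit_count;    /* 1, 4, 8, 24 or 32 bits per pixel */
    uint32_t data_offset;  /* byte offset of the pixel array in the file */
} bmp_info;

/* Naive length: stride and total computed in 32 bits. For a large
 * width the product wraps to a tiny value, so a "do we have enough
 * data?" check passes and the writer later reads past the file buffer. */
static uint32_t naive_pixel_bytes(const bmp_info *h)
{
    uint32_t row = (((uint32_t)h->width * h->bit_count + 31) / 32) * 4;
    return row * (uint32_t)h->height;
}

/* Hardened length: 0 on success with *len set, -1 if the header is
 * rejected. file_size is the number of bytes actually read. */
static int checked_pixel_bytes(const bmp_info *h, size_t file_size, size_t *len)
{
    if (h->width <= 0)
        return -1;
    /* Negative height only encodes row order; magnitude is the row count. */
    int64_t height = h->height < 0 ? -(int64_t)h->height : (int64_t)h->height;
    if (height == 0)
        return -1;
    switch (h->bit_count) {
    case 1: case 4: case 8: case 24: case 32: break;
    default: return -1;
    }
    /* width <= INT32_MAX and bit_count <= 32, so this cannot overflow 64 bits. */
    uint64_t row_bits  = (uint64_t)h->width * h->bit_count;
    uint64_t row_bytes = ((row_bits + 31) / 32) * 4;   /* rows are 4-byte aligned */
    /* Reject before multiplying if stride * height would overflow. */
    if (row_bytes > UINT64_MAX / (uint64_t)height)
        return -1;
    uint64_t total = row_bytes * (uint64_t)height;
    if (total > SIZE_MAX)
        return -1;
    /* The pixel array must lie entirely inside the bytes we actually have. */
    if (h->data_offset > file_size || total > file_size - h->data_offset)
        return -1;
    *len = (size_t)total;
    return 0;
}

/* Bounds-checked row access: NULL if row `row` would end past buf_len.
 * A writer loop that stops on NULL cannot read beyond the input buffer. */
static const uint8_t *checked_row(const uint8_t *buf, size_t buf_len,
                                  size_t row_bytes, size_t row)
{
    if (row_bytes == 0 || row >= buf_len / row_bytes)
        return NULL;
    return buf + row * row_bytes;
}

int main(void)
{
    /* Constructed header: width 0x40000000, 8 bpp, 4 rows, in a 1024-byte file. */
    bmp_info big = { 0x40000000, 4, 8, 54 };
    size_t len = 0;
    printf("naive length:   %u bytes\n", (unsigned)naive_pixel_bytes(&big));
    printf("checked length: %s\n",
           checked_pixel_bytes(&big, 1024, &len) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two checks that matter are the order of operations in checked_pixel_bytes: the stride is bounded against height before the multiplication, and the product is compared against the bytes actually read rather than against the header's own claims, which is exactly the comparison the naive version never makes.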