See libtiff5.tif from http://www.openwall.com/lists/oss-security/2015/01/24/16

With 4.0.4 beta I get:

$ tiffinfo -d libtiff5.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
libtiff5.tif: Warning, Nonstandard tile width 61, convert file.
TIFF Directory at offset 0xa0 (160)
  Image Width: 32 Image Length: 32
  Tile Width: 61 Tile Length: 3
  Bits/Sample: 2
  Compression Scheme: NeXT
  FillOrder: lsb-to-msb
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 1
  Rows/Strip: 3
  Planar Configuration: single image plane
  DocumentName: foo.tif
TIFFFillTile: Read error at row 4294967295, col 4294967295, tile 0; got 0 bytes, expected 8.
TIFFFillTile: 0: Invalid tile byte count, tile 1.
TIFFFillTile: 0: Invalid tile byte count, tile 2.
TIFFFillTile: 0: Invalid tile byte count, tile 3.
Tile (12,0):
 05 00 00 00 01 fc 07 0a 00 00 00 00 00 00 00 00 aa aa aa aa 55 55 55 55 57 00 00 00 00 00 00 00 55 55 55 55 aa aa aa aa 00 00 00 00 55 55 55 55
TIFFFillTile: Read error at row 0, col 244, tile 5; got 0 bytes, expected 1.
TIFFFillTile: 0: Invalid tile byte count, tile 6.
TIFFFillTile: 0: Invalid tile byte count, tile 7.
NeXTDecode: Not enough data for scanline 0.
NeXTDecode: Not enough data for scanline 0.
NeXTDecode: Not enough data for scanline 0.
*** Error in `tiffinfo': free(): invalid pointer: 0x0000000001d1c520 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x70cbf)[0x7f89fde67cbf]
/lib64/libc.so.6(+0x760be)[0x7f89fde6d0be]
/usr/lib64/libtiff.so.5(_TIFFfree+0x18)[0x7f89fe1f6c61]
tiffinfo[0x401e0c]
tiffinfo[0x401fe8]
tiffinfo[0x402452]
tiffinfo[0x401708]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f89fde178c5]
tiffinfo[0x4012f9]
======= Memory map: ========
Aborted
:/ #
I get a slightly different error, but otherwise pretty much the exact same output:

[...]
NeXTDecode: Not enough data for scanline 0.
*** Error in `tiffinfo': free(): invalid next size (fast): 0x093423a0 ***
======= Backtrace: =========
/lib/i686/libc.so.6(+0x6b8f3)[0xb753e8f3]
/lib/i686/libc.so.6(+0x731f4)[0xb75461f4]
/lib/libtiff.so.5(_TIFFfree+0x1b)[0xb76cf8db]
tiffinfo[0x8049836]
tiffinfo[0x8049a9d]
tiffinfo[0x8049e55]
tiffinfo[0x8048fc8]
/lib/i686/libc.so.6(__libc_start_main+0xf3)[0xb74ecb33]
tiffinfo[0x8049091]
======= Memory map: ========
(gdb) b tiffinfo.c:297
Breakpoint 9 at 0x401cdd: file tiffinfo.c, line 297.
(gdb) run -D libtiff5.tif
[...]
Breakpoint 9, TIFFReadContigTileData (tif=0x604010) at tiffinfo.c:297
297         buf = (unsigned char *)_TIFFmalloc(TIFFTileSize(tif));
(gdb) call TIFFTileSize(tif)
$40 = 48

So 48 bytes is malloc'ed for buf.

(gdb) b tif_next.c:126
Breakpoint 11 at 0x7ffff7b93609: file tif_next.c, line 126.
(gdb) condition 11 op-buf >= 48
[...]
Breakpoint 11, NeXTDecode (tif=0x604010, buf=0x604520 "\005", occ=8, s=0) at tif_next.c:126
126         SETPIXEL(op, grey);
(gdb) bt
#0  NeXTDecode (tif=0x604010, buf=0x604520 "\005", occ=8, s=0) at tif_next.c:126
#1  0x00007ffff7ba6a6a in TIFFReadEncodedTile (tif=0x604010, tile=4, buf=0x604520, size=48) at tif_read.c:668
#2  0x00007ffff7ba6952 in TIFFReadTile (tif=0x604010, buf=0x604520, x=0, y=12, z=0, s=0) at tif_read.c:641
#3  0x0000000000401d9f in TIFFReadContigTileData (tif=0x604010) at tiffinfo.c:308
#4  0x0000000000401fe8 in TIFFReadData (tif=0x604010) at tiffinfo.c:359
#5  0x0000000000402452 in tiffinfo (tif=0x604010, order=0, flags=0, is_image=1) at tiffinfo.c:461
#6  0x0000000000401708 in main (argc=3, argv=0x7fffffffe868) at tiffinfo.c:150
Still not fixed in 4.0.4 final. See: https://bugs.mageia.org/show_bug.cgi?id=15519#c27
Fixed by tif_next.c revision 1.17:

2015-12-27 Even Rouault <even.rouault at spatialys.com>

	* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
	triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
	(bugzilla #2508)
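The gdb session earlier in this report shows the shape of the bug: the tile buffer is sized from the header (TIFFTileSize() returned 48), while the number of pixels NeXTDecode writes through SETPIXEL is driven by run lengths read from the file, and the breakpoint fired once op-buf reached 48. The following is an added illustration, written for this page; it is not libtiff's tif_next.c and not the reporters' or the fix author's code. It models a NeXT-style 2-bit grey run-length decoder with the invented names decode_runs, set_pixel, bytes_needed and pixel_at, and a constructed pair of input streams: one that exactly fills a 61x3 tile of 48 bytes, and the same stream with one extra pixel. The hardened decoder bounds every write against the real end of the buffer rather than any header field, and a cheap pre-check computes how many bytes the stream would touch so a bad stream can be rejected before decoding starts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of a NeXT-style 2-bit grey run-length decoder. It is not
 * libtiff's tif_next.c; it only reproduces the shape of the bug in this report:
 * run lengths come from the file, the output buffer is sized from the header
 * (TIFFTileSize() = 48 bytes in the gdb session), and nothing ties the two
 * together unless the decoder checks its write pointer against the buffer end.
 *
 * Encoding: each input byte is (grey << 6) | run_length, run_length 0..63.
 * Output: four 2-bit pixels per byte, most significant pair first; each row of
 * `width` pixels starts on a byte boundary.
 */

#define TILE_WIDTH 61   /* tile width from the report's tiffinfo output */
#define TILE_BYTES 48   /* TIFFTileSize() for a 61x3 tile at 2 bits/sample */

/* Constructed sample streams: runs of 63, 63 and 57 pixels (183 = 3 rows of 61),
 * and the same stream with a one-pixel run appended. */
static const uint8_t GOOD_STREAM[] = { 0x7F, 0xBF, 0xF9 };
static const uint8_t BAD_STREAM[]  = { 0x7F, 0xBF, 0xF9, 0x01 };

/* Pack one 2-bit pixel at *op. Returns 0 instead of writing at or past `end`. */
static int set_pixel(uint8_t **op, const uint8_t *end, size_t *npixels, unsigned grey)
{
    if (*op >= end)
        return 0;   /* the hardening: the bound is the real buffer, not a header field */
    switch ((*npixels)++ & 3) {
    case 0: **op  = (uint8_t)(grey << 6); break;
    case 1: **op |= (uint8_t)(grey << 4); break;
    case 2: **op |= (uint8_t)(grey << 2); break;
    case 3: *(*op)++ |= (uint8_t)grey;    break;
    }
    return 1;
}

/* Decode `inlen` run bytes into `out` (outlen bytes). Returns the number of
 * output bytes produced, or -1 if the stream would have written outside `out`.
 * `width` comes from the file header and is used only to find row boundaries. */
long decode_runs(const uint8_t *in, size_t inlen, size_t width, uint8_t *out, size_t outlen)
{
    const uint8_t *end = out + outlen;
    uint8_t *op = out;
    size_t npixels = 0;

    memset(out, 0, outlen);
    for (size_t i = 0; i < inlen; i++) {
        unsigned grey = (in[i] >> 6) & 3;
        unsigned run  = in[i] & 0x3f;
        while (run-- > 0) {
            if (!set_pixel(&op, end, &npixels, grey))
                return -1;
            if (npixels == width) {   /* row complete: next row starts on a byte boundary */
                if (npixels & 3)
                    op++;             /* step past the partially filled last byte */
                npixels = 0;
            }
        }
    }
    return (long)(op - out) + ((npixels & 3) ? 1 : 0);
}

/* Number of output bytes an unchecked decoder would touch for this stream:
 * a pre-check that lets a caller reject the stream before any write happens. */
size_t bytes_needed(const uint8_t *in, size_t inlen, size_t width)
{
    size_t total = 0, bpr = (width + 3) / 4;   /* bytes per packed row */
    for (size_t i = 0; i < inlen; i++)
        total += in[i] & 0x3f;
    if (width == 0)
        return (total + 3) / 4;
    return (total / width) * bpr + ((total % width) + 3) / 4;
}

/* Read back pixel (row, col) from a decoded tile. */
unsigned pixel_at(const uint8_t *tile, size_t width, size_t row, size_t col)
{
    size_t bpr = (width + 3) / 4;
    return (tile[row * bpr + col / 4] >> (6 - 2 * (col & 3))) & 3;
}

int main(void)
{
    uint8_t tile[TILE_BYTES];
    printf("good stream: needs %zu bytes, decode -> %ld\n",
           bytes_needed(GOOD_STREAM, sizeof GOOD_STREAM, TILE_WIDTH),
           decode_runs(GOOD_STREAM, sizeof GOOD_STREAM, TILE_WIDTH, tile, sizeof tile));
    printf("bad stream:  needs %zu bytes, decode -> %ld\n",
           bytes_needed(BAD_STREAM, sizeof BAD_STREAM, TILE_WIDTH),
           decode_runs(BAD_STREAM, sizeof BAD_STREAM, TILE_WIDTH, tile, sizeof tile));
    return 0;
}
```

With the good stream the decoder fills exactly 48 bytes; with the bad stream bytes_needed reports 49 and decode_runs returns -1 at the first write that would land at offset 48, which is the same condition the breakpoint in the gdb session was waiting for. The two checks are complementary: the per-write test is the one that actually prevents corruption, the pre-check lets the caller fail early with a clean error instead of a partially decoded tile.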