It is possible to end up accessing uninitialized memory from tif_rawdata. A potential fix can be seen at: https://pdfium-review.googlesource.com/c/2150/
The link doesn't work for me. Can you attach the patch and a reproducer to this ticket?
Created an attachment (id=745)
Initialize rawdata

Adding the patch file. I don't think I have permission to attach the crashing image file.
A reproducer would have been appreciated, but your suggested change looks safe. I've implemented it a bit differently:

Fixed per

2017-01-11 Even Rouault <even.rouault at spatialys.com>

        * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add _TIFFcalloc()

        * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero initialize tif_rawdata.
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651

/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1208; previous revision: 1.1207
/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c
new revision: 1.53; previous revision: 1.52
/cvs/maptools/cvsroot/libtiff/libtiff/tif_unix.c,v <-- libtiff/tif_unix.c
new revision: 1.28; previous revision: 1.27
/cvs/maptools/cvsroot/libtiff/libtiff/tif_vms.c,v <-- libtiff/tif_vms.c
new revision: 1.14; previous revision: 1.13
/cvs/maptools/cvsroot/libtiff/libtiff/tif_win32.c,v <-- libtiff/tif_win32.c
new revision: 1.42; previous revision: 1.41
/cvs/maptools/cvsroot/libtiff/libtiff/tiffio.h,v <-- libtiff/tiffio.h
new revision: 1.94; previous revision: 1.93
This is CVE-2017-7593.
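The bug class behind this ticket, as an added illustration that is not libtiff code and not the attached patch: a raw strip buffer is sized from the file's declared strip byte count, a short read fills only part of it, and a decoder that trusts the declared size then walks the unfilled tail, reading (and potentially copying into the output) whatever the allocator left there. The names strip_setup, fake_tiff_malloc, fake_tiff_calloc, count_stale and stale_bytes_seen are hypothetical, the "stale heap" arena is a stand-in for real heap reuse so the run is deterministic, and the 8-byte strip versus a declared 32-byte count is constructed input.

```c
/*
 * Added example (not libtiff code): uninitialized raw-strip buffer vs.
 * a zero-initialized one, in the style of the _TIFFmalloc -> _TIFFcalloc
 * change made in TIFFReadBufferSetup(). All names here are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA_SIZE 256
#define STALE_BYTE 0xAA /* stands in for bytes left behind by a freed allocation */

/* Simulated heap: each allocation comes out of an arena pre-filled with
 * STALE_BYTE, the way a real allocator may hand back a block that still
 * holds contents of an earlier buffer. This is the only reason the
 * "malloc" path below behaves deterministically. */
static uint8_t arena[ARENA_SIZE];

static void *fake_tiff_malloc(size_t n) {
    if (n > ARENA_SIZE) return NULL;
    memset(arena, STALE_BYTE, ARENA_SIZE); /* pretend the block was used before */
    return arena;
}

/* Zeroing allocator: same block, but cleared before it is handed out. */
static void *fake_tiff_calloc(size_t nmemb, size_t n) {
    if (n && nmemb > ARENA_SIZE / n) return NULL; /* reject size overflow */
    void *p = fake_tiff_malloc(nmemb * n);
    if (p) memset(p, 0, nmemb * n);
    return p;
}

/* Mimics setting up a raw strip buffer and reading the strip into it:
 * the buffer is sized from the declared strip byte count, but the file
 * only delivers 'available' bytes (less for a truncated or lying file).
 * Returns the number of bytes the read left untouched, or (size_t)-1 on
 * allocation failure. */
static size_t strip_setup(uint8_t **out, size_t declared_size,
                          const uint8_t *file_bytes, size_t available,
                          int zero_initialize) {
    uint8_t *raw = zero_initialize ? fake_tiff_calloc(1, declared_size)
                                   : fake_tiff_malloc(declared_size);
    if (raw == NULL) return (size_t)-1;
    size_t n = available < declared_size ? available : declared_size;
    memcpy(raw, file_bytes, n);
    *out = raw;
    return declared_size - n;
}

/* Toy "decoder": like a codec that trusts the declared strip size, it
 * walks the whole raw buffer. It reports how many bytes it consumed that
 * are stale allocator content rather than file data. */
static size_t count_stale(const uint8_t *raw, size_t declared_size) {
    size_t c = 0;
    for (size_t i = 0; i < declared_size; i++)
        if (raw[i] == STALE_BYTE) c++;
    return c;
}

/* Constructed input: the file holds 8 bytes for a strip whose byte count
 * tag claims 32. */
static const uint8_t FILE_STRIP[8] = {1, 2, 3, 4, 5, 6, 7, 8};
#define DECLARED_STRIP_SIZE 32

/* Bytes of the buffer the short read never wrote: 24 for this input. */
size_t unfilled_bytes(void) {
    uint8_t *raw = NULL;
    return strip_setup(&raw, DECLARED_STRIP_SIZE, FILE_STRIP,
                       sizeof FILE_STRIP, 1);
}

/* Stale bytes that reach the decoder: 24 with a plain malloc-style
 * allocation, 0 once the buffer is zero-initialized. */
size_t stale_bytes_seen(int zero_initialize) {
    uint8_t *raw = NULL;
    size_t unfilled = strip_setup(&raw, DECLARED_STRIP_SIZE, FILE_STRIP,
                                  sizeof FILE_STRIP, zero_initialize);
    if (unfilled == (size_t)-1) return (size_t)-1;
    return count_stale(raw, DECLARED_STRIP_SIZE);
}

int main(void) {
    printf("malloc-style buffer: %zu stale bytes reach the decoder\n",
           stale_bytes_seen(0));
    printf("calloc-style buffer: %zu stale bytes reach the decoder\n",
           stale_bytes_seen(1));
    printf("bytes the short read left unfilled: %zu\n", unfilled_bytes());
    return 0;
}
```

Zero-initializing removes the uninitialized read and the information leak that comes with it, but it does not by itself detect that the file delivered fewer bytes than the strip byte count declared; in this sketch the non-zero value returned by strip_setup is where a stricter implementation would also reject the strip.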