Created an attachment (id=749): poc

The stack trace is as follows, and the command is: libtiff/tools/bmp2tiff -c lzw poc out.tif

==26872== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb53fe830 at pc 0x81844a4 bp 0xbf962628 sp 0xbf96261c
READ of size 1 at 0xb53fe830 thread T0
    #0 0x81844a3 in LZWEncode /home/b/asan/libtiff/libtiff/tif_lzw.c:925
    #1 0x810833f in TIFFWriteScanline /home/b/asan/libtiff/libtiff/tif_write.c:173
    #2 0x804df67 in main /home/b/asan/libtiff/tools/bmp2tiff.c:775
    #3 0xb5f5fa82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #4 0x8051060 in _start (/home/b/asan/libtiff/tools/bmp2tiff+0x8051060)
0xb53fe830 is located 0 bytes to the right of 3158064-byte region [0xb50fb800,0xb53fe830)
allocated by thread T0 here:
    #0 0xb6151854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
    #1 0x804c7da in main /home/b/asan/libtiff/tools/bmp2tiff.c:678
    #2 0xb5f5fa82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/b/asan/libtiff/libtiff/tif_lzw.c:921 LZWEncode
Shadow bytes around the buggy address:
  0x36a7fcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a7fcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a7fcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a7fce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a7fcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36a7fd00: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
  0x36a7fd10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a7fd20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a7fd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a7fd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a7fd50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
Created an attachment (id=757): Patch that solves this issue

This patch sanitizes the code so that it does not read past the initialized data.
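As an added illustration of the kind of bound the trace calls for (this is not the attached patch and not libtiff's own code): before a row is handed to TIFFWriteScanline, and so to LZWEncode, check that the whole row lies inside the pixel buffer, using a comparison that cannot itself overflow on a 32-bit build like the one in the report. The helper names, the summing stand-in for the encoder and the 12-byte sample buffer are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* True when row `row` (scanline_bytes wide) lies entirely inside a buffer of
 * buffer_len bytes. Dividing instead of computing row * scanline_bytes avoids
 * the size_t overflow that a multiplication could hit on 32-bit builds. */
bool scanline_in_bounds(size_t buffer_len, size_t row, size_t scanline_bytes)
{
    if (scanline_bytes == 0 || scanline_bytes > buffer_len)
        return false;
    return row < buffer_len / scanline_bytes;   /* number of whole rows that fit */
}

/* Stand-in for the bmp2tiff write loop: each row would be passed to
 * TIFFWriteScanline, which feeds the LZW encoder. Here the "encoder" just
 * sums the bytes, so a wrong bound would be a real over-read. Returns the
 * number of rows consumed, or -1 if a row would extend past buffer_len. */
long write_rows_checked(const unsigned char *buf, size_t buffer_len,
                        size_t height, size_t scanline_bytes,
                        unsigned long *checksum)
{
    unsigned long sum = 0;
    for (size_t row = 0; row < height; row++) {
        if (!scanline_in_bounds(buffer_len, row, scanline_bytes))
            return -1;            /* refuse the row instead of reading past the end */
        const unsigned char *line = buf + row * scanline_bytes;
        for (size_t i = 0; i < scanline_bytes; i++)
            sum += line[i];
    }
    if (checksum)
        *checksum = sum;
    return (long)height;
}

/* Constructed 12-byte "image": four 3-byte rows. Asking for five rows must
 * be rejected rather than read a 13th byte. Returns the checksum or -1. */
static const unsigned char k_pixels[12] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};

long demo_sum(size_t height)
{
    unsigned long sum = 0;
    if (write_rows_checked(k_pixels, sizeof k_pixels, height, 3, &sum) < 0)
        return -1;
    return (long)sum;
}
```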
The bmp2tiff utility has been removed from libtiff upstream. Closing as wontfix.