Created an attachment (id=763)
testcase on libtiff 4.0.7

A memory leak vulnerability was found in tiff2pdf.c:751 which allows attackers to cause a denial of service via a crafted file.

tiff2pdf $FILE -o out.pdf

==28111==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f8063966bb8 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x507dd3 in _TIFFmalloc /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:316
    #2 0x452057 in TIFFReadDirEntryLong8Array /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:1919
    #3 0x464d88 in TIFFFetchStripThing /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:5402
    #4 0x45a226 in TIFFReadDirectory /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:3737
    #5 0x4dc630 in TIFFClientOpen /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_open.c:466
    #6 0x507b43 in TIFFFdOpen /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:211
    #7 0x507d92 in TIFFOpen /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:250
    #8 0x404065 in main /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2pdf.c:751
    #9 0x7f8062b72b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).

testcase: https://github.com/bestshow/p0cs/blob/master/memory-leak-in-tiff2pdf-2.tif
Credit : ADLab of Venustech
CVE-2017-9815 has been assigned for this issue. Please use it in the ChangeLog and commit messages.
The stack shown here is very similar to the stack shown in bug 2689. This issue could be a duplicate.
As mentioned in the comment above, the stack is exactly the same as in bug 2689 except that the "main" function is in a different file. Also the bug files are exactly the same, byte for byte. This bug is a duplicate of bug 2689 and should be marked so. *** This bug has been marked as a duplicate of bug 2689 ***
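The duplicate call in the last two comments was made by eye: the libtiff frames match and only the tool's `main` frame differs. The script below, added here as an example and not part of this bug or of libtiff, does the same triage mechanically: it parses LeakSanitizer reports, strips the sanitizer interceptor frame and everything from `main` downward, shortens paths to `file:line`, and compares the remaining library frames. The first report is the one from this bug; the second and third are constructed samples (their tool name, addresses and line numbers are made up for illustration and are not taken from bug 2689).

```python
"""Normalize LeakSanitizer stacks into a signature for duplicate triage."""
import os
import re
from typing import Dict, List, Tuple

# Report copied from this bug (libtiff 4.0.7, tiff2pdf).
REPORT_TIFF2PDF = """\
==28111==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f8063966bb8 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x507dd3 in _TIFFmalloc /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:316
    #2 0x452057 in TIFFReadDirEntryLong8Array /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:1919
    #3 0x464d88 in TIFFFetchStripThing /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:5402
    #4 0x45a226 in TIFFReadDirectory /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:3737
    #5 0x4dc630 in TIFFClientOpen /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_open.c:466
    #6 0x507b43 in TIFFFdOpen /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:211
    #7 0x507d92 in TIFFOpen /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:250
    #8 0x404065 in main /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2pdf.c:751
    #9 0x7f8062b72b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).
"""

# Constructed sample: same libtiff frames reached from a hypothetical tool
# ("othertool.c"), built in a different directory. Addresses/lines are made up.
REPORT_OTHER_TOOL = """\
==31337==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f0000001000 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x401000 in _TIFFmalloc /src/tiff-4.0.7/libtiff/tif_unix.c:316
    #2 0x401100 in TIFFReadDirEntryLong8Array /src/tiff-4.0.7/libtiff/tif_dirread.c:1919
    #3 0x401200 in TIFFFetchStripThing /src/tiff-4.0.7/libtiff/tif_dirread.c:5402
    #4 0x401300 in TIFFReadDirectory /src/tiff-4.0.7/libtiff/tif_dirread.c:3737
    #5 0x401400 in TIFFClientOpen /src/tiff-4.0.7/libtiff/tif_open.c:466
    #6 0x401500 in TIFFFdOpen /src/tiff-4.0.7/libtiff/tif_unix.c:211
    #7 0x401600 in TIFFOpen /src/tiff-4.0.7/libtiff/tif_unix.c:250
    #8 0x401700 in main /src/tiff-4.0.7/tools/othertool.c:100
    #9 0x7f0000002000 in __libc_start_main (/lib64/libc.so.6+0x21b34)
SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).
"""

# Constructed sample with a different allocation site (frame #2 is fictional),
# so it must NOT be grouped with the two above.
REPORT_UNRELATED = REPORT_OTHER_TOOL.replace(
    "TIFFReadDirEntryLong8Array /src/tiff-4.0.7/libtiff/tif_dirread.c:1919",
    "HypotheticalReader /src/tiff-4.0.7/libtiff/tif_dirread.c:1000")

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.+?)\s*$")
LEAK_RE = re.compile(r"(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")


def parse_report(text: str) -> Dict:
    """Extract leak size, object count and the ordered (function, location) frames."""
    m = LEAK_RE.search(text)
    if m is None:
        raise ValueError("no LeakSanitizer leak record found")
    frames: List[Tuple[str, str]] = []
    for line in text.splitlines():
        fm = FRAME_RE.match(line)
        if fm:
            frames.append((fm.group(2), fm.group(3)))
    return {"kind": m.group(1), "bytes": int(m.group(2)),
            "objects": int(m.group(3)), "frames": frames}


def _short_location(loc: str) -> str:
    """'/any/build/dir/tif_unix.c:316' -> 'tif_unix.c:316'; non file:line kept as-is."""
    path, sep, line = loc.rpartition(":")
    if sep and line.isdigit():
        return f"{os.path.basename(path)}:{line}"
    return loc


def signature(report: Dict) -> Tuple[str, ...]:
    """Library-only signature: drop sanitizer interceptors and everything from main down.

    Build paths are reduced to basename:line so the same libtiff stack built in
    two different checkouts, or reached from two different tools, compares equal.
    """
    sig: List[str] = []
    for func, loc in report["frames"]:
        if func.startswith("__interceptor_") or func.startswith("__asan_"):
            continue
        if func == "main":
            break
        sig.append(f"{func}@{_short_location(loc)}")
    return tuple(sig)


def is_duplicate(report_a: str, report_b: str) -> bool:
    return signature(parse_report(report_a)) == signature(parse_report(report_b))


def group_duplicates(reports: Dict[str, str]) -> Dict[Tuple[str, ...], List[str]]:
    """Bucket named reports by signature; a bucket with more than one name is a duplicate set."""
    groups: Dict[Tuple[str, ...], List[str]] = {}
    for name, text in reports.items():
        groups.setdefault(signature(parse_report(text)), []).append(name)
    return groups


if __name__ == "__main__":
    for sig, names in group_duplicates({"this bug": REPORT_TIFF2PDF,
                                        "other tool": REPORT_OTHER_TOOL,
                                        "unrelated": REPORT_UNRELATED}).items():
        print(names, "->", sig[:2], "...")
```

Cutting the stack at `main` is the right choice for a library bug: the allocation happened inside libtiff, so the tool that called `TIFFOpen` is noise for deduplication. Keep the line numbers in the signature only when comparing reports against the same library version; across versions, compare function names alone.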