Created an attachment (id=770)
testcase

on libtiff 4.0.7

The TIFFReadDirEntryLong8Array function in tif_dirread.c:1919 allows remote attackers to cause a denial of service (memory leak) via a crafted file.

#tiff2ps $FILE
=================================================================
==11378==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f9553673bb8 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x45f0cd in _TIFFmalloc /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:316
    #2 0x436c31 in TIFFReadDirEntryLong8Array /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:1919
    #3 0x449962 in TIFFFetchStripThing /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:5402
    #4 0x43ee00 in TIFFReadDirectory /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:3737
    #5 0x44d461 in TIFFClientOpen /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_open.c:466
    #6 0x45ee3d in TIFFFdOpen /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:211
    #7 0x45f08c in TIFFOpen /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:250
    #8 0x4036ff in main /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:465
    #9 0x7f955287fb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).

testcase: https://github.com/bestshow/p0cs/blob/master/memory-leak-TIFFReadDirEntryLong8Array-tiff2ps-2.tif
Fixed per

/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1219; previous revision: 1.1218
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c
new revision: 1.208; previous revision: 1.207
/cvs/maptools/cvsroot/libtiff/tools/tiff2ps.c,v <-- tools/tiff2ps.c
new revision: 1.56; previous revision: 1.55

2017-04-27

	* libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD mode (ie default) when there is both a StripOffsets and TileOffsets tag, or a StripByteCounts and TileByteCounts
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689

	* tools/tiff2ps.c: call TIFFClose() in error code paths.
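The leak the ChangeLog entry describes, modelled as an added example (this is not libtiff code): a directory reader whose StripOffsets and TileOffsets entries both land in the same per-directory offset field, shown with and without releasing the array the earlier tag already allocated. The counted allocator, the `dir_entry`/`directory` structs, `fetch_strip_thing` and the two-entry IFD are constructed for the demonstration; the tag numbers 273 and 324 are the standard TIFF values.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the tif_dirread.c leak (not libtiff code):
 * StripOffsets (273) and TileOffsets (324) both feed the same field. */
#define TAG_STRIPOFFSETS 273
#define TAG_TILEOFFSETS  324

static int live_allocs = 0;                 /* outstanding heap blocks */
static void *counted_malloc(size_t n) { live_allocs++; return malloc(n); }
static void  counted_free(void *p) { if (p) { live_allocs--; free(p); } }

struct dir_entry { uint16_t tag; uint32_t count; const uint64_t *values; };
struct directory { uint64_t *stripoffset; uint32_t nstrips; };

/* Mirrors the role of TIFFFetchStripThing: decode the entry into a fresh
 * array and store it in *lpp. With fix_leak == 0 the array stored by the
 * previous tag is overwritten without being freed, which is the leak. */
static int fetch_strip_thing(const struct dir_entry *e, uint32_t nstrips,
                             uint64_t **lpp, int fix_leak)
{
    size_t n = e->count < nstrips ? e->count : nstrips;
    uint64_t *data = counted_malloc(nstrips * sizeof *data);
    if (!data) return 0;
    memset(data, 0, nstrips * sizeof *data);
    memcpy(data, e->values, n * sizeof *data);
    if (fix_leak) counted_free(*lpp);       /* release the earlier tag's array */
    *lpp = data;
    return 1;
}

/* Read a constructed IFD carrying both tags, then free what TIFFClose would
 * free. Returns the number of blocks still live: 0 means no leak. */
int read_directory_leak_count(int fix_leak)
{
    static const uint64_t strip_vals[] = { 8, 16 };
    static const uint64_t tile_vals[]  = { 32, 48 };
    const struct dir_entry dir[] = {        /* constructed sample directory */
        { TAG_STRIPOFFSETS, 2, strip_vals },
        { TAG_TILEOFFSETS,  2, tile_vals  },
    };
    struct directory td = { NULL, 2 };      /* nstrips assumed to be 2 */
    live_allocs = 0;
    for (size_t i = 0; i < sizeof dir / sizeof dir[0]; i++)
        if (dir[i].tag == TAG_STRIPOFFSETS || dir[i].tag == TAG_TILEOFFSETS)
            if (!fetch_strip_thing(&dir[i], td.nstrips, &td.stripoffset, fix_leak))
                break;
    counted_free(td.stripoffset);
    return live_allocs;
}
```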
*** Bug 2680 has been marked as a duplicate of this bug. ***
(In reply to comment #0)

Credit: ADLab of Venustech
*** Bug 2695 has been marked as a duplicate of this bug. ***
For reference, this has been assigned CVE-2017-9403.
*** Bug 2682 has been marked as a duplicate of this bug. ***