Created an attachment (id=872)
poc

Overview:
There is a NULL pointer dereference at function LZWDecode at file tif_lzw.c:462.

Steps to Reproduce:
$ ./tiff2bw poc /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
Segmentation fault

Actual Results:
The application crashed.

Build Date & Platform:
Build 2018-10-25 on ubuntu 18.04

Additional Information:
gdb info:
In file: /home/pwd/fuzz/fuzz-libtiff/tiff-4.0.9/libtiff/tif_lzw.c
   457             TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
   458                 "LZWDecode: Corrupted LZW table at scanline %d",
   459                 tif->tif_row);
   460             return (0);
   461         }
 ► 462         *op++ = (char)code;
   463         occ--;
   464         oldcodep = sp->dec_codetab + code;
   465         continue;
   466     }
   467     codep = sp->dec_codetab + code;
pwndbg> p op
$2 = 0x0
pwndbg> bt
#0  LZWDecode (tif=<optimized out>, op0=<optimized out>, occ0=<optimized out>, s=<optimized out>) at tif_lzw.c:462
#1  0x00007ffff7b8bbb9 in PredictorDecodeRow (tif=0x616260, op0=0x0, occ0=6442453011, s=0) at tif_predict.c:467
#2  0x00007ffff7b9485c in TIFFReadScanline (tif=0x616260, buf=<optimized out>, row=0, sample=0) at tif_read.c:450
#3  0x0000000000402f15 in ?? ()
#4  0x00007ffff6ee0b97 in __libc_start_main (main=0x401340, argc=3, argv=0x7fffffffdc48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdc38) at ../csu/libc-start.c:310
#5  0x000000000040127a in ?? ()
This issue was assigned CVE-2018-18661.
AFAICT this issue is still present in the current HEAD as of now (7030e8acbcbfada4e649da53b1b5c72702c61e88).

TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4750==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1f7099ffc2 bp 0x7fffa47a4a90 sp 0x7fffa47a49f0 T0)
==4750==The signal is caused by a WRITE memory access.
==4750==Hint: address points to the zero page.
    #0 0x7f1f7099ffc1 in LZWDecode /build/libtiff/libtiff/tif_lzw.c:462
    #1 0x7f1f709d0620 in PredictorDecodeRow /build/libtiff/libtiff/tif_predict.c:465
    #2 0x7f1f709da82c in TIFFReadScanline /build/libtiff/libtiff/tif_read.c:455
    #3 0x564bff142e7d in main /build/libtiff/tools/tiff2bw.c:258
    #4 0x7f1f6fa73b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
    #5 0x564bff1412e9 in _start (/build/libtiff/tools/.libs/tiff2bw+0x32e9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/libtiff/libtiff/tif_lzw.c:462 in LZWDecode
==4750==ABORTING
Fixed per https://gitlab.com/libtiff/libtiff/commit/99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f