| Title | LibTIFF v4.7.0 NULL Pointer Dereference |
|---|
| Description | A null pointer dereference vulnerability exists in the fax2ps utility of libtiff through version 4.7.0. When processing a malformed TIFF file, the utility may call memset() on a null output buffer (buf or outbuf) if the TIFFTAG_FAXFILLFUNC mechanism is active, leading to a denial-of-service via application crash.
./tools/fax2ps -p 1 -x 200 -y 200 poc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3486725==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6bc44a4dd0 bp 0x7ffe80f7e910 sp 0x7ffe80f7e0c8 T0)
==3486725==The signal is caused by a WRITE memory access.
==3486725==Hint: address points to the zero page.
#0 0x7f6bc44a4dd0 /build/glibc-FcRMwW/glibc-2.31/string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:190
#1 0x49a773 in __asan_memset (/src/sspocgen_workspace/tools/fax2ps+0x49a773)
#2 0x53167b in TIFFReadEncodedStrip /src/libtiff/tif_read.c:557:9
#3 0x4cd894 in printTIF /src/tools/fax2ps.c:281:15
#4 0x4cebeb in fax2ps /src/tools/fax2ps.c:326:13
#5 0x4cf352 in main /src/tools/fax2ps.c:409:17
#6 0x7f6bc433d082 in __libc_start_main /build/glibc-FcRMwW/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x41e8cd in _start (/src/sspocgen_workspace/tools/fax2ps+0x41e8cd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-FcRMwW/glibc-2.31/string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:190
==3486725==ABORTING |
|---|
| Source | https://gitlab.com/libtiff/libtiff/-/issues/649 |
|---|
| User | arthurx (UID 87796) |
|---|
| Submission | 29/07/2025 06h04 (11 months ago) |
|---|
| Moderation | 30/07/2025 19h47 (2 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 318355 [LibTIFF up to 4.7.0 fax2ps tools/tiff2pdf.c t2p_read_tiff_init Denial of Service] |
|---|
| Points | 20 |
|---|