| Field | Value |
|---|---|
| Title | libtiff tiff2ps 4.6.0 && the newest master SEGV |
| Description | A crafted TIFF file causes tiff2ps to crash with a NULL-pointer dereference (SEGV) in PS_Lvl2page() while converting the image to PostScript Level 2 output. Reproduction output is quoted below the table. |
| Source | ⚠️ https://gitlab.com/libtiff/libtiff/-/issues/718 |
| User | rootsec (UID 85929) |
| Submission | 07/17/2025 20:23 (11 months ago) |
| Moderation | 08/04/2025 13:55 (18 days later) |
| Status | Accepted |
| VulDB entry | 318664 [libtiff 4.6.0 tiff2ps tools/tiff2ps.c PS_Lvl2page null pointer dereference] |
| Points | 20 |

Reproduction output quoted in the description:

```text
root@ab022755820a: # ./tiff2ps -2 ~/POC_libtiff_tiff2ps_SEGV
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
/root/POC_libtiff_tiff2ps_SEGV: Warning, Nonstandard tile width 1, convert file.
TIFFReadDirectory: Warning, Invalid data type for tag StripByteCounts.
%!PS-Adobe-3.0 EPSF-3.0
%%Creator: tiff2ps
%%Title: /root/POC_libtiff_tiff2ps_SEGV
%%CreationDate: Fri Jul 18 02:09:19 2025
%%DocumentData: Clean7Bit
%%Origin: 0 0
%%BoundingBox: 0 0 70 46
%%LanguageLevel: 2
%%Pages: 1 1
%%EndComments
%%Page: 1 1
gsave
100 dict begin
70.000000 46.000000 scale
% PostScript Level 2 only.
/DeviceGray setcolorspace
0 0 1 1 rectclip
/im_x 0 def
{ % exec
70 { % repeat
/im_stream currentfile /ASCII85Decode filter def
<<
/ImageType 1
/Width 1
/Height 234
/ImageMatrix [ 70 0 0 -46 im_x neg 46 ]
/BitsPerComponent 4
/Interpolate true
/Decode [0 1]
/DataSource im_stream
>> image
im_stream status { im_stream flushfile } if
/im_x im_x 1 add def
} repeat
}
exec
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Incompatible type for "StripByteCounts".
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1083300==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5dda062afc84 bp 0x7ffe86cfa180 sp 0x7ffe86cf9e80 T0)
==1083300==The signal is caused by a READ memory access.
==1083300==Hint: address points to the zero page.
    #0 0x5dda062afc84 in PS_Lvl2page program/libtiff/tools/tiff2ps.c:2447:31
    #1 0x5dda062aa6e4 in PSpage program/libtiff/tools/tiff2ps.c:2625:31
    #2 0x5dda062a5fcd in TIFF2PS program/libtiff/tools/tiff2ps.c
    #3 0x5dda062a2efb in main program/libtiff/tools/tiff2ps.c:538:18
    #4 0x7ff5c1286d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7ff5c1286e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #6 0x5dda061c9b74 in _start (fuzzdir/fuz-tiffcp/tiff2ps+0xc4b74) (BuildId: 45037b602c391fe4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV program/libtiff/tools/tiff2ps.c:2447:31 in PS_Lvl2page
==1083300==ABORTING
```