| Field | Value |
|---|---|
| Title | LibTIFF v4.7.0 NULL Pointer Dereference |
| Description | A null pointer dereference vulnerability exists in the fax2ps utility of libtiff through version 4.7.0. When processing a malformed TIFF file, the utility may call memset() on a null output buffer (buf or outbuf) if the TIFFTAG_FAXFILLFUNC mechanism is active, leading to a denial-of-service via application crash. |
| Source | https://gitlab.com/libtiff/libtiff/-/issues/649 |
| User | arthurx (UID 87796) |
| Submission | 07/29/2025 06:04 (11 months ago) |
| Moderation | 07/30/2025 19:47 (2 days later) |
| Status | Accepted |
| VulDB entry | 318355 [LibTIFF up to 4.7.0 fax2ps tools/tiff2pdf.c t2p_read_tiff_init null pointer dereference] |
| Points | 20 |

Reproduction command and AddressSanitizer output included with the submission's description:

```
./tools/fax2ps -p 1 -x 200 -y 200 poc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3486725==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6bc44a4dd0 bp 0x7ffe80f7e910 sp 0x7ffe80f7e0c8 T0)
==3486725==The signal is caused by a WRITE memory access.
==3486725==Hint: address points to the zero page.
    #0 0x7f6bc44a4dd0 /build/glibc-FcRMwW/glibc-2.31/string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:190
    #1 0x49a773 in __asan_memset (/src/sspocgen_workspace/tools/fax2ps+0x49a773)
    #2 0x53167b in TIFFReadEncodedStrip /src/libtiff/tif_read.c:557:9
    #3 0x4cd894 in printTIF /src/tools/fax2ps.c:281:15
    #4 0x4cebeb in fax2ps /src/tools/fax2ps.c:326:13
    #5 0x4cf352 in main /src/tools/fax2ps.c:409:17
    #6 0x7f6bc433d082 in __libc_start_main /build/glibc-FcRMwW/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41e8cd in _start (/src/sspocgen_workspace/tools/fax2ps+0x41e8cd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-FcRMwW/glibc-2.31/string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:190
==3486725==ABORTING
```