A bug report and a PoC are as in the attachment. The stacktrace:

==17449==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb58006a0 at pc 0x0804d903 bp 0xbfeb5068 sp 0xbfeb5058
READ of size 1 at 0xb58006a0 thread T0
    #0 0x804d902 in cpContig2SeparateByRow /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:1091
    #1 0x804b31d in tiffcp /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:815
    #2 0x804b31d in main /home/lyk/tiff-4.0.7-asan/tools/tiffcp.c:304
    #3 0xb6fd0636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #4 0x804c81b (/home/lyk/inscmp/afl-2.33b/test/tiffcp_a+0x804c81b)
Created an attachment (id=742): the bug report and poc
Forgot to say :p, the version is 4.0.7
There is a sister bug (bug 2657) for this one: http://bugzilla.maptools.org/show_bug.cgi?id=2657
Fixed per

2017-01-11 Even Rouault <even.rouault at spatialys.com>

    * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based overflow. Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and http://bugzilla.maptools.org/show_bug.cgi?id=2657

/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1210; previous revision: 1.1209
/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v  <--  tools/tiffcp.c
new revision: 1.61; previous revision: 1.60
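The fix above is a precondition check: the contig-to-separate row copy only works when each sample is exactly one byte, so any other BitsPerSample is rejected before the loop runs. The following is an added example written for this page, not libtiff's cpContig2SeparateByRow and not the committed patch; the function contig_to_separate_row, the demo_* helpers and the sample row are constructed for illustration. It shows the same shape of guard (refuse depth != 8 up front) together with an explicit size check of both buffers against width * samples-per-pixel, so that a malformed file produces a clean error instead of an out-of-bounds read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a contig -> separate row conversion, written for this
 * bug page; it is not libtiff's cpContig2SeparateByRow. The copy loop assumes
 * one byte per sample, which only holds when BitsPerSample == 8, so the
 * function refuses any other depth up front, as the fix describes. */

/* Convert one contiguous (interleaved) row into planar (separate) layout.
 * contig: width*spp interleaved bytes; planes: spp planes of width bytes each.
 * Returns 0 on success, -1 if a precondition fails (nothing is written). */
int contig_to_separate_row(const uint8_t *contig, size_t contig_len,
                           uint8_t *planes, size_t planes_len,
                           uint32_t width, uint16_t spp, uint16_t bps)
{
    if (bps != 8) {
        /* The stride below is 1 byte per sample; any other depth would make
         * the loop index past the end of the input buffer. */
        fprintf(stderr, "contig_to_separate_row: unsupported BitsPerSample %u\n",
                (unsigned)bps);
        return -1;
    }
    if (width == 0 || spp == 0) {
        return -1;
    }
    /* Overflow-safe computation of the byte count, then a check against the
     * caller's real buffer lengths rather than trusting the file's tags. */
    if ((size_t)width > SIZE_MAX / spp) {
        return -1;
    }
    size_t need = (size_t)width * spp;
    if (contig_len < need || planes_len < need) {
        return -1;
    }
    for (uint16_t s = 0; s < spp; s++) {
        for (uint32_t x = 0; x < width; x++) {
            planes[(size_t)s * width + x] = contig[(size_t)x * spp + s];
        }
    }
    return 0;
}

/* Constructed sample row: 4 RGB pixels at 8 bits per sample. */
static const uint8_t SAMPLE_ROW[12] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
/* The same pixels in planar order: all R, then all G, then all B. */
static const uint8_t EXPECTED_PLANES[12] = {1, 4, 7, 10, 2, 5, 8, 11, 3, 6, 9, 12};

/* Returns 1 if the 8-bit conversion produces the expected planar layout. */
int demo_separates_rgb(void)
{
    uint8_t out[12] = {0};
    int rc = contig_to_separate_row(SAMPLE_ROW, sizeof SAMPLE_ROW,
                                    out, sizeof out, 4, 3, 8);
    return rc == 0 && memcmp(out, EXPECTED_PLANES, sizeof out) == 0;
}

/* Returns 1 if a 16-bit depth is rejected and the output is left untouched. */
int demo_rejects_non8bps(void)
{
    uint8_t out[12];
    uint8_t untouched[12];
    memset(out, 0xAA, sizeof out);
    memset(untouched, 0xAA, sizeof untouched);
    int rc = contig_to_separate_row(SAMPLE_ROW, sizeof SAMPLE_ROW,
                                    out, sizeof out, 4, 3, 16);
    return rc == -1 && memcmp(out, untouched, sizeof out) == 0;
}

/* Returns 1 if an input buffer shorter than width*spp bytes is rejected. */
int demo_rejects_short_buffer(void)
{
    uint8_t out[12] = {0};
    return contig_to_separate_row(SAMPLE_ROW, 6, out, sizeof out, 4, 3, 8) == -1;
}

int main(void)
{
    printf("8-bit RGB row separated correctly: %s\n", demo_separates_rgb() ? "yes" : "no");
    printf("16-bit depth rejected: %s\n", demo_rejects_non8bps() ? "yes" : "no");
    printf("short input buffer rejected: %s\n", demo_rejects_short_buffer() ? "yes" : "no");
    return 0;
}
```

The depth check alone is what the ChangeLog entry describes; the additional length check is the general form of the same idea, since a loop that indexes by width and samples-per-pixel should be bounded by the buffers actually allocated, not by values read from the file.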