CVE-2022-0562: AddressSanitizer: undefined-behavior tif_dirread.c:4176:40 in TIFFReadDirectory function (#362) · Issues · libtiff / libtiff

Null source pointer passed as an argument to memcpy() function within TIFFReadDirectory() in tif_dirread.c in libtiff versions from 4.0 to 4.3.0 could lead to Denial of Service via crafted TIFF file. For users that compile libtiff from sources, a fix is available with commit 561599c.


Summary

A null pointer is passed as an argument to memcpy in the TIFFReadDirectory function in tools/tif_dirread.c:4176:40, resulting in a denial of service when a crafted TIFF image is parsed by the library.

libtiff version: 4.3.0, downloaded from https://download.osgeo.org/libtiff/tiff-4.3.0.zip

Steps to reproduce

1. Download tiff-4.3.0.zip from https://download.osgeo.org/libtiff/tiff-4.3.0.zip

2. Compile the library with the AFL compiler wrapper using LLVM instrumentation and with ASAN and UBSAN enabled, as shown below:

```sh
CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-g -fsanitize=address,undefined -fno-sanitize-recover=all" CXXFLAGS="-g -fsanitize=address,undefined -fno-sanitize-recover=all" LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -lm" ./configure --disable-shared
```

OR

```sh
CC=gcc CXX=g++ CFLAGS="-g -fsanitize=address,undefined -fno-sanitize-recover=all" CXXFLAGS="-g -fsanitize=address,undefined -fno-sanitize-recover=all" LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -lm" ./configure --disable-shared
```

3. Execute the tiffinfo binary with the following options and the crafted TIFF POC image:

```sh
./tiffinfo -f lsb2msb -Dcdjrsz crash.tif
```

```
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 18770 (0x4952) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "PhotometricInterpretation"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect value for "DateTime"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples...
tif_dirread.c:4176:40: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
SUMMARY: AddressSanitizer: undefined-behavior tif_dirread.c:4176:40
```

Code at the reported location (tif_dirread.c:4176):

```c
/* td_sampleinfo is the source operand flagged by UBSAN: it is NULL here */
memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
_TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
_TIFFfree(new_sampleinfo);
```
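The following is an added example, not libtiff's code: a constructed stand-in for the ExtraSamples growth path (the struct, field and function names here are assumptions modelled on the names in the report). It places the unguarded copy from the report beside a guarded version; the guard is an illustrative hardening, not the content of commit 561599c, which this page does not show.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the two directory fields involved (not libtiff's
 * own struct). A directory without an ExtraSamples tag starts as {NULL, 0}. */
struct tiff_dir {
    uint16_t *td_sampleinfo;   /* ExtraSamples array, may be NULL   */
    uint16_t  td_extrasamples; /* number of entries in that array   */
};

/* Shape of the reported code: the copy of the old entries runs even when
 * td_sampleinfo is NULL. memcpy is declared nonnull, so a NULL source is
 * undefined behaviour even for a zero byte count; UBSAN reports exactly that
 * and -fno-sanitize-recover turns it into the abort seen with tiffinfo. */
void grow_unguarded(struct tiff_dir *d, uint16_t *fresh, uint16_t old)
{
    memcpy(fresh, d->td_sampleinfo, old * sizeof(uint16_t));
}

/* Guarded shape (illustrative): copy only when there is something to copy,
 * and treat a non-zero count with a NULL array as a corrupt directory.
 * New entries are zero-filled (a constructed choice). Returns 0 or -1. */
int grow_sampleinfo(struct tiff_dir *d, uint16_t extra)
{
    uint16_t old = d->td_extrasamples;
    uint32_t total = (uint32_t)old + extra;
    if (extra == 0 || total > UINT16_MAX) return -1;
    uint16_t *fresh = calloc(total, sizeof(uint16_t));
    if (fresh == NULL) return -1;
    if (old > 0) {
        if (d->td_sampleinfo == NULL) { free(fresh); return -1; }
        memcpy(fresh, d->td_sampleinfo, old * sizeof(uint16_t));
    }
    free(d->td_sampleinfo);
    d->td_sampleinfo = fresh;
    d->td_extrasamples = (uint16_t)total;
    return 0;
}

int main(void)
{
    struct tiff_dir d = { NULL, 0 };  /* state the crafted file drives the parser into */
    int rc = grow_sampleinfo(&d, 2);  /* rc == 0, count == 2, no NULL source copy */
    printf("rc=%d count=%u\n", rc, d.td_extrasamples);
    free(d.td_sampleinfo);
    return rc == 0 ? 0 : 1;
}
```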

Debugging information and POC file attached: debugging_information, crash.zip

Platform

Ubuntu 20.04 LTS, 64-bit. Compiler used: afl-clang-fast and afl-clang-fast++ with ASAN and UBSAN enabled, using the compilation command shown above.
