SEGV at /libtiff/tif_luv.c:961 in uv_encode()
Summary
A SIGSEGV (invalid read in uv_encode(), tif_luv.c:961) occurs when running tiffcrop with the -B option on the attached poc file.
Version
$ ./tools/tiffcrop -v
Library Release: LIBTIFF, Version 4.5.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
: Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
$ git log --oneline -1
c861f25c (HEAD -> master, origin/master, origin/HEAD) Merge branch 'tiffcrop_dont_reuse_input_buffer_fix_527' into 'master'
Steps to reproduce
make
git clone https://gitlab.com/libtiff/libtiff.git
cd libtiff
./autogen.sh
./configure
make
run
$ ./tools/tiffcrop -B poc temp
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3120 (0xc30) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 3120 (Tag 3120) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFAdvanceDirectory: Error fetching directory count.
fish: Job 1, './tools/tiffcrop -B poc temp' terminated by signal SIGSEGV (Address boundary error)
Platform
$ uname -a
Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ gcc --version
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
ASAN report
./tools/tiffcrop -B poc temp
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3120 (0xc30) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 3120 (Tag 3120) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFAdvanceDirectory: Error fetching directory count.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1381705==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1876003420 (pc 0x7f1c75f78cb0 bp 0x7ffc95fdf630 sp 0x7ffc95fdf600 T0)
==1381705==The signal is caused by a READ memory access.
#0 0x7f1c75f78caf in uv_encode /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:961
#1 0x7f1c75f797b2 in LogLuv24fromXYZ /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:1057
#2 0x7f1c75f79f58 in Luv24fromXYZ /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:1120
#3 0x7f1c75f76522 in LogLuvEncode24 /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:569
#4 0x7f1c75f775c7 in LogLuvEncodeStrip /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:722
#5 0x7f1c75fcb6bb in TIFFWriteEncodedStrip /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_write.c:308
#6 0x563fd6857160 in writeBufferToContigStrips /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:1317
#7 0x563fd688022e in writeCroppedImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:9197
#8 0x563fd685f4d5 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:2834
#9 0x7f1c75a96082 in __libc_start_main ../csu/libc-start.c:308
#10 0x563fd6855b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/.libs/tiffcrop+0x9b6d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:961 in uv_encode
==1381705==ABORTING