Stack-buffer-overflow in _TIFFVGetField
I have two GraphicsMagick oss-fuzz issues (58754 & 58758) open due to this issue. Both were opened on 2023-05-09.
In both cases the stack overflow occurs at _TIFFVGetField libtiff/libtiff/tif_dir.c:1482:46
Version
Libtiff git (latest at this moment, e3e23b1d)
Steps to reproduce
In both cases the problem occurs due to this GraphicsMagick code which has been present for over 20 years:
if ((TIFFGetField(tiff,36867,&count,&text) == 1) && (count) && (text != (const char*) NULL))
CopySizedFieldToAttribute("kodak-36867",count,text);
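Why the argument list handed to TIFFGetField matters here, shown with a constructed C model added for this report (it is not libtiff's or GraphicsMagick's code): a TIFFGetField-style getter writes through as many out-pointers, of whatever width, as the field descriptor says, so the `&count, &text` pair in the call above is only safe when the descriptor for that tag really is "count plus ASCII pointer". The descriptor table, stored values and private-range tags 65000/65001 below are invented for the example; only tag 36867 comes from the report. The defensive wrapper `get_counted_ascii` looks the descriptor up before calling the getter, which is the same check real libtiff exposes as `TIFFFieldWithTag`, `TIFFFieldPassCount` and `TIFFFieldDataType`.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a TIFFGetField-style getter (example code, not libtiff's).
 * The hazard it reproduces: the getter decides from the field descriptor how many
 * out-pointers to write and how wide each target is. A caller whose argument list
 * does not match that descriptor gets its stack written where it did not expect. */

typedef enum { FT_ASCII, FT_SHORT, FT_LONG } field_type;

typedef struct {
    uint32_t   tag;
    field_type type;
    int        passcount;  /* 1: getter writes a uint32_t count, then the value pointer */
} field_desc;

/* Hypothetical descriptor table (constructed). 36867 is the tag from the report;
 * 65000 and 65001 are private-range tags invented for this example. */
static const field_desc FIELDS[] = {
    { 36867, FT_ASCII, 1 },   /* caller must pass: uint32_t*, const char**  */
    { 65000, FT_ASCII, 0 },   /* caller must pass: const char**             */
    { 65001, FT_SHORT, 0 },   /* caller must pass: uint16_t*                */
};

static const field_desc *find_field(uint32_t tag)
{
    for (size_t i = 0; i < sizeof FIELDS / sizeof FIELDS[0]; i++)
        if (FIELDS[i].tag == tag)
            return &FIELDS[i];
    return NULL;
}

/* Values the model "directory" holds (constructed sample data). */
static const char     STORED_TEXT[]  = "2023:05:09 00:00:00";
static const uint16_t STORED_SHORT   = 1;

/* Mirrors the shape of a _TIFFVGetField default case: the descriptor, not the
 * caller, dictates what is written through the variadic arguments. */
static int model_vget_field(uint32_t tag, va_list ap)
{
    const field_desc *f = find_field(tag);
    if (f == NULL)
        return 0;
    if (f->passcount)
        *va_arg(ap, uint32_t *) = (uint32_t)strlen(STORED_TEXT);
    switch (f->type) {
    case FT_ASCII: *va_arg(ap, const char **) = STORED_TEXT;  break;
    case FT_SHORT: *va_arg(ap, uint16_t *)    = STORED_SHORT; break;
    case FT_LONG:  *va_arg(ap, uint32_t *)    = STORED_SHORT; break;
    }
    return 1;
}

static int model_get_field(uint32_t tag, ...)
{
    va_list ap;
    va_start(ap, tag);
    int r = model_vget_field(tag, ap);
    va_end(ap);
    return r;
}

/* Defensive wrapper: only call the getter when the argument list we are about to
 * pass (uint32_t count + char pointer) is exactly what the descriptor demands.
 * Returns 0 and leaves *count / *text untouched otherwise. */
static int get_counted_ascii(uint32_t tag, uint32_t *count, const char **text)
{
    const field_desc *f = find_field(tag);
    if (f == NULL || f->type != FT_ASCII || !f->passcount)
        return 0;  /* the getter would write a different shape than we provide */
    return model_get_field(tag, count, text);
}

int main(void)
{
    uint32_t count = 0;
    const char *text = NULL;
    if (get_counted_ascii(36867, &count, &text))
        printf("tag 36867: count=%u text=\"%s\"\n", count, text);
    if (!get_counted_ascii(65000, &count, &text))
        printf("tag 65000: refused, descriptor has no count argument\n");
    if (!get_counted_ascii(65001, &count, &text))
        printf("tag 65001: refused, descriptor is a SHORT, not ASCII\n");
    return 0;
}
```

The point for a caller such as the GraphicsMagick snippet is that `&count, &text` encodes an assumption about the tag's descriptor; checking that assumption against the library's own field definition before the call turns a silent stack write into a refused request.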
These oss-fuzz test cases provoke the issue:
clusterfuzz-testcase-minimized-coder_PTIF_fuzzer-5790874811105280
clusterfuzz-testcase-minimized-coder_BIGTIFF_fuzzer-4549764084269056
Platform
64-bit Linux (as used by oss-fuzz).