tiffcp: The value of imagelength is too large, the program cannot be executed normally
Summary
By constructing an input whose imagelength value is too large, the program gets stuck in a loop and cannot execute normally.
Version
Latest Git and 4.5.1
Steps to reproduce
Compile normally, then run: ./build/bin/tiffcp poc /tmp/foo
Cause
The length value obtained at tiffcp.c:843 is too large (here it is 0xe8000020), so the program gets stuck in the loop at tiffcp.c:1157. At the same time, it cannot leave the loop through goto bad.

    for (row = 0; row < imagelength; row++)
    {
        if (TIFFReadScanline(in, buf, row, 0) < 0 && !ignore)
        {
            TIFFError(TIFFFileName(in), "Error, can't read scanline %" PRIu32,
                      row);
            goto bad;
        }
        if (TIFFWriteScanline(out, buf, row, 0) < 0)
        {
            TIFFError(TIFFFileName(out), "Error, can't write scanline %" PRIu32,
                      row);
            goto bad;
        }
    }
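As an added triage example (not code from libtiff or this report), the check below reads the first IFD of a classic TIFF and flags a declared ImageLength that the file cannot plausibly hold, so such inputs can be rejected before they reach tiffcp's row loop. It assumes TIFF 6.0 tag numbers; the sample files are constructed, and the row cap for compressed images is an arbitrary policy value.

```python
import struct

IMAGEWIDTH, IMAGELENGTH, BITSPERSAMPLE = 256, 257, 258  # TIFF 6.0 tag numbers
COMPRESSION, SAMPLESPERPIXEL = 259, 277
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def read_first_ifd(data):
    """Return {tag: first value} for the first IFD of a classic (non-Big) TIFF."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF header")
    bo = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack(bo + "HI", data[2:8])
    if magic != 42 or ifd_off + 2 > len(data):
        raise ValueError("bad TIFF magic or IFD offset")
    (count,) = struct.unpack(bo + "H", data[ifd_off:ifd_off + 2])
    tags = {}
    for i in range(count):
        ent = data[ifd_off + 2 + 12 * i:ifd_off + 14 + 12 * i]
        if len(ent) < 12:
            break  # truncated IFD: stop rather than read past the end
        tag, typ, n = struct.unpack(bo + "HHI", ent[:8])
        size = TYPE_SIZE.get(typ, 0) * n
        if size <= 4:
            raw = ent[8:12]  # value stored inline, left-justified
        else:
            (off,) = struct.unpack(bo + "I", ent[8:12])
            raw = data[off:off + size]
        fmt = {1: "B", 3: "H", 4: "I"}.get(typ)  # BYTE, SHORT, LONG
        if fmt and len(raw) >= struct.calcsize(fmt):
            tags[tag] = struct.unpack(bo + fmt, raw[:struct.calcsize(fmt)])[0]
    return tags

def suspicious_imagelength(data, max_rows=1 << 20):
    """True if the declared ImageLength is more rows than this file can plausibly hold."""
    t = read_first_ifd(data)
    width, length = t.get(IMAGEWIDTH, 0), t.get(IMAGELENGTH, 0)
    bits = t.get(BITSPERSAMPLE, 1) * t.get(SAMPLESPERPIXEL, 1)
    row_bytes = (width * bits + 7) // 8
    if t.get(COMPRESSION, 1) == 1 and length * row_bytes > len(data):
        return True  # uncompressed pixel data cannot exceed the file size
    return length > max_rows  # compressed data: fall back to a policy cap (assumed)

def make_tiff(tags):
    """Constructed sample: minimal little-endian TIFF, one IFD, all entries LONG[1]."""
    ents = b"".join(struct.pack("<HHII", k, 4, 1, v) for k, v in sorted(tags.items()))
    return b"II*\x00" + struct.pack("<IH", 8, len(tags)) + ents + b"\x00" * 4

# Constructed samples: the report's ImageLength value next to a sane one.
POC_LIKE = make_tiff({256: 1, 257: 0xE8000020, 258: 8, 259: 1, 277: 1})
BENIGN = make_tiff({256: 1, 257: 1, 258: 8, 259: 1, 277: 1})
```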
Platform
$ uname -a
Linux freec-virtual-machine 5.11.0-49-generic #55-Ubuntu SMP Wed Jan 12 17:36:34 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux