Undefined behavior and crash in libtiff tif_getimage.c
Summary
A malformed .tiff file can cause libtiff to hit undefined behavior in the RGBA conversion code (tif_getimage.c, specifically put16bitbwtile). In my testing, a .tiff file with inconsistent metadata (such as an unsupported compression value and invalid directory data) leads to a misaligned uint16_t read, which triggers a crash when the library is built with UBSan. As a result, applications that use libtiff to process untrusted TIFF files could be forced to crash with a specially crafted input file.
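As an added illustration of the bug class described above (an alignment-safe alternative to a direct `uint16_t *` read; this is not libtiff's code and not the attached harness), the helper below reads 16-bit greyscale samples starting at an arbitrary byte offset and packs them into RGBA the way a bw-to-RGBA conversion routine would, without ever dereferencing a misaligned pointer:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* True when p is suitably aligned for a uint16_t access. Dereferencing a
 * (uint16_t *) cast when this is false is undefined behaviour in C (UBSan
 * reports it as a misaligned load) even on x86, where the hardware tolerates it. */
int u16_aligned(const void *p) {
    return ((uintptr_t)p % _Alignof(uint16_t)) == 0;
}

/* Alignment-safe 16-bit read in host byte order: memcpy lets the compiler emit
 * whatever load is legal for the target, so this is well defined at any address. */
uint16_t read_u16_native(const unsigned char *p) {
    uint16_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Convert n 16-bit greyscale samples (host byte order, starting at any byte
 * offset) into packed 32-bit RGBA: alpha 0xFF, R = G = B = top 8 bits of the
 * sample. Illustrative only; libtiff's own routine differs in detail.
 * Returns the number of pixels written. */
size_t bw16_to_rgba(const unsigned char *src, size_t n, uint32_t *dst) {
    for (size_t i = 0; i < n; i++) {
        uint16_t s = read_u16_native(src + 2 * i);
        uint32_t g = (uint32_t)(s >> 8);
        dst[i] = 0xFF000000u | (g << 16) | (g << 8) | g;
    }
    return n;
}

int main(void) {
    /* Constructed input: one pad byte so the samples start at an odd address,
     * mimicking a tile whose data offset in a malformed directory is misaligned. */
    unsigned char buf[7];
    uint16_t samples[3] = {0x1234, 0xFF00, 0x0080};
    memcpy(buf + 1, samples, sizeof samples);
    uint32_t out[3];
    size_t n = bw16_to_rgba(buf + 1, 3, out);
    printf("samples at %p aligned: %d\n", (void *)(buf + 1), u16_aligned(buf + 1));
    for (size_t i = 0; i < n; i++)
        printf("pixel %zu: 0x%08X\n", i, (unsigned)out[i]);
    return 0;
}
```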
Version: 4.7.1
Steps to reproduce
- Download libtiff version 4.7.1
- Compile libtiff with AFL++ version 4 using afl-clang-fast with ASAN and UBSAN sanitization:
export CC=afl-clang-fast
export CXX=afl-clang-fast++
export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
export CXXFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
./configure --disable-shared --enable-static
make -j $(nproc)
- Compile the attached harness (harness-debug.c) using afl-clang-fast with ASAN and UBSAN sanitization:
afl-clang-fast -O1 -fsanitize=address,undefined -fno-omit-frame-pointer -I ../tiff-4.7.1/libtiff harness.c -o harness-debug ../tiff-4.7.1/libtiff/.libs/libtiff.a -lz -ljpeg
- Run the command:
./harness-debug crash_file.tiff
Platform
- OS: Ubuntu v22.04
- Architecture: x86_64
- Compiler Details: afl-cc++4.00c / clang version 13.0.1-2ubuntu2.2
Notes
- Attached images are from gdb output and output from my test harness.
- The harness source code and crash file are in the attached zip file.
Edited by Richard Howe