PixarLogSetupDecode allows excessive heap allocation via unbounded TIFF image dimensions

Summary

A specially crafted, malformed .tiff file can make libtiff allocate an extremely large heap buffer in the PixarLog decoding path (PixarLogSetupDecode in tif_pixarlog.c). The trigger is corrupted or exaggerated TIFF metadata (very large ImageWidth and ImageLength values, combined with missing or fallback strip information) that is used directly in the buffer size calculation.

During decoding setup, libtiff multiplies these geometry values to compute the size of an internal temporary buffer (tbuf_size). The values are not bounded against any sane limit before the multiplication, so the product can grow to tens of gigabytes (roughly 65–70 GB in testing) while still fitting in a size_t, which means the overflow check does not catch it. That size is then passed directly to _TIFFmallocExt, where the request cannot be satisfied and the process aborts under AddressSanitizer.

The result is a reliable denial of service through memory exhaustion when untrusted TIFF files are processed. Without a sanitizer the outcome depends on the allocator and the system's overcommit policy: the request may be refused, in which case libtiff reports an error and the read fails, or it may be granted and the process grows by tens of gigabytes as the buffer is filled. The per-allocation ceiling that libtiff offers (TIFFOpenOptionsSetMaxSingleMemAlloc on a TIFFOpenExt options object, enforced inside _TIFFmallocExt) stops the request before it reaches the allocator, but only for callers that opt in; nothing limits it otherwise.
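To make the arithmetic concrete, the following is an added example written for this report (not libtiff's own code) that models the tbuf_size computation with the same overflow-checked multiply/add pattern libtiff uses, and adds the gate that is missing: an explicit ceiling on a single allocation, analogous to TIFFOpenOptionsSetMaxSingleMemAlloc. The function names (mul_ms, add_ms, pixarlog_tbuf_size, tbuf_alloc_permitted) and the sample geometries are constructed for the example; in particular, treating a rows-per-strip value of 0 as "tag missing, fall back to ImageLength" is an assumption of this model, not a statement about libtiff's exact directory handling.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Overflow-checked multiply/add in the style libtiff uses for buffer
 * sizing: a result of 0 means "does not fit" (or that an earlier step
 * already overflowed). Re-implemented for this example; not libtiff code. */
static size_t mul_ms(size_t a, size_t b)
{
    if (a == 0 || b == 0)
        return 0;
    if (a > SIZE_MAX / b)
        return 0;
    return a * b;
}

static size_t add_ms(size_t a, size_t b)
{
    if (a == 0 || b == 0)      /* a zero input means overflow already happened */
        return 0;
    if (a > SIZE_MAX - b)
        return 0;
    return a + b;
}

/* Model of the PixarLog temporary-buffer sizing described in the report:
 * stride * ImageWidth * rows-per-strip * sizeof(uint16_t), plus one spare
 * stride. rows_per_strip == 0 stands in for a missing RowsPerStrip tag, in
 * which case the strip height is taken to be ImageLength (assumption of this
 * model, standing in for the "fallback strip information" in the report). */
size_t pixarlog_tbuf_size(uint32_t width, uint32_t length,
                          uint32_t rows_per_strip, uint16_t spp, int contig)
{
    size_t stride = contig ? (size_t)spp : 1;
    size_t rps = (rows_per_strip == 0) ? (size_t)length : (size_t)rows_per_strip;
    size_t n = mul_ms(mul_ms(mul_ms(stride, width), rps), sizeof(uint16_t));
    return add_ms(n, sizeof(uint16_t) * stride);
}

/* Hardened gate: the overflow check alone lets anything below SIZE_MAX
 * through, so an explicit ceiling (a caller-chosen cap, analogous to
 * libtiff's TIFFOpenOptionsSetMaxSingleMemAlloc) must sit between the size
 * computation and the allocator. Returns 1 if the allocation may proceed,
 * 0 if it must be rejected. */
int tbuf_alloc_permitted(size_t tbuf_size, size_t max_single_alloc)
{
    if (tbuf_size == 0)                 /* arithmetic overflowed */
        return 0;
    if (tbuf_size > max_single_alloc)   /* absurd for any real strip */
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed geometries for illustration (not taken from the attached
     * crash file). The hostile one stays under SIZE_MAX on 64-bit, so only
     * the ceiling stops it. */
    size_t sane = pixarlog_tbuf_size(1024, 768, 64, 3, 1);
    size_t huge = pixarlog_tbuf_size(131072, 131072, 0, 2, 1);
    size_t cap = (size_t)256 << 20;     /* 256 MiB per single allocation */

    printf("sane strip: %zu bytes, permitted=%d\n", sane,
           tbuf_alloc_permitted(sane, cap));
    printf("hostile geometry: %zu bytes (%.1f GiB), permitted=%d\n", huge,
           (double)huge / (1024.0 * 1024.0 * 1024.0),
           tbuf_alloc_permitted(huge, cap));
    return 0;
}
```

The hostile geometry (131072 x 131072, two contiguous samples, no RowsPerStrip) yields a 64 GiB request, the same order of magnitude as the 65–70 GB seen in testing: the overflow check passes and, with no ceiling, that size goes straight to the allocator. With a cap in place the request is refused before any memory is touched. In a libtiff-based harness the equivalent is to open the file with TIFFOpenExt and call TIFFOpenOptionsSetMaxSingleMemAlloc on the options before the open.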

Version

libtiff 4.7.1 (latest commit on main branch at time of testing)

Vulnerability Type

  • CWE-789: Uncontrolled Memory Allocation
  • CWE-400: Uncontrolled Resource Consumption

Steps to reproduce

  1. git clone https://github.com/libsdl-org/libtiff.git
  2. Compile libtiff with AFL++ version 4 using afl-clang-fast with ASAN and UBSAN sanitization:
    1. export CC=afl-clang-fast
    2. export CXX=afl-clang-fast++
    3. export CFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
    4. export CXXFLAGS="-O1 -g -fsanitize=address,undefined -fno-omit-frame-pointer"
    5. ./configure --disable-shared --enable-static
    6. make -j "$(nproc)"
  3. Compile the attached harness (harness-debug.c; referred to as harness.c in the command below) using afl-clang-fast with ASAN and UBSAN sanitization:
    1. afl-clang-fast -O1 -fsanitize=address,undefined -fno-omit-frame-pointer -I ../tiff-4.7.1/libtiff harness.c -o harness-debug ../tiff-4.7.1/libtiff/.libs/libtiff.a -lz -ljpeg
  4. Run the harness on the attached crash file: ./harness-debug crash_file.tiff

Harness and crash file are attached.

GDB Output

(GDB output is attached as two screenshots; not reproduced here.)

Platform

  • OS: Ubuntu v22.04
  • Architecture: x86_64
  • Compiler Details: afl-cc++4.00c / clang version 13.0.1-2ubuntu2.2

artifacts.tar.xz