Summary ------- Null pointer passed as an argument to memcpy in TIFFReadDirectory function in tools/tif_dirread.c:4176:40 resulting into Denial of Service when crafted TIFF image is parsed by library (libtiff version) libtiff version 4.3.0 downloaded from https://download.osgeo.org/libtiff/tiff-4.3.0.zip Steps to reproduce ------------------- tiff 4.3.0.zip downloaded from https://download.osgeo.org/libtiff/tiff-4.3.0.zip compile the library with the AFL compiler wrapper using LLVM instrumentation and with ASAN and UBSAN enabled as shown below: CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-g -fsanitize=address,undefined -fno-sanitize-recover=all" CXXFLAGS="-g -fsanitize=address,undefined -fno-sanitize-recover=all" LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -lm" ./configure --disable-shared OR CC=gcc CXX=g++ CFLAGS="-g -fsanitize=address,undefined -fno-sanitize-recover=all" CXXFLAGS="-g -fsanitize=address,undefined -fno-sanitize-recover=all" LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -lm" ./configure --disable-shared execute the tiffinfo binary with the following options and the crafted TIFF POC image: ./tiffinfo -f lsb2msb -Dcdjrsz crash.tif TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, Unknown field with tag 18770 (0x4952) encountered. TIFFFetchNormalTag: Warning, Incorrect count for "PhotometricInterpretation"; tag ignored. TIFFFetchNormalTag: Warning, Incorrect value for "DateTime"; tag ignored. TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples.. **tif_dirread.c:4176:40: runtime error: null pointer passed as argument 2, which is declared to never be null /usr/include/string.h:43:28: note: nonnull attribute specified here** **SUMMARY: AddressSanitizer: undefined-behavior tif_dirread.c:4176:40** `memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t)); _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif>tif_dir.td_extrasamples); _TIFFfree(new_sampleinfo); ` Debugging Information and POC file attached  [crash.zip](/uploads/b789f1156f127ee6edad8829e21a3209/crash.zip) Platform (Operating system, architecture, compiler details) Ubuntu 20.4 LTS 64 bit compiler used : afl-clang-fast and afl-clang-fast++ with ASAN and UBSAN enabled with the compilation command as shown above.