Uncontrolled memory allocation in TIFF strip decoding via malformed SamplesPerPixel tag leads to denial of service.

### Summary

A maliciously crafted TIFF file with an invalid `SamplesPerPixel` tag value causes libtiff to attempt an extremely large memory allocation (~16 GB), resulting in denial of service via memory exhaustion.

### Affected Version

* **libtiff version:** 4.7.1 (current master)
* **Tested:** January 2026, built from source

### Vulnerability Details

| Field | Value |
|-------|-------|
| Type | Uncontrolled Resource Consumption |
| CWE | CWE-400, CWE-789 |
| Severity | High |
| Attack Vector | Remote (malicious TIFF file) |
| Impact | Denial of Service |

### Root Cause

The `SamplesPerPixel` TIFF tag (0x0115) is not validated before being used in buffer size calculations. A value of `0xFFF9` (65529) causes allocation of:

```
500 × 500 × 65529 × 1 = ~16.4 GB (0x3d0754c10 bytes)
```

---

### Affected Code Path

```
TIFFReadRGBAImageOriented() → tif_getimage.c:643
└── gtStripContig() → tif_getimage.c:1227
    └── _TIFFReadEncodedStripAndAllocBuffer() → tif_read.c:615
        └── malloc(0x3d0754c10) // CRASH: out of memory
```

### Steps to Reproduce

**1. Build libtiff with AddressSanitizer:**

```bash
mkdir build && cd build
cmake -DCMAKE_C_FLAGS="-fsanitize=address,undefined -g" \
      -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined -g" ..
make
```

**2. Run with PoC file:**

```bash
./tools/tiffinfo poc_samplesperPixel.tiff
# or
./test/fuzz_tiff poc_samplesperPixel.tiff
```

**3. Observe crash:**

```
==PID==ERROR: AddressSanitizer: out of memory: allocator is trying to allocate 0x3d0754c10 bytes
    #0 in malloc
    #1 in _TIFFReadEncodedStripAndAllocBuffer tif_read.c:615
    #2 in gtStripContig tif_getimage.c:1227
    #3 in TIFFReadRGBAImageOriented tif_getimage.c:643
```

### Platform

| Component | Version |
|-----------|---------|
| OS | Ubuntu 24.04.2 LTS (WSL2) |
| Kernel | 6.6.87.2-microsoft-standard-WSL2 |
| Architecture | x86_64 |
| Compiler | Clang 18.1.3 |
| libtiff | 4.7.1 |
| Sanitizers | ASAN + UBSAN |

### Security Impact

| Aspect | Description |
|--------|-------------|
| Denial of Service | Application crash due to memory exhaustion |
| Attack Scenario | Attacker sends crafted TIFF to web service, email client, or document processor |
| Exploitability | Low complexity, no authentication required |

---

### Suggested Fix

Add validation for `SamplesPerPixel` before memory allocation:

**In `tif_dirread.c` - TIFFReadDirectory():**

```c
#define TIFF_MAX_SAMPLES_PER_PIXEL 32

/* Reject the directory as soon as the tag value is known, before any
 * buffer size is derived from it. */
if (tif->tif_dir.td_samplesperpixel > TIFF_MAX_SAMPLES_PER_PIXEL)
{
    TIFFErrorExtR(tif, module,
                  "SamplesPerPixel value %u exceeds maximum allowed (%u)",
                  tif->tif_dir.td_samplesperpixel, TIFF_MAX_SAMPLES_PER_PIXEL);
    return 0;
}
```

**Additionally, in `tif_read.c` - add allocation size sanity check:**

```c
#define TIFF_MAX_ALLOC_SIZE (256ULL * 1024 * 1024) // 256 MB

/* Second line of defence: refuse any single strip buffer above the cap,
 * whatever combination of tag values produced it. */
if ((uint64_t)size > TIFF_MAX_ALLOC_SIZE)
{
    TIFFErrorExtR(tif, module, "Allocation size %lld exceeds safety limit",
                  (long long)size);
    return 0;
}
```

### Screenshots

![1. Platform.png](/uploads/d90cf585bd13a3be176c77a7c1f37069/1._Platform.png)

![2. POC.png](/uploads/65fb509f6ad59e2e1194465089d56720/2._POC.png){width=871 height=474}

![3 error.png](/uploads/13f40666167a3f3103a5f7a454db0898/3_error.png){width=878 height=78}
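The two checks in the suggested fix are really one idea: the strip buffer size is a product of header-controlled values, so the tag must be bounded before it is multiplied, the multiplication must not wrap, and the result must be capped. The stand-alone C example below (added here; it is not libtiff's code, and `compute_strip_size`, `checked_strip_size`, `strip_status` and the `EXAMPLE_*` limits are this example's own names, with the 32-sample and 256 MB values taken from the proposed fix) walks the report's own numbers, 500 × 500 × 0xFFF9 × 1, through an unchecked product and through the checked one, and also covers the overflow case the report does not show:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Limits taken from the suggested fix; constructed for this example. */
#define EXAMPLE_MAX_SAMPLES_PER_PIXEL 32u
#define EXAMPLE_MAX_ALLOC_SIZE (256ULL * 1024 * 1024) /* 256 MB */

typedef enum {
    STRIP_OK = 0,
    STRIP_ERR_ZERO_DIM,      /* width, height or bytes/sample is 0 */
    STRIP_ERR_SPP_INVALID,   /* SamplesPerPixel is 0 or above the cap */
    STRIP_ERR_OVERFLOW,      /* product does not fit in 64 bits */
    STRIP_ERR_TOO_LARGE      /* product exceeds the allocation cap */
} strip_status;

/* Multiply two 64-bit values, reporting overflow instead of wrapping. */
static bool mul_u64_checked(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* The unchecked arithmetic behind the 0x3d0754c10 figure in the report. */
uint64_t unchecked_strip_size(uint32_t width, uint32_t height,
                              uint32_t samples_per_pixel,
                              uint32_t bytes_per_sample)
{
    return (uint64_t)width * height * samples_per_pixel * bytes_per_sample;
}

/* width * height * samples_per_pixel * bytes_per_sample with the checks the
 * report asks for: bound the tag before use, detect overflow, cap the result.
 * On success *out_size is the byte count; on any failure it is 0. */
strip_status compute_strip_size(uint32_t width, uint32_t height,
                                uint32_t samples_per_pixel,
                                uint32_t bytes_per_sample, uint64_t *out_size)
{
    uint64_t size;
    *out_size = 0;
    if (width == 0 || height == 0 || bytes_per_sample == 0)
        return STRIP_ERR_ZERO_DIM;
    /* Tag-level check, the role of the proposed tif_dirread.c change. */
    if (samples_per_pixel == 0 ||
        samples_per_pixel > EXAMPLE_MAX_SAMPLES_PER_PIXEL)
        return STRIP_ERR_SPP_INVALID;
    if (!mul_u64_checked(width, height, &size) ||
        !mul_u64_checked(size, samples_per_pixel, &size) ||
        !mul_u64_checked(size, bytes_per_sample, &size))
        return STRIP_ERR_OVERFLOW;
    /* Allocation-level check, the role of the proposed tif_read.c change. */
    if (size > EXAMPLE_MAX_ALLOC_SIZE)
        return STRIP_ERR_TOO_LARGE;
    *out_size = size;
    return STRIP_OK;
}

/* Convenience wrappers so callers can ask for just the status or just the size. */
strip_status strip_status_of(uint32_t w, uint32_t h, uint32_t spp, uint32_t bps)
{
    uint64_t size;
    return compute_strip_size(w, h, spp, bps, &size);
}

uint64_t checked_strip_size(uint32_t w, uint32_t h, uint32_t spp, uint32_t bps)
{
    uint64_t size;
    compute_strip_size(w, h, spp, bps, &size);
    return size; /* 0 when the request was rejected */
}

int main(void)
{
    /* The report's input: a 500 x 500 image with SamplesPerPixel = 0xFFF9. */
    uint64_t raw = unchecked_strip_size(500, 500, 0xFFF9, 1);
    printf("unchecked: %llu bytes (0x%llx)\n",
           (unsigned long long)raw, (unsigned long long)raw);
    printf("checked:   status %d, size %llu\n",
           (int)strip_status_of(500, 500, 0xFFF9, 1),
           (unsigned long long)checked_strip_size(500, 500, 0xFFF9, 1));
    /* A plausible RGB image passes and gets its real size. */
    printf("1024x768 RGB: status %d, size %llu\n",
           (int)strip_status_of(1024, 768, 3, 1),
           (unsigned long long)checked_strip_size(1024, 768, 3, 1));
    return 0;
}
```

The tag-level check alone would already stop the report's file, but the allocation cap is what catches a file whose individual tags all look sane while their product is still enormous, and the checked multiplication is what keeps that cap meaningful when the product would otherwise wrap to a small number.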