In LibTIFF 4.0.9, there is a NULL pointer dereference in the TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a denial of service attack, as demonstrated by tiffset. References: http://bugzilla.maptools.org/show_bug.cgi?id=2820
Created libtiff tracking bugs for this issue: Affects: fedora-all [bug 1649387] Created mingw-libtiff tracking bugs for this issue: Affects: epel-7 [bug 1649388] Affects: fedora-all [bug 1649389]
This is reproduce-able without ASAN builds as well. valgrind shows Null pointer deref with the following errors: poc0: Failed to allocate memory for to read TIFF directory (0 elements of 12 bytes each). TIFFReadDirectory: Failed to read directory at offset 5356. Running without valgrind yeilds segfault. There is no upstream patch yet.