In LibTIFF 4.0.9, there is a NULL pointer dereference in the TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a denial of service attack, as demonstrated by tiffset.
Created libtiff tracking bugs for this issue:
Affects: fedora-all [bug 1649387]
Created mingw-libtiff tracking bugs for this issue:
Affects: epel-7 [bug 1649388]
Affects: fedora-all [bug 1649389]
This is reproduce-able without ASAN builds as well. valgrind shows Null pointer deref with the following errors:
poc0: Failed to allocate memory for to read TIFF directory (0 elements of 12 bytes each).
TIFFReadDirectory: Failed to read directory at offset 5356.
Running without valgrind yeilds segfault.
There is no upstream patch yet.