The TIFFFetchNormalTag function in LibTiff 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via crafted TIFF_SETGET_C16_ASCII or TIFF_SETGET_C32_ASCII tag values.
#0 0x0000ffff8b2ed7c4 in tcache_get (tc_idx=<optimized out>) at ./malloc/malloc.c:3197
#1 __GI___libc_malloc (bytes=bytes@entry=1) at ./malloc/malloc.c:3313
#2 0x0000aaaaadf185ec in _TIFFmalloc (s=s@entry=1) at tif_unix.c:283
#3 0x0000aaaaadf0663c in setByteArray (vpp=0xaaaadfa59c68, vp=0xaaaadfa59be0, nmemb=1, elem_size=<optimized out>) at tif_dir.c:51
#4 0x0000aaaaadf0864c in _TIFFVSetField (tif=0xaaaadfa592a0, tag=57347, ap=...) at tif_dir.c:539
#5 0x0000aaaaadf09604 in TIFFVSetField (tif=0xaaaadfa592a0, tag=57347, ap=...) at tif_dir.c:820
#6 0x0000aaaaadf09710 in TIFFSetField (tif=<optimized out>, tag=<optimized out>) at tif_dir.c:764
...
Write breakpoint
#0 __memcpy_generic () at ../sysdeps/aarch64/multiarch/../memcpy.S:123
#1 0x0000aaaaadf0864c in _TIFFVSetField (tif=0xaaaadfa592a0, tag=57347, ap=...) at tif_dir.c:539
#2 0x0000aaaaadf09604 in TIFFVSetField (tif=0xaaaadfa592a0, tag=57347, ap=...) at tif_dir.c:820
#3 0x0000aaaaadf09710 in TIFFSetField (tif=<optimized out>, tag=<optimized out>) at tif_dir.c:764
...