I attempted to fix the CVE-2018-7456 issue in tiff, for the version in stretch. My patch is below. But curiously my patch only works if I enable the commented-out call to fprintf or use -O0 instead of the default -O2 (-O1 also fails). Otherwise the if condition never gets executed, and it segfaults later on with a null pointer error when trying to access the same pointer.
To me, this seems like some sort of weird compiler optimization error. Does this make sense? This was with the gcc from stretch. I also tried the compiler in sid - with the same source, which gave similar results.

Index: tiff-4.0.8/libtiff/tif_print.c =================================================================== --- tiff-4.0.8.orig/libtiff/tif_print.c +++ tiff-4.0.8/libtiff/tif_print.c @@ -540,8 +540,18 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, if (TIFFFieldSet(tif,FIELD_TRANSFERFUNCTION)) { fprintf(fd, " Transfer Function: "); if (flags & TIFFPRINT_CURVES) { - fprintf(fd, "\n"); + uint16 i; n = 1L<<td->td_bitspersample; + for (i = 1; i < td->td_samplesperpixel; i++) { + // fprintf(fd, "%p\n", td->td_transferfunction[i]); + if (NULL == td->td_transferfunction[i]) { + // abort(); + fprintf(fd, "(unexpected end of table)\n"); + n = 0; + break; + } + } + fprintf(fd, "\n"); for (l = 0; l < n; l++) { uint16 i; fprintf(fd, " %2ld: %5u",

-- Brian May <b...@debian.org>
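Review bot: the new loop `for (i = 1; i < td->td_samplesperpixel; i++)` indexes `td->td_transferfunction[i]` with no bound other than samples-per-pixel, but td_transferfunction is a fixed three-entry array of per-channel pointers in libtiff's TIFFDirectory, so a file declaring more than three samples per pixel makes this read past the end of the array before any NULL check can fire. That out-of-bounds read is undefined behaviour, which is enough to explain why the outcome changes between -O0 and -O2 and with the debugging fprintf present: the optimizer is entitled to assume the index is in range, so what you are seeing is not a compiler bug. Bound the index as well as checking for NULL, e.g. `for (i = 1; i < td->td_samplesperpixel && i < 3; i++)`, and give any later loop that walks the same array by sample index the same bound. Two smaller points: the check starts at i = 1, so `td->td_transferfunction[0]` is never tested before the `for (l = 0; l < n; l++)` print loop uses the table; and the `// fprintf(...)` and `// abort();` debugging leftovers, together with the new outer `uint16 i;` that is shadowed by the `uint16 i;` already declared inside the print loop, should be dropped before this goes in.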