CVE-2022-0907

An attacker supplies a crafted TIFF file that triggers a memory allocation failure (the allocation of 271,321,920 bytes exceeds the default limit of 268,435,456 bytes) [ref_id=1]. The `createImageSection` function does not check whether the allocation succeeded before passing the result to `_TIFFmemset`, causing a write to address zero and a segmentation fault [ref_id=1]. No authentication or special network access is required; the victim only needs to run `tiffcrop` on the malicious file.

The crash occurs in `_TIFFmemset` at `libtiff/tif_unix.c:340`, called from `createImageSection` in `tools/tiffcrop.c:7410`, which is invoked by `writeImageSections` at `tools/tiffcrop.c:7096` and ultimately from `main` at `tools/tiffcrop.c:2451` [ref_id=1]. The root cause is an unchecked return value that leads to a NULL pointer dereference.

The fix is available in commit `f2b656e2` [ref_id=1]. The patch adds a return-value check after the memory allocation in `createImageSection` so that if the allocation fails, the function returns an error instead of proceeding with a NULL pointer. This prevents the subsequent `_TIFFmemset` call from dereferencing a NULL address, closing the denial-of-service vector.

Build libtiff with AddressSanitizer (`CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --disable-shared`), then run: `./build_asan/bin/tiffcrop -H 341 poc /tmp/foo` where `poc` is the crafted TIFF file [ref_id=1]. The tool will crash with a SEGV in `_TIFFmemset` due to a NULL pointer dereference [ref_id=1].