VYPR
Unrated severity · NVD Advisory · Published Mar 11, 2022 · Updated Aug 2, 2024

CVE-2022-0908

Description

A null source pointer passed as an argument to the memcpy() function within TIFFFetchNormalTag() in tif_dirread.c in libtiff versions up to 4.3.0 could lead to Denial of Service via a crafted TIFF file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing NULL check on the `data` pointer before passing it to `_TIFFmemcpy()` in `TIFFFetchNormalTag()` allows a null source pointer to reach `memcpy()`."

Attack vector

An attacker crafts a TIFF file that causes `TIFFFetchNormalTag()` to reach line 5094 with `data` set to NULL while `dp->tdir_count` is zero [ref_id=1]. When `_TIFFmemcpy` is invoked with a null source pointer, the underlying `memcpy()` call triggers undefined behavior, resulting in a null pointer dereference and a crash [ref_id=1]. The attack requires only that the victim open the crafted TIFF file with a libtiff-based tool (e.g., `tiff2pdf`) [ref_id=1].

Affected code

The bug is in `TIFFFetchNormalTag()` in `tif_dirread.c` at line 5094, where `_TIFFmemcpy(o, data, (uint32_t)dp->tdir_count)` is called without checking whether the `data` pointer is NULL [ref_id=1]. The `_TIFFmemcpy` wrapper at `tif_unix.c:346` passes the null pointer directly to `memcpy()` [ref_id=1].

What the fix does

The issue report suggests adding a check such as `if(o==NULL || data==NULL)` before the `_TIFFmemcpy` call at line 5088 of `tif_dirread.c` [ref_id=1]. No patch is included in the bundle, so the exact committed fix is not shown; however, the remediation would prevent the null pointer from being passed to `memcpy()` by returning early or skipping the copy when `data` is NULL [ref_id=1].
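As an added illustration of the guard the issue report proposes (example code, not libtiff's own), here is a stand-alone C function with hypothetical names (`copy_tag_data`, `dir_entry_t`) that refuses the copy when either pointer is NULL; the destination-size check is this example's own addition beyond the suggested fix.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the one field of a TIFF directory entry this
 * example needs; it is not libtiff's TIFFDirEntry. */
typedef struct { uint64_t tdir_count; } dir_entry_t;

typedef enum {
    COPY_OK = 0,
    COPY_NULL_ARG,   /* o or data was NULL: the CVE-2022-0908 condition */
    COPY_TOO_LARGE   /* count exceeds the destination buffer */
} copy_status_t;

/* Guarded form of the copy the advisory describes. The unguarded call was,
 * in effect:  _TIFFmemcpy(o, data, (uint32_t)dp->tdir_count);
 * Passing NULL to memcpy() is undefined behavior even when the count is 0,
 * which is why the UBSan build traps. The destination-size check is this
 * example's addition, not part of the fix the issue report suggests. */
copy_status_t copy_tag_data(uint8_t *o, size_t o_size,
                            const uint8_t *data, const dir_entry_t *dp)
{
    if (o == NULL || data == NULL)   /* the check the report proposes */
        return COPY_NULL_ARG;
    if (dp->tdir_count > o_size)     /* never overrun the destination */
        return COPY_TOO_LARGE;
    memcpy(o, data, (size_t)dp->tdir_count);
    return COPY_OK;
}

/* Constructed scenario 1: the malformed entry from the advisory, a NULL data
 * pointer with a zero count. The guard returns a status instead of crashing. */
copy_status_t demo_null_source(void)
{
    uint8_t out[8] = {0};
    dir_entry_t dp = { .tdir_count = 0 };
    return copy_tag_data(out, sizeof out, NULL, &dp);
}

/* Constructed scenario 2: a well-formed 4-byte tag value is copied intact.
 * Returns 4 when the bytes match the source, 0 or -1 otherwise. */
int demo_valid_copy(void)
{
    static const uint8_t src[4] = { 0xDE, 0xAD, 0xBE, 0xEF };
    uint8_t out[8] = {0};
    dir_entry_t dp = { .tdir_count = sizeof src };
    if (copy_tag_data(out, sizeof out, src, &dp) != COPY_OK)
        return -1;
    return memcmp(out, src, sizeof src) == 0 ? 4 : 0;
}
```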

Preconditions

  • Victim must open a specially crafted TIFF file using a libtiff-based tool (e.g., tiff2pdf)
  • The crafted TIFF file must trigger the code path in TIFFFetchNormalTag where data is NULL and tdir_count is 0

Reproduction

1. Compile libtiff 4.3.0 with AddressSanitizer enabled (e.g., `CC=clang-12 CFLAGS="-g -fsanitize=undefined -fsanitize-undefined-trap-on-error -fno-sanitize-recover=all -fno-omit-frame-pointer -Wall -W" --disable-shared`).
2. Run `gdb tiff2pdf` and set arguments to the crafted POC file: `(gdb) set args POC`.
3. Execute `(gdb) r`; the program will crash with a SIGILL at `_TIFFmemcpy` in `tif_unix.c:346` [ref_id=1].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
