VYPR
Unrated severity · NVD Advisory · Published May 11, 2022 · Updated Aug 3, 2024

CVE-2022-1622

Description

LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial of service via a crafted TIFF file. For users who compile libtiff from source, the fix is available with commit b4e79bfa.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

28

Patches

Vulnerability mechanics

Root cause

"Missing error-state tracking in LZWDecode allows out-of-bounds reads from the code table after a prior decoding error."

Attack vector

An attacker supplies a crafted TIFF file that, when processed by `tiffcp` (or any tool using `LZWDecode`), causes the LZW decoder to attempt reading from a code not yet in the table [ref_id=1]. This results in a read from a NULL or near-NULL pointer (address 0x00000000000b), leading to a segmentation fault [ref_id=1]. The attack requires no authentication; the victim only needs to open the malicious file with a libtiff-based utility [ref_id=1].

Affected code

The out-of-bounds read occurs in the `LZWDecode` function in `libtiff/tif_lzw.c` at lines 619 and 624 [ref_id=1]. The crash is triggered when `tiffcp` calls `TIFFReadScanline`, which invokes `LZWDecode` on a crafted TIFF file [ref_id=1].

What the fix does

The fix [patch_id=b4e79bfa] adds a `read_error` flag to the LZW decoder state structure, initializes it to zero in `LZWPreDecode`, and checks it at the start of `LZWDecode` — if a prior read error occurred, the function immediately returns 0 [ref_id=2]. The flag is set to 1 in the `error_code` path (where "Using code not yet in table" is reported) [ref_id=2]. This prevents any subsequent attempt to read from the same strip or tile after an error, avoiding the out-of-bounds access that caused the SEGV [ref_id=2].
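
The sticky error-flag pattern described above, shown on a toy table-driven decoder as an added example. It is not libtiff's code and not the content of commit b4e79bfa; `toy_decoder`, `toy_predecode` and `toy_decode` are hypothetical names, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Toy table-driven decoder, NOT libtiff code; all names are hypothetical. */
typedef struct {
    const char *table[16]; /* entries [0, next_free) are valid */
    size_t next_free;
    int read_error;        /* sticky: set once a bad code is seen */
} toy_decoder;

/* Per-strip setup: rebuild the table and clear the error flag. */
void toy_predecode(toy_decoder *d) {
    memset(d, 0, sizeof *d);
    d->table[0] = "A";
    d->table[1] = "B";
    d->next_free = 2;
}

/* Returns 1 on success, 0 on error or when an earlier call already failed. */
int toy_decode(toy_decoder *d, const unsigned *codes, size_t n,
               char *out, size_t outsz) {
    size_t used = 0;
    if (d->read_error || outsz == 0)
        return 0; /* do not touch the table after a recorded error */
    for (size_t i = 0; i < n; i++) {
        if (codes[i] >= d->next_free) goto fail; /* code not yet in table */
        size_t len = strlen(d->table[codes[i]]);
        if (used + len + 1 > outsz) goto fail;   /* output would not fit */
        memcpy(out + used, d->table[codes[i]], len);
        used += len;
    }
    out[used] = '\0';
    return 1;
fail:
    d->read_error = 1;
    return 0;
}

int main(void) {
    toy_decoder d;
    char out[8];
    unsigned bad[] = {0, 5}, good[] = {0, 1}; /* constructed inputs */
    toy_predecode(&d);
    int first = toy_decode(&d, bad, 2, out, sizeof out);   /* bad code: sets flag */
    int second = toy_decode(&d, good, 2, out, sizeof out); /* refused: flag set */
    toy_predecode(&d);                                     /* next strip: reset */
    printf("%d %d %d\n", first, second, toy_decode(&d, good, 2, out, sizeof out));
    return 0;
}
```

The second call is refused even though its input is valid, because the decoder state is no longer trusted until the next setup call resets it.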

Preconditions

  • input: Victim must open a crafted TIFF file using a libtiff-based tool (e.g., tiffcp)
  • auth: No authentication or special privileges required

Reproduction

Use the provided PoC files (poc1, poc2) from the issue tracker [ref_id=1]. Build libtiff with AddressSanitizer enabled (`CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --disable-shared; make; make install`). Run `./build_asan/bin/tiffcp -i poc1 /tmp/foo` or `./build_asan/bin/tiffcp -i poc2 /tmp/foo` to reproduce the SEGV in `LZWDecode` at lines 619 or 624 [ref_id=1].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

15
