CVE-2022-3599

An attacker crafts a TIFF file with a malformed `InkNames` tag whose ASCII value does not end in a null byte, as shown by the warning "ASCII value for tag 'InkNames' does not end in null byte. Forcing it to be null." [ref_id=2]. When `tiffcrop` reads this file (e.g., `tiffcrop -H 341 poc /tmp/foo`), the forced null-termination can produce a buffer whose actual allocated size is smaller than the string length the code expects, leading to a heap-buffer-overflow read of size 1 at `writeSingleSection` [ref_id=2]. The attack requires no authentication and is delivered via a crafted TIFF file opened by the victim.

The out-of-bounds read occurs in `writeSingleSection` at `tools/tiffcrop.c:7345` [ref_id=2]. The heap-buffer-overflow is triggered when `tiffcrop` processes a crafted TIFF file whose `InkNames` tag contains data that does not end with a null byte, causing the ASCII value to be forced null-terminated by `TIFFFetchNormalTag` [ref_id=2]. The allocation trace shows the buffer was allocated via `_TIFFsetNString` in `_TIFFVSetField` (tif_dir.c:485) [ref_id=2].

The fix (commit e8131125) [ref_id=1] replaces the old `checkInkNamesString` function with a new `countInkNamesString` function that safely counts null-separated ink names within the buffer bounds. It also adds proper validation when setting `TIFFTAG_INKNAMES` and `TIFFTAG_NUMBEROFINKS`, ensuring `NumberOfInks` is derived from the actual count of ink names in the string rather than trusting a potentially mismatched value. Additionally, `FIELD_NUMBEROFINKS` is promoted from `FIELD_CUSTOM` to a proper well-known field, and the `_TIFFVGetField` handler for `NumberOfInks` now returns `td->td_numberofinks` directly instead of truncating from custom values [ref_id=1].

Build libtiff with AddressSanitizer: `CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared && make -j && make install`. Then run: `./build_asan/bin/tiffcrop -H 341 poc /tmp/foo` using the attached PoC file [ref_id=2]. The tool will output various TIFF warnings and then crash with an AddressSanitizer heap-buffer-overflow at `writeSingleSection` [ref_id=2].