oss-sec mailing list archives

Re: CVE-2017-16231: PCRE 8.41 match() stack overflow; CVE-2017-16232: LibTIFF 4.0.8 memory leaks


From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Wed, 1 Nov 2017 09:59:42 -0500 (CDT)

On Wed, 1 Nov 2017, ???? wrote:

[Suggested description]
LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow
attackers to cause a denial of service (memory consumption), as demonstrated
by tif_open.c, tif_lzw.c, and tif_aux.c.

------------------------------------------

[Additional Information]
/tiff2bw ../../../../libtiff_4.0.8_afl/2bw_output/crashes/poc.tif 222.tif

I am not seeing any memory leak vulnerability. I do see that tiff2bw made no attempt to release any memory at all (not strictly required for a utility since memory is released when it quits). I have modified the code in the development CVS version to release memory to satisfy memory checkers.


Use CVE-2017-16232.

This is a memory-based DoS issue within tiff2bw itself (not directly inside libtiff). TIFF files using LZW compression can achieve a very high compression ratio, so it can be difficult to predict if a file's pixel dimensions are bogus or not. Valid files also pose a DoS opportunity. There are no arbitrary limits imposed within tiff2bw.

Bob
--
Bob Friesenhahn
bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

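The reply above makes a point that applies to any converter, not just tiff2bw: the decoded buffer size is driven by the ImageWidth/ImageLength/BitsPerSample/SamplesPerPixel tags in the IFD, and with LZW the file on disk can be a few dozen bytes while those tags declare gigabytes. A tool that wants to refuse such inputs therefore has to compute and cap the allocation from the declared geometry before allocating anything. The following is an added example written for this archive page; it is not code from libtiff, tiff2bw, or the thread's authors, and it does not describe how tiff2bw was actually changed. The 256 MiB cap, the helper names, and the 74-byte sample files (built inline) are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative cap on the decoded image buffer (assumption, not a libtiff/tiff2bw setting). */
#define MAX_IMAGE_BYTES (256ULL << 20)
#define SAMPLE_LEN 74

/* Geometry declared in a TIFF's first IFD. */
struct tiff_dims { uint32_t width, length, spp, bps, compression; };

/* Bounds-checked 16/32-bit reads in either byte order (le = 1 for "II" files). */
static int rd16(const unsigned char *b, size_t len, size_t off, int le, uint32_t *v)
{
    if (off > len || len - off < 2) return -1;
    *v = le ? (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8)
            : ((uint32_t)b[off] << 8) | (uint32_t)b[off + 1];
    return 0;
}
static int rd32(const unsigned char *b, size_t len, size_t off, int le, uint32_t *v)
{
    uint32_t lo, hi;
    if (rd16(b, len, off, le, le ? &lo : &hi) || rd16(b, len, off + 2, le, le ? &hi : &lo))
        return -1;
    *v = (hi << 16) | lo;
    return 0;
}

/* Parse the header and first IFD for the tags that determine buffer size.
   Returns 0 on success, -1 on malformed input. Only SHORT (3) and LONG (4) values are
   read; the first element is used, inline when it fits in 4 bytes, otherwise via offset. */
int tiff_parse_dims(const unsigned char *b, size_t len, struct tiff_dims *d)
{
    uint32_t magic, ifd, n, i;
    int le;
    if (len < 8) return -1;
    if (!memcmp(b, "II", 2)) le = 1;
    else if (!memcmp(b, "MM", 2)) le = 0;
    else return -1;
    if (rd16(b, len, 2, le, &magic) || magic != 42) return -1;
    if (rd32(b, len, 4, le, &ifd) || rd16(b, len, ifd, le, &n)) return -1;
    memset(d, 0, sizeof *d);
    d->spp = 1; d->bps = 1; d->compression = 1;   /* TIFF defaults when a tag is absent */
    for (i = 0; i < n; i++) {
        size_t e = (size_t)ifd + 2 + (size_t)i * 12;
        uint32_t tag, type, count, off, val;
        if (rd16(b, len, e, le, &tag) || rd16(b, len, e + 2, le, &type) ||
            rd32(b, len, e + 4, le, &count) || count == 0) return -1;
        if (type == 3) {
            if (count <= 2) off = (uint32_t)(e + 8);
            else if (rd32(b, len, e + 8, le, &off)) return -1;
            if (rd16(b, len, off, le, &val)) return -1;
        } else if (type == 4) {
            if (count == 1) off = (uint32_t)(e + 8);
            else if (rd32(b, len, e + 8, le, &off)) return -1;
            if (rd32(b, len, off, le, &val)) return -1;
        } else continue;
        switch (tag) {
        case 256: d->width = val; break;
        case 257: d->length = val; break;
        case 258: d->bps = val; break;
        case 259: d->compression = val; break;
        case 277: d->spp = val; break;
        }
    }
    return (d->width && d->length) ? 0 : -1;
}

/* Bytes a fully decoded image needs: ceil(width*spp*bps/8) * length, in 64-bit math
   with explicit overflow checks. Returns -1 when the geometry is nonsensical or wraps. */
int tiff_required_bytes(const struct tiff_dims *d, uint64_t *out)
{
    uint64_t row_bits = (uint64_t)d->width * d->spp;   /* two 32-bit factors: cannot wrap */
    uint64_t row_bytes;
    if (!d->width || !d->length || !d->spp || !d->bps || d->bps > 64) return -1;
    if (row_bits > (UINT64_MAX - 7) / d->bps) return -1;
    row_bytes = (row_bits * d->bps + 7) / 8;
    if (row_bytes > UINT64_MAX / d->length) return -1;
    *out = row_bytes * d->length;
    return 0;
}

/* 1 = decode fits under cap, 0 = reject (too large or wraps), -1 = malformed header. */
int tiff_within_budget(const unsigned char *b, size_t len, uint64_t cap, struct tiff_dims *d)
{
    uint64_t need;
    if (tiff_parse_dims(b, len, d)) return -1;
    if (tiff_required_bytes(d, &need)) return 0;
    return need <= cap;
}

/* Constructed sample (not a real crash file): a 74-byte little-endian TIFF whose IFD declares
   w x h, 8 bits/sample, 1 sample/pixel, Compression=5 (LZW), with no strip data at all. */
static void put16(unsigned char *p, uint32_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void put32(unsigned char *p, uint32_t v) { put16(p, v & 0xffff); put16(p + 2, v >> 16); }
static void entry(unsigned char *p, uint32_t tag, uint32_t type, uint32_t val)
{
    put16(p, tag); put16(p + 2, type); put32(p + 4, 1);
    if (type == 3) { put16(p + 8, val); put16(p + 10, 0); } else put32(p + 8, val);
}
size_t make_tiny_tiff(unsigned char out[SAMPLE_LEN], uint32_t w, uint32_t h)
{
    memcpy(out, "II", 2); put16(out + 2, 42); put32(out + 4, 8);
    put16(out + 8, 5);                         /* five IFD entries in ascending tag order */
    entry(out + 10, 256, 4, w);  entry(out + 22, 257, 4, h);   entry(out + 34, 258, 3, 8);
    entry(out + 46, 259, 3, 5);  entry(out + 58, 277, 3, 1);
    put32(out + 70, 0);                        /* no further IFD */
    return SAMPLE_LEN;
}

/* Budget decision for a constructed w x h sample; every sample is the same 74 bytes on disk. */
int decision_for(uint32_t w, uint32_t h)
{
    unsigned char buf[SAMPLE_LEN]; struct tiff_dims d;
    return tiff_within_budget(buf, make_tiny_tiff(buf, w, h), MAX_IMAGE_BYTES, &d);
}
/* A truncated copy must be reported as malformed, not sized from partial tags. */
int truncated_decision(void)
{
    unsigned char buf[SAMPLE_LEN]; struct tiff_dims d;
    make_tiny_tiff(buf, 64, 64);
    return tiff_within_budget(buf, 30, MAX_IMAGE_BYTES, &d);
}

int main(void)
{
    printf("64x64 -> %d, 100000x100000 -> %d, 65536x65536 -> %d, truncated -> %d\n",
           decision_for(64, 64), decision_for(100000, 100000),
           decision_for(65536, 65536), truncated_decision());
    return 0;
}
```

The check runs on nothing but the IFD, so it costs the same whether the strips decode to kilobytes or gigabytes; the 64x64 sample passes, while the 100000x100000 sample, identical in size on disk, is refused before any image buffer exists. The cap is a policy choice for the calling tool: as the reply notes, legitimate files can be just as large, so a library cannot pick one number for everybody, which is why the limit is applied by the consumer rather than hard-wired into the decoder.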
