Source: http://bugzilla.maptools.org/show_bug.cgi?id=2712 Triggered by "./tiffset POC1" $ ./tiffset POC1 TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered. TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered. poc3: AdobeDeflate compression support is not configured. tiffset: tif_dirwrite.c:2127: int TIFFWriteDirectoryTagCheckedLong8Array(TIFF *, uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *): Assertion `tif->tif_flags&TIFF_BIGTIFF' failed. Aborted The gdb debugging information is listed below: (gdb) set args POC1 (gdb) r ... (gdb) c Continuing. TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered. TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered. poc2: AdobeDeflate compression support is not configured. Breakpoint 2, TIFFWriteDirectoryTagCheckedLong8Array (tif=, ndir=, count=1, value=0x615c20, dir=, tag=) at tif_dirwrite.c:2127 2127 assert(tif->tif_flags&TIFF_BIGTIFF); (gdb) bt #0 0x00007ffff746a428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54 #1 0x00007ffff746c02a in __GI_abort () at abort.c:89 #2 0x00007ffff7462bd7 in __assert_fail_base (fmt=, assertion=assertion@entry=0x7ffff7baf949 "tif->tif_flags&TIFF_BIGTIFF", file=file@entry=0x7ffff7baf5c0 "tif_dirwrite.c", line=line@entry=2127, function=function@entry=0x7ffff7baf8e2 "int TIFFWriteDirectoryTagCheckedLong8Array(TIFF *, uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *)") at assert.c:92 #3 0x00007ffff7462c82 in __GI___assert_fail (assertion=0x7ffff7baf949 "tif->tif_flags&TIFF_BIGTIFF", file=0x7ffff7baf5c0 "tif_dirwrite.c", line=2127, function=0x7ffff7baf8e2 "int TIFFWriteDirectoryTagCheckedLong8Array(TIFF *, uint32 *, TIFFDirEntry *, uint16, uint32, uint64 *)") at assert.c:101 #4 0x00007ffff7b4e9cb in TIFFWriteDirectoryTagCheckedLong8Array (tif=0x615010, ndir=, count=1, value=0x615c20, dir=, tag=) at tif_dirwrite.c:2127 #5 TIFFWriteDirectoryTagLong8Array (count=1, value=0x615c20, tif=, ndir=, dir=, tag=) at tif_dirwrite.c:1462 #6 TIFFWriteDirectorySec (tif=, isimage=, imagedone=, pdiroff=) at tif_dirwrite.c:746 #7 0x00007ffff7b4f6b5 in TIFFWriteDirectory (tif=0x615010) at tif_dirwrite.c:184 #8 TIFFRewriteDirectory (tif=) at tif_dirwrite.c:360 #9 0x0000000000402bc7 in main (argc=, argv=) at tiffset.c:344 Trigged in line tif_dirwrite.c:2127 at function TIFFWriteDirectoryTagCheckedLong8Array() 2122 static int 2123 TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, uint64* value) 2124 { 2125 assert(count<0x20000000); 2126 assert(sizeof(uint64)==8); 2127 assert(tif->tif_flags&TIFF_BIGTIFF); 2128 if (tif->tif_flags&TIFF_SWAB) 2129 TIFFSwabArrayOfLong8(value,count); 2130 return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count*8,value)); 2131 } [note]: Tiffset sets the value of a TIFF header to a specified value.It will modify the raw POC file,so you'd better make a backup file every time you are going to run. Credits: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42299.zip