Hi Brian,
> I attempted to fix the CVE-2018-7456 issue in tiff, for the version in
> stretch. My patch is below. But curiously my patch only works if I
> enable the commented-out call to fprintf or use -O0 instead of the
> default -O2 (-O1 also fails). Otherwise the if condition never gets
> executed, and it segfaults later on with a null pointer error when
> trying to access the same pointer.
>
> To me, this seems like some sort of weird compiler optimization
> error. Does this make sense?
We already had this kind of nasty optimization-triggered bug in the
past [0]; it took quite a while to fix but was very interesting in the end. :)
Just to avoid duplicate work: I'll take a look at it this afternoon.
Cheers,
Hugo
[0] https://lists.debian.org/debian-lts/2017/03/msg00213.html
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA