Image · C

How to fuzz libtiff

TIFF's flexibility is its attack surface — hundreds of tag/codec combinations rarely all get tested.

TIFF's extensible tag system and support for dozens of compression schemes (LZW, OJPEG, JBIG, etc.) means the combinatorial space is enormous. libtiff has been one of the most CVE-dense C libraries for over a decade; the tag-parsing and codec-dispatch layers reward aggressive fuzzing.

Common bug classes

•Heap buffer overflow in LZW decode strip processing
•Out-of-bounds read in OJPEG compatibility layer
•Integer overflow in strip/tile byte-count arithmetic
•Null pointer dereference in custom directory traversal
•Use-after-free in TIFF field codec cleanup

Recommended setup

Fuzzers

→ AFL++
→ libFuzzer
→ Honggfuzz

Sanitizers

→ ASan
→ UBSan

Harness scaffold

#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <tiffio.h>

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  /* libtiff needs a seekable source; write to /tmp via in-memory vsi */
  TIFF *tif = TIFFOpenMem(data, size, "r");
  if (!tif) return 0;
  uint32_t w, h;
  TIFFGetField(tif, TIFFTAG_IMAGEWIDTH, &w);
  TIFFGetField(tif, TIFFTAG_IMAGELENGTH, &h);
  if (w > 0 && h > 0 && w <= 4096 && h <= 4096) {
    size_t npix = (size_t)w * h;
    uint32_t *raster = _TIFFmalloc(npix * sizeof(uint32_t));
    if (raster) {
      TIFFReadRGBAImage(tif, w, h, raster, 0);
      _TIFFfree(raster);
    }
  }
  TIFFClose(tif);
  return 0;
}

Save this as fuzz_target.cc, build with your compiler + sanitizer flags, and you have a working starting point.

Notable CVEs found by fuzzing

→ CVE-2022-2867
→ CVE-2023-0800

Start fuzzing libtiff on Fuzze.rs →

Push the harness above + a Dockerfile. First month 50% off.