- assigned_to: Hervé Drolon
- Group:
That's quite a serious issue as it lets the calling code read memory that's been released. Please see the attached TIFF file for reference.
The problem is in the PluginTIFF.cpp file, in its Load() method. At the very beginning of Load() you call TIFFGetField(tif, TIFFTAG_ICCPROFILE, &iccSize, &iccBuf); and assume that iccBuf will not be changed during the method's lifetime, but unfortunately it will.
The code in question is the call to ReadMetadata(io, handle, tif, dib); further down in the method. If you check the iccBuf contents before and after the call, you'll notice it changed. It looks like the ICC profile becomes one of the TIFF tags, and they get refreshed during the metadata reading, so the old buffer is released and a new one is allocated.
Then, after the ReadMetadata() call, you copy that now-released buffer into your own ICC structure. In our case it just fails to load and gives us bad colors in images, but in other cases this may crash the application or be used as an attack vector.
For me another call to TIFFGetField(tif, TIFFTAG_ICCPROFILE, &iccSize, &iccBuf); right after ReadMetadata() solves the problem, but I am not sure if this is the right way to fix that.
It would be nice to get a proper fix from you guys.
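The ordering hazard described in this report, as an added illustration that is not FreeImage or libtiff code: `tag_store_t`, `store_get_icc()` and `store_refresh()` are constructed stand-ins for the TIFF handle, for `TIFFGetField(TIFFTAG_ICCPROFILE)` and for the tag refresh that the reporter observed inside `ReadMetadata()`. The sample profile bytes are constructed too. The block shows the two safe orderings (copy into caller-owned memory before the metadata pass, or re-query the tag after it, which is the reporter's workaround) and deliberately does not execute the buggy one.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample "ICC profile" bytes; a real tag carries a full profile. */
static const uint8_t kSampleIcc[] = { 'a', 'c', 's', 'p', 0x01, 0x02, 0x03, 0x04 };

/* Stand-in for the TIFF handle: the library owns the ICC buffer and may
 * free/reallocate it whenever its tag set is refreshed. */
typedef struct {
    uint8_t *icc_buf;    /* library-owned; invalidated by store_refresh() */
    uint32_t icc_size;
} tag_store_t;

/* Initial parse: the library allocates its own copy of the tag data. */
static int store_open(tag_store_t *s) {
    s->icc_size = sizeof kSampleIcc;
    s->icc_buf = malloc(s->icc_size);
    if (!s->icc_buf) return 0;
    memcpy(s->icc_buf, kSampleIcc, s->icc_size);
    return 1;
}

/* Stand-in for TIFFGetField(tif, TIFFTAG_ICCPROFILE, &size, &buf): the caller
 * receives a pointer into memory the library owns, not a copy. */
static int store_get_icc(const tag_store_t *s, uint32_t *size, const uint8_t **buf) {
    if (!s->icc_buf) return 0;
    *size = s->icc_size;
    *buf = s->icc_buf;
    return 1;
}

/* Stand-in for the tag refresh inside ReadMetadata(): the old buffer is
 * released and a new one allocated, so every pointer handed out earlier by
 * store_get_icc() is now dangling. The old bytes are clobbered before free()
 * so a stale read could never look correct by accident. */
static int store_refresh(tag_store_t *s) {
    uint8_t *fresh = malloc(s->icc_size);
    if (!fresh) return 0;
    memcpy(fresh, kSampleIcc, s->icc_size);
    memset(s->icc_buf, 0xDD, s->icc_size);
    free(s->icc_buf);
    s->icc_buf = fresh;
    return 1;
}

static void store_close(tag_store_t *s) { free(s->icc_buf); s->icc_buf = NULL; }

/* The buggy ordering from the report (get pointer, refresh, then memcpy from
 * the old pointer) is a use-after-free and is intentionally not implemented. */

/* Fix A: copy the profile into caller-owned memory before anything can
 * refresh the tags; the later metadata pass then cannot affect the copy. */
static uint8_t *load_icc_copy_first(tag_store_t *s, uint32_t *out_size) {
    const uint8_t *buf; uint32_t size;
    if (!store_get_icc(s, &size, &buf)) return NULL;
    uint8_t *own = malloc(size);
    if (!own) return NULL;
    memcpy(own, buf, size);                 /* copy while buf is still valid */
    if (!store_refresh(s)) { free(own); return NULL; }   /* metadata pass */
    *out_size = size;
    return own;
}

/* Fix B (the reporter's workaround): re-query the tag after the metadata
 * pass and copy from the fresh pointer, never from the one fetched earlier. */
static uint8_t *load_icc_requery(tag_store_t *s, uint32_t *out_size) {
    const uint8_t *buf; uint32_t size;
    if (!store_get_icc(s, &size, &buf)) return NULL;
    if (!store_refresh(s)) return NULL;      /* buf is dangling from here on */
    if (!store_get_icc(s, &size, &buf)) return NULL;   /* re-fetch before use */
    uint8_t *own = malloc(size);
    if (!own) return NULL;
    memcpy(own, buf, size);
    *out_size = size;
    return own;
}

/* Returns 1 when the loaded profile matches the sample bytes, 0 otherwise. */
static int icc_matches_sample(const uint8_t *p, uint32_t n) {
    return p != NULL && n == sizeof kSampleIcc && memcmp(p, kSampleIcc, n) == 0;
}

/* Runs one strategy end to end: 0 = copy first, nonzero = re-query. */
static int run_strategy(int requery) {
    tag_store_t s; uint32_t n = 0; uint8_t *p;
    if (!store_open(&s)) return 0;
    p = requery ? load_icc_requery(&s, &n) : load_icc_copy_first(&s, &n);
    int ok = icc_matches_sample(p, n);
    free(p);
    store_close(&s);
    return ok;
}
```

Either ordering yields the correct profile after the refresh; the difference is that Fix A makes the Load() path independent of whether ReadMetadata() reallocates tag storage at all, which is the more robust invariant to rely on when the library's ownership rules are not documented.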