Bug 2609 – tiffcp: heap-based buffer overflow in cpSeparateBufToContigBuf (tiffcp.c)

Bug 2609 - tiffcp: heap-based buffer overflow in cpSeparateBufToContigBuf (tiffcp.c)

Summary:

tiffcp: heap-based buffer overflow in cpSeparateBufToContigBuf (tiffcp.c)

Status:	RESOLVED LATER

Product:	libtiff
Component:	default
Version:	unspecified
Platform:	PC Linux

Importance:	P1 critical
Target Milestone:	---
Assigned To:	Frank Warmerdam

URL:
Whiteboard:
Keywords:	migrated_to_gitlab

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2016-11-25 09:16 by Agostino Sarubbo
Modified:	2019-10-01 14:20 (History)

Attachments
stacktrace (189.95 KB, text/plain) 2016-11-25 09:16, Agostino Sarubbo	Details
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Agostino Sarubbo 2016-11-25 09:16:08

Created an attachment (id=707) [details]
stacktrace

On 4.0.7:

tiffcp -i $FILE /tmp/foo

AddressSanitizer: heap-buffer-overflow
/tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1209:14 in
cpSeparateBufToContigBuf


Testcase:
https://github.com/asarubbo/poc/blob/master/00079-libtiff-heapoverflow-cpSeparateBufToContigBuf

------- Comment #1 From Even Rouault 2016-12-03 10:48:19 -------

I cannot reproduce, apart from a big memalloc that ASAN doesn't like. Issue
probably fixed by other fixes.

------- Comment #2 From Agostino Sarubbo 2017-03-27 04:18:24 -------

Hi.

I verified that it is reproducible on master right now.

------- Comment #3 From Even Rouault 2019-10-01 14:20:14 -------

Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.