Created an attachment (id=741)
a report and a poc of this issue

Recently, I fuzzed tifftopnm (netpbm 10.47.63) and it crashed in put1bitbwtile() (tif_getimage.c:1352) of tiff-4.0.7. I checked the bug reports and found an issue in the same file (http://bugzilla.maptools.org/show_bug.cgi?id=2652), but the call stack is different, so I think it is not the same issue. The crash information is as follows:

Starting program: /home/kirito/Desktop/fuzz/netpbm/test_libtiff407/gdb_test/tifftopnm '/home/kirito/Desktop/fuzz/netpbm/fuzz_0/analysis/crashes_use/000009.tif'
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 64 (0x40) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 72 (0x48) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 29554 (0x7372) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 28751 (0x704f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 25956 (0x6564) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 27949 (0x6d2d) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
tifftopnm: writing PBM file
P4
32811 73
tifftopnm: WARNING: This TIFF image has an orientation that most TIFF libraries converts incorrectly. Use -byrow to circumvent.
TIFFFillStrip: Read error on strip 0; got 624 bytes, expected 8190.

[----------------------------------registers-----------------------------------]
RAX: 0x49 ('I')
RBX: 0x2e4
RCX: 0x48 ('H')
RDX: 0x48 ('H')
RSI: 0x7ffff69b8070 --> 0x0
RDI: 0x7fffffffaca0 --> 0x621330 --> 0x621768 ("/home/kirito/Desktop/fuzz/netpbm/fuzz_0/analysis/crashes_use/000009.tif")
RBP: 0x7fffffffab20 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffb140 --> 0x7fffffffb1d0 --> 0x7fffffffe2f0 (--> ...)
RSP: 0x7fffffffab20 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffb140 --> 0x7fffffffb1d0 --> 0x7fffffffe2f0 (--> ...)
RIP: 0x7ffff7b83bea (<put1bitbwtile+60>: mov eax,DWORD PTR [rbp-0x3c])
R8 : 0x802b
R9 : 0x49 ('I')
R10: 0x1
R11: 0x246
R12: 0x0
R13: 0x0
R14: 0x0
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b83bdf <put1bitbwtile+49>: sar eax,0x3
   0x7ffff7b83be2 <put1bitbwtile+52>: mov DWORD PTR [rbp+0x10],eax
   0x7ffff7b83be5 <put1bitbwtile+55>: jmp 0x7ffff7b83e45 <put1bitbwtile+663>
=> 0x7ffff7b83bea <put1bitbwtile+60>: mov eax,DWORD PTR [rbp-0x3c]
   0x7ffff7b83bed <put1bitbwtile+63>: mov DWORD PTR [rbp-0x14],eax
   0x7ffff7b83bf0 <put1bitbwtile+66>: jmp 0x7ffff7b83d01 <put1bitbwtile+339>
   0x7ffff7b83bf5 <put1bitbwtile+71>: mov rax,QWORD PTR [rbp+0x20]
   0x7ffff7b83bf9 <put1bitbwtile+75>: lea rdx,[rax+0x1]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffab20 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffb140 --> 0x7fffffffb1d0 --> 0x7fffffffe2f0 (--> ...)
0008| 0x7fffffffab28 --> 0x7ffff7b82aaa (<gtStripContig+962>: add rsp,0x20)
0016| 0x7fffffffab30 --> 0x0
0024| 0x7fffffffab38 --> 0xfffeffaa
0032| 0x7fffffffab40 --> 0x625060 --> 0x0
0040| 0x7fffffffab48 --> 0x7ffff7b829d4 (<gtStripContig+748>: cmp rax,0xffffffffffffffff)
0048| 0x7fffffffab50 --> 0x0
0056| 0x7fffffffab58 --> 0x802b00000049
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, put1bitbwtile (img=0x7fffffffaca0, cp=0x7ffff69b8070, x=0x0, y=0x48, w=0x802b, h=0x48, fromskew=0x0, toskew=0xfffeffaa, pp=0x625060 "") at tif_getimage.c:1352
1352        UNROLL8(w, bw = BWmap[*pp++], *cp++ = *bw++);
gdb-peda$ p h
$30 = 0x48
gdb-peda$ p w
$31 = 0x802b
gdb-peda$ p cp
$32 = (uint32 *) 0x7ffff69b8070
gdb-peda$ p pp
$33 = (unsigned char *) 0x625060 ""
gdb-peda$ dis
gdb-peda$ c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x642000 ('')
RBX: 0x2e4
RCX: 0x623070 --> 0xff000000ff000000
RDX: 0x642001
RSI: 0x7ffff69b8070 --> 0xff000000ff000000
RDI: 0x7fffffffaca0 --> 0x621330 --> 0x621768 ("/home/kirito/Desktop/fuzz/netpbm/fuzz_0/analysis/crashes_use/000009.tif")
RBP: 0x7fffffffab20 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffb140 --> 0x7fffffffb1d0 --> 0x7fffffffe2f0 (--> ...)
RSP: 0x7fffffffab20 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffb140 --> 0x7fffffffb1d0 --> 0x7fffffffe2f0 (--> ...)
RIP: 0x7ffff7b83c01 (<put1bitbwtile+83>: movzx eax,BYTE PTR [rax])
R8 : 0x802b
R9 : 0x49 ('I')
R10: 0x1
R11: 0x246
R12: 0x0
R13: 0x0
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b83bf5 <put1bitbwtile+71>: mov rax,QWORD PTR [rbp+0x20]
   0x7ffff7b83bf9 <put1bitbwtile+75>: lea rdx,[rax+0x1]
   0x7ffff7b83bfd <put1bitbwtile+79>: mov QWORD PTR [rbp+0x20],rdx
=> 0x7ffff7b83c01 <put1bitbwtile+83>: movzx eax,BYTE PTR [rax]
   0x7ffff7b83c04 <put1bitbwtile+86>: movzx eax,al
   0x7ffff7b83c07 <put1bitbwtile+89>: lea rdx,[rax*8+0x0]
   0x7ffff7b83c0f <put1bitbwtile+97>: mov rax,QWORD PTR [rbp-0x8]
   0x7ffff7b83c13 <put1bitbwtile+101>: add rax,rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffab20 --> 0x7fffffffac00 --> 0x7fffffffac30 --> 0x7fffffffb140 --> 0x7fffffffb1d0 --> 0x7fffffffe2f0 (--> ...)
0008| 0x7fffffffab28 --> 0x7ffff7b82aaa (<gtStripContig+962>: add rsp,0x20)
0016| 0x7fffffffab30 --> 0x0
0024| 0x7fffffffab38 --> 0xfffeffaa
0032| 0x7fffffffab40 --> 0x642001
0040| 0x7fffffffab48 --> 0x7ffff7b829d4 (<gtStripContig+748>: cmp rax,0xffffffffffffffff)
0048| 0x7fffffffab50 --> 0x0
0056| 0x7fffffffab58 --> 0x802b00000049
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b83c01 in put1bitbwtile (img=0x7fffffffaca0, cp=0x7ffff6654ca0, x=0x0, y=0x48, w=0x802b, h=0x2c, fromskew=0x0, toskew=0xfffeffaa, pp=0x642001 <error: Cannot access memory at address 0x642001>) at tif_getimage.c:1352
1352        UNROLL8(w, bw = BWmap[*pp++], *cp++ = *bw++);
gdb-peda$ p h
$34 = 0x2c
gdb-peda$ p w
$35 = 0x802b
gdb-peda$ p cp
$36 = (uint32 *) 0x7ffff6654ca0
gdb-peda$ p pp
$37 = (unsigned char *) 0x642001 <error: Cannot access memory at address 0x642001>
gdb-peda$ bt
#0  0x00007ffff7b83c01 in put1bitbwtile (img=0x7fffffffaca0, cp=0x7ffff6654ca0, x=0x0, y=0x48, w=0x802b, h=0x2c, fromskew=0x0, toskew=0xfffeffaa, pp=0x642001 <error: Cannot access memory at address 0x642001>) at tif_getimage.c:1352
#1  0x00007ffff7b82aaa in gtStripContig (img=0x7fffffffaca0, raster=0x7ffff60b5010, w=0x802b, h=0x49) at tif_getimage.c:964
#2  0x00007ffff7b8163c in TIFFRGBAImageGet (img=0x7fffffffaca0, raster=0x7ffff60b5010, w=0x802b, h=0x49) at tif_getimage.c:516
#3  0x0000000000404d3b in convertRasterInMemory (pnmOutP=0x7fffffffb270, maxval=0x1, tif=0x621330, photomet=0x1, planarconfig=0x1, bps=0x1, spp=0x1, fillorder=0x1, colormap=0x7fffffffb2c0, verbose=0x0, statusP=0x7fffffffb1b4) at tifftopnm.c:1496
#4  0x0000000000404e74 in convertRaster (pnmOutP=0x7fffffffb270, tifP=0x621330, tiffDir=..., maxval=0x1, fillorder=0x1, colormap=0x7fffffffb2c0, byrow=0x0, flipOk=0x1, noflipOk=0x0, verbose=0x0) at tifftopnm.c:1530
#5  0x000000000040510f in convertImage (tifP=0x621330, alphaFileP=0x0, imageoutFileP=0x7ffff7844620 <_IO_2_1_stdout_>, cmdline=...) at tifftopnm.c:1590
#6  0x00000000004051b1 in convertIt (tifP=0x621330, alphaFile=0x0, imageoutFile=0x7ffff7844620 <_IO_2_1_stdout_>, cmdline=...) at tifftopnm.c:1616
#7  0x0000000000405317 in main (argc=0x2, argv=0x7fffffffe4f8) at tifftopnm.c:1659
#8  0x00007ffff74a0830 in __libc_start_main (main=0x4051de <main>, argc=0x2, argv=0x7fffffffe4f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4e8) at ../csu/libc-start.c:291
#9  0x0000000000401f69 in _start ()

Attachment is a zip of a report and a poc.
I tested the CVS of libtiff (https://github.com/vadz/libtiff) and the Segmentation Fault still exists.

##################################################
gdb-peda$ run '/home/kirito/Desktop/fuzz/netpbm/fuzz_0/analysis/crashes_use/000009.tif'
Starting program: /home/kirito/Desktop/fuzz/netpbm/test_libtiffCVS/tifftopnm '/home/kirito/Desktop/fuzz/netpbm/fuzz_0/analysis/crashes_use/000009.tif'
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 64 (0x40) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 72 (0x48) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 29554 (0x7372) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 28751 (0x704f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 25956 (0x6564) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 27949 (0x6d2d) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
tifftopnm: writing PBM file
P4
32811 73
tifftopnm: WARNING: This TIFF image has an orientation that most TIFF libraries converts incorrectly. Use -byrow to circumvent.
TIFFFillStrip: Read error on strip 0; got 624 bytes, expected 8190.

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x687000 ('')
RBX: 0x2e4
RCX: 0x668070 --> 0xff000000ff000000
RDX: 0x687001
RSI: 0x7ffff69ac070 --> 0xff000000ff000000
RDI: 0x7fffffffae60 --> 0x666330 --> 0x666768 ("/home/kirito/Desktop/fuzz/netpbm/fuzz_0/analysis/crashes_use/000009.tif")
RBP: 0x7fffffffac30 --> 0x7fffffffad10 --> 0x7fffffffad40 --> 0x248c43
RSP: 0x7fffffffac30 --> 0x7fffffffad10 --> 0x7fffffffad40 --> 0x248c43
RIP: 0x7ffff7b77d63 (<put1bitbwtile+83>: movzx eax,BYTE PTR [rax])
R8 : 0x802b
R9 : 0x49 ('I')
R10: 0x1
R11: 0x246
R12: 0x49 ('I')
R13: 0x802b
R14: 0x6
R15: 0x7ffff60a9010 --> 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b77d57 <put1bitbwtile+71>: mov rax,QWORD PTR [rbp+0x20]
   0x7ffff7b77d5b <put1bitbwtile+75>: lea rdx,[rax+0x1]
   0x7ffff7b77d5f <put1bitbwtile+79>: mov QWORD PTR [rbp+0x20],rdx
=> 0x7ffff7b77d63 <put1bitbwtile+83>: movzx eax,BYTE PTR [rax]
   0x7ffff7b77d66 <put1bitbwtile+86>: movzx eax,al
   0x7ffff7b77d69 <put1bitbwtile+89>: lea rdx,[rax*8+0x0]
   0x7ffff7b77d71 <put1bitbwtile+97>: mov rax,QWORD PTR [rbp-0x8]
   0x7ffff7b77d75 <put1bitbwtile+101>: add rax,rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffac30 --> 0x7fffffffad10 --> 0x7fffffffad40 --> 0x248c43
0008| 0x7fffffffac38 --> 0x7ffff7b76c0c (<gtStripContig+962>: add rsp,0x20)
0016| 0x7fffffffac40 --> 0x0
0024| 0x7fffffffac48 --> 0xfffeffaa
0032| 0x7fffffffac50 --> 0x687001
0040| 0x7fffffffac58 --> 0x7ffff7b76b36 (<gtStripContig+748>: cmp rax,0xffffffffffffffff)
0048| 0x7fffffffac60 --> 0x0
0056| 0x7fffffffac68 --> 0x802b00000049
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b77d63 in put1bitbwtile (img=0x7fffffffae60, cp=0x7ffff6648ca0, x=0x0, y=0x48, w=0x802b, h=0x2c, fromskew=0x0, toskew=0xfffeffaa, pp=0x687001 <error: Cannot access memory at address 0x687001>) at tif_getimage.c:1349
1349        UNROLL8(w, bw = BWmap[*pp++], *cp++ = *bw++);
gdb-peda$ bt
#0  0x00007ffff7b77d63 in put1bitbwtile (img=0x7fffffffae60, cp=0x7ffff6648ca0, x=0x0, y=0x48, w=0x802b, h=0x2c, fromskew=0x0, toskew=0xfffeffaa, pp=0x687001 <error: Cannot access memory at address 0x687001>) at tif_getimage.c:1349
#1  0x00007ffff7b76c0c in gtStripContig (img=0x7fffffffae60, raster=0x7ffff60a9010, w=0x802b, h=0x49) at tif_getimage.c:961
#2  0x00007ffff7b7579e in TIFFRGBAImageGet (img=0x7fffffffae60, raster=0x7ffff60a9010, w=0x802b, h=0x49) at tif_getimage.c:513
#3  0x000000000040f711 in convertRasterInMemory (statusP=<synthetic pointer>, verbose=0x0, colormap=0x7fffffffaef0, fillorder=0x1, spp=0x1, bps=0x1, planarconfig=0x1, photomet=0x1, tif=0x666330, maxval=0x1, pnmOutP=0x7fffffffae10) at tifftopnm.c:1496
#4  convertRaster (verbose=0x0, noflipOk=0x0, flipOk=<optimized out>, byrow=0x0, colormap=0x7fffffffaef0, fillorder=0x1, maxval=0x1, tiffDir=..., tifP=0x666330, pnmOutP=0x7fffffffae10) at tifftopnm.c:1530
#5  convertImage (tifP=tifP@entry=0x666330, alphaFileP=alphaFileP@entry=0x0, imageoutFileP=imageoutFileP@entry=0x7ffff7838620 <_IO_2_1_stdout_>, cmdline=...) at tifftopnm.c:1590
#6  0x000000000040267e in convertIt (cmdline=..., imageoutFile=0x7ffff7838620 <_IO_2_1_stdout_>, alphaFile=0x0, tifP=0x666330) at tifftopnm.c:1616
#7  main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe508) at tifftopnm.c:1659
#8  0x00007ffff7494830 in __libc_start_main (main=0x4020c0 <main>, argc=0x2, argv=0x7fffffffe508, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4f8) at ../csu/libc-start.c:291
#9  0x0000000000402d99 in _start ()
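Added illustration of the read overrun visible in the traces above; this is not code from libtiff or netpbm. It models the 1-bit expansion loop of put1bitbwtile() with an explicit bound on the strip buffer, so a request for w=0x802b by h=0x2c pixels against the 624 bytes that TIFFFillStrip actually read is rejected instead of walking past the buffer. Function names, pixel values and the 12x2 sample bitmap are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not libtiff code: a bounds-checked model of the 1-bit
 * black/white expansion put1bitbwtile() performs with
 * UNROLL8(w, bw = BWmap[*pp++], *cp++ = *bw++). The BWmap lookup is
 * replaced by an equivalent per-bit test; pixel values are constructed. */
#define PIX_BLACK 0xff000000u   /* opaque black, as seen in the RCX dump */
#define PIX_WHITE 0xffffffffu
/* Expand h rows of w 1-bit pixels from src into dst (one uint32 each).
 * Returns 0 on success, -1 if the request would read past src_len or
 * write past dst_pixels. The loop in the report has no such guard, so a
 * short strip (624 bytes read, 8190 expected) is followed by reads past
 * the strip buffer until an unmapped page is reached. */
static int expand_1bit_checked(const uint8_t *src, size_t src_len,
                               uint32_t w, uint32_t h,
                               uint32_t *dst, size_t dst_pixels)
{
    size_t row_bytes = ((size_t)w + 7) / 8;      /* packed bytes per row */
    if (h && (row_bytes > SIZE_MAX / h || (size_t)w > SIZE_MAX / h))
        return -1;                               /* size arithmetic overflows */
    if (row_bytes * h > src_len || (size_t)w * h > dst_pixels)
        return -1;                               /* would overrun a buffer */
    for (uint32_t y = 0; y < h; y++) {
        const uint8_t *pp = src + (size_t)y * row_bytes;
        uint32_t *cp = dst + (size_t)y * w;
        for (uint32_t x = 0; x < w; x++)         /* MSB is the leftmost pixel */
            cp[x] = (pp[x >> 3] & (0x80u >> (x & 7))) ? PIX_WHITE : PIX_BLACK;
    }
    return 0;
}

/* The reporter's crashing call: w=0x802b, h=0x2c, but only 624 strip bytes. */
static int reported_case(void)
{
    static uint8_t strip[624];                   /* constructed, zero-filled */
    static uint32_t raster[8];
    return expand_1bit_checked(strip, sizeof strip, 0x802b, 0x2c, raster, 8);
}

/* Constructed 12x2 sample (row 0: 0xA5 0x00, row 1: 0xFF 0xF0); returns pixel i. */
static uint32_t sample_pixel(size_t i)
{
    static const uint8_t bits[4] = { 0xA5, 0x00, 0xFF, 0xF0 };
    uint32_t out[24];
    if (i >= 24 || expand_1bit_checked(bits, sizeof bits, 12, 2, out, 24) != 0)
        return 0;
    return out[i];
}
```

The same check belongs in the caller of a row-expansion routine: compare the bytes a strip read actually returned against the rows the put routine is about to consume before handing it the buffer.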
Cannot reproduce on Ubuntu 1604 with netpbm 10.0-15.3 and libtiff 4.0.6-1 or libtiff CVS HEAD (post 4.0.7).

I also tried "tiff2rgba 000009.tif out.tif" and it doesn't crash.

In your analysis you mention "Tifftopnm calls this API with illegal arguments.". If that's the case, this is a tifftopnm issue. libtiff assumes in a number of places that it is correctly called.
(In reply to comment #2)
> Cannot reproduce on Ubuntu 1604 with netpbm 10.0-15.3 and libtiff 4.0.6-1 or
> libtiff CVS HEAD (post 4.0.7)
>
> I also tried "tiff2rgba 000009.tif out.tif" and it doesn't crash.
>
> In your analysis you mention "Tifftopnm calls this API with illegal
> arguments.". If that's the case, this is a tifftopnm issue. libtiff assumes in
> a number of places that it is correctly called .

My update is in http://bugzilla.maptools.org/show_bug.cgi?id=2654 and please check it :)
Same issue as http://bugzilla.maptools.org/show_bug.cgi?id=2654: tifftopnm assumes that libtiff will do image transposition.
Use CVE-2017-5849 for both 2654 and 2655. http://www.openwall.com/lists/oss-security/2017/02/02/2
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.