Bug 2662 – tiffinfo - Heap out of bounds read in TIFFReadRawData()

Bug 2662 - tiffinfo - Heap out of bounds read in TIFFReadRawData()

Summary:

tiffinfo - Heap out of bounds read in TIFFReadRawData()

Status:	RESOLVED LATER

Product:	libtiff
Component:	default
Version:	unspecified
Platform:	PC Linux

Importance:	P2 normal
Target Milestone:	---
Assigned To:	Frank Warmerdam

URL:
Whiteboard:
Keywords:	migrated_to_gitlab

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2017-01-18 03:33 by Kamil Frankowicz
Modified:	2019-10-01 14:20 (History)

Attachments
POC to trigger heap out of bounds read (tiffinfo) (354 bytes, application/octet-stream) 2017-01-18 03:33, Kamil Frankowicz	Details
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Kamil Frankowicz 2017-01-18 03:33:36

Created an attachment (id=747) [details]
POC to trigger heap out of bounds read (tiffinfo)

Affected:
- libtiff version 4.0.7 (Git HEAD: b9e614cb65cdd473aa480b2c38dec49c7d26e7fe)

To reproduce the problem (pcre2test):
tiffinfo -Dijr libtiff_hoobr_TIFFReadRawData


ASAN:

==6499==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef58
at pc 0x0000004e9962 bp 0x7ffc95ac6730 sp 0x7ffc95ac6728
READ of size 8 at 0x60200000ef58 thread T0
    #0 0x4e9961 in TIFFReadRawData XYZ/libtiff/tools/tiffinfo.c:426:8
    #1 0x4e6bce in tiffinfo XYZ/libtiff/tools/tiffinfo.c:473:4
    #2 0x4e6289 in main XYZ/libtiff/tools/tiffinfo.c:152:6
    #3 0x7f7de4cfe82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #4 0x419c58 in _start (/usr/local/bin/tiffinfo+0x419c58)

0x60200000ef58 is located 0 bytes to the right of 8-byte region
[0x60200000ef50,0x60200000ef58)
allocated by thread T0 here:
    #0 0x4b881e in realloc
/home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:77:3
    #1 0x7f7de5c16713 in _TIFFCheckRealloc XYZ/libtiff/libtiff/tif_aux.c:73:8
    #2 0x7f7de5c16713 in _TIFFCheckMalloc XYZ/libtiff/libtiff/tif_aux.c:88

SUMMARY: AddressSanitizer: heap-buffer-overflow
XYZ/libtiff/tools/tiffinfo.c:426:8 in TIFFReadRawData
Shadow bytes around the buggy address:
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa 00[fa]fa fa fd fa
  0x0c047fff9df0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6499==ABORTING

------- Comment #1 From Even Rouault 2019-10-01 14:20:15 -------

Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.