You need to log in before you can comment on or make changes to this bug.
Created an attachment (id=747) [details] POC to trigger heap out of bounds read (tiffinfo) Affected: - libtiff version 4.0.7 (Git HEAD: b9e614cb65cdd473aa480b2c38dec49c7d26e7fe) To reproduce the problem (pcre2test): tiffinfo -Dijr libtiff_hoobr_TIFFReadRawData ASAN: ==6499==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef58 at pc 0x0000004e9962 bp 0x7ffc95ac6730 sp 0x7ffc95ac6728 READ of size 8 at 0x60200000ef58 thread T0 #0 0x4e9961 in TIFFReadRawData XYZ/libtiff/tools/tiffinfo.c:426:8 #1 0x4e6bce in tiffinfo XYZ/libtiff/tools/tiffinfo.c:473:4 #2 0x4e6289 in main XYZ/libtiff/tools/tiffinfo.c:152:6 #3 0x7f7de4cfe82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #4 0x419c58 in _start (/usr/local/bin/tiffinfo+0x419c58) 0x60200000ef58 is located 0 bytes to the right of 8-byte region [0x60200000ef50,0x60200000ef58) allocated by thread T0 here: #0 0x4b881e in realloc /home/development/llvm/3.9.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:77:3 #1 0x7f7de5c16713 in _TIFFCheckRealloc XYZ/libtiff/libtiff/tif_aux.c:73:8 #2 0x7f7de5c16713 in _TIFFCheckMalloc XYZ/libtiff/libtiff/tif_aux.c:88 SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/libtiff/tools/tiffinfo.c:426:8 in TIFFReadRawData Shadow bytes around the buggy address: 0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa 00[fa]fa fa fd fa 0x0c047fff9df0: fa fa 00 fa fa fa 00 fa fa fa fd fa fa fa 00 00 0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==6499==ABORTING
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.