Bug 2663 - Write out of bound in tools/tiff2pdf
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P1 critical
Whiteboard: migrated_to_gitlab
Reported: 2017-01-18 07:34
Modified: 2019-10-01 14:20

Attachments
The poc and bug report (2.01 KB, application/zip), 2017-01-18 07:35, Li Yuekang



Description From 2017-01-18 07:34:05
A bug report together with the PoC is in the attachment.

Here are the stacktraces:

Stacktrace (with ASAN):
==28966==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4001bfc at pc 0x08061ab2 bp 0xbfde2b18 sp 0xbfde2b08
WRITE of size 4 at 0xb4001bfc thread T0
    #0 0x8061ab1 in t2p_write_pdf /home/lyk/tiff-4.0.7-asan/tools/tiff2pdf.c:5538
    #1 0x804a474 in main /home/lyk/tiff-4.0.7-asan/tools/tiff2pdf.c:808
    #2 0xb6ff6636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #3 0x804b6d5  (/media/sf_AFL_Dyninst_ADV/tiff/tiff2pdf-asan+0x804b6d5)

0xb4001bfc is located 0 bytes to the right of 76-byte region [0xb4001bb0,0xb4001bfc)
allocated by thread T0 here:
    #0 0xb729adee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x8060329 in t2p_write_pdf /home/lyk/tiff-4.0.7-asan/tools/tiff2pdf.c:5415

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lyk/tiff-4.0.7-asan/tools/tiff2pdf.c:5538 t2p_write_pdf


Stacktrace (with gdb):

Program received signal SIGSEGV, Segmentation fault.
0xb7df9e41 in _int_free (av=0xb7f3e780 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4015
4015    malloc.c: No such file or directory.

#0  0xb7df9e41 in _int_free (av=0xb7f3e780 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4015
        size = 80
        fb = <optimized out>
        nextchunk = 0x805b2a0
        nextsize = 3016
        nextinuse = 0
        prevsize = <optimized out>
        bck = 0x636f6c2f
        fwd = 0x6374652f
        errstr = 0x0
        locked = <optimized out>
        __func__ = "_int_free"
#1  0xb7f83478 in _TIFFfree () from /usr/lib/i386-linux-gnu/libtiff.so.5
No symbol table info available.
#2  0x08049ee8 in t2p_free (t2p=0x805a008) at tiff2pdf.c:969
        i = 0
#3  0x08049ba8 in main (argc=4, argv=0xbffff054) at tiff2pdf.c:824
        outfilename = 0xbffff260 "out.pdf"
        t2p = 0x805a008
        input = 0x805abd0
        output = 0x805b470
        c = -1
        ret = 1
------- Comment #1 From 2017-01-18 07:35:40 -------
Created an attachment (id=748)
The poc and bug report
------- Comment #2 From 2017-07-15 09:37:34 -------
Looks like it might be similar to
http://bugzilla.maptools.org/show_bug.cgi?id=2704 which also involves
TransferFunction
------- Comment #3 From 2019-10-01 14:20:15 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues.

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.