Bug 2669 - I tested tiff2pdf with honggfuzz and found this crash. This vulnerability is caused by JPEG compression.
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P1 enhancement
Target Milestone: ---
Assigned To:
Keywords: migrated_to_gitlab

Reported: 2017-02-23 23:30
Modified: 2019-10-01 14:20


Attachments
lead to tiff2pdf crash (429 bytes, text/plain)
2017-02-23 23:30, varsleak

Description From 2017-02-23 23:30:04
Created an attachment (id=753)
lead to tiff2pdf crash

➜  tiff2pdf_fuzz git:(master) ✗ ./tiff2pdf -ozx -j tiff_heap_buffer_overflow.txt
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 252 (0xfc) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6912 (0x1b00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7168 (0x1c00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10240 (0x2800) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10496 (0x2900) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15872 (0x3e00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16128 (0x3f00) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and
calculating from imagelength.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 252 (0xfc) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6912 (0x1b00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7168 (0x1c00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10240 (0x2800) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10496 (0x2900) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15872 (0x3e00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16128 (0x3f00) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and
calculating from imagelength.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 252 (0xfc) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6912 (0x1b00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7168 (0x1c00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10240 (0x2800) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10496 (0x2900) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15872 (0x3e00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16128 (0x3f00) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and
calculating from imagelength.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 252 (0xfc) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6912 (0x1b00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7168 (0x1c00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10240 (0x2800) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10496 (0x2900) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15872 (0x3e00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16128 (0x3f00) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and
calculating from imagelength.
=================================================================
==16241==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000ea28 at pc 0x000000419e02 bp 0x7ffe15722110 sp 0x7ffe15722100
READ of size 1 at 0x60200000ea28 thread T0
    #0 0x419e01 in t2p_sample_realize_palette
/home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:3672
    #1 0x4109b4 in t2p_readwrite_pdf_image
/home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:2582
    #2 0x42ce06 in t2p_write_pdf
/home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:5559
    #3 0x4043ee in main
/home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:809
    #4 0x7fea4488082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x402b88 in _start
(/home/varsleak/github/gddeps/libtiff/tools/tiff2pdf_fuzz/tiff2pdf+0x402b88)

0x60200000ea28 is located 8 bytes to the left of 8-byte region
[0x60200000ea30,0x60200000ea38)
allocated by thread T0 here:
    #0 0x7fea4586d961 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x50b403 in _TIFFrealloc
/home/varsleak/github/gddeps/libtiff/libtiff/tif_unix.c:336
    #2 0x42d2c6 in _TIFFCheckRealloc
/home/varsleak/github/gddeps/libtiff/libtiff/tif_aux.c:73
    #3 0x42d394 in _TIFFCheckMalloc
/home/varsleak/github/gddeps/libtiff/libtiff/tif_aux.c:88
    #4 0x45e70f in EstimateStripByteCounts
/home/varsleak/github/gddeps/libtiff/libtiff/tif_dirread.c:4310
    #5 0x45c7d9 in TIFFReadDirectory
/home/varsleak/github/gddeps/libtiff/libtiff/tif_dirread.c:3983
    #6 0x4465bb in TIFFSetDirectory
/home/varsleak/github/gddeps/libtiff/libtiff/tif_dir.c:1620
    #7 0x407718 in t2p_read_tiff_data
/home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:1275
    #8 0x42bc3b in t2p_write_pdf
/home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:5455
    #9 0x4043ee in main
/home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:809
    #10 0x7fea4488082f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:3672
t2p_sample_realize_palette
Shadow bytes around the buggy address:
  0x0c047fff9cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fa
=>0x0c047fff9d40: fa fa 06 fa fa[fa]00 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff9d50: fa fa 04 fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff9d60: fa fa 00 fa fa fa fd fa fa fa 02 fa fa fa fd fa
  0x0c047fff9d70: fa fa 00 07 fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9d80: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff9d90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==16241==ABORTING
[1]    16241 abort      ./tiff2pdf -ozx -j tiff_heap_buffer_overflow.txt
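For triaging a batch of honggfuzz crashes like this one, a small parser for the ASan report format, added here as an example; it is not part of the bug report and not libtiff code. It re-joins the frame lines the tracker wrapped, pulls out the access (here a 1-byte READ located 8 bytes to the left of an 8-byte region, i.e. before the allocation rather than past its end), the faulting and allocating stacks, and derives a dedup key from the first source-level frame. The sample input is the report above, trimmed to a few frames; the `signature` format, the underflow/overflow labels and the wrapped-line handling are this example's own choices, not an ASan or libtiff convention.

```python
# Added example (not libtiff code): triage an AddressSanitizer report like the one pasted above.
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Frame = Tuple[str, Optional[str], Optional[int]]  # (function, source file, line)

@dataclass
class AsanReport:
    error_kind: str                    # e.g. "heap-buffer-overflow"
    access: Optional[str] = None       # "READ" or "WRITE"
    size: Optional[int] = None         # access width in bytes
    address: Optional[int] = None      # faulting address
    offset: Optional[int] = None       # bytes between the access and the region edge
    side: Optional[str] = None         # "left" (before) or "right" (after) the region
    region_size: Optional[int] = None  # size of the nearest heap allocation
    frames: List[Frame] = field(default_factory=list)        # faulting stack
    alloc_frames: List[Frame] = field(default_factory=list)  # allocation stack

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+)(?:\s+([^\s(]+):(\d+))?")
ASAN_RUNTIME = ("__interceptor_", "__asan_")

def _unwrap(text: str) -> List[str]:
    """Re-join frames the tracker wrapped: ASan prints function and location on one
    line, so a line starting with '/' or '(' continues the frame above it."""
    lines: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("/", "(")) and lines:
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines

def parse_asan_report(text: str) -> AsanReport:
    report: Optional[AsanReport] = None
    target: Optional[List[Frame]] = None  # stack currently being collected
    for line in _unwrap(text):
        if m := HEADER_RE.search(line):
            report = AsanReport(error_kind=m.group(1))
            target = report.frames
            continue
        if report is None:
            continue                       # libtiff warnings printed before the report
        if line.startswith("SUMMARY:"):
            break
        if m := ACCESS_RE.match(line):
            report.access, report.size, report.address = m.group(1), int(m.group(2)), int(m.group(3), 16)
        elif m := REGION_RE.search(line):
            report.offset, report.side, report.region_size = int(m.group(1)), m.group(2), int(m.group(3))
        elif line.startswith("allocated by thread"):
            target = report.alloc_frames
        elif (m := FRAME_RE.search(line)) and target is not None:
            func, path, lineno = m.groups()
            target.append((func, path, int(lineno) if lineno else None))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report

def first_user_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame with a source location, skipping sanitizer interceptors."""
    return next((f for f in frames if f[1] and not f[0].startswith(ASAN_RUNTIME)), None)

def signature(report: AsanReport) -> str:
    """Dedup key for fuzzer crashes: bug class plus the first source-level faulting frame."""
    frame = first_user_frame(report.frames)
    if frame is None:
        return report.error_kind
    func, path, lineno = frame
    return f"{report.error_kind}|{func}|{os.path.basename(path)}:{lineno}"

def classify(report: AsanReport) -> str:
    """'underflow' when the access lands before the allocation (a negative index),
    'overflow' when it lands past its end, 'unknown' without region info."""
    return {"left": "underflow", "right": "overflow"}.get(report.side or "", "unknown")

# Sample input: the report above, trimmed to a few frames, keeping the tracker's wrapping.
SAMPLE_REPORT = """\
==16241==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000ea28 at pc 0x000000419e02 bp 0x7ffe15722110 sp 0x7ffe15722100
READ of size 1 at 0x60200000ea28 thread T0
    #0 0x419e01 in t2p_sample_realize_palette
/home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:3672
    #1 0x4109b4 in t2p_readwrite_pdf_image
/home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:2582
0x60200000ea28 is located 8 bytes to the left of 8-byte region
allocated by thread T0 here:
    #0 0x7fea4586d961 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x50b403 in _TIFFrealloc
/home/varsleak/github/gddeps/libtiff/libtiff/tif_unix.c:336
    #4 0x45e70f in EstimateStripByteCounts
/home/varsleak/github/gddeps/libtiff/libtiff/tif_dirread.c:4310
SUMMARY: AddressSanitizer: heap-buffer-overflow
"""
```

Run over a directory of fuzzer crash reports, `signature` collapses repeated finds of the same bug (same class, same first frame) into one bucket, while `side` and `offset` separate reads before the buffer, which typically come from an index that went negative or wrapped, from reads past its end.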
------- Comment #1 From 2017-02-24 01:16:47 -------
This is the CVS version error log:

==2675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ea28
at pc 0x000000419dfa bp 0x7ffe04ffe4e0 sp 0x7ffe04ffe4d0
READ of size 1 at 0x60200000ea28 thread T0
    #0 0x419df9 in t2p_sample_realize_palette
/home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf.c:3671
    #1 0x4109ac in t2p_readwrite_pdf_image
/home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf.c:2581
    #2 0x42cdfe in t2p_write_pdf
/home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf.c:5558
    #3 0x4043e6 in main
/home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf.c:808
    #4 0x7f197aba382f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x402b88 in _start
(/home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf+0x402b88)

0x60200000ea28 is located 8 bytes to the left of 8-byte region
[0x60200000ea30,0x60200000ea38)
allocated by thread T0 here:
    #0 0x7f197bb90961 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x50b3fb in _TIFFrealloc
/home/varsleak/github/gddeps/xxxbb/libtiff/libtiff/tif_unix.c:336
    #2 0x42d2be in _TIFFCheckRealloc
/home/varsleak/github/gddeps/xxxbb/libtiff/libtiff/tif_aux.c:73
    #3 0x42d38c in _TIFFCheckMalloc
/home/varsleak/github/gddeps/xxxbb/libtiff/libtiff/tif_aux.c:88
    #4 0x45e707 in EstimateStripByteCounts
/home/varsleak/github/gddeps/xxxbb/libtiff/libtiff/tif_dirread.c:4310
    #5 0x45c7d1 in TIFFReadDirectory
/home/varsleak/github/gddeps/xxxbb/libtiff/libtiff/tif_dirread.c:3983
    #6 0x4465b3 in TIFFSetDirectory
/home/varsleak/github/gddeps/xxxbb/libtiff/libtiff/tif_dir.c:1620
    #7 0x407710 in t2p_read_tiff_data
/home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf.c:1274
    #8 0x42bc33 in t2p_write_pdf
/home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf.c:5454
    #9 0x4043e6 in main
/home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf.c:808
    #10 0x7f197aba382f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
------- Comment #2 From 2019-10-01 14:20:15 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.