Created an attachment (id=753) [details]
leads to tiff2pdf crash

➜ tiff2pdf_fuzz git:(master) ✗ ./tiff2pdf -ozx -j tiff_heap_buffer_overflow.txt
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 252 (0xfc) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6912 (0x1b00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7168 (0x1c00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10240 (0x2800) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10496 (0x2900) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15872 (0x3e00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16128 (0x3f00) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 252 (0xfc) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6912 (0x1b00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7168 (0x1c00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10240 (0x2800) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10496 (0x2900) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15872 (0x3e00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16128 (0x3f00) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 252 (0xfc) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6912 (0x1b00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7168 (0x1c00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10240 (0x2800) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10496 (0x2900) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15872 (0x3e00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16128 (0x3f00) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 252 (0xfc) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6912 (0x1b00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7168 (0x1c00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10240 (0x2800) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10496 (0x2900) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15872 (0x3e00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16128 (0x3f00) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
=================================================================
==16241==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ea28 at pc 0x000000419e02 bp 0x7ffe15722110 sp 0x7ffe15722100
READ of size 1 at 0x60200000ea28 thread T0
    #0 0x419e01 in t2p_sample_realize_palette /home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:3672
    #1 0x4109b4 in t2p_readwrite_pdf_image /home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:2582
    #2 0x42ce06 in t2p_write_pdf /home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:5559
    #3 0x4043ee in main /home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:809
    #4 0x7fea4488082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x402b88 in _start (/home/varsleak/github/gddeps/libtiff/tools/tiff2pdf_fuzz/tiff2pdf+0x402b88)

0x60200000ea28 is located 8 bytes to the left of 8-byte region [0x60200000ea30,0x60200000ea38)
allocated by thread T0 here:
    #0 0x7fea4586d961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x50b403 in _TIFFrealloc /home/varsleak/github/gddeps/libtiff/libtiff/tif_unix.c:336
    #2 0x42d2c6 in _TIFFCheckRealloc /home/varsleak/github/gddeps/libtiff/libtiff/tif_aux.c:73
    #3 0x42d394 in _TIFFCheckMalloc /home/varsleak/github/gddeps/libtiff/libtiff/tif_aux.c:88
    #4 0x45e70f in EstimateStripByteCounts /home/varsleak/github/gddeps/libtiff/libtiff/tif_dirread.c:4310
    #5 0x45c7d9 in TIFFReadDirectory /home/varsleak/github/gddeps/libtiff/libtiff/tif_dirread.c:3983
    #6 0x4465bb in TIFFSetDirectory /home/varsleak/github/gddeps/libtiff/libtiff/tif_dir.c:1620
    #7 0x407718 in t2p_read_tiff_data /home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:1275
    #8 0x42bc3b in t2p_write_pdf /home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:5455
    #9 0x4043ee in main /home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:809
    #10 0x7fea4488082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/varsleak/github/gddeps/libtiff/tools/tiff2pdf.c:3672 t2p_sample_realize_palette
Shadow bytes around the buggy address:
  0x0c047fff9cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fa
=>0x0c047fff9d40: fa fa 06 fa fa[fa]00 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff9d50: fa fa 04 fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff9d60: fa fa 00 fa fa fa fd fa fa fa 02 fa fa fa fd fa
  0x0c047fff9d70: fa fa 00 07 fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9d80: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff9d90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==16241==ABORTING
[1]    16241 abort      ./tiff2pdf -ozx -j tiff_heap_buffer_overflow.txt
This is the error log for the CVS version:

==2675==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ea28 at pc 0x000000419dfa bp 0x7ffe04ffe4e0 sp 0x7ffe04ffe4d0
READ of size 1 at 0x60200000ea28 thread T0
    #0 0x419df9 in t2p_sample_realize_palette /home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf.c:3671
    #1 0x4109ac in t2p_readwrite_pdf_image /home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf.c:2581
    #2 0x42cdfe in t2p_write_pdf /home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf.c:5558
    #3 0x4043e6 in main /home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf.c:808
    #4 0x7f197aba382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x402b88 in _start (/home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf+0x402b88)

0x60200000ea28 is located 8 bytes to the left of 8-byte region [0x60200000ea30,0x60200000ea38)
allocated by thread T0 here:
    #0 0x7f197bb90961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x50b3fb in _TIFFrealloc /home/varsleak/github/gddeps/xxxbb/libtiff/libtiff/tif_unix.c:336
    #2 0x42d2be in _TIFFCheckRealloc /home/varsleak/github/gddeps/xxxbb/libtiff/libtiff/tif_aux.c:73
    #3 0x42d38c in _TIFFCheckMalloc /home/varsleak/github/gddeps/xxxbb/libtiff/libtiff/tif_aux.c:88
    #4 0x45e707 in EstimateStripByteCounts /home/varsleak/github/gddeps/xxxbb/libtiff/libtiff/tif_dirread.c:4310
    #5 0x45c7d1 in TIFFReadDirectory /home/varsleak/github/gddeps/xxxbb/libtiff/libtiff/tif_dirread.c:3983
    #6 0x4465b3 in TIFFSetDirectory /home/varsleak/github/gddeps/xxxbb/libtiff/libtiff/tif_dir.c:1620
    #7 0x407710 in t2p_read_tiff_data /home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf.c:1274
    #8 0x42bc33 in t2p_write_pdf /home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf.c:5454
    #9 0x4043e6 in main /home/varsleak/github/gddeps/xxxbb/libtiff/tools/tiff2pdf.c:808
    #10 0x7f197aba382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.