You need to log in before you can comment on or make changes to this bug.
Created an attachment (id=765) [details] testcase on libtiff 4.0.7 The combineSeparateSamples32bits function in tiffcrop.c:4148 allows remote attackers to cause a denial of service (heap buffer overflow) via a crafted file. #tiffcrop $FILE out.tif ================================================================= ==56543==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000fbda at pc 0x00000041171b bp 0x7ffecd216d00 sp 0x7ffecd216cf8 READ of size 1 at 0x61600000fbda thread T0 #0 0x41171a in combineSeparateSamples32bits /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiffcrop.c:4148 #1 0x4158e6 in readSeparateStripsIntoBuffer /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiffcrop.c:4901 #2 0x41ebcb in loadImage /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiffcrop.c:6175 #3 0x40a743 in main /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiffcrop.c:2345 #4 0x7f0aa160bb34 in __libc_start_main (/lib64/libc.so.6+0x21b34) #5 0x402e28 (/home/haojun/Downloads/testopensourcecode/tiff-4.0.7_build/bin/tiffcrop+0x402e28) 0x61600000fbda is located 0 bytes to the right of 602-byte region [0x61600000f980,0x61600000fbda) allocated by thread T0 here: #0 0x7f0aa23ffbb8 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62 #1 0x486286 in _TIFFmalloc /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:316 #2 0x4150a2 in readSeparateStripsIntoBuffer /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiffcrop.c:4821 #3 0x41ebcb in loadImage /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiffcrop.c:6175 #4 0x40a743 in main /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiffcrop.c:2345 #5 0x7f0aa160bb34 in __libc_start_main (/lib64/libc.so.6+0x21b34) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiffcrop.c:4148 in combineSeparateSamples32bits Shadow bytes around the buggy address: 0x0c2c7fff9f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2c7fff9f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2c7fff9f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2c7fff9f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2c7fff9f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c2c7fff9f70: 00 00 00 00 00 00 00 00 00 00 00[02]fa fa fa fa 0x0c2c7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2c7fff9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c7fff9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c7fff9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2c7fff9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==56543==ABORTING testcase:https://github.com/bestshow/p0cs/blob/master/heap-buffer-overflow-combineSeparateSamples32bits-tiffcrop-1.tif
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.
