Created an attachment (id=768) [details]
testcase on libtiff 4.0.7

The PSDataColorContig function in tiff2ps.c:2487 allows remote attackers to cause a denial of service (heap buffer overflow) via a crafted file.

#tiff2ps $FILE
=================================================================
==88810==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000affe at pc 0x00000040c824 bp 0x7ffc07c5cd00 sp 0x7ffc07c5ccf8
READ of size 1 at 0x60b00000affe thread T0
    #0 0x40c823 in PSDataColorContig /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:2487
    #1 0x40ba1d in PSpage /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:2347
    #2 0x4087ce in TIFF2PS /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:1606
    #3 0x40379a in main /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:473
    #4 0x7fd0cae8ab34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
    #5 0x402bd8 (/home/haojun/Downloads/testopensourcecode/tiff-4.0.7_build/bin/tiff2ps+0x402bd8)

0x60b00000affe is located 0 bytes to the right of 110-byte region [0x60b00000af90,0x60b00000affe)
allocated by thread T0 here:
    #0 0x7fd0cbc7ebb8 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x45f0cd in _TIFFmalloc /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:316
    #2 0x40bef4 in PSDataColorContig /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:2443
    #3 0x40ba1d in PSpage /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:2347
    #4 0x4087ce in TIFF2PS /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:1606
    #5 0x40379a in main /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:473
    #6 0x7fd0cae8ab34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:2487 in PSDataColorContig
Shadow bytes around the buggy address:
  0x0c167fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c167fff95f0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00[06]
  0x0c167fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==88810==ABORTING

testcase: https://github.com/bestshow/p0cs/blob/master/heap-buffer-overflow-PSDataColorContig-tiff2ps-1.tif
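The report above carries everything a triager needs to classify the crash before reading tiff2ps.c: a one-byte READ exactly at the end of a 110-byte heap region that the same function allocated 44 lines earlier, i.e. an off-by-one read past a scanline buffer. The helper below is an added example, not part of this bug report or of libtiff; it parses an ASan heap-buffer-overflow report into those facts (the embedded excerpt is the report above with the build paths shortened), which is the kind of check a fuzzing pipeline runs to deduplicate and prioritise sanitizer findings.

```python
import re
from dataclasses import dataclass

# Excerpt of the AddressSanitizer report from the bug report (paths shortened).
ASAN_REPORT = """\
==88810==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000affe at pc 0x00000040c824
READ of size 1 at 0x60b00000affe thread T0
    #0 0x40c823 in PSDataColorContig tiff-4.0.7/tools/tiff2ps.c:2487
    #1 0x40ba1d in PSpage tiff-4.0.7/tools/tiff2ps.c:2347
    #2 0x4087ce in TIFF2PS tiff-4.0.7/tools/tiff2ps.c:1606
    #3 0x40379a in main tiff-4.0.7/tools/tiff2ps.c:473
0x60b00000affe is located 0 bytes to the right of 110-byte region [0x60b00000af90,0x60b00000affe)
allocated by thread T0 here:
    #0 0x7fd0cbc7ebb8 in __interceptor_malloc asan_malloc_linux.cc:62
    #1 0x45f0cd in _TIFFmalloc tiff-4.0.7/libtiff/tif_unix.c:316
    #2 0x40bef4 in PSDataColorContig tiff-4.0.7/tools/tiff2ps.c:2443
SUMMARY: AddressSanitizer: heap-buffer-overflow tiff-4.0.7/tools/tiff2ps.c:2487 in PSDataColorContig
"""

@dataclass
class Finding:
    bug_class: str
    access: str          # READ or WRITE
    size: int            # bytes accessed
    fault_frame: str     # function and file:line of the faulting access
    alloc_frame: str     # first frame of the allocation that is not an allocator wrapper
    region_size: int     # size of the heap region in bytes
    overrun: int         # bytes between region end and the fault (0 = first byte past the end)
    same_function: bool  # buffer allocated and overrun in the same function

FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

def parse_asan(report: str) -> Finding:
    head = re.search(r"AddressSanitizer: (\S+) on address 0x([0-9a-f]+)", report)
    acc = re.search(r"(READ|WRITE) of size (\d+)", report)
    reg = re.search(r"(\d+)-byte region \[0x[0-9a-f]+,0x([0-9a-f]+)\)", report)
    # Frames before "allocated by" describe the access; frames after it, the allocation.
    access_part, alloc_part = report.split("allocated by", 1)
    fault = FRAME.search(access_part)
    # Skip allocator wrappers (interceptor, _TIFFmalloc) to reach the real call site.
    alloc = next(f for f in FRAME.finditer(alloc_part) if "alloc" not in f.group(1).lower())
    addr, end = int(head.group(2), 16), int(reg.group(2), 16)
    return Finding(head.group(1), acc.group(1), int(acc.group(2)),
                   f"{fault.group(1)} {fault.group(2)}", f"{alloc.group(1)} {alloc.group(2)}",
                   int(reg.group(1)), addr - end, fault.group(1) == alloc.group(1))

if __name__ == "__main__":
    print(parse_asan(ASAN_REPORT))
```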
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues. The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.