You need to log in before you can comment on or make changes to this bug.
Created an attachment (id=779) [details] Crash reproducer Hello libtiff, As part of our fuzzing <https://www.owasp.org/index.php/Fuzzing> efforts at Google, we have identified an issue in version 4.0.7 (and latest from CVS) of libtiff. To reproduce requires compiling the project with the LLVM compiler, taking advantage of the sanitizers that it offers (this issue was discovered using AddressSanitizer <https://github.com/google/sanitizers/wiki/AddressSanitizer>). To reproduce you will need to build your project using that sanitizer, and execute the attached stub code on the reproducer input that we have also provided. This stub code could also serve as a useful template for fuzzing in your project with libFuzzer <http://libfuzzer.info> and/or AFL <http://lcamtuf.coredump.cx/afl/>, which may help you uncover additional issues. Some documentation on how to get started with libFuzzer is here: -Getting Started Documentation <http://llvm.org/docs/LibFuzzer.html#getting-started> -LibFuzzer Tutorial <http://llvm.org/docs/LibFuzzer.html#getting-started> -OSS-Fuzz target example <https://github.com/google/oss-fuzz/blob/a143b9b39a51412d133f846688194d68fe > 4197ba/projects/libchewing/chewing_default_fuzzer.c> The following options / environment variables may be necessary for accurate reproduction of the issue as well: ASAN_OPTIONS="exitcode=1,handle_segv=1,detect_leaks=1,leak_check_at_exit=1,a llocator_may_return_null=1,detect_odr_violation=0" MSAN_OPTIONS=... The sanitizer error that we encountered is here: ==79737==WARNING: AddressSanitizer failed to allocate 0xf00000008002c00 bytes Live Heap Allocations: 63277374 bytes from 3478 allocations; showing top 95% 43158110 byte(s) (68%) in 739 allocation(s) #0 0x4f856b in operator new(unsigned long) #1 0x70fb1a in allocate #2 0x70fb1a in allocate #3 0x70fb1a in _M_allocate #4 0x70fb1a in _M_allocate_and_copy<__gnu_cxx::__normal_iterator<const unsigned char *, std::vector<unsigned char, std::allocator<unsigned char> > > > #5 0x70fb1a in std::vector<unsigned char, std::allocator<unsigned char> >::operator=(std::vector<unsigned char, std::allocator<unsigned char> > const&) #6 0x70f666 in fuzzer::InputCorpus::AddToCorpus(std::vector<unsigned char, std::allocator<unsigned char> > const&, unsigned long, bool) #7 0x7178af in fuzzer::Fuzzer::ShuffleAndMinimize(std::vector<std::vector<unsigned char, std::allocator<unsigned char> >, std::allocator<std::vector<unsigned char, std::allocator<unsigned char> > > >*) #8 0x70e668 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) #9 0x71c812 in main #10 0x7f3d7bb13ce7 in __libc_start_main #11 0x428038 in _start Other relevant info/repro instructions: We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation. Once you have reproduced the issue, we’d appreciate to learn your expected timeline for an update to be released. With any fix, please attribute the report to “Google Autofuzz project”. We are also pleased to inform you that your project is also eligible for inclusion to the OSS-Fuzz project, which can provide additional continuous fuzzing, and encourage you to investigate integration options <https://github.com/google/oss-fuzz/blob/master/docs/new_project_guide.md>. Don’t hesitate to let us know if you have any questions! Google AutoFuzz Team
I can probably reproduce the issue you got with "tiffcp -c none oom-e7a78e9213676e2e6dff6b639ee863882f8210de out.tif" Program received signal SIGINT, Interrupt. __memset_avx2 () at ../sysdeps/x86_64/multiarch/memset-avx2.S:161 161 ../sysdeps/x86_64/multiarch/memset-avx2.S: Aucun fichier ou dossier de ce type. (gdb) bt #0 __memset_avx2 () at ../sysdeps/x86_64/multiarch/memset-avx2.S:161 #1 0x00007ffff7ba5f18 in _TIFFmemset (p=0x7ffdfab01010, v=0, c=8521540848) at ../../libtiff/libtiff/tif_unix.c:342 #2 0x0000000000403aa3 in cpDecodedStrips (in=0x609930, out=0x609010, imagelength=1087, imagewidth=1728, spp=36294) at ../../libtiff/tools/tiffcp.c:986 #3 0x00000000004033b6 in tiffcp (in=0x609930, out=0x609010) at ../../libtiff/tools/tiffcp.c:814 #4 0x0000000000401de0 in main (argc=5, argv=0x7fffffffdd48) at ../../libtiff/tools/tiffcp.c:303 Probably that the new _TIFFReadEncodedStripAndAllocBuffer() symbol, currently internal, could be of help for tiffcp
*** Bug 2698 has been marked as a duplicate of this bug. ***
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.