Created an attachment (id=791)
Triggered by "tiff2pdf POC2"

The ASan debug information is below:

$ ./tiff2pdf $POC
…
==15106==WARNING: AddressSanitizer failed to allocate 0x0a880c000000 bytes
==15106==AddressSanitizer's allocator is terminating the process instead of returning 0
==15106==If you don't like this behavior set allocator_may_return_null=1
==15106==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f2b684eb9c1 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa09c1)
    #1 0x7f2b684f0973 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa5973)
    #2 0x7f2b68468885 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d885)
    #3 0x7f2b684eebf5 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa3bf5)
    #4 0x7f2b6846dfad (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22fad)
    #5 0x7f2b684e3977 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98977)
    #6 0x7f2b66fe92fd (/usr/lib/x86_64-linux-gnu/libjbig.so.0+0x12fd)
    #7 0x7f2b66feea17 in jbg_dec_in (/usr/lib/x86_64-linux-gnu/libjbig.so.0+0x6a17)
    #8 0x7f2b681a8916 in JBIGDecode /home/company/real/tiff-4.0.8/libtiff/tif_jbig.c:79
    #9 0x7f2b681e7815 in TIFFReadEncodedStrip /home/company/real/tiff-4.0.8/libtiff/tif_read.c:507
    #10 0x40abea in t2p_readwrite_pdf_image /home/company/real/tiff-4.0.8/tools/tiff2pdf.c:2458
    #11 0x41bee3 in t2p_write_pdf /home/company/real/tiff-4.0.8/tools/tiff2pdf.c:5558
    #12 0x4021a6 in main /home/company/real/tiff-4.0.8/tools/tiff2pdf.c:808
    #13 0x7f2b67d79a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #14 0x402e68 in _start (/home/company/real/tiff-4.0.8/install_asan/bin/tiff2pdf+0x402e68)

The gdb debug information is below:

Program received signal SIGABRT, Aborted.
0x00007ffff77cd267 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff77cd267 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff77ceeca in __GI_abort () at abort.c:89
#2  0x00007ffff736930d in ?? () from /usr/lib/x86_64-linux-gnu/libjbig.so.0
#3  0x00007ffff736ea18 in jbg_dec_in () from /usr/lib/x86_64-linux-gnu/libjbig.so.0
#4  0x00007ffff7b8cc86 in JBIGDecode (tif=0x612c20, buffer=0x6142a0 "", size=<optimized out>, s=<optimized out>) at tif_jbig.c:79
#5  0x00007ffff7ba43d6 in TIFFReadEncodedStrip (tif=tif@entry=0x612c20, strip=strip@entry=0, buf=0x6142a0, size=<optimized out>) at tif_read.c:507
#6  0x0000000000405307 in t2p_readwrite_pdf_image (t2p=t2p@entry=0x612010, input=input@entry=0x612c20, output=output@entry=0x613980) at tiff2pdf.c:2458
#7  0x000000000040c2c2 in t2p_write_pdf (t2p=0x612010, input=0x612c20, output=0x613980) at tiff2pdf.c:5558
#8  0x0000000000401a70 in main (argc=<optimized out>, argv=<optimized out>) at tiff2pdf.c:808

Affected version: <= the latest version (4.0.8)

Credits: This vulnerability is detected by team OWL337, with our custom fuzzer coll AFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
owl337, it seems to me that this issue is in libjbig itself (excessive memory allocation in jbg_dec_in(), that isn't properly handled) and should be reported to their authors.

Adding Lee Howard in CC in case he still has interest in this codec and wants to comment.
I and many, many HylaFAX users use the JBIG codec support in libtiff repeatedly every day. I will email the JBIGKIT author, Markus Kuhn, and see if he wants to investigate.
(In reply to comment #1)
> owl337, it seems to me that this issue is in libjbig itself (excessive memory
> allocation in jbg_dec_in(), that isn't properly handled with) and should be
> reported to their authors
>
> Adding Lee Howard in CC in case he has still interest in this codec and wants
> to comment

ok
owl337, Which version of JBIGKIT are you using? v2.0 or v2.1?
I'm the author of JBIG-KIT. Could you please confirm that you are in fact using https://www.cl.cam.ac.uk/~mgk25/jbigkit/download/jbigkit-2.1.tar.gz (or anything newer from git)? Otherwise this could very likely be a rediscovery of CVE-2013-6369, which exists in all releases prior to JBIG-KIT 2.1, released on 2014-04-08.

Also, which of the two codecs included in JBIG-KIT are you using? jbig.c or jbig85.c? (I suspect the former, as the latter does not call malloc().)

If you are in fact using JBIG-KIT 2.1 or newer, I'd be interested in instructions on how I can reproduce the problem, preferably as an example BIE input file that triggers the problem in the jbgtopbm or jbgtopbm85 demo decoding tools that come with JBIG-KIT 2.1 or the git master.

https://www.cl.cam.ac.uk/~mgk25/jbigkit/

Thanks,
Markus
Markus, as far as I'm concerned, I tested on Ubuntu Xenial 16.04 with libjbig-dev:amd64 2.1-3.1 : https://packages.ubuntu.com/xenial/libjbig-dev
Created an attachment (id=793)
Extract of strip content with:

dd if=poc2 of=poc2_only_jbig_content bs=1 skip=250 count=89
Markus, I've added attachment http://bugzilla.maptools.org/attachment.cgi?id=793 that is the relevant JBIG strip content from the poc2 TIFF file.

Crashes on jbgtopbm from the Ubuntu 16.04 jbigkit-bin package:

$ valgrind jbgtopbm poc2_only_jbig_content
==19336== Memcheck, a memory error detector
==19336== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==19336== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==19336== Command: jbgtopbm poc2_only_jbig_content
==19336==
==19336==
==19336== Process terminating with default action of signal 6 (SIGABRT)
==19336==    at 0x507D428: raise (raise.c:54)
==19336==    by 0x507F029: abort (abort.c:89)
==19336==    by 0x4E3B30C: ??? (in /usr/lib/x86_64-linux-gnu/libjbig.so.0)
==19336==    by 0x4E40A17: jbg_dec_in (in /usr/lib/x86_64-linux-gnu/libjbig.so.0)
==19336==    by 0x401140: ??? (in /usr/bin/jbgtopbm)
==19336==    by 0x506882F: (below main) (libc-start.c:291)
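Comment 1 attributes the abort to an excessive allocation inside jbg_dec_in(), and the 89-byte extract above is the raw BIE that drives it. The decoder derives its bitmap allocation from the width (XD), height (YD) and plane count (P) fields of the 20-byte BIH at the start of every T.82 BIE, so a caller such as tif_jbig.c can bound that allocation before the data reaches the library (JBIG-KIT also exposes jbg_dec_maxsize() for the same purpose). The C below is an added, stand-alone illustration of that pre-check; it is not JBIG-KIT or libtiff code, its byte estimate (ceil(XD/8) bytes per line times YD times P) is an assumed lower bound rather than the library's exact accounting, the 64 MiB budget is an arbitrary caller-chosen limit, and the headers it builds are constructed inputs, not the attached PoC.

```c
/* Added example, not JBIG-KIT or libtiff code: parse the 20-byte BIH that
 * starts every T.82 BIE and bound the bitmap allocation before the data
 * reaches jbg_dec_in(). The estimate is an assumption: a lower bound on what
 * a decoder must hold, sufficient to reject absurd dimensions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BIE_HEADER_LEN 20

struct bie_header {
    uint8_t  dl, d, p;          /* initial layer, differential layers, bit planes */
    uint32_t xd, yd, l0;        /* width, height at layer D, lines per stripe */
    uint8_t  mx, my, order, options;
};

static uint32_t be32(const uint8_t *b) {
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* 0 on success, -1 if buf is too short to hold a BIH. */
int bie_parse_header(const uint8_t *buf, size_t len, struct bie_header *h) {
    if (buf == NULL || h == NULL || len < BIE_HEADER_LEN) return -1;
    h->dl = buf[0]; h->d = buf[1]; h->p = buf[2];      /* buf[3] is reserved */
    h->xd = be32(buf + 4); h->yd = be32(buf + 8); h->l0 = be32(buf + 12);
    h->mx = buf[16]; h->my = buf[17]; h->order = buf[18]; h->options = buf[19];
    return 0;
}

/* ceil(xd/8) bytes per line * yd lines * p planes, overflow-checked.
 * Lower-resolution layers add at most another third on top of this.
 * Returns 0 with *out set, or -1 when p == 0 or the product overflows 64 bits. */
int bie_bitmap_bytes(const struct bie_header *h, uint64_t *out) {
    if (h->p == 0) return -1;
    uint64_t bpl = ((uint64_t)h->xd + 7) / 8;
    if (bpl != 0 && h->yd > UINT64_MAX / bpl) return -1;
    uint64_t plane = bpl * h->yd;
    if (plane > UINT64_MAX / h->p) return -1;
    *out = plane * h->p;
    return 0;
}

/* Gate before decoding: 0 = within max_bytes, 1 = too large, -1 = malformed. */
int bie_check_size(const uint8_t *buf, size_t len, uint64_t max_bytes, uint64_t *need) {
    struct bie_header h;
    if (bie_parse_header(buf, len, &h) != 0) return -1;
    if (bie_bitmap_bytes(&h, need) != 0) return -1;
    return (*need > max_bytes) ? 1 : 0;
}

/* Constructed input (not the PoC): a single-layer BIH with the given geometry. */
void bie_make_header(uint8_t out[BIE_HEADER_LEN], uint32_t xd, uint32_t yd, uint8_t p) {
    memset(out, 0, BIE_HEADER_LEN);
    out[2] = p;
    for (int i = 0; i < 4; i++) {
        out[4 + i]  = (uint8_t)(xd >> (24 - 8 * i));
        out[8 + i]  = (uint8_t)(yd >> (24 - 8 * i));
        out[12 + i] = (uint8_t)(yd >> (24 - 8 * i));   /* L0: whole image in one stripe */
    }
}

/* Convenience for callers that only have dimensions; same return codes. */
int bie_check_dims(uint32_t xd, uint32_t yd, uint8_t p, uint64_t max_bytes) {
    uint8_t hdr[BIE_HEADER_LEN];
    uint64_t need = 0;
    bie_make_header(hdr, xd, yd, p);
    return bie_check_size(hdr, sizeof hdr, max_bytes, &need);
}

/* Estimate alone; UINT64_MAX signals a malformed header. */
uint64_t bie_need_dims(uint32_t xd, uint32_t yd, uint8_t p) {
    uint8_t hdr[BIE_HEADER_LEN];
    uint64_t need = UINT64_MAX;
    bie_make_header(hdr, xd, yd, p);
    if (bie_check_size(hdr, sizeof hdr, UINT64_MAX, &need) == -1) return UINT64_MAX;
    return need;
}

int main(void) {
    const uint64_t budget = 64u << 20;   /* 64 MiB, an arbitrary caller-chosen limit */
    printf("fax page 1728x2376x1: rc=%d need=%llu\n",
           bie_check_dims(1728, 2376, 1, budget),
           (unsigned long long)bie_need_dims(1728, 2376, 1));
    printf("hostile 0xFFFFFFFF x 0xFFFFFFFF x 1: rc=%d\n",
           bie_check_dims(0xFFFFFFFFu, 0xFFFFFFFFu, 1, budget));
    return 0;
}
```

A sane fax page passes with a few hundred KiB of need; a header carrying 0xFFFFFFFF for both dimensions is rejected before any malloc(), and a header whose product does not even fit in 64 bits is reported as malformed rather than silently truncated. Whatever budget the caller chooses, the point is that the limit is applied from the header alone, before the decoder is asked to allocate.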
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.