Bug 2707 - There is a memory malloc failure in tif_jbig.c of the libtiff library. A crafted TIFF document can lead to a abort in program.
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: All All
Importance: P1 blocker
Keywords: migrated_to_gitlab
Reported: 2017-06-26 03:28 by owl337
Modified: 2019-10-01 14:20


Attachments:
  Triggered by "tiff2pdf POC2" (722 bytes, application/octet-stream), 2017-06-26 03:28, owl337
  Extract of strip content with dd if=poc2 of=poc2_only_jbig_content bs=1 skip=250 count=89 (89 bytes, application/octet-stream), 2017-06-27 10:31, Even Rouault


Description From 2017-06-26 03:28:22
Created an attachment (id=791)
Triggered by "tiff2pdf POC2"

The asan debug information is below:

$./tiff2pdf $POC  

.....
==15106==WARNING: AddressSanitizer failed to allocate 0x0a880c000000 bytes
==15106==AddressSanitizer's allocator is terminating the process instead of returning 0
==15106==If you don't like this behavior set allocator_may_return_null=1
==15106==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f2b684eb9c1  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa09c1)
    #1 0x7f2b684f0973 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa5973)
    #2 0x7f2b68468885  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d885)
    #3 0x7f2b684eebf5  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa3bf5)
    #4 0x7f2b6846dfad  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22fad)
    #5 0x7f2b684e3977 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98977)
    #6 0x7f2b66fe92fd  (/usr/lib/x86_64-linux-gnu/libjbig.so.0+0x12fd)
    #7 0x7f2b66feea17 in jbg_dec_in (/usr/lib/x86_64-linux-gnu/libjbig.so.0+0x6a17)
    #8 0x7f2b681a8916 in JBIGDecode /home/company/real/tiff-4.0.8/libtiff/tif_jbig.c:79
    #9 0x7f2b681e7815 in TIFFReadEncodedStrip /home/company/real/tiff-4.0.8/libtiff/tif_read.c:507
    #10 0x40abea in t2p_readwrite_pdf_image /home/company/real/tiff-4.0.8/tools/tiff2pdf.c:2458
    #11 0x41bee3 in t2p_write_pdf /home/company/real/tiff-4.0.8/tools/tiff2pdf.c:5558
    #12 0x4021a6 in main /home/company/real/tiff-4.0.8/tools/tiff2pdf.c:808
    #13 0x7f2b67d79a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #14 0x402e68 in _start (/home/company/real/tiff-4.0.8/install_asan/bin/tiff2pdf+0x402e68)

The gdb debug information is below:

Program received signal SIGABRT, Aborted.
0x00007ffff77cd267 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55    ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff77cd267 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff77ceeca in __GI_abort () at abort.c:89
#2  0x00007ffff736930d in ?? () from /usr/lib/x86_64-linux-gnu/libjbig.so.0
#3  0x00007ffff736ea18 in jbg_dec_in () from /usr/lib/x86_64-linux-gnu/libjbig.so.0
#4  0x00007ffff7b8cc86 in JBIGDecode (tif=0x612c20, buffer=0x6142a0 "", size=<optimized out>, s=<optimized out>) at tif_jbig.c:79
#5  0x00007ffff7ba43d6 in TIFFReadEncodedStrip (tif=tif@entry=0x612c20, strip=strip@entry=0, buf=0x6142a0, size=<optimized out>) at tif_read.c:507
#6  0x0000000000405307 in t2p_readwrite_pdf_image (t2p=t2p@entry=0x612010, input=input@entry=0x612c20, output=output@entry=0x613980) at tiff2pdf.c:2458
#7  0x000000000040c2c2 in t2p_write_pdf (t2p=0x612010, input=0x612c20, output=0x613980) at tiff2pdf.c:5558
#8  0x0000000000401a70 in main (argc=<optimized out>, argv=<optimized out>) at tiff2pdf.c:808

Affected version: <= the latest version (4.0.8)


Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL.
Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more
info about the team, the tool or the vulnerability.
------- Comment #1 From 2017-06-26 10:18:24 -------
owl337, it seems to me that this issue is in libjbig itself (excessive memory
allocation in jbg_dec_in() that isn't properly handled) and should be
reported to its authors.

Adding Lee Howard in CC in case he has still interest in this codec and wants
to comment
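Comment #1 places the failure in jbg_dec_in(), which sizes its bitmap allocations from the dimensions a crafted stream declares. As an added example (not code from libtiff, JBIG-KIT or the reporter), the check below reads the 20-byte T.82 Bi-level Image Header (BIH) that opens every BIE stream and rejects images whose declared bitmap would exceed a caller-chosen cap before the stream reaches the decoder, using division rather than multiplication so a hostile header cannot wrap the size computation. JBIG-KIT exposes jbg_dec_maxsize() for the same purpose; the 64 MiB cap and the two sample headers here are constructed, not taken from the PoC.

```c
#include <stdint.h>
#include <stdio.h>

#define BIH_LEN 20                              /* T.82 Bi-level Image Header */
#define MAX_BITMAP_BYTES (64ULL * 1024 * 1024)  /* policy cap chosen for this example */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Inspect the BIH that opens a BIE stream and compute the bitmap size it
 * declares: ceil(XD/8) bytes per row, YD rows, P planes.  Returns that size
 * when it stays under MAX_BITMAP_BYTES, or 0 to reject a header that is
 * truncated, degenerate, or would demand more memory than the cap. */
uint64_t bih_bitmap_bytes(const unsigned char *bie, size_t len)
{
    if (len < BIH_LEN)
        return 0;
    uint32_t planes = bie[2];                    /* P: number of bitplanes */
    uint32_t xd = be32(bie + 4);                 /* XD: width in pixels */
    uint32_t yd = be32(bie + 8);                 /* YD: height in pixels */
    if (planes == 0 || xd == 0 || yd == 0)
        return 0;
    uint64_t row_bytes = ((uint64_t)xd + 7) / 8; /* at most 2^29 */
    uint64_t plane_bytes = row_bytes * yd;       /* at most 2^61, no wrap */
    /* Divide the cap instead of multiplying by P, so the total cannot wrap. */
    if (plane_bytes > MAX_BITMAP_BYTES / planes)
        return 0;
    return plane_bytes * planes;
}

/* Constructed headers, not the PoC bytes: a fax-sized 1728x2292 page, and one
 * that claims a 4294967295x4294967295 image (L0, MX, MY, order, options follow). */
static const unsigned char SANE_BIH[BIH_LEN] = {
    0, 0, 1, 0,  0x00,0x00,0x06,0xC0,  0x00,0x00,0x08,0xF4,
    0x00,0x00,0x08,0xF4,  0, 0, 0, 0 };
static const unsigned char HUGE_BIH[BIH_LEN] = {
    0, 0, 1, 0,  0xFF,0xFF,0xFF,0xFF,  0xFF,0xFF,0xFF,0xFF,
    0x00,0x00,0x00,0x01,  0, 0, 0, 0 };

int main(void)
{
    printf("sane header: %llu bitmap bytes (0 = reject)\n",
           (unsigned long long)bih_bitmap_bytes(SANE_BIH, BIH_LEN));
    printf("huge header: %llu bitmap bytes (0 = reject)\n",
           (unsigned long long)bih_bitmap_bytes(HUGE_BIH, BIH_LEN));
    return 0;
}
```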
------- Comment #2 From 2017-06-26 14:45:38 -------
I and many, many HylaFAX users use the JBIG codec support in libtiff repeatedly
every day.

I will email the JBIGKIT author, Markus Kuhn, and see if he wants to
investigate.
------- Comment #3 From 2017-06-26 19:35:56 -------
(In reply to comment #1)
> owl337, it seems to me that this issue is in libjbig itself (excessive memory
> allocation in jbg_dec_in(), that isn't properly handled with) and should be
> reported to their authors
> 
> Adding Lee Howard in CC in case he has still interest in this codec and wants
> to comment

ok
------- Comment #4 From 2017-06-27 01:55:57 -------
owl337,

Which version of JBIGKIT are you using?  v2.0 or v2.1?
------- Comment #5 From 2017-06-27 04:29:29 -------
I'm the author of JBIG-KIT. Could you please confirm that you are in fact using

  https://www.cl.cam.ac.uk/~mgk25/jbigkit/download/jbigkit-2.1.tar.gz

(or anything newer from git)? Otherwise this could very likely be a rediscovery
of CVE-2013-6369, which exists in all releases prior to JBIG-KIT 2.1 released
in 2014-04-08.

Also, which of the two codecs included in JBIG-KIT are you using? jbig.c or
jbig85.c? (I suspect the former, as the latter does not call malloc().)

If you are in fact using JBIG-KIT 2.1 or newer, I'd be interested in
instructions on how I can reproduce the problem, preferably as an example BIE
input file that triggers the problem in the jbgtopbm or jbgtopbm85 demo
decoding tools that come with JBIG-KIT 2.1 or the git master.

https://www.cl.cam.ac.uk/~mgk25/jbigkit/

Thanks,

Markus
------- Comment #6 From 2017-06-27 10:27:54 -------
Markus, as far as I'm concerned, I tested on Ubuntu Xenial 16.04 with
libjbig-dev:amd64 2.1-3.1 : https://packages.ubuntu.com/xenial/libjbig-dev
------- Comment #7 From 2017-06-27 10:31:16 -------
Created an attachment (id=793)
Extract of strip content with dd if=poc2 of=poc2_only_jbig_content bs=1 skip=250 count=89
------- Comment #8 From 2017-06-27 10:33:15 -------
Markus, I've added attachment
http://bugzilla.maptools.org/attachment.cgi?id=793, which is the relevant JBIG
strip content from the poc2 TIFF file.

It crashes jbgtopbm from the Ubuntu 16.04 jbigkit-bin package:

$ valgrind jbgtopbm poc2_only_jbig_content

==19336== Memcheck, a memory error detector
==19336== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==19336== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==19336== Command: jbgtopbm poc2_only_jbig_content
==19336== 
==19336== 
==19336== Process terminating with default action of signal 6 (SIGABRT)
==19336==    at 0x507D428: raise (raise.c:54)
==19336==    by 0x507F029: abort (abort.c:89)
==19336==    by 0x4E3B30C: ??? (in /usr/lib/x86_64-linux-gnu/libjbig.so.0)
==19336==    by 0x4E40A17: jbg_dec_in (in /usr/lib/x86_64-linux-gnu/libjbig.so.0)
==19336==    by 0x401140: ??? (in /usr/bin/jbgtopbm)
==19336==    by 0x506882F: (below main) (libc-start.c:291)
------- Comment #9 From 2019-10-01 14:20:35 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues.

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.