Created an attachment (id=798): poc

In LibTIFF 4.0.8, there is a stack-based buffer overflow in the t2p_read_tiff_data function in tools/tiff2pdf.c. Triggered by poc.tiff:

fuzzer@debian:~/afl/libtiff/libtiff3/tools/.libs$ ./tiff2pdf ../../../poc.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
%PDF-1.1
%����
1 0 obj
<<
/Type /Catalog
/Pages 3 0 R
>>
endobj
2 0 obj
<<
/CreationDate (D:20170717132220)
/ModDate (D:20170717132220)
/Producer (libtiff / tiff2pdf - 20170521)
>>
endobj
3 0 obj
<<
/Type /Pages
/Kids [ 4 0 R ]
/Count 1
>>
endobj
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
=================================================================
==69408==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc3ca28830 at pc 0x0000004f0dd9 bp 0x7ffc3ca28790 sp 0x7ffc3ca28788
READ of size 2 at 0x7ffc3ca28830 thread T0
    #0 0x4f0dd8 in t2p_read_tiff_data /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:1585:49
    #1 0x4e9e8a in t2p_write_pdf /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:5459:3
    #2 0x4e8c5d in main /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:808:2
    #3 0x7f30f6e36b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
    #4 0x41d1fb in _start (/home/fuzzer/afl/libtiff/libtiff3/tools/.libs/tiff2pdf+0x41d1fb)

Address 0x7ffc3ca28830 is located in stack of thread T0
  at offset 144 in frame
    #0 0x4ed36f in t2p_read_tiff_data /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:1258

  This frame has 7 object(s):
    [32, 40) 'r' (line 1261)
    [64, 72) 'g' (line 1262)
    [96, 104) 'b' (line 1263)
    [128, 136) 'a' (line 1264) <== Memory access at offset 144 overflows this variable
    [160, 162) 'xuint16' (line 1265)
    [176, 184) 'xuint16p' (line 1266)
    [208, 216) 'xfloatp' (line 1267)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:1585:49 in t2p_read_tiff_data
Shadow bytes around the buggy address:
  0x10000793d0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d0f0: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2
=>0x10000793d100: 00 f2 f2 f2 00 f2[f2]f2 02 f2 00 f2 f2 f2 00 f3
  0x10000793d110: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==69408==ABORTING
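An added triage helper, not part of the original report and not libtiff code: it parses the AddressSanitizer report above (embedded below as a constructed sample, trimmed to the lines the parser needs) into the fields used to bucket fuzzer crashes, and recomputes which frame object the faulting offset lies nearest. Offset 144 sits in the stack mid redzone, 8 bytes past the end of 'a' ([128, 136)) and 14 bytes short of 'xuint16' ([160, 162)) once the 2-byte access is counted. ASan's "overflows this variable" line is exactly that nearest-preceding-object heuristic: it tells you where the access landed in the frame, not which local the code at tiff2pdf.c:1585 actually indexed, so the attribution to 'a' is a lead for source inspection rather than a root cause. Function and field names in the script are the helper's own.

```python
import os
import re

# Constructed sample: the AddressSanitizer report quoted in the bug report above,
# trimmed to the lines the parser needs so the script runs offline.
SAMPLE_REPORT = """\
==69408==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc3ca28830 at pc 0x0000004f0dd9 bp 0x7ffc3ca28790 sp 0x7ffc3ca28788
READ of size 2 at 0x7ffc3ca28830 thread T0
    #0 0x4f0dd8 in t2p_read_tiff_data /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:1585:49
    #1 0x4e9e8a in t2p_write_pdf /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:5459:3
    #2 0x4e8c5d in main /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:808:2
    #3 0x7f30f6e36b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
    #4 0x41d1fb in _start (/home/fuzzer/afl/libtiff/libtiff3/tools/.libs/tiff2pdf+0x41d1fb)
Address 0x7ffc3ca28830 is located in stack of thread T0 at offset 144 in frame
    #0 0x4ed36f in t2p_read_tiff_data /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:1258
  This frame has 7 object(s):
    [32, 40) 'r' (line 1261)
    [64, 72) 'g' (line 1262)
    [96, 104) 'b' (line 1263)
    [128, 136) 'a' (line 1264) <== Memory access at offset 144 overflows this variable
    [160, 162) 'xuint16' (line 1265)
    [176, 184) 'xuint16p' (line 1266)
    [208, 216) 'xfloatp' (line 1267)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:1585:49 in t2p_read_tiff_data
"""

RE_ERROR = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
RE_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
# Frames with source info: "#N 0xADDR in func /path/file.c:LINE[:COL]".
# Frames given only as "module+offset" (like _start above) do not match and are skipped.
RE_FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)(?::(\d+))?$")
RE_OFFSET = re.compile(r"is located in stack of thread T\d+ at offset (\d+) in frame")
RE_OBJECT = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)")


def parse_asan_report(text: str) -> dict:
    """Extract error kind, access, symbolised stack trace and frame layout from an ASan report."""
    info = {"trace": [], "objects": []}
    state = None  # "trace" while reading the access stack, "frame" after the frame-description line
    for line in text.splitlines():
        m = RE_ERROR.search(line)
        if m:
            info["error"], info["address"] = m.group(1), int(m.group(2), 16)
            continue
        m = RE_ACCESS.match(line)
        if m:
            info["access"], info["size"] = m.group(1), int(m.group(2))
            state = "trace"
            continue
        m = RE_OFFSET.search(line)
        if m:
            info["frame_offset"] = int(m.group(1))
            state = "frame"
            continue
        m = RE_FRAME.match(line)
        if m:
            frame = {"function": m.group(2), "file": m.group(3), "line": int(m.group(4)),
                     "column": int(m.group(5)) if m.group(5) else None}
            if state == "trace":
                info["trace"].append(frame)
            elif state == "frame":
                info["frame_function"] = frame["function"]
            continue
        m = RE_OBJECT.match(line)
        if m:
            info["objects"].append({"lo": int(m.group(1)), "hi": int(m.group(2)),
                                    "name": m.group(3), "line": int(m.group(4))})
    return info


def locate_access(info: dict) -> dict:
    """Place the faulting frame offset relative to the frame's objects (ASan's own attribution rule).

    'distance' is bytes past the end of the nearest preceding object; 'gap_to_next' is the
    slack between the end of the access and the next object (negative means the access
    already reaches into it).
    """
    off, size, objs = info["frame_offset"], info["size"], info["objects"]
    for o in objs:
        if o["lo"] <= off < o["hi"]:
            return {"name": o["name"], "relation": "inside", "distance": off - o["lo"],
                    "next": None, "gap_to_next": None}
    before = [o for o in objs if o["hi"] <= off]
    after = [o for o in objs if o["lo"] > off]
    nxt = min(after, key=lambda x: x["lo"]) if after else None
    if before:
        o = max(before, key=lambda x: x["hi"])
        return {"name": o["name"], "relation": "past_end", "distance": off - o["hi"],
                "next": nxt["name"] if nxt else None,
                "gap_to_next": nxt["lo"] - (off + size) if nxt else None}
    o = min(objs, key=lambda x: x["lo"])
    return {"name": o["name"], "relation": "before_start", "distance": o["lo"] - off,
            "next": None, "gap_to_next": None}


def summarize(info: dict) -> str:
    """One-line crash signature suitable for de-duplicating a fuzzer's crash directory."""
    top = info["trace"][0]
    loc = locate_access(info)
    where = {"inside": "{d} bytes into '{n}'",
             "past_end": "{d} bytes past the end of '{n}'",
             "before_start": "{d} bytes before the start of '{n}'"}[loc["relation"]]
    where = where.format(d=loc["distance"], n=loc["name"])
    return (f"{info['error']} {info['access']} of {info['size']} bytes in {top['function']} "
            f"({os.path.basename(top['file'])}:{top['line']}), {where}")


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

The signature string keys on the top symbolised frame and the frame-relative landing point rather than on raw addresses, which change between runs under ASLR and ASan's quarantine, so two AFL crash files that hit the same bug collapse to the same line.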
I'm not reproducing the buffer overflow with the latest code (from master branch). I think the bug has been fixed.
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.