Bug 2718 - LibTiff tiff2pdf Stack Buffer Overflow Vulnerability
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P2 major
Target Milestone: ---
Whiteboard: migrated_to_gitlab

Reported: 2017-07-17 21:14 by
Modified: 2019-10-01 14:20

Attachments
poc (382 bytes, image/tiff), 2017-07-17 21:14, xiaozhouzhou


Description From 2017-07-17 21:14:10
Created an attachment (id=798)
poc

In LibTIFF 4.0.8, there is a stack-based buffer overflow in the
t2p_read_tiff_data function in tools/tiff2pdf.c.

Triggered by poc.tiff
fuzzer@debian:~/afl/libtiff/libtiff3/tools/.libs$ ./tiff2pdf ../../../poc.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
%PDF-1.1 
%����
1 0 obj
<< 
/Type /Catalog 
/Pages 3 0 R 
>>
endobj
2 0 obj
<< 
/CreationDate (D:20170717132220)
/ModDate (D:20170717132220)
/Producer (libtiff / tiff2pdf - 20170521)
>> 
endobj
3 0 obj
<< 
/Type /Pages 
/Kids [ 4 0 R ] 
/Count 1 
>> 
endobj
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
=================================================================
==69408==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc3ca28830 at pc 0x0000004f0dd9 bp 0x7ffc3ca28790 sp 0x7ffc3ca28788
READ of size 2 at 0x7ffc3ca28830 thread T0
    #0 0x4f0dd8 in t2p_read_tiff_data /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:1585:49
    #1 0x4e9e8a in t2p_write_pdf /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:5459:3
    #2 0x4e8c5d in main /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:808:2
    #3 0x7f30f6e36b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
    #4 0x41d1fb in _start (/home/fuzzer/afl/libtiff/libtiff3/tools/.libs/tiff2pdf+0x41d1fb)

Address 0x7ffc3ca28830 is located in stack of thread T0 at offset 144 in frame
    #0 0x4ed36f in t2p_read_tiff_data /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:1258

  This frame has 7 object(s):
    [32, 40) 'r' (line 1261)
    [64, 72) 'g' (line 1262)
    [96, 104) 'b' (line 1263)
    [128, 136) 'a' (line 1264) <== Memory access at offset 144 overflows this variable
    [160, 162) 'xuint16' (line 1265)
    [176, 184) 'xuint16p' (line 1266)
    [208, 216) 'xfloatp' (line 1267)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:1585:49 in t2p_read_tiff_data
Shadow bytes around the buggy address:
  0x10000793d0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d0f0: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2
=>0x10000793d100: 00 f2 f2 f2 00 f2[f2]f2 02 f2 00 f2 f2 f2 00 f3
  0x10000793d110: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000793d150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==69408==ABORTING
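The useful triage information in the report above is the "in frame" section: the faulting access is at frame offset 144, the frame's objects are listed with their byte ranges, and ASan marks 'a' [128, 136) as the variable being overrun. The following is an added example, not code from the bug report or from libtiff: a small Python helper that parses an ASan stack-buffer-overflow report, extracts the access type, size, faulting function and source line, and re-derives which frame object the access lands in or past (the same reasoning ASan uses for its "<==" marker). The sample input is the report quoted above, re-joined onto single lines the way ASan prints it; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Excerpt of the AddressSanitizer report from the bug description above,
# with the extraction line-wraps undone (constructed test input).
ASAN_REPORT = """\
==69408==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc3ca28830 at pc 0x0000004f0dd9 bp 0x7ffc3ca28790 sp 0x7ffc3ca28788
READ of size 2 at 0x7ffc3ca28830 thread T0
    #0 0x4f0dd8 in t2p_read_tiff_data /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:1585:49
    #1 0x4e9e8a in t2p_write_pdf /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:5459:3
    #2 0x4e8c5d in main /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:808:2

Address 0x7ffc3ca28830 is located in stack of thread T0 at offset 144 in frame
    #0 0x4ed36f in t2p_read_tiff_data /home/fuzzer/afl/libtiff/libtiff3/tools/tiff2pdf.c:1258

  This frame has 7 object(s):
    [32, 40) 'r' (line 1261)
    [64, 72) 'g' (line 1262)
    [96, 104) 'b' (line 1263)
    [128, 136) 'a' (line 1264) <== Memory access at offset 144 overflows this variable
    [160, 162) 'xuint16' (line 1265)
    [176, 184) 'xuint16p' (line 1266)
    [208, 216) 'xfloatp' (line 1267)
"""


@dataclass
class FrameObject:
    name: str
    start: int   # frame offset, inclusive
    end: int     # frame offset, exclusive
    line: int    # declaring source line


@dataclass
class Triage:
    bug_type: str
    access: str        # READ or WRITE
    size: int          # bytes accessed
    function: str      # top frame of the faulting stack
    file: str
    line: int
    offset: int        # faulting offset inside the frame
    objects: List[FrameObject]


OBJ_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)")


def parse_asan_report(text: str) -> Triage:
    """Pull the triage-relevant fields out of an ASan stack-buffer-overflow report."""
    bug = re.search(r"AddressSanitizer: ([\w-]+) on address", text)
    acc = re.search(r"^(READ|WRITE) of size (\d+)", text, re.M)
    # First '#0' is the faulting pc; '\s+' also tolerates a wrapped location.
    top = re.search(r"#0 0x[0-9a-f]+ in (\w+)\s+(\S+?):(\d+)(?::\d+)?", text)
    off = re.search(r"at offset (\d+) in frame", text)
    if not (bug and acc and top and off):
        raise ValueError("not a recognised ASan stack report")
    objs = [FrameObject(n, int(s), int(e), int(ln))
            for s, e, n, ln in OBJ_RE.findall(text)]
    return Triage(bug.group(1), acc.group(1), int(acc.group(2)),
                  top.group(1), top.group(2), int(top.group(3)),
                  int(off.group(1)), objs)


def locate_access(t: Triage) -> Tuple[Optional[str], str, int]:
    """Return (variable, relation, distance) for the faulting access.

    'inside'   : the access starts within the object's own bytes.
    'past-end' : the access starts in a redzone; the nearest preceding object
                 is the one being overrun and distance is bytes past its end.
    """
    lo = t.offset
    for o in t.objects:
        if o.start <= lo < o.end:
            return (o.name, "inside", 0)
    preceding = [o for o in t.objects if o.end <= lo]
    if not preceding:
        return (None, "before-first-object", 0)
    o = max(preceding, key=lambda obj: obj.end)
    return (o.name, "past-end", lo - o.end)


def summarize(text: str) -> str:
    """One-line triage summary suitable for a bug title or dedup key."""
    t = parse_asan_report(text)
    var, rel, dist = locate_access(t)
    where = f"{t.file.rsplit('/', 1)[-1]}:{t.line}"
    if rel == "past-end":
        detail = f"{dist} byte(s) past the end of '{var}'"
    elif rel == "inside":
        detail = f"inside '{var}'"
    else:
        detail = "below the first frame object"
    return (f"{t.bug_type}: {t.access} of {t.size} byte(s) in {t.function} "
            f"({where}) at frame offset {t.offset}, {detail}")


if __name__ == "__main__":
    print(summarize(ASAN_REPORT))
```

For the report above this yields a 2-byte READ in t2p_read_tiff_data (tiff2pdf.c:1585) that starts 8 bytes past the end of 'a', which is exactly what ASan's marker says; the helper becomes useful when triaging many fuzzer crashes, since the (function, line, variable, distance) tuple is a better deduplication key than the raw stack address.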
------- Comment #1 From 2019-02-11 18:08:45 -------
I'm not reproducing the buffer overflow with the latest code (from master branch). I think the bug has been fixed.
------- Comment #2 From 2019-10-01 14:20:46 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues.

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.