Bug 2725 - tiff2pdf: huge memory allocation with input JPEG compressed file with huge stripbytecount
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assigned To:
Keywords: migrated_to_gitlab

Reported: 2017-08-06 23:18 by
Modified: 2019-10-01 14:20


Attachments
testcase (416 bytes, application/octet-stream), 2017-08-06 23:19, hackyzh
testcase2 (240 bytes, image/tiff), 2017-08-06 23:20, hackyzh




Description From 2017-08-06 23:18:09

    
------- Comment #1 From 2017-08-06 23:19:44 -------
Created an attachment (id=805) [details]
testcase
------- Comment #2 From 2017-08-06 23:20:57 -------
Created an attachment (id=806) [details]
testcase2
------- Comment #3 From 2017-08-06 23:22:38 -------
root@ubuntu:/home/hjy/Desktop# tiff2pdf oom-TIFFFetchStripThing 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 41 (0x29) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 57054 (0xdede) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 41"; tag ignored.
==30762==ERROR: AddressSanitizer failed to allocate 0x50018000 (1342275584)
bytes of LargeMmapAllocator: 12
==30762==Process memory map follows:
    0x08048000-0x082bc000    /usr/local/bin/tiff2pdf
    0x082bc000-0x082bd000    /usr/local/bin/tiff2pdf
    0x082bd000-0x082c7000    /usr/local/bin/tiff2pdf
    0x1ffff000-0x24000000    
    0x24000000-0x28000000    
    0x28000000-0x40000000    
    0x64a65000-0xb4d00000    
    0xb4e00000-0xb4f00000    
    0xb5000000-0xb5100000    
    0xb5200000-0xb5300000    
    0xb5400000-0xb5500000    
    0xb5600000-0xb5700000    
    0xb5800000-0xb5900000    
    0xb5a00000-0xb5b00000    
    0xb5c00000-0xb5d00000    
    0xb5d96000-0xb6f2a000    
    0xb6f2a000-0xb6f45000    /lib/i386-linux-gnu/libgcc_s.so.1
    0xb6f45000-0xb6f46000    /lib/i386-linux-gnu/libgcc_s.so.1
    0xb6f46000-0xb6f47000    /lib/i386-linux-gnu/libgcc_s.so.1
    0xb6f47000-0xb6f48000    
    0xb6f48000-0xb6f4b000    /lib/i386-linux-gnu/libdl-2.19.so
    0xb6f4b000-0xb6f4c000    /lib/i386-linux-gnu/libdl-2.19.so
    0xb6f4c000-0xb6f4d000    /lib/i386-linux-gnu/libdl-2.19.so
    0xb6f4d000-0xb6f65000    /lib/i386-linux-gnu/libpthread-2.19.so
    0xb6f65000-0xb6f66000    /lib/i386-linux-gnu/libpthread-2.19.so
    0xb6f66000-0xb6f67000    /lib/i386-linux-gnu/libpthread-2.19.so
    0xb6f67000-0xb6f69000    
    0xb6f69000-0xb7112000    /lib/i386-linux-gnu/libc-2.19.so
    0xb7112000-0xb7114000    /lib/i386-linux-gnu/libc-2.19.so
    0xb7114000-0xb7115000    /lib/i386-linux-gnu/libc-2.19.so
    0xb7115000-0xb7118000    
    0xb7118000-0xb715c000    /lib/i386-linux-gnu/libm-2.19.so
    0xb715c000-0xb715d000    /lib/i386-linux-gnu/libm-2.19.so
    0xb715d000-0xb715e000    /lib/i386-linux-gnu/libm-2.19.so
    0xb715e000-0xb7176000    /lib/i386-linux-gnu/libz.so.1.2.8
    0xb7176000-0xb7177000    /lib/i386-linux-gnu/libz.so.1.2.8
    0xb7177000-0xb7178000    /lib/i386-linux-gnu/libz.so.1.2.8
    0xb7178000-0xb7179000    
    0xb7179000-0xb71c2000    /usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
    0xb71c2000-0xb71c3000    /usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
    0xb71c3000-0xb71c4000    /usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
    0xb71c4000-0xb71d4000    
    0xb71d4000-0xb7273000    /usr/lib/i386-linux-gnu/libasan.so.1.0.0
    0xb7273000-0xb7275000    /usr/lib/i386-linux-gnu/libasan.so.1.0.0
    0xb7275000-0xb7276000    /usr/lib/i386-linux-gnu/libasan.so.1.0.0
    0xb7276000-0xb76ce000    
    0xb76d6000-0xb76da000    
    0xb76da000-0xb76db000    /home/hjy/Desktop/oom-TIFFFetchStripThing
    0xb76db000-0xb76e5000    
    0xb76e5000-0xb76e6000    [vdso]
    0xb76e6000-0xb7706000    /lib/i386-linux-gnu/ld-2.19.so
    0xb7706000-0xb7707000    /lib/i386-linux-gnu/ld-2.19.so
    0xb7707000-0xb7708000    /lib/i386-linux-gnu/ld-2.19.so
    0xbfd32000-0xbfd53000    [stack]
==30762==End of process memory map.
==30762==AddressSanitizer CHECK failed:
../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:66 "(("unable
to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0xb72284c1 (/usr/lib/i386-linux-gnu/libasan.so.1+0x544c1)
    #1 0xb722c6a9 in __sanitizer::CheckFailed(char const*, int, char const*,
unsigned long long, unsigned long long)
(/usr/lib/i386-linux-gnu/libasan.so.1+0x586a9)
    #2 0xb7231e22 (/usr/lib/i386-linux-gnu/libasan.so.1+0x5de22)
    #3 0xb71ec99b (/usr/lib/i386-linux-gnu/libasan.so.1+0x1899b)
    #4 0xb7222aa8 in __interceptor_realloc
(/usr/lib/i386-linux-gnu/libasan.so.1+0x4eaa8)
    #5 0x80999d2 in _TIFFCheckRealloc
/home/hjy/Desktop/tiff-4.0.8/libtiff/tif_aux.c:73
    #6 0x80999d2 in _TIFFCheckMalloc
/home/hjy/Desktop/tiff-4.0.8/libtiff/tif_aux.c:88
    #7 0x80e3a27 in TIFFFetchStripThing
/home/hjy/Desktop/tiff-4.0.8/libtiff/tif_dirread.c:5442
    #8 0x8106d46 in TIFFReadDirectory
/home/hjy/Desktop/tiff-4.0.8/libtiff/tif_dirread.c:3767
    #9 0x820f730 in TIFFClientOpen
/home/hjy/Desktop/tiff-4.0.8/libtiff/tif_open.c:466
    #10 0x8273c01 in TIFFFdOpen
/home/hjy/Desktop/tiff-4.0.8/libtiff/tif_unix.c:211
    #11 0x8273c01 in TIFFOpen
/home/hjy/Desktop/tiff-4.0.8/libtiff/tif_unix.c:250
    #12 0x804bd48 in main /home/hjy/Desktop/tiff-4.0.8/tools/tiff2pdf.c:751
    #13 0xb6f82a82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #14 0x804e9e9 (/usr/local/bin/tiff2pdf+0x804e9e9)
------- Comment #4 From 2017-08-06 23:23:19 -------
==21725==ERROR: AddressSanitizer failed to allocate 0x78003000 (2013278208)
bytes of LargeMmapAllocator: 12
==21725==Process memory map follows:
    0x08048000-0x082bc000    /usr/local/bin/tiff2pdf
    0x082bc000-0x082bd000    /usr/local/bin/tiff2pdf
    0x082bd000-0x082c7000    /usr/local/bin/tiff2pdf
    0x1ffff000-0x24000000    
    0x24000000-0x28000000    
    0x28000000-0x40000000    
    0xb4900000-0xb4a00000    
    0xb4b00000-0xb4c00000    
    0xb4d00000-0xb4e00000    
    0xb4f00000-0xb5000000    
    0xb5100000-0xb5200000    
    0xb5300000-0xb5400000    
    0xb5500000-0xb5600000    
    0xb5700000-0xb5800000    
    0xb5900000-0xb5a00000    
    0xb5b00000-0xb5c00000    
    0xb5c97000-0xb5e00000    
    0xb5e1f000-0xb6fd6000    
    0xb6fd6000-0xb6ff1000    /lib/i386-linux-gnu/libgcc_s.so.1
    0xb6ff1000-0xb6ff2000    /lib/i386-linux-gnu/libgcc_s.so.1
    0xb6ff2000-0xb6ff3000    /lib/i386-linux-gnu/libgcc_s.so.1
    0xb6ff3000-0xb6ff4000    
    0xb6ff4000-0xb6ff7000    /lib/i386-linux-gnu/libdl-2.19.so
    0xb6ff7000-0xb6ff8000    /lib/i386-linux-gnu/libdl-2.19.so
    0xb6ff8000-0xb6ff9000    /lib/i386-linux-gnu/libdl-2.19.so
    0xb6ff9000-0xb7011000    /lib/i386-linux-gnu/libpthread-2.19.so
    0xb7011000-0xb7012000    /lib/i386-linux-gnu/libpthread-2.19.so
    0xb7012000-0xb7013000    /lib/i386-linux-gnu/libpthread-2.19.so
    0xb7013000-0xb7015000    
    0xb7015000-0xb71be000    /lib/i386-linux-gnu/libc-2.19.so
    0xb71be000-0xb71c0000    /lib/i386-linux-gnu/libc-2.19.so
    0xb71c0000-0xb71c1000    /lib/i386-linux-gnu/libc-2.19.so
    0xb71c1000-0xb71c4000    
    0xb71c4000-0xb7208000    /lib/i386-linux-gnu/libm-2.19.so
    0xb7208000-0xb7209000    /lib/i386-linux-gnu/libm-2.19.so
    0xb7209000-0xb720a000    /lib/i386-linux-gnu/libm-2.19.so
    0xb720a000-0xb7222000    /lib/i386-linux-gnu/libz.so.1.2.8
    0xb7222000-0xb7223000    /lib/i386-linux-gnu/libz.so.1.2.8
    0xb7223000-0xb7224000    /lib/i386-linux-gnu/libz.so.1.2.8
    0xb7224000-0xb7225000    
    0xb7225000-0xb726e000    /usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
    0xb726e000-0xb726f000    /usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
    0xb726f000-0xb7270000    /usr/lib/i386-linux-gnu/libjpeg.so.8.0.2
    0xb7270000-0xb7280000    
    0xb7280000-0xb731f000    /usr/lib/i386-linux-gnu/libasan.so.1.0.0
    0xb731f000-0xb7321000    /usr/lib/i386-linux-gnu/libasan.so.1.0.0
    0xb7321000-0xb7322000    /usr/lib/i386-linux-gnu/libasan.so.1.0.0
    0xb7322000-0xb777a000    
    0xb7781000-0xb7786000    
    0xb7786000-0xb7787000    /home/hjy/Desktop/oom-t2p_readwrite_pdf_image_tile
    0xb7787000-0xb7791000    
    0xb7791000-0xb7792000    [vdso]
    0xb7792000-0xb77b2000    /lib/i386-linux-gnu/ld-2.19.so
    0xb77b2000-0xb77b3000    /lib/i386-linux-gnu/ld-2.19.so
    0xb77b3000-0xb77b4000    /lib/i386-linux-gnu/ld-2.19.so
    0xbfe5a000-0xbfe7b000    [stack]
==21725==End of process memory map.
==21725==AddressSanitizer CHECK failed:
../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:66 "(("unable
to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0xb72d44c1 (/usr/lib/i386-linux-gnu/libasan.so.1+0x544c1)
    #1 0xb72d86a9 in __sanitizer::CheckFailed(char const*, int, char const*,
unsigned long long, unsigned long long)
(/usr/lib/i386-linux-gnu/libasan.so.1+0x586a9)
    #2 0xb72dde22 (/usr/lib/i386-linux-gnu/libasan.so.1+0x5de22)
    #3 0xb729899b (/usr/lib/i386-linux-gnu/libasan.so.1+0x1899b)
    #4 0xb7299488 (/usr/lib/i386-linux-gnu/libasan.so.1+0x19488)
    #5 0xb72ce84a in __interceptor_malloc
(/usr/lib/i386-linux-gnu/libasan.so.1+0x4e84a)
    #6 0x804fb8d in t2p_readwrite_pdf_image_tile
/home/hjy/Desktop/tiff-4.0.8/tools/tiff2pdf.c:2887
    #7 0x809583d in t2p_readwrite_pdf_image_tile
/home/hjy/Desktop/tiff-4.0.8/tools/tiff2pdf.c:5576
    #8 0x809583d in t2p_write_pdf
/home/hjy/Desktop/tiff-4.0.8/tools/tiff2pdf.c:5535
    #9 0x804bf02 in main /home/hjy/Desktop/tiff-4.0.8/tools/tiff2pdf.c:808
    #10 0xb702ea82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #11 0x804e9e9 (/usr/local/bin/tiff2pdf+0x804e9e9)
------- Comment #5 From 2017-08-07 07:46:22 -------
The OOM with "tiff2pdf oom-TIFFFetchStripThing" is no longer reproducible since

2017-07-15  Even Rouault <even.rouault at spatialys.com>

        * libtiff/tif_read.c: add protection against excessive memory
        allocation attempts in TIFFReadDirEntryArray() on short files.
        Effective for mmap'ed case. And non-mmap'ed case, but restricted
        to 64bit builds.
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2675

Only remaining is with oom-t2p_readwrite_pdf_image_tile
------- Comment #6 From 2017-08-20 19:58:06 -------
This vulnerability has been assigned CVE-2017-12944, discovered by
zhihua.yao@dbappsecurity.com.cn
------- Comment #7 From 2018-11-20 09:11:39 -------
*** Bug 2827 has been marked as a duplicate of this bug. ***
------- Comment #8 From 2018-11-20 09:31:29 -------
The issue with the second testcase is still present in 4.0.10.

tiffsplit tool is affected similarly:

             TIFFGetField(in, TIFFTAG_TILEBYTECOUNTS, &bytecounts);
             [..]
             buf = (unsigned char *)_TIFFrealloc(buf, (tmsize_t)bytecounts[t]);
------- Comment #9 From 2018-11-20 09:37:33 -------
From bug 2675 I know you are not a friend of comparing the allocated size with the
file size, but perhaps a sanitizing function could be used directly in the tiff2pdf
tool?
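The check that comments #8 and #9 describe, written out as an added example (editor's code, not libtiff's): the byte count for a strip or tile is read straight from the directory, so before it is passed to realloc it is compared against the size of the file that is supposed to contain that data. The `tmsize_sim_t` type, the `grow_for_tile` helper and the `file_size` parameter are assumptions for this example; the 240-byte file size and the 0x78003000 count are taken from the attachment list and from the ASan line in comment #4.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Stand-in for libtiff's signed tmsize_t (assumption for this example). */
typedef int64_t tmsize_sim_t;

/* Decide whether a strip/tile byte count read from the directory could be
 * backed by the file at all. Returns 1 and stores the cast value in *out if
 * the count is usable, 0 otherwise. */
int bytecount_is_sane(uint64_t bytecount, uint64_t file_size, tmsize_sim_t *out)
{
    if (bytecount == 0)                  return 0; /* empty tile: nothing to allocate */
    if (bytecount > file_size)           return 0; /* cannot be backed by the file */
    if (bytecount > (uint64_t)INT64_MAX) return 0; /* would wrap negative after the cast */
    if (out) *out = (tmsize_sim_t)bytecount;
    return 1;
}

/* Index of the first implausible entry in a byte-count array, or -1 if all pass. */
long first_bad_bytecount(const uint64_t *bytecounts, size_t n, uint64_t file_size)
{
    for (size_t t = 0; t < n; t++)
        if (!bytecount_is_sane(bytecounts[t], file_size, NULL))
            return (long)t;
    return -1;
}

/* The quoted tiffsplit pattern with the sanity check placed in front of the realloc.
 * Returns the (possibly moved) buffer and updates *cap on success; on a rejected
 * count or an allocation failure returns NULL and leaves *buf and *cap untouched. */
unsigned char *grow_for_tile(unsigned char **buf, size_t *cap,
                             const uint64_t *bytecounts, size_t t, uint64_t file_size)
{
    tmsize_sim_t want;
    if (!bytecount_is_sane(bytecounts[t], file_size, &want))
        return NULL;
    if ((size_t)want <= *cap)
        return *buf;                 /* current buffer already large enough */
    unsigned char *nb = realloc(*buf, (size_t)want);
    if (nb == NULL)
        return NULL;
    *buf = nb;
    *cap = (size_t)want;
    return nb;
}

int main(void)
{
    /* Constructed sample: a 240-byte file whose tile table claims a middle tile
     * of 0x78003000 bytes, the amount ASan failed to mmap in comment #4. */
    const uint64_t file_size = 240;
    const uint64_t bytecounts[] = { 100, 0x78003000ULL, 60 };
    const size_t ntiles = sizeof bytecounts / sizeof bytecounts[0];

    unsigned char *buf = NULL;
    size_t cap = 0;
    for (size_t t = 0; t < ntiles; t++) {
        if (grow_for_tile(&buf, &cap, bytecounts, t, file_size) == NULL)
            printf("tile %zu: byte count %llu rejected (file is %llu bytes)\n",
                   t, (unsigned long long)bytecounts[t], (unsigned long long)file_size);
        else
            printf("tile %zu: buffer of %zu bytes ready\n", t, cap);
    }
    free(buf);
    return 0;
}
```

The file-size bound is deliberately coarse: a compressed tile can never be larger than the file it lives in, so a count above that is rejected without guessing at decompression ratios, and the cast guard covers the 32-bit case where a large uint64 count goes negative in tmsize_t.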
------- Comment #10 From 2019-10-01 14:20:46 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.