Bug 2729 - There is an Integer Overflow in function TIFFVStripSize64() in libtiff.
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Platform: PC Linux
Priority/Severity: P2 normal
Keywords: migrated_to_gitlab
Reported: 2017-08-21 06:27 by owl337
Modified: 2019-10-01 14:20


Attachments
Triggered by "./tiffset POC9" (317 bytes, application/octet-stream)
2017-08-21 06:27, owl337


Description From 2017-08-21 06:27:20
Created an attachment (id=809)
Triggered by "./tiffset POC79"

The output information is as follows:

$ ./tiffset POC9
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 267 (0x10b) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1302 (0x516) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag
ignored.
TIFFReadDirectory: Warning, Ignoring ColorMap because BitsPerSample=132>24.
tiffset_cov_compare_fast/coll-br-out/crashes/id:000363,sig:06,src:001609,op:havoc,rep:4:
Failed to allocate memory for for chopped "StripByteCounts" array (3471479316
elements of 8 bytes each).
tiffset_cov_compare_fast/coll-br-out/crashes/id:000363,sig:06,src:001609,op:havoc,rep:4:
Failed to allocate memory for for chopped "StripOffsets" array (3471479316
elements of 8 bytes each).
TIFFVStripSize64: Integer overflow in TIFFVStripSize64.
TIFFReadDirectory: Cannot handle zero strip size.


The gdb debugging information is listed below:
(gdb) set args POC9
(gdb) r
...
Breakpoint 1, _TIFFMultiply64 (tif=0x1850010, first=3471479316,
second=57279408714, 
    where=0x7ffff68f4da0 <TIFFVStripSize64.module> "TIFFVStripSize64") at
tif_aux.c:52
52        uint64 bytes = first * second;
(gdb) bt 
#0  _TIFFMultiply64 (tif=0x1850010, first=132, second=3471479316,
where=0x7ffff68f55a8 "TIFFTileRowSize") at tif_aux.c:52
#1  0x00007ffff689ee3f in TIFFTileRowSize64 (tif=0x1850010) at tif_tile.c:161
#2  0x00007ffff689ff1f in TIFFVTileSize64 (tif=0x1850010, nrows=1) at
tif_tile.c:246
#3  0x00007ffff6694bd8 in ChopUpSingleUncompressedStrip (tif=<optimized out>)
at tif_dirread.c:5675
#4  TIFFReadDirectory (tif=0x1850010) at tif_dirread.c:4186
#5  0x00007ffff680b368 in TIFFClientOpen (name=<optimized out>, mode=<optimized
out>, clientdata=<optimized out>, readproc=<optimized out>, 
    writeproc=<optimized out>, seekproc=<optimized out>, closeproc=<optimized
out>, sizeproc=<optimized out>, mapproc=<optimized out>, 
    unmapproc=<optimized out>) at tif_open.c:466
#6  0x00007ffff68c8d15 in TIFFFdOpen (fd=<optimized out>, name=<optimized out>,
mode=<optimized out>, fd=<optimized out>, 
    name=<optimized out>, mode=<optimized out>) at tif_unix.c:211
#7  TIFFOpen (name=<optimized out>, mode=<optimized out>) at tif_unix.c:250
#8  0x000000000041ea8b in main (argc=2, argv=0x7fffffffe538) at tiffset.c:86

(gdb) n
50    _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char*
where)
(gdb) 
54        if (second && bytes / second != first) {
(gdb) 
55            TIFFErrorExt(tif->tif_clientdata, where, "Integer overflow in
%s", where);
...
Continuing.
TIFFVStripSize64: Integer overflow in TIFFVStripSize64.
TIFFReadDirectory: Cannot handle zero strip size.
[Inferior 1 (process 3571) exited with code 02]


Triggered in _TIFFMultiply64 (tif=0x1850010, first=3471479316,
second=57279408714, 
    where=0x7ffff68f4da0 <TIFFVStripSize64.module> "TIFFVStripSize64") at
tif_aux.c:52
(gdb) list 
50    _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char*
where)
51    {
52        uint64 bytes = first * second;
53    
54        if (second && bytes / second != first) {
55            TIFFErrorExt(tif->tif_clientdata, where, "Integer overflow in
%s", where);
56            bytes = 0;
57        }
58    
59        return bytes;
(gdb) 


[note]: tiffset sets the value of a TIFF header to a specified value. It will
modify the raw POC file, so you'd better make a backup file every time you are
going to run it.

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need
more info about the team, the tool or the vulnerability.
------- Comment #1 From 2017-08-22 23:06:17 -------
The integer overflow is caused by malloc failure.
------- Comment #2 From 2017-08-23 07:49:29 -------
What's the issue exactly? Overflow in uint64 multiplication is defined
behaviour by the C standard, and as far as I can see, libtiff properly uses
that property to handle that situation.
------- Comment #3 From 2017-08-23 08:02:40 -------
(In reply to comment #2)
> What's the issue exactly? Overflow in uint64 multiplication is defined
> behaviour by the C standard, and as far as I can see, libtiff properly uses
> that property to handle that situation.
The allocation failure information is as follows.

company@ubuntu:~/real/libtiff-cvs/libtiff/install_asan/bin/tiffset_cov_compare_fast$
../tiffset
coll-br-out/crashes/id\:000363\,sig\:06\,src\:001609\,op\:havoc\,rep\:4 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 267 (0x10b) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1302 (0x516) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag
ignored.
TIFFReadDirectory: Warning, Ignoring ColorMap because BitsPerSample=132>24.
==105790==ERROR: AddressSanitizer failed to allocate 0x67754c000 (27771846656)
bytes of LargeMmapAllocator (errno: 12)
==105790==Process memory map follows:
==105790==End of process memory map.
==105790==AddressSanitizer CHECK failed:
../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:121 "(("unable
to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0x7f2e3d88a9c1  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa09c1)
    #1 0x7f2e3d88f973 in __sanitizer::CheckFailed(char const*, int, char
const*, unsigned long long, unsigned long long)
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa5973)
    #2 0x7f2e3d897981  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xad981)
    #3 0x7f2e3d80d06c  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x2306c)
    #4 0x7f2e3d882cfd in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98cfd)
    #5 0x7f2e3d50a3db in _TIFFCheckRealloc
/home/company/real/libtiff-cvs/libtiff/libtiff/tif_aux.c:73
    #6 0x7f2e3d533847 in ChopUpSingleUncompressedStrip
/home/company/real/libtiff-cvs/libtiff/libtiff/tif_dirread.c:5701
    #7 0x7f2e3d533847 in TIFFReadDirectory
/home/company/real/libtiff-cvs/libtiff/libtiff/tif_dirread.c:4186
    #8 0x7f2e3d576cf5 in TIFFClientOpen
/home/company/real/libtiff-cvs/libtiff/libtiff/tif_open.c:466
    #9 0x7f2e3d59a494 in TIFFFdOpen
/home/company/real/libtiff-cvs/libtiff/libtiff/tif_unix.c:211
    #10 0x7f2e3d59a516 in TIFFOpen
/home/company/real/libtiff-cvs/libtiff/libtiff/tif_unix.c:250
    #11 0x4011b8 in main
/home/company/real/libtiff-cvs/libtiff/tools/tiffset.c:86
    #12 0x7f2e3d13fa3f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #13 0x402548 in _start
(/home/company/real/libtiff-cvs/libtiff/install_asan/bin/tiffset+0x402548)
------- Comment #4 From 2017-08-23 08:10:44 -------
OK, so the issue is not an integer overflow, but a large memory allocation
attempt, right? Which I'm pretty sure is an already known issue.
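The overflow check from the tif_aux.c listing in the report, together with the allocation-size step that fails in comment #3's ASAN trace, as an added example that is not libtiff's code: `checked_mul64` reproduces the divide-back test and returns 0 on overflow, and `strip_array_bytes` adds a hypothetical size cap so a strip count that fits in 64 bits but implies a multi-gigabyte array is refused before it reaches realloc. The cap value and the function names are assumptions; the numeric inputs are the ones from the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Checked 64-bit multiply modelled on the tif_aux.c listing in the report
 * (added example, not libtiff's own code). Unsigned overflow wraps, which
 * is defined C, so a wrapped product is caught by dividing back: if the
 * true product fit in 64 bits, bytes / second == first. On overflow this
 * returns 0, which is why the caller then reports "Cannot handle zero
 * strip size". */
static uint64_t checked_mul64(uint64_t first, uint64_t second, const char *where)
{
    uint64_t bytes = first * second;
    if (second && bytes / second != first) {
        fprintf(stderr, "%s: Integer overflow in %s.\n", where, where);
        bytes = 0;
    }
    return bytes;
}

/* Same test with no side effect: 1 if first * second does not fit in 64 bits. */
static int mul64_overflows(uint64_t first, uint64_t second)
{
    return second != 0 && (first * second) / second != first;
}

/* Hypothetical cap on the chopped StripOffsets/StripByteCounts arrays. The
 * report's strip count (3471479316 entries of 8 bytes) passes the overflow
 * check but asks realloc for about 27 GB, which is the allocation failure in
 * comment #3. A return of 0 means "do not chop this strip". */
#define MAX_STRIP_ARRAY_BYTES (256ULL * 1024 * 1024)   /* assumed 256 MiB limit */

static uint64_t strip_array_bytes(uint64_t nstrips, uint64_t elem_size)
{
    uint64_t bytes = checked_mul64(nstrips, elem_size, "strip_array_bytes");
    if (bytes == 0 || bytes > MAX_STRIP_ARRAY_BYTES)
        return 0;
    return bytes;
}

int main(void)
{
    /* Breakpoint values from the report: the product overflows, so 0 comes back. */
    printf("%llu\n", (unsigned long long)checked_mul64(3471479316ULL, 57279408714ULL, "TIFFVStripSize64"));
    /* Values from frame #0 of the backtrace fit and multiply normally. */
    printf("%llu\n", (unsigned long long)checked_mul64(132ULL, 3471479316ULL, "TIFFTileRowSize"));
    /* The 8-byte-per-entry array request is refused by the cap, not by the overflow check. */
    printf("%llu\n", (unsigned long long)strip_array_bytes(3471479316ULL, 8));
    return 0;
}
```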
------- Comment #5 From 2019-10-01 14:20:47 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.