Created an attachment (id=809)

Triggered by "./tiffset POC79"

The output information is as follows:

$ ./tiffset POC9
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 267 (0x10b) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1302 (0x516) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
TIFFReadDirectory: Warning, Ignoring ColorMap because BitsPerSample=132>24.
tiffset_cov_compare_fast/coll-br-out/crashes/id:000363,sig:06,src:001609,op:havoc,rep:4: Failed to allocate memory for for chopped "StripByteCounts" array (3471479316 elements of 8 bytes each).
tiffset_cov_compare_fast/coll-br-out/crashes/id:000363,sig:06,src:001609,op:havoc,rep:4: Failed to allocate memory for for chopped "StripOffsets" array (3471479316 elements of 8 bytes each).
TIFFVStripSize64: Integer overflow in TIFFVStripSize64.
TIFFReadDirectory: Cannot handle zero strip size.

The gdb debugging information is listed below:

(gdb) set args POC9
(gdb) r
...
Breakpoint 1, _TIFFMultiply64 (tif=0x1850010, first=3471479316, second=57279408714, where=0x7ffff68f4da0 <TIFFVStripSize64.module> "TIFFVStripSize64") at tif_aux.c:52
52	    uint64 bytes = first * second;
(gdb) bt
#0  _TIFFMultiply64 (tif=0x1850010, first=132, second=3471479316, where=0x7ffff68f55a8 "TIFFTileRowSize") at tif_aux.c:52
#1  0x00007ffff689ee3f in TIFFTileRowSize64 (tif=0x1850010) at tif_tile.c:161
#2  0x00007ffff689ff1f in TIFFVTileSize64 (tif=0x1850010, nrows=1) at tif_tile.c:246
#3  0x00007ffff6694bd8 in ChopUpSingleUncompressedStrip (tif=<optimized out>) at tif_dirread.c:5675
#4  TIFFReadDirectory (tif=0x1850010) at tif_dirread.c:4186
#5  0x00007ffff680b368 in TIFFClientOpen (name=<optimized out>, mode=<optimized out>, clientdata=<optimized out>, readproc=<optimized out>, writeproc=<optimized out>, seekproc=<optimized out>, closeproc=<optimized out>, sizeproc=<optimized out>, mapproc=<optimized out>, unmapproc=<optimized out>) at tif_open.c:466
#6  0x00007ffff68c8d15 in TIFFFdOpen (fd=<optimized out>, name=<optimized out>, mode=<optimized out>, fd=<optimized out>, name=<optimized out>, mode=<optimized out>) at tif_unix.c:211
#7  TIFFOpen (name=<optimized out>, mode=<optimized out>) at tif_unix.c:250
#8  0x000000000041ea8b in main (argc=2, argv=0x7fffffffe538) at tiffset.c:86
(gdb) n
50	_TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
(gdb)
54	    if (second && bytes / second != first) {
(gdb)
55	        TIFFErrorExt(tif->tif_clientdata, where, "Integer overflow in %s", where);
...
Continuing.
TIFFVStripSize64: Integer overflow in TIFFVStripSize64.
TIFFReadDirectory: Cannot handle zero strip size.
[Inferior 1 (process 3571) exited with code 02]

Triggered in _TIFFMultiply64 (tif=0x1850010, first=3471479316, second=57279408714, where=0x7ffff68f4da0 <TIFFVStripSize64.module> "TIFFVStripSize64") at tif_aux.c:52

(gdb) list
50	_TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
51	{
52	    uint64 bytes = first * second;
53	
54	    if (second && bytes / second != first) {
55	        TIFFErrorExt(tif->tif_clientdata, where, "Integer overflow in %s", where);
56	        bytes = 0;
57	    }
58	
59	    return bytes;
(gdb)

[note]: Tiffset sets the value of a TIFF header to a specified value. It will modify the raw POC file, so you'd better make a backup file every time you are going to run it.

Credits: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
The integer overflow is caused by malloc failure.
What's the issue exactly? Overflow in uint64 multiplication is defined behaviour by the C standard, and as far as I can see, libtiff properly uses that property to handle that situation.
(In reply to comment #2)
> What's the issue exactly? Overflow in uint64 multiplication is defined
> behaviour by the C standard, and as far as I can see, libtiff properly uses
> that property to handle that situation.

The allocation failure information is as follows.

company@ubuntu:~/real/libtiff-cvs/libtiff/install_asan/bin/tiffset_cov_compare_fast$ ../tiffset coll-br-out/crashes/id\:000363\,sig\:06\,src\:001609\,op\:havoc\,rep\:4
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 267 (0x10b) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1302 (0x516) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
TIFFReadDirectory: Warning, Ignoring ColorMap because BitsPerSample=132>24.
==105790==ERROR: AddressSanitizer failed to allocate 0x67754c000 (27771846656) bytes of LargeMmapAllocator (errno: 12)
==105790==Process memory map follows:
==105790==End of process memory map.
==105790==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0x7f2e3d88a9c1 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa09c1)
    #1 0x7f2e3d88f973 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa5973)
    #2 0x7f2e3d897981 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xad981)
    #3 0x7f2e3d80d06c (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x2306c)
    #4 0x7f2e3d882cfd in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98cfd)
    #5 0x7f2e3d50a3db in _TIFFCheckRealloc /home/company/real/libtiff-cvs/libtiff/libtiff/tif_aux.c:73
    #6 0x7f2e3d533847 in ChopUpSingleUncompressedStrip /home/company/real/libtiff-cvs/libtiff/libtiff/tif_dirread.c:5701
    #7 0x7f2e3d533847 in TIFFReadDirectory /home/company/real/libtiff-cvs/libtiff/libtiff/tif_dirread.c:4186
    #8 0x7f2e3d576cf5 in TIFFClientOpen /home/company/real/libtiff-cvs/libtiff/libtiff/tif_open.c:466
    #9 0x7f2e3d59a494 in TIFFFdOpen /home/company/real/libtiff-cvs/libtiff/libtiff/tif_unix.c:211
    #10 0x7f2e3d59a516 in TIFFOpen /home/company/real/libtiff-cvs/libtiff/libtiff/tif_unix.c:250
    #11 0x4011b8 in main /home/company/real/libtiff-cvs/libtiff/tools/tiffset.c:86
    #12 0x7f2e3d13fa3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #13 0x402548 in _start (/home/company/real/libtiff-cvs/libtiff/install_asan/bin/tiffset+0x402548)
OK, so the issue is not an integer overflow, but a large memory allocation attempt, right? Which I'm pretty sure is an already known issue.
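As an added example (not libtiff's code), the distinction the reply above draws: an overflow-checked multiply with the same contract as the `_TIFFMultiply64` listing in the report, which accepts the 3471479316 x 8-byte StripByteCounts request because that product is representable, beside a hypothetical size ceiling that rejects it before it reaches the allocator. `MAX_DIR_ARRAY_BYTES`, `dir_array_bytes` and `alloc_dir_array` are assumptions introduced here.

```c
#include <stdint.h>
#include <stdlib.h>

/* Overflow-checked multiply with the same contract as libtiff's
 * _TIFFMultiply64 quoted in the gdb listing: the product, or 0 when it
 * does not fit in 64 bits (0 is also returned for a zero operand). */
uint64_t checked_multiply64(uint64_t first, uint64_t second)
{
    uint64_t bytes = first * second;        /* unsigned wraparound is defined */
    if (second && bytes / second != first)  /* wrapped: quotient no longer matches */
        return 0;
    return bytes;
}

/* Hypothetical per-array ceiling (an assumption, not a libtiff constant).
 * No element count read from a TIFF directory should need more than this. */
#define MAX_DIR_ARRAY_BYTES ((uint64_t)256u * 1024u * 1024u)

/* Byte size of `count` elements of `elem_size` bytes, or 0 when the product
 * overflows, is zero, exceeds the ceiling, or cannot be a size_t. This is the
 * check the report's request lacks: 3471479316 * 8 does not overflow, so an
 * overflow test alone accepts a ~27.7 GB allocation. */
uint64_t dir_array_bytes(uint64_t count, uint64_t elem_size)
{
    uint64_t bytes = checked_multiply64(count, elem_size);
    if (bytes == 0 || bytes > MAX_DIR_ARRAY_BYTES)
        return 0;
    if (bytes > (uint64_t)SIZE_MAX)          /* only matters on 32-bit hosts */
        return 0;
    return bytes;
}

/* Bounded replacement for an unchecked malloc(count * elem_size);
 * a NULL result is an ordinary error the caller can report. */
void *alloc_dir_array(uint64_t count, uint64_t elem_size)
{
    uint64_t bytes = dir_array_bytes(count, elem_size);
    return bytes ? malloc((size_t)bytes) : NULL;
}

int main(void)
{
    /* Constructed from the report: StripByteCounts chopped into
     * 3471479316 entries of 8 bytes each. */
    void *p = alloc_dir_array(3471479316ULL, 8);
    free(p);                                  /* p is NULL: request rejected */
    return p == NULL ? 0 : 1;
}
```

Under ASan a failed huge mapping aborts the process (the CHECK failure in the reply above) instead of returning NULL, so bounding the request is what turns that abort into a clean "cannot allocate" error.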
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.