Bug 2734 – heap-buffer-overflow in tiff2ps

Bug 2734 - heap-buffer-overflow in tiff2ps

Summary:

heap-buffer-overflow in tiff2ps

Status:	RESOLVED LATER

Product:	libtiff
Component:	default
Version:	unspecified
Platform:	PC Linux

Importance:	P1 critical
Target Milestone:	---
Assigned To:	Frank Warmerdam

URL:
Whiteboard:
Keywords:	migrated_to_gitlab

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2017-09-19 04:08 by zhaoliang
Modified:	2019-10-01 14:20 (History)

Attachments
POC file that crashing tiff2ps (122.16 KB, image/tiff) 2017-09-19 04:08, zhaoliang	Details
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From zhaoliang 2017-09-19 04:08:48

Created an attachment (id=814) [details]
POC file that crashing tiff2ps

on tiff-4.0.8, command line is
./tiff2ps -3 -z -y -s -r 90 -m -W 1 $POC

and the stacktraces with ASAN

==45012==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x63400002c602 at pc 0x00000040ad87 bp 0x7ffe5f737dd0 sp 0x7ffe5f737dc0
READ of size 1 at 0x63400002c602 thread T0
    #0 0x40ad86 in PS_Lvl2page /root/tiff-4.0.8/tools/tiff2ps.c:2270
    #1 0x40b579 in PSpage /root/tiff-4.0.8/tools/tiff2ps.c:2345
    #2 0x4068b7 in psMaskImage /root/tiff-4.0.8/tools/tiff2ps.c:1237
    #3 0x407f3e in TIFF2PS /root/tiff-4.0.8/tools/tiff2ps.c:1560
    #4 0x403292 in main /root/tiff-4.0.8/tools/tiff2ps.c:479
    #5 0x7fbb500a782f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x4026b8 in _start (/opt/tiff/bin/tiff2ps+0x4026b8)

AddressSanitizer can not describe address in more detail (wild memory access
suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow
/root/tiff-4.0.8/tools/tiff2ps.c:2270 PS_Lvl2page
Shadow bytes around the buggy address:
  0x0c687fffd870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffd880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffd890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffd8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffd8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c687fffd8c0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffd8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffd8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffd8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffd900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c687fffd910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==45012==ABORTING

------- Comment #1 From Thomas Bernard 2019-02-11 17:58:16 -------

I'm not reproducing on the "master" (commit ae0bed1f)
I think it has been fixed with 309bfd7f61761eaa2dc93eddb6588227a81c2ca0

------- Comment #2 From Even Rouault 2019-10-01 14:20:47 -------

Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.