libtiff 4.0.3 tiff2pdf has a heap-use-after-free in libtiff/tools/tiff2pdf.c:405:21

Triggered by heap-use-after-free0:

./tiff2pdf heap-use-after-free0
==9027==ERROR: AddressSanitizer: heap-use-after-free on address 0xb4900310 at pc 0x080b6ab5 bp 0xbfcf5888 sp 0xbfcf5460
READ of size 32 at 0xb4900310 thread T0
    #0 0x80b6ab4 in fwrite /home/sdk/libfuzz/llvm/build/../projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1051
    #1 0x819a81a in t2p_writeproc /home/sdk/libtiff/tools/tiff2pdf.c:405:21
    #2 0x819cf9f in t2pWriteFile /home/sdk/libtiff/tools/tiff2pdf.c:379:10
    #3 0x819cf9f in t2p_write_pdf_stream /home/sdk/libtiff/tools/tiff2pdf.c:3985
    #4 0x819cf9f in t2p_write_pdf_transfer_stream /home/sdk/libtiff/tools/tiff2pdf.c:5013
    #5 0x819cf9f in t2p_write_pdf /home/sdk/libtiff/tools/tiff2pdf.c:5493
    #6 0x8198228 in main /home/sdk/libtiff/tools/tiff2pdf.c:808:2
    #7 0xb7418af2 in __libc_start_main /build/eglibc-0jBZkF/eglibc-2.19/csu/libc-start.c:287
    #8 0x8060592 in _start (/home/sdk/libtiff/tools/.libs/tiff2pdf+0x8060592)

0xb4900310 is located 0 bytes inside of 32-byte region [0xb4900310,0xb4900330)
freed by thread T0 here:
    #0 0x8156204 in __interceptor_free /home/sdk/libfuzz/llvm/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68
    #1 0xb76f756a in _TIFFfree (/usr/lib/i386-linux-gnu/libtiff.so.5+0x4356a)

previously allocated by thread T0 here:
    #0 0x81565b5 in malloc /home/sdk/libfuzz/llvm/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0xb76f7540 in _TIFFmalloc (/usr/lib/i386-linux-gnu/libtiff.so.5+0x43540)

SUMMARY: AddressSanitizer: heap-use-after-free /home/sdk/libfuzz/llvm/build/../projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1051 in fwrite
Shadow bytes around the buggy address:
  0x36920010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36920020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36920030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36920040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36920050: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
=>0x36920060: fa fa[fd]fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x36920070: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x36920080: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x36920090: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x369200a0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x369200b0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9027==ABORTING
Created an attachment (id=816): ./tiff2pdf heap-use-after-free0
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.