Bug 2753 – tiffcrop: heap-buffer-overflow in extractContigSamples24bits (tiffcrop.c)

Bug 2753 - tiffcrop: heap-buffer-overflow in extractContigSamples24bits (tiffcrop.c)

Summary:

tiffcrop: heap-buffer-overflow in extractContigSamples24bits (tiffcrop.c)

Status:	RESOLVED LATER

Product:	libtiff
Component:	default
Version:	unspecified
Platform:	PC Linux

Importance:	P1 critical
Target Milestone:	---
Assigned To:	Frank Warmerdam

URL:
Whiteboard:
Keywords:	migrated_to_gitlab

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2017-12-05 11:05 by Wei You
Modified:	2019-10-01 14:20 (History)

Attachments
poc to trigger the vulnerability (232 bytes, image/tiff) 2017-12-05 11:05, Wei You	Details
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Wei You 2017-12-05 11:05:39

Created an attachment (id=821) [details]
poc to trigger the vulnerability

on 4.0.9 (the latest version):
there is a heap-based buffer overflow in the extractContigSamples24bits
function (tools/tiffcrop.c), which can be triggered by poc_0.tiff in the
attachment.

tiffcrop -i poc_0.tiff /tmp/foo

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 7426 (0x1d02) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 48639 (0xbdff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2057 (0x809) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 17740 (0x454c) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 7426"; tag
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag
ignored.
_TIFFVSetField: /home/fuzz/poc/libtiff/poc_0.tiff: Bad value 65280 for
"ResolutionUnit" tag.
TIFFReadDirectory: Warning, TIFF directory is missing required
"StripByteCounts" field, calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory link.
loadImage: Image lacks Photometric interpreation tag.
=================================================================
==32432==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000153 at pc 0x000000529b37 bp 0x7ffff21fcf60 sp 0x7ffff21fcf58
READ of size 1 at 0x602000000153 thread T0
    #0 0x529b36 in extractContigSamples24bits
/home/fuzz/libtiff/master/tools/tiffcrop.c
    #1 0x527447 in extractContigSamplesToBuffer
/home/fuzz/libtiff/master/tools/tiffcrop.c:3576:19
    #2 0x527447 in writeBufferToSeparateStrips
/home/fuzz/libtiff/master/tools/tiffcrop.c:1203
    #3 0x514b82 in writeCroppedImage
/home/fuzz/libtiff/master/tools/tiffcrop.c:7991:11
    #4 0x4fff40 in main /home/fuzz/libtiff/master/tools/tiffcrop.c:2393:15
    #5 0x7feb698ce82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41a678 in _start
(/u/u113/you58/libtiff/master/tools/.libs/tiffcrop+0x41a678)

0x602000000153 is located 0 bytes to the right of 3-byte region
[0x602000000150,0x602000000153)
allocated by thread T0 here:
    #0 0x4c137c in malloc
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x51c994 in rotateImage
/home/fuzz/libtiff/master/tools/tiffcrop.c:8410:34

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/fuzz/libtiff/master/tools/tiffcrop.c in extractContigSamples24bits
Shadow bytes around the buggy address:
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa fd fd fa fa fd fa
  0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff8020: fa fa fd fa fa fa fd fa fa fa[03]fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32432==ABORTING

------- Comment #1 From Even Rouault 2019-10-01 14:20:49 -------

Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.