You need to log in before you can comment on or make changes to this bug.
Created an attachment (id=821) [details] poc to trigger the vulnerability on 4.0.9 (the latest version): there is a heap-based buffer overflow in the extractContigSamples24bits function (tools/tiffcrop.c), which can be triggered by poc_0.tiff in the attachment. tiffcrop -i poc_0.tiff /tmp/foo TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, Unknown field with tag 7426 (0x1d02) encountered. TIFFReadDirectory: Warning, Unknown field with tag 48639 (0xbdff) encountered. TIFFReadDirectory: Warning, Unknown field with tag 2057 (0x809) encountered. TIFFReadDirectory: Warning, Unknown field with tag 17740 (0x454c) encountered. TIFFFetchNormalTag: Warning, IO error during reading of "Tag 7426"; tag ignored. TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored. TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored. TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored. _TIFFVSetField: /home/fuzz/poc/libtiff/poc_0.tiff: Bad value 65280 for "ResolutionUnit" tag. TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength. TIFFAdvanceDirectory: Error fetching directory link. loadImage: Image lacks Photometric interpreation tag. ================================================================= ==32432==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000153 at pc 0x000000529b37 bp 0x7ffff21fcf60 sp 0x7ffff21fcf58 READ of size 1 at 0x602000000153 thread T0 #0 0x529b36 in extractContigSamples24bits /home/fuzz/libtiff/master/tools/tiffcrop.c #1 0x527447 in extractContigSamplesToBuffer /home/fuzz/libtiff/master/tools/tiffcrop.c:3576:19 #2 0x527447 in writeBufferToSeparateStrips /home/fuzz/libtiff/master/tools/tiffcrop.c:1203 #3 0x514b82 in writeCroppedImage /home/fuzz/libtiff/master/tools/tiffcrop.c:7991:11 #4 0x4fff40 in main /home/fuzz/libtiff/master/tools/tiffcrop.c:2393:15 #5 0x7feb698ce82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #6 0x41a678 in _start (/u/u113/you58/libtiff/master/tools/.libs/tiffcrop+0x41a678) 0x602000000153 is located 0 bytes to the right of 3-byte region [0x602000000150,0x602000000153) allocated by thread T0 here: #0 0x4c137c in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3 #1 0x51c994 in rotateImage /home/fuzz/libtiff/master/tools/tiffcrop.c:8410:34 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/libtiff/master/tools/tiffcrop.c in extractContigSamples24bits Shadow bytes around the buggy address: 0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa fd fd fa fa fd fa 0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa =>0x0c047fff8020: fa fa fd fa fa fa fd fa fa fa[03]fa fa fa fa fa 0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==32432==ABORTING
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.