First Last Prev Next    No search results available
Bug 2754 - tiff2ps: heap-buffer-overflow in PSDataColorContig (tiff2ps.c)
: tiff2ps: heap-buffer-overflow in PSDataColorContig (tiff2ps.c)
Status: RESOLVED LATER
: libtiff
default
: unspecified
: PC Linux
: P1 critical
: ---
Assigned To:
:
:
: migrated_to_gitlab
:
:
  Show dependency treegraph
 
Reported: 2017-12-05 11:52 by
Modified: 2019-10-01 14:20 (History)

Attachments
poc to trigger the vulnerability (244 bytes, image/tiff)
2017-12-05 11:52, Wei You 		Details
Add an attachment (proposed patch, testcase, etc.)


Note

You need to log in before you can comment on or make changes to this bug.

Description From 2017-12-05 11:52:50 
Created an attachment (id=822) [details]
poc to trigger the vulnerability

on 4.0.9 (the latest version):
there is a heap-based buffer overflow in the PSDataColorContig function
(tools/tiff2ps.c), which can be triggered by poc_1.tiff in the attachment.

tiff2ps poc_1.tiff

=================================================================
==11388==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020000000f2 at pc 0x0000004fc992 bp 0x7ffc7eaf86a0 sp 0x7ffc7eaf8698
READ of size 1 at 0x6020000000f2 thread T0
    #0 0x4fc991 in PSDataColorContig
/home/fuzz/libtiff/master/tools/tiff2ps.c:2498:17
    #1 0x4f4cd1 in PSpage /home/fuzz/libtiff/master/tools/tiff2ps.c
    #2 0x4f0ed6 in TIFF2PS /home/fuzz/libtiff/master/tools/tiff2ps.c
    #3 0x4eef48 in main /home/fuzz/libtiff/master/tools/tiff2ps.c:479:9
    #4 0x7fa04a9e382f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x41a538 in _start
(/u/u113/you58/libtiff/master/tools/.libs/tiff2ps+0x41a538)

0x6020000000f2 is located 0 bytes to the right of 2-byte region
[0x6020000000f0,0x6020000000f2)
allocated by thread T0 here:
    #0 0x4c123c in malloc
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x4fb274 in PSDataColorContig
/home/fuzz/libtiff/master/tools/tiff2ps.c:2454:29

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/fuzz/libtiff/master/tools/tiff2ps.c:2498:17 in PSDataColorContig
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa fd fd fa fa fd fa
=>0x0c047fff8010: fa fa 00 fa fa fa 00 fa fa fa 00 07 fa fa[02]fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11388==ABORTING
------- Comment #1 From 2019-10-01 14:20:49 ------- 
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.
First Last Prev Next    No search results available