You need to log in before you can comment on or make changes to this bug.
Created an attachment (id=822) [details] poc to trigger the vulnerability on 4.0.9 (the latest version): there is a heap-based buffer overflow in the PSDataColorContig function (tools/tiff2ps.c), which can be triggered by poc_1.tiff in the attachment. tiff2ps poc_1.tiff ================================================================= ==11388==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000f2 at pc 0x0000004fc992 bp 0x7ffc7eaf86a0 sp 0x7ffc7eaf8698 READ of size 1 at 0x6020000000f2 thread T0 #0 0x4fc991 in PSDataColorContig /home/fuzz/libtiff/master/tools/tiff2ps.c:2498:17 #1 0x4f4cd1 in PSpage /home/fuzz/libtiff/master/tools/tiff2ps.c #2 0x4f0ed6 in TIFF2PS /home/fuzz/libtiff/master/tools/tiff2ps.c #3 0x4eef48 in main /home/fuzz/libtiff/master/tools/tiff2ps.c:479:9 #4 0x7fa04a9e382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #5 0x41a538 in _start (/u/u113/you58/libtiff/master/tools/.libs/tiff2ps+0x41a538) 0x6020000000f2 is located 0 bytes to the right of 2-byte region [0x6020000000f0,0x6020000000f2) allocated by thread T0 here: #0 0x4c123c in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3 #1 0x4fb274 in PSDataColorContig /home/fuzz/libtiff/master/tools/tiff2ps.c:2454:29 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/libtiff/master/tools/tiff2ps.c:2498:17 in PSDataColorContig Shadow bytes around the buggy address: 0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa fd fd fa fa fd fa =>0x0c047fff8010: fa fa 00 fa fa fa 00 fa fa fa 00 07 fa fa[02]fa 0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==11388==ABORTING
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.