Bug 2756 - tiff2pdf: memory malloc failure in t2p_readwrite_pdf_image (tiff2pdf.c)
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Platform: PC Linux
Importance: P1 critical
Keywords: migrated_to_gitlab
Reported: 2017-12-05 20:27 by
Modified: 2019-10-01 14:20 (History)


Attachments
poc to trigger the vulnerability (350 bytes, image/tiff), 2017-12-05 20:27, Wei You


------- Description From 2017-12-05 20:27:59 -------
Created an attachment (id=824)
poc to trigger the vulnerability

On 4.0.9 (the latest version):
There is a memory malloc failure in the t2p_readwrite_pdf_image
function (tools/tiff2pdf.c), which can be triggered by poc_3.tiff in the
attachment.

tiff2pdf poc_3.tiff -o /tmp/foo

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
tiff2pdf: Warning, RGB image poc_3.tiff has 4 samples per pixel, assuming
inverse CMYK.
==17246==WARNING: AddressSanitizer failed to allocate 0x003006a93d25 bytes
==17246==AddressSanitizer's allocator is terminating the process instead of
returning 0
==17246==If you don't like this behavior set allocator_may_return_null=1
==17246==AddressSanitizer CHECK failed:
../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0))
!= (0)" (0x0, 0x0)
    #0 0x7f79edcf9631  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7f79edcfe613 in __sanitizer::CheckFailed(char const*, int, char
const*, unsigned long long, unsigned long long)
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa5613)
    #2 0x7f79edc76425  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d425)
    #3 0x7f79edcfc865  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa3865)
    #4 0x7f79edc7bb4d  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22b4d)
    #5 0x7f79edcf15d2 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)
    #6 0x41eba6 in t2p_readwrite_pdf_image
/home/fuzz/libtiff/4.0.9/tools/tiff2pdf.c:2450
    #7 0x443355 in t2p_write_pdf /home/fuzz/libtiff/4.0.9/tools/tiff2pdf.c:5567
    #8 0x4026d8 in main /home/fuzz/libtiff/4.0.9/tools/tiff2pdf.c:808
    #9 0x7f79ed46c82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x404818 in _start
(/home/fuzz/libtiff/4.0.9/tools/.libs/lt-tiff2pdf+0x404818)
------- Comment #1 From 2019-10-01 14:20:49 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.