Bug 2757 - tiffcrop: memory malloc failure in readSeparateTilesIntoBuffer (tiffcrop.c)
Status: RESOLVED LATER (migrated_to_gitlab)
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P1 critical
Target Milestone: ---
Assigned To:
Reported: 2017-12-06 00:14 by Wei You
Modified: 2019-10-01 14:20


Attachments
poc to trigger the vulnerability (284 bytes, image/tiff), 2017-12-06 00:14, Wei You




Description From Wei You 2017-12-06 00:14:46
Created an attachment (id=825)
poc to trigger the vulnerability

On 4.0.9 (the latest version), there is a memory malloc failure in the
readSeparateTilesIntoBuffer function (tools/tiffcrop.c), which can be triggered
by poc_4.tiff in the attachment.

tiffcrop -i poc_4.tiff /tmp/foo

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 7426 (0x1d02) encountered.
poc_4.tiff: Warning, Nonstandard tile width -2147483644, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 512 (0x200) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored.
_TIFFVSetField: poc_4.tiff: Bad value 515 for "ResolutionUnit" tag.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
==18653==WARNING: AddressSanitizer failed to allocate 0x002000000208 bytes
==18653==AddressSanitizer's allocator is terminating the process instead of returning 0
==18653==If you don't like this behavior set allocator_may_return_null=1
==18653==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x7fb6452f5631  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7fb6452fa613 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa5613)
    #2 0x7fb645272425  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d425)
    #3 0x7fb6452f8865  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa3865)
    #4 0x7fb645277b4d  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22b4d)
    #5 0x7fb6452ed5d2 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x985d2)
    #6 0x432584 in readSeparateTilesIntoBuffer /home/fuzz/libtiff/4.0.9/tools/tiffcrop.c:994
    #7 0x432584 in loadImage /home/fuzz/libtiff/4.0.9/tools/tiffcrop.c:6204
    #8 0x4038d2 in main /home/fuzz/libtiff/4.0.9/tools/tiffcrop.c:2345
    #9 0x7fb64475f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x40d768 in _start (/home/fuzz/libtiff/4.0.9/tools/.libs/lt-tiffcrop+0x40d768)
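The stack above ends in the tile-buffer malloc inside readSeparateTilesIntoBuffer, and the only geometry warning in the log is the TileWidth: the value printed as -2147483644 is the 32-bit TIFF LONG 0x80000004 shown through a signed format. The C below is an added example written for this page, not tiffcrop's readSeparateTilesIntoBuffer and not a libtiff patch. It sizes a per-plane tile buffer with overflow-checked arithmetic and an assumed policy cap (MAX_TILE_BUFFER_BYTES, 256 MiB, chosen here for illustration) so that hostile tile geometry is refused before malloc() ever sees a multi-gigabyte request. The tile length (64) and bits per sample (8) used for the PoC case are constructed values, since the report does not list them.

```c
/* Added example: overflow-checked sizing of a per-plane tile buffer.
 * Illustrative code for this page, not tiffcrop's own allocation path. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap for one tile buffer (not a libtiff constant). Because the
 * cap is far below SIZE_MAX on any 32- or 64-bit target, a value that passes
 * checked_tile_bytes() always fits in size_t. */
#define MAX_TILE_BUFFER_BYTES ((uint64_t)256 * 1024 * 1024)

/* Multiply two uint64 values, reporting overflow instead of silently wrapping. */
static int mul_u64(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Bytes needed for one tile of one separate plane:
 *   tile_length * ceil(tile_width * bits_per_sample / 8)
 * Returns 0 when any dimension is zero, any multiplication overflows, or the
 * result exceeds MAX_TILE_BUFFER_BYTES. Callers treat 0 as "refuse". */
uint64_t checked_tile_bytes(uint32_t tile_width, uint32_t tile_length,
                            uint16_t bits_per_sample)
{
    uint64_t row_bits, row_bytes, total;

    if (tile_width == 0 || tile_length == 0 || bits_per_sample == 0)
        return 0;
    if (!mul_u64(tile_width, bits_per_sample, &row_bits))
        return 0;
    row_bytes = (row_bits + 7) / 8;
    if (!mul_u64(row_bytes, tile_length, &total))
        return 0;
    if (total > MAX_TILE_BUFFER_BYTES)
        return 0;
    return total;
}

/* Allocate only after the size has been validated; a hostile TileWidth from
 * the directory can no longer turn into a huge malloc() request. */
unsigned char *alloc_tile_buffer(uint32_t tile_width, uint32_t tile_length,
                                 uint16_t bits_per_sample)
{
    uint64_t n = checked_tile_bytes(tile_width, tile_length, bits_per_sample);
    if (n == 0)
        return NULL;
    return (unsigned char *)malloc((size_t)n);
}

/* TileWidth is an unsigned 32-bit LONG; printing it through a signed format is
 * what makes 0x80000004 appear as -2147483644. This reproduces that view
 * (two's-complement wrap, which every mainstream ABI uses). */
int32_t width_as_printed(uint32_t tile_width)
{
    return (int32_t)tile_width;
}

int main(void)
{
    /* Constructed input modelled on the warning in the report: TileWidth 0x80000004. */
    const uint32_t poc_width = 0x80000004u;

    printf("PoC TileWidth %u prints as %d\n", poc_width, width_as_printed(poc_width));
    printf("256x256 tile, 8 bps -> %llu bytes\n",
           (unsigned long long)checked_tile_bytes(256, 256, 8));
    printf("PoC tile, length 64, 8 bps -> %llu bytes (0 = refused)\n",
           (unsigned long long)checked_tile_bytes(poc_width, 64, 8));

    unsigned char *buf = alloc_tile_buffer(poc_width, 64, 8);
    printf("alloc_tile_buffer on PoC geometry: %s\n", buf ? "allocated" : "refused");
    free(buf);
    return 0;
}
```

The cap is the part a real tool would tune: a raster converter may legitimately want tiles larger than 256 MiB, but it should derive the limit from something it controls (a command-line option, available memory) rather than trusting a width and length supplied by the file, and it should still reject the overflow cases regardless of the limit.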
------- Comment #1 From 2019-10-01 14:20:49 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.