Bug 2758 - tiffinfo: memory malloc failure in TIFFReadRawData (tiffinfo.c)
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P1 critical
Target Milestone: ---
Assigned To:
Keywords: migrated_to_gitlab

Reported: 2017-12-06 11:07 by Wei You
Modified: 2019-10-01 14:20


Attachments
poc to trigger the vulnerability (236 bytes, image/tiff), 2017-12-06 11:07, Wei You




Description From 2017-12-06 11:07:45
Created an attachment (id=828): poc to trigger the vulnerability

On 4.0.9 (the latest version) there is a memory malloc failure in the
TIFFReadRawData function (tools/tiffinfo.c), which can be triggered by
poc_5.tiff in the attachment.

tiffinfo -Dijr poc_5.tiff

==22750==WARNING: AddressSanitizer failed to allocate 0x0012003f6d80 bytes
==22750==AddressSanitizer's allocator is terminating the process instead of returning 0
==22750==If you don't like this behavior set allocator_may_return_null=1
==22750==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f65db588631  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7f65db58d613 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa5613)
    #2 0x7f65db505425  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x1d425)
    #3 0x7f65db58b865  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa3865)
    #4 0x7f65db50ab4d  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22b4d)
    #5 0x7f65db50bbf5  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x23bf5)
    #6 0x7f65db58092f in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9892f)
    #7 0x405b7a in TIFFReadRawData /home/fuzz/libtiff/4.0.9/tools/tiffinfo.c:427
    #8 0x402361 in tiffinfo /home/fuzz/libtiff/4.0.9/tools/tiffinfo.c:473
    #9 0x402361 in main /home/fuzz/libtiff/4.0.9/tools/tiffinfo.c:152
    #10 0x7f65dacfb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x402728 in _start (/home/fuzz/libtiff/4.0.9/tools/.libs/lt-tiffinfo+0x402728)
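Editor's note on what the trace shows. The failing call is a realloc inside tiffinfo's TIFFReadRawData, which grows its raw-data buffer to the byte count recorded for each strip or tile, a 64-bit value read straight from the file. A crafted StripByteCounts entry therefore turns into an allocation request of any size the attacker likes (here 0x0012003f6d80 bytes, out of a 236-byte file), and ASan, which by default terminates rather than return NULL, aborts the process. The program below is an added example written for this page, not libtiff's code: it models that growth loop and adds the sanity check the report implicitly asks for, namely that no strip can be larger than the file it lives in, and treats a NULL from realloc as an error rather than something to keep going with. The names raw_buf, raw_buf_grow, accept_strips, run_sane and run_hostile and the byte-count arrays are hypothetical; the 236-byte file size and the 0x0012003f6d80 request are taken from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example (not libtiff code). Models the buffer-growth loop the stack
 * trace points at and bounds every request by the size of the file being read. */

typedef struct {
    unsigned char *buf;
    size_t         cap;   /* bytes currently allocated */
} raw_buf;                /* hypothetical type */

/* Ensure rb->cap >= want. Returns 0 on success, -1 (rb untouched) on rejection.
 * file_size is the on-disk size of the TIFF being read. */
static int raw_buf_grow(raw_buf *rb, uint64_t want, uint64_t file_size)
{
    if (want > file_size)           /* byte count claims more data than the file holds */
        return -1;
    if (want > (uint64_t)SIZE_MAX)  /* would be silently truncated on a 32-bit build */
        return -1;
    if (want <= rb->cap)
        return 0;
    unsigned char *p = realloc(rb->buf, (size_t)want);
    if (p == NULL)                  /* allocation failure is an error, not a crash */
        return -1;
    rb->buf = p;
    rb->cap = (size_t)want;
    return 0;
}

/* Walk a byte-count array the way a strip loop would. Returns how many strips
 * were accepted before the first rejection (n when all are accepted). */
static size_t accept_strips(const uint64_t *bc, size_t n, uint64_t file_size, raw_buf *rb)
{
    for (size_t s = 0; s < n; s++) {
        if (raw_buf_grow(rb, bc[s], file_size) != 0)
            return s;
    }
    return n;
}

static void raw_buf_free(raw_buf *rb)
{
    free(rb->buf);
    rb->buf = NULL;
    rb->cap = 0;
}

/* Constructed inputs, modelled on the report: the PoC is 236 bytes and the
 * allocation ASan refused was 0x0012003f6d80 bytes. */
#define POC_FILE_SIZE 236u
static const uint64_t sane_counts[]    = { 64, 128, 44 };
static const uint64_t hostile_counts[] = { 64, 0x0012003f6d80ULL, 44 };

/* Wrappers so both cases can be checked by name. */
static size_t run_sane(void)
{
    raw_buf rb = { NULL, 0 };
    size_t accepted = accept_strips(sane_counts, 3, POC_FILE_SIZE, &rb);
    raw_buf_free(&rb);
    return accepted;   /* 3: every strip fits inside the file */
}

static size_t run_hostile(void)
{
    raw_buf rb = { NULL, 0 };
    size_t accepted = accept_strips(hostile_counts, 3, POC_FILE_SIZE, &rb);
    raw_buf_free(&rb);
    return accepted;   /* 1: the oversized request is rejected before realloc is called */
}

int main(void)
{
    printf("sane: %zu strips accepted\n", run_sane());
    printf("hostile: %zu strips accepted\n", run_hostile());
    return 0;
}
```

The file-size bound is the cheap check: it needs no knowledge of the image geometry and already turns a multi-gigabyte request into a clean rejection. Note what the trace does and does not show: ASan aborted on the allocation itself (its allocator is configured to terminate rather than return 0), so the report as filed demonstrates an unbounded allocation driven by file contents, a denial-of-service and missing-sanity-check problem, not memory corruption; whether a non-ASan build goes on to use a NULL buffer is not established by the trace and is the question behind the maintainer's reply.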
------- Comment #1 From 2019-01-29 10:05:29 -------
Can you explain why you consider this to be a bug?
------- Comment #2 From 2019-10-01 14:20:50 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.