You need to log in before you can comment on or make changes to this bug.
Created an attachment (id=835) [details] poc There is a heap-buffer-overflow in PackBitsEncode function tif_packbits.c line 88 in libtiff 4.0.8. ================================================================= ==23471==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000980 at pc 0x0000006eedf5 bp 0x7fffa9c16820 sp 0x7fffa9c16818 READ of size 1 at 0x619000000980 thread T0 #0 0x6eedf4 in PackBitsEncode /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/libtiff/tif_packbits.c:88:25 #1 0x61a451 in TIFFWriteScanline /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/libtiff/tif_write.c:173:11 #2 0x530827 in main /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/tools/bmp2tiff.c:775:9 #3 0x7f70dbcbef44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287 #4 0x41c8cb in _start (/home/binzhang/Desktop/bmp2tiff/bmp2tiff+0x41c8cb) 0x619000000980 is located 0 bytes to the right of 1024-byte region [0x619000000580,0x619000000980) allocated by thread T0 here: #0 0x4f55d6 in __interceptor_malloc /home/xiaosatianyu/workspace/git/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88 #1 0x6274b0 in _TIFFmalloc /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/libtiff/tif_unix.c:316:10 #2 0x52e5dd in main /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/tools/bmp2tiff.c:678:34 #3 0x7f70dbcbef44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/libtiff/tif_packbits.c:88:25 in PackBitsEncode Shadow bytes around the buggy address: 0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c327fff8130:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==23471==ABORTING
Hello xiaosatianyu@126.com, could you please attach a real testcase and command to run? Otherwise I would consider this bug as invalid.
(In reply to comment #1) > Hello xiaosatianyu@126.com, could you please attach a real testcase and command > to run? Otherwise I would consider this bug as invalid. Sorry, I rearrange my git repositories and move the poc to a new path. Currently, the new path of the poc is https://github.com/xiaosatianyu/for-cve/blob/master/collect_poc/libtiff4.0.8/bmp2tiff/cve-2017-17942/cve-2017-17942-poc
Just from the backtrace, it seems similar to bug 2562.
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.
