Created an attachment (id=839): dockerfile and testcase

Hello libtiff team,

As part of our fuzzing efforts at Google, we have identified an issue affecting libtiff (tested with revision * master cda4b06914040aae5302b4da511ea266dad8a104).

To reproduce, we are attaching a Dockerfile which compiles the project with LLVM, taking advantage of the sanitizers that it offers. More information about how to use the attached Dockerfile can be found here: https://docs.docker.com/engine/reference/builder/

TL;DR instructions:

* `mkdir project`
* `cp Dockerfile.libtiff /path/to/project/Dockerfile`
* `docker build --no-cache /path/to/project`
* `docker run -it image_id_from_docker_build`

From another terminal, outside the container:

`docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer`

(reference: https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container:

`/fuzzing/repro.sh /fuzzing/reproducer`

Alternatively, and depending on the bug, you could use gcc, valgrind or other instrumentation tools to aid in the investigation.

The sanitizer error that we encountered is here:

```
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 9 (0x9) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 317 (0x13d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65307 (0xff1b) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 33550 (0x830e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 33922 (0x8482) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 34735 (0x87af) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 65307"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 33550"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 33922"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 34735"; tag ignored.
poc-bf53b58e1514122ab6575f390407f31918ef1013367cf9a382d49d923b53d12b: AdobeDeflate compression support is not configured.
==7==ERROR: AddressSanitizer failed to allocate 0x135ce2000 (5197668352) bytes of LargeMmapAllocator (error code: 12)
==7==Process memory map follows:
	0x000000400000-0x000000536000	/fuzzing/libtiff/tools/.libs/tiffinfo
	0x000000735000-0x000000736000	/fuzzing/libtiff/tools/.libs/tiffinfo
	0x000000736000-0x00000073a000	/fuzzing/libtiff/tools/.libs/tiffinfo
	0x00000073a000-0x0000013ac000
	0x00007fff7000-0x00008fff7000
	0x00008fff7000-0x02008fff7000
	0x02008fff7000-0x10007fff8000
	0x600000000000-0x602000000000
	0x602000000000-0x602000010000
	0x602000010000-0x603000000000
	0x603000000000-0x603000010000
	0x603000010000-0x604000000000
	0x604000000000-0x604000010000
	0x604000010000-0x606000000000
	0x606000000000-0x606000010000
	0x606000010000-0x607000000000
	0x607000000000-0x607000010000
	0x607000010000-0x611000000000
	0x611000000000-0x611000010000
	0x611000010000-0x615000000000
	0x615000000000-0x615000020000
	0x615000020000-0x619000000000
	0x619000000000-0x619000020000
	0x619000020000-0x61a000000000
	0x61a000000000-0x61a000020000
	0x61a000020000-0x621000000000
	0x621000000000-0x621000020000
	0x621000020000-0x624000000000
	0x624000000000-0x624000020000
	0x624000020000-0x640000000000
	0x640000000000-0x640000003000
	0x7f5730b00000-0x7f5730c00000
	0x7f5730d00000-0x7f5730e00000
	0x7f5730f00000-0x7f5731000000
	0x7f5731100000-0x7f5731200000
	0x7f5731285000-0x7f57335d7000
	0x7f57335d7000-0x7f573376c000	/lib/x86_64-linux-gnu/libc-2.24.so
	0x7f573376c000-0x7f573396c000	/lib/x86_64-linux-gnu/libc-2.24.so
	0x7f573396c000-0x7f5733970000	/lib/x86_64-linux-gnu/libc-2.24.so
	0x7f5733970000-0x7f5733972000	/lib/x86_64-linux-gnu/libc-2.24.so
	0x7f5733972000-0x7f5733976000
	0x7f5733976000-0x7f573398c000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7f573398c000-0x7f5733b8b000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7f5733b8b000-0x7f5733b8c000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7f5733b8c000-0x7f5733b8d000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7f5733b8d000-0x7f5733b90000	/lib/x86_64-linux-gnu/libdl-2.24.so
	0x7f5733b90000-0x7f5733d8f000	/lib/x86_64-linux-gnu/libdl-2.24.so
	0x7f5733d8f000-0x7f5733d90000	/lib/x86_64-linux-gnu/libdl-2.24.so
	0x7f5733d90000-0x7f5733d91000	/lib/x86_64-linux-gnu/libdl-2.24.so
	0x7f5733d91000-0x7f5733d98000	/lib/x86_64-linux-gnu/librt-2.24.so
	0x7f5733d98000-0x7f5733f97000	/lib/x86_64-linux-gnu/librt-2.24.so
	0x7f5733f97000-0x7f5733f98000	/lib/x86_64-linux-gnu/librt-2.24.so
	0x7f5733f98000-0x7f5733f99000	/lib/x86_64-linux-gnu/librt-2.24.so
	0x7f5733f99000-0x7f5733fb1000	/lib/x86_64-linux-gnu/libpthread-2.24.so
	0x7f5733fb1000-0x7f57341b0000	/lib/x86_64-linux-gnu/libpthread-2.24.so
	0x7f57341b0000-0x7f57341b1000	/lib/x86_64-linux-gnu/libpthread-2.24.so
	0x7f57341b1000-0x7f57341b2000	/lib/x86_64-linux-gnu/libpthread-2.24.so
	0x7f57341b2000-0x7f57341b6000
	0x7f57341b6000-0x7f57342b9000	/lib/x86_64-linux-gnu/libm-2.24.so
	0x7f57342b9000-0x7f57344b8000	/lib/x86_64-linux-gnu/libm-2.24.so
	0x7f57344b8000-0x7f57344b9000	/lib/x86_64-linux-gnu/libm-2.24.so
	0x7f57344b9000-0x7f57344ba000	/lib/x86_64-linux-gnu/libm-2.24.so
	0x7f57344ba000-0x7f57345ca000	/fuzzing/libtiff/libtiff/.libs/libtiff.so.5.3.0
	0x7f57345ca000-0x7f57347ca000	/fuzzing/libtiff/libtiff/.libs/libtiff.so.5.3.0
	0x7f57347ca000-0x7f57347d2000	/fuzzing/libtiff/libtiff/.libs/libtiff.so.5.3.0
	0x7f57347d2000-0x7f57347ee000	/fuzzing/libtiff/libtiff/.libs/libtiff.so.5.3.0
	0x7f57347ee000-0x7f57347ef000
	0x7f57347ef000-0x7f5734812000	/lib/x86_64-linux-gnu/ld-2.24.so
	0x7f57348fa000-0x7f573490e000
	0x7f573490e000-0x7f573490f000	/workspace/poc-bf53b58e1514122ab6575f390407f31918ef1013367cf9a382d49d923b53d12b
	0x7f573490f000-0x7f5734a0d000
	0x7f5734a0d000-0x7f5734a12000
	0x7f5734a12000-0x7f5734a13000	/lib/x86_64-linux-gnu/ld-2.24.so
	0x7f5734a13000-0x7f5734a14000	/lib/x86_64-linux-gnu/ld-2.24.so
	0x7f5734a14000-0x7f5734a15000
	0x7ffeadcb1000-0x7ffeadcd2000	[stack]
	0x7ffeaddaa000-0x7ffeaddad000	[vvar]
	0x7ffeaddad000-0x7ffeaddaf000	[vdso]
	0xffffffffff600000-0xffffffffff601000	[vsyscall]
==7==End of process memory map.
==7==AddressSanitizer CHECK failed: /build/llvm-toolchain-3.9-Qw1aQB/llvm-toolchain-3.9-3.9.1/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4d6a1f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/fuzzing/libtiff/tools/.libs/tiffinfo+0x4d6a1f)
    #1 0x4f0745 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/fuzzing/libtiff/tools/.libs/tiffinfo+0x4f0745)
    #2 0x4e0622 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) (/fuzzing/libtiff/tools/.libs/tiffinfo+0x4e0622)
    #3 0x4e9a95 in __sanitizer::MmapOrDie(unsigned long, char const*, bool) (/fuzzing/libtiff/tools/.libs/tiffinfo+0x4e9a95)
    #4 0x42342f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/fuzzing/libtiff/tools/.libs/tiffinfo+0x42342f)
    #5 0x4cbe04 in __interceptor_malloc (/fuzzing/libtiff/tools/.libs/tiffinfo+0x4cbe04)
    #6 0x5053aa in TIFFReadSeparateTileData /fuzzing/libtiff/tools/tiffinfo.c:335:25
    #7 0x5059f9 in TIFFReadData /fuzzing/libtiff/tools/tiffinfo.c:377:4
    #8 0x50439d in tiffinfo /fuzzing/libtiff/tools/tiffinfo.c:477:3
    #9 0x503e06 in main /fuzzing/libtiff/tools/tiffinfo.c:152:6
    #10 0x7f57335f72b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #11 0x41c509 in _start (/fuzzing/libtiff/tools/.libs/tiffinfo+0x41c509)
```

We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation. Once you have reproduced the issue, we'd appreciate learning your expected timeline for an update to be released. With any fix, please attribute the report to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion in the OSS-Fuzz project, which can provide additional continuous fuzzing, and encourage you to investigate integration options. Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team
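The trace in the report ends in a malloc() of 0x135ce2000 bytes reached from TIFFReadSeparateTileData in tools/tiffinfo.c, that is, a tile buffer sized from directory values the reader has not yet sanity-checked, so a small crafted file can ask for 5 GB. The C program below is an added example, not code from this report or from libtiff, showing the check a reader can run before such an allocation: it derives the uncompressed tile byte count from the tag-derived dimensions with overflow-safe arithmetic and refuses anything above a policy cap before the allocator is ever asked. The names tile_buffer_size, alloc_tile_buffer and MAX_TILE_BYTES, the 256 MiB cap and the sample tag values are assumptions made for the illustration, not libtiff's own API or limits.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap (not a libtiff constant): the largest single tile
 * buffer this reader is willing to allocate on behalf of an input file. */
#define MAX_TILE_BYTES ((uint64_t)256 * 1024 * 1024) /* 256 MiB */

/* Compute the uncompressed byte count of one tile from four values that
 * come straight out of the TIFF directory (tile width/length, samples per
 * pixel, bits per sample). Returns 0 and stores the size in *out, or -1
 * when any value is zero, the arithmetic would wrap, or the result would
 * exceed max_bytes. The wrap check is done as a division *before* the
 * multiplication so no intermediate can ever overflow 64 bits. */
int tile_buffer_size(uint32_t tile_width, uint32_t tile_length,
                     uint16_t samples_per_pixel, uint16_t bits_per_sample,
                     uint64_t max_bytes, uint64_t *out)
{
    uint64_t bits_per_pixel, bits_per_row, bytes_per_row, total;

    if (tile_width == 0 || tile_length == 0 ||
        samples_per_pixel == 0 || bits_per_sample == 0)
        return -1;

    /* 16-bit x 16-bit, then x 32-bit: the product stays below 2^64, so the
     * row computation itself cannot wrap. */
    bits_per_pixel = (uint64_t)samples_per_pixel * bits_per_sample;
    bits_per_row   = bits_per_pixel * tile_width;
    bytes_per_row  = (bits_per_row + 7) / 8;   /* round up to whole bytes */

    /* total = bytes_per_row * tile_length must stay <= max_bytes; testing
     * against max_bytes / tile_length rejects it without multiplying. */
    if (bytes_per_row > max_bytes / tile_length)
        return -1;
    total = bytes_per_row * tile_length;
    if (total > max_bytes)
        return -1;

    *out = total;
    return 0;
}

/* Allocate a tile buffer only for a size that already passed the policy
 * check. Returns NULL for zero, over-cap, or size_t-unrepresentable sizes,
 * so a hostile directory never reaches malloc() with an absurd request. */
void *alloc_tile_buffer(uint64_t nbytes, uint64_t max_bytes)
{
    if (nbytes == 0 || nbytes > max_bytes || nbytes > (uint64_t)SIZE_MAX)
        return NULL;
    return malloc((size_t)nbytes);
}

int main(void)
{
    uint64_t n = 0;

    /* Constructed input: a plausible 256x256 8-bit RGB tile is accepted. */
    if (tile_buffer_size(256, 256, 3, 8, MAX_TILE_BYTES, &n) == 0)
        printf("256x256 RGB8 tile needs %llu bytes\n", (unsigned long long)n);

    /* The 5 GB request from the sanitizer report is refused before malloc(). */
    if (alloc_tile_buffer(5197668352ULL, MAX_TILE_BYTES) == NULL)
        printf("request of 5197668352 bytes refused by policy cap\n");

    /* Constructed input: maximal tag values that would wrap 32-bit
     * arithmetic in a naive width*length*bytes computation. */
    if (tile_buffer_size(UINT32_MAX, UINT32_MAX, UINT16_MAX, UINT16_MAX,
                         MAX_TILE_BYTES, &n) != 0)
        printf("overflowing tag values refused\n");

    return 0;
}
```

The ordering matters: the cap is enforced on the computed size, not on the allocation result, so the reader fails cleanly with a diagnostic instead of letting the allocator (or the sanitizer's mmap) decide. A reader that wants to be stricter can additionally refuse uncompressed tile sizes larger than the file itself, since an uncompressed tile cannot hold more bytes than the container that carries it.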
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.