Bug 2773 - Null Pointer Dereference in tiff_dir.c.
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Platform: All Linux
Priority/Severity: P1 enhancement
Target Milestone: ---
Assigned To:
Keywords: migrated_to_gitlab

Reported: 2018-01-30 01:49 by KyeongseokYang
Modified: 2019-10-01 14:21


Attachments
tiff crash (2.45 KB, application/octet-stream)
2018-01-30 01:49, KyeongseokYang




Description From 2018-01-30 01:49:03
Created an attachment (id=841) [details]
tiff crash

Affected version: 4.0.9
Latest version: 4.0.9

I think we should handle cases of a missing fourth argument to TIFFGetField.
If we invoke the TIFFGetField function with only three arguments like this:

      TIFFGetField(image, TIFFTAG_ICCPROFILE, &a18);

Then the _TIFFVGetField function tries to access a null pointer that came from the
missing fourth argument. This behavior leads to a Null Pointer Dereference bug.

I attached example code which triggers this bug using the tiffio library.

Debug information is below:

gdb-peda$ r crash2.tiff 
Starting program: /home1/irteamsu/crash/./fuzz_libtiff crash2.tiff
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x1 
RBX: 0x8773 
RCX: 0x0 
RDX: 0xc44 ('D\x0c')
RSI: 0x7fffffffe130 --> 0x7fffffffe2f0 --> 0xc44 ('D\x0c')
RDI: 0x3 
RBP: 0x782290 --> 0x4d434355440c0000 ('')
RSP: 0x7fffffffe0d0 --> 0x0 
RIP: 0x406404 (<_TIFFVGetField+8740>:   mov    QWORD PTR [r12],rbp)
R8 : 0x18 
R9 : 0x20 (' ')
R10: 0x7fffffffe2f0 --> 0xc44 ('D\x0c')
R11: 0x7fffffffe138 --> 0x1 
R12: 0x1 
R13: 0x554300 --> 0xfffdfffd00008773 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10212 (carry parity ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4063f8 <_TIFFVGetField+8728>:        mov    r12,QWORD PTR [r11]
   0x4063fb <_TIFFVGetField+8731>:  mov    rbp,QWORD PTR [rbp+0x10]
   0x4063ff <_TIFFVGetField+8735>:  mov    eax,0x1
=> 0x406404 <_TIFFVGetField+8740>:       mov    QWORD PTR [r12],rbp
   0x406408 <_TIFFVGetField+8744>: jmp    0x405095 <_TIFFVGetField+3765>
   0x40640d <_TIFFVGetField+8749>:    nop    DWORD PTR [rax]
   0x406410 <_TIFFVGetField+8752>: cmp    ebx,0x145
   0x406416 <_TIFFVGetField+8758>: je     0x407380 <_TIFFVGetField+12704>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe0d0 --> 0x0 
0008| 0x7fffffffe0d8 --> 0x780010 --> 0x780448 ("crash2.tiff")
0016| 0x7fffffffe0e0 --> 0x8773 
0024| 0x7fffffffe0e8 --> 0x402fd2 (<_start>:  xor    ebp,ebp)
0032| 0x7fffffffe0f0 --> 0x7fffffffe480 --> 0x2 
0040| 0x7fffffffe0f8 --> 0x418064 (<TIFFGetField+612>:        lea    rsp,[rsp-0x98])
0048| 0x7fffffffe100 --> 0x0 
0056| 0x7fffffffe108 --> 0x3000000020 (' ')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
_TIFFVGetField (tif=<optimized out>, tag=<optimized out>, ap=<optimized out>) at tif_dir.c:1118
1118                    *va_arg(ap, void **) = tv->value;
Missing separate debuginfos, use: debuginfo-install glibc-2.17-196.el7_4.2.x86_64 libjpeg-turbo-1.2.90-5.el7.x86_64 xz-libs-5.2.2-1.el7.x86_64 zlib-1.2.7-17.el7.x86_64
gdb-peda$ bt
#0  _TIFFVGetField (tif=<optimized out>, tag=<optimized out>, ap=<optimized out>) at tif_dir.c:1118
#1  0x0000000000418064 in TIFFVGetField (ap=0x7fffffffe108, tag=0x8773, tif=0x780010) at tif_dir.c:1236
#2  TIFFGetField (tif=tif@entry=0x780010, tag=tag@entry=0x8773) at tif_dir.c:1220
#3  0x0000000000402de8 in main (argc=<optimized out>, argv=<optimized out>) at ./fuzz_libtiff.c:74
#4  0x00007ffff70a6c05 in __libc_start_main () from /lib64/libc.so.6
#5  0x0000000000402ffb in _start ()


Found by Kyeongseok Yang & Choongwoo Han, Naver Security Team
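Editor's note, not part of the report: the root cause described above is a property of any variadic getter. TIFFGetField(tif, tag, ...) reads its out-pointers with va_arg, and for TIFFTAG_ICCPROFILE it expects two of them (a uint32 count and a void* data pointer); if the caller passes only one, the library stores through whatever happens to sit in the next argument slot, which is the write at tif_dir.c:1118 in the backtrace. The example below is added here to show the call-site mitigation a defender can apply today: wrap each multi-argument tag in a non-variadic function so the compiler enforces the argument count. The struct, the model_get_field() stand-in and the sample profile bytes are constructed for this example and are not libtiff code; only the tag number 0x8773 and the two-out-pointer contract for the ICC profile tag come from the report and the libtiff API.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Numeric value of TIFFTAG_ICCPROFILE (0x8773, the tag in the backtrace).
 * The struct and getter below are a constructed stand-in for libtiff. */
#define MODEL_TAG_ICCPROFILE 0x8773u

struct tiff_model {
    uint32_t    icc_len;    /* byte length of the stored ICC profile */
    const void *icc_data;   /* NULL when the directory has no profile */
};

/* Constructed sample bytes standing in for a profile (not a real ICC profile). */
static const unsigned char k_sample_profile[] = { 0x00, 0x00, 0x00, 0x08, 'A', 'D', 'B', 'E' };

/* Variadic getter shaped like TIFFGetField(): for the ICC profile tag it
 * consumes TWO out-pointers from the va_list (uint32_t *count, const void **data).
 * As in tif_dir.c, nothing here can tell whether the caller actually supplied
 * the second one; va_arg just reads the next slot, and the store through it
 * is the dereference the report describes when that slot is garbage or NULL. */
static int model_get_field(const struct tiff_model *t, uint32_t tag, ...)
{
    va_list ap;
    int found = 0;

    va_start(ap, tag);
    if (tag == MODEL_TAG_ICCPROFILE && t->icc_data != NULL) {
        *va_arg(ap, uint32_t *)    = t->icc_len;
        *va_arg(ap, const void **) = t->icc_data;
        found = 1;
    }
    va_end(ap);
    return found;
}

/* Mitigation at the call site: one non-variadic wrapper per tag. The prototype
 * pins the argument count, so omitting the data pointer is a compile-time error
 * instead of a SIGSEGV inside the library, and the out-parameters are NULL-checked
 * and initialised even when the tag is absent from the directory. */
static int get_icc_profile(const struct tiff_model *t, uint32_t *count, const void **data)
{
    if (t == NULL || count == NULL || data == NULL)
        return 0;
    *count = 0;
    *data  = NULL;
    return model_get_field(t, MODEL_TAG_ICCPROFILE, count, data);
}

int main(void)
{
    struct tiff_model with_profile = { sizeof k_sample_profile, k_sample_profile };
    struct tiff_model no_profile   = { 0, NULL };
    uint32_t n = 0;
    const void *p = NULL;

    if (get_icc_profile(&with_profile, &n, &p))
        printf("ICC profile: %u bytes at %p\n", (unsigned)n, p);
    if (!get_icc_profile(&no_profile, &n, &p))
        printf("no ICC profile (count=%u, data=%p)\n", (unsigned)n, p);
    return 0;
}
```

With real libtiff the wrapper body would be `TIFFGetField(tif, TIFFTAG_ICCPROFILE, count, data)` with `TIFF *tif` in place of the model struct; the point is that callers never touch the variadic function directly, so the three-argument form from the report cannot be written.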
------- Comment #1 From 2019-04-25 08:15:30 -------
Can you provide crash2.tiff?
------- Comment #2 From 2019-10-01 14:21:04 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues.

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.