Created an attachment (id=867)
the poc on Ubuntu 16.04 32-bit, tiff4.0.9

How to reproduce:
1. compile: CC=clang CXX=clang++ ./configure && make && make install
2. ./tiff2pdf poc1

asan dbg info:
=================================================================
==19781==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb53ff800 at pc 0xb7e5573d bp 0xbfa2bd08 sp 0xbfa2bcfc
WRITE of size 8 at 0xb53ff800 thread T0
    #0 0xb7e5573c (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x3173c)
    #1 0xb7ed7f89 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xb3f89)
    #2 0xb7ef798b (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd398b)
    #3 0x8134534 (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x8134534)
    #4 0xb7bd2636 (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #5 0x805fb37 (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x805fb37)

0xb53ff800 is located 0 bytes to the right of 12058624-byte region [0xb487f800,0xb53ff800)
allocated by thread T0 here:
    #0 0x81041e4 (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x81041e4)
    #1 0xb7ef7b53 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd3b53)
    #2 0xb7ed7f89 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xb3f89)
    #3 0xb7ef798b (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd398b)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x3173c)
Shadow bytes around the buggy address:
  0x36a7feb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a7fec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a7fed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a7fee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36a7fef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36a7ff00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a7ff10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a7ff20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a7ff30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a7ff40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a7ff50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19781==ABORTING

gdb info:
Program received signal SIGSEGV, Segmentation fault.
ChopUpSingleUncompressedStrip (tif=<optimized out>) at tif_dirread.c:5723
5723        newcounts[strip] = stripbytes;
(gdb) bt
#0  ChopUpSingleUncompressedStrip (tif=<optimized out>) at tif_dirread.c:5723
#1  TIFFReadDirectory (tif=<optimized out>) at tif_dirread.c:4186
#2  0xb7fa55e0 in TIFFClientOpen (name=<optimized out>, mode=<optimized out>, clientdata=<optimized out>, readproc=<optimized out>, writeproc=<optimized out>, seekproc=<optimized out>, closeproc=<optimized out>, sizeproc=<optimized out>, mapproc=<optimized out>, unmapproc=<optimized out>) at tif_open.c:466
#3  0xb7faedbc in TIFFFdOpen (fd=3, name=<optimized out>, mode=0x805500a "r") at tif_unix.c:211
#4  TIFFOpen (name=<optimized out>, mode=0x805500a "r") at tif_unix.c:250
#5  0x080496ea in main (argc=<optimized out>, argv=<optimized out>) at tiff2pdf.c:751
We used afl-mem, which is based on american fuzzy lop, to discover this problem. Thanks to american fuzzy lop and its author (lcamtuf@coredump.cx).
It was found by Yanhao and Marsman1996.
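The reproduction steps in the report above, as an added example that is not part of the bug report or of libtiff: the reporter's configure line shows no sanitizer flags and the trace carries only module+offset frames, so this script builds libtiff with AddressSanitizer and debug info explicitly, runs tiff2pdf on the poc, and reduces the ASan report to a one-line triage summary (bug kind, access kind and size, distance from the nearest heap block, block size). The source tree, install prefix and poc path are assumptions passed as arguments; the embedded sample report is constructed from the trace above and is only used when the script is run without arguments.

```shell
#!/bin/sh
# Added example (not from the bug report or libtiff): ASan build, poc run and
# report triage for a libtiff crash. Paths passed as arguments are assumptions.
set -eu

# Configure and build libtiff with ASan + debug info into a private prefix.
# $1 = unpacked libtiff source tree, $2 = install prefix (both assumed).
build_asan_libtiff() {
    src="$1"; prefix="$2"
    (
        cd "$src"
        CC=clang CXX=clang++ \
        CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O1" \
        CXXFLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O1" \
        LDFLAGS="-fsanitize=address" \
        ./configure --prefix="$prefix" >/dev/null
        make -j"${JOBS:-4}" >/dev/null
        make install >/dev/null
    )
}

# Run tiff2pdf on the poc and keep stderr, where ASan writes its report.
# A non-zero exit is the expected outcome on a crash, so it is not an error here.
# Symbolized frames need llvm-symbolizer on PATH (ASan locates it itself).
run_poc() {
    prefix="$1"; poc="$2"; report="$3"
    ASAN_OPTIONS="symbolize=1:detect_leaks=0" \
    "$prefix/bin/tiff2pdf" "$poc" >/dev/null 2>"$report" || true
}

# Reduce an ASan report on stdin to:
#   <bug kind> <access> <size> <distance> <side> <region bytes>
# For the report in this bug that is "heap-buffer-overflow WRITE 8 0 right 12058624":
# an 8-byte write starting exactly at the end of a 12058624-byte heap block,
# i.e. one 8-byte element past the allocation.
asan_summary() {
    awk '
        /ERROR: AddressSanitizer:/ { kind = $3 }
        /^(READ|WRITE) of size/   { access = $1; size = $4 }
        / is located [0-9]+ bytes to the (left|right) of [0-9]+-byte region/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "located") dist = $(i + 1)
                if ($i == "the")     side = $(i + 1)
                if ($i ~ /^[0-9]+-byte$/) { region = $i; sub(/-byte$/, "", region) }
            }
        }
        END { print kind, access, size, dist, side, region }
    '
}

# Constructed sample, abridged from the report in this bug (not captured here).
SAMPLE_REPORT='==19781==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb53ff800 at pc 0xb7e5573d bp 0xbfa2bd08 sp 0xbfa2bcfc
WRITE of size 8 at 0xb53ff800 thread T0
    #0 0xb7e5573c (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x3173c)
0xb53ff800 is located 0 bytes to the right of 12058624-byte region [0xb487f800,0xb53ff800)
allocated by thread T0 here:
    #0 0x81041e4 (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x81041e4)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x3173c)'

summarize_sample() { printf '%s\n' "$SAMPLE_REPORT" | asan_summary; }

if [ "$#" -eq 3 ]; then
    # Usage: ./repro.sh <libtiff-src> <prefix> <poc>   (all three are assumptions)
    build_asan_libtiff "$1" "$2"
    run_poc "$2" "$3" asan-report.txt
    asan_summary < asan-report.txt
else
    summarize_sample
fi
```

With three arguments (source tree, install prefix, poc file) the script builds, reproduces and summarizes; with none it only summarizes the constructed sample. The "0 bytes to the right" distance is what makes the triage line useful: it says the faulting write begins at the first byte past the block, so the index used was exactly the element count of the array, not some far-off pointer.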
This issue was assigned CVE-2018-15209.
It looks like the fix for http://bugzilla.maptools.org/show_bug.cgi?id=2724, https://gitlab.com/libtiff/libtiff/commit/3719385a3fac5cfb20b487619a5f08abbf967cf8 and https://gitlab.com/libtiff/libtiff/commit/7a092f8af2568d61993a8cc2e7a35a998d7d37be, would address this issue as well. Can you confirm, or will the issue be addressed separately and only covered given that the problematic part is not reached with the pocs?
I can confirm that fix for CVE-2017-11613 does fix the issue for me.
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.