Bug 2809 - heap-buffer-overflow in tiff2pdf (CVE-2018-16335)
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P3 normal
Target Milestone: ---
Assigned To:
Whiteboard: migrated_to_gitlab

Reported: 2018-08-07 22:41 by
Modified: 2019-10-01 14:21


Attachments
the poc (3.15 KB, application/octet-stream), 2018-08-07 22:41, Marsman1996


Description From 2018-08-07 22:41:29
Created an attachment (id=868)
the poc

on Ubuntu 16.04 32-bit, tiff4.0.9

How to reproduce:
  1. compile: CC=clang CXX=clang++ ./configure && make && make install
  2. ./tiff2pdf poc2

asan info:
=================================================================
==6699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb65006b7 at pc 0xb7ee1751 bp 0xbfdf0368 sp 0xbfdf035c
WRITE of size 8 at 0xb65006b7 thread T0
    #0 0xb7ee1750  (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x31750)
    #1 0xb7f63f89  (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xb3f89)
    #2 0xb7f8398b  (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd398b)
    #3 0x8134534  (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x8134534)
    #4 0xb7c5e636  (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #5 0x805fb37  (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x805fb37)

0xb65006b7 is located 6 bytes to the right of 1-byte region [0xb65006b0,0xb65006b1)
allocated by thread T0 here:
    #0 0x81041e4  (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x81041e4)
    #1 0xb7f83b53  (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd3b53)
    #2 0xb7f63f89  (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xb3f89)
    #3 0xb7f8398b  (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd398b)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x31750)
Shadow bytes around the buggy address:
  0x36ca0080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36ca0090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36ca00a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36ca00b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36ca00c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36ca00d0: fa fa 01 fa fa fa[01]fa fa fa 00 fa fa fa fd fa
  0x36ca00e0: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa fd fa
  0x36ca00f0: fa fa 00 fa fa fa fd fa fa fa fd fd fa fa 00 00
  0x36ca0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36ca0110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36ca0120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6699==ABORTING

gdb info:
Program received signal SIGSEGV, Segmentation fault.
0xb7f81302 in ChopUpSingleUncompressedStrip (tif=<optimized out>) at tif_dirread.c:5724
5724            newoffsets[strip] = stripbytes ? offset : 0;
(gdb) bt
#0  0xb7f81302 in ChopUpSingleUncompressedStrip (tif=<optimized out>) at tif_dirread.c:5724
#1  TIFFReadDirectory (tif=<optimized out>) at tif_dirread.c:4186
#2  0xb7fa55e0 in TIFFClientOpen (name=<optimized out>, mode=<optimized out>,
    clientdata=<optimized out>, readproc=<optimized out>, writeproc=<optimized out>,
    seekproc=<optimized out>, closeproc=<optimized out>, sizeproc=<optimized out>,
    mapproc=<optimized out>, unmapproc=<optimized out>) at tif_open.c:466
#3  0xb7faedbc in TIFFFdOpen (fd=3, name=<optimized out>, mode=0x805500a "r") at tif_unix.c:211
#4  TIFFOpen (name=<optimized out>, mode=0x805500a "r") at tif_unix.c:250
#5  0x080496ea in main (argc=<optimized out>, argv=<optimized out>) at tiff2pdf.c:751
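The faulting frame is a store through newoffsets[strip] while one uncompressed strip is being chopped into rowsperstrip-sized pieces, and ASan reports the store landing past the end of a heap allocation. The C program below is an added illustration and is not code from this report or from libtiff: it models the bug class in which the per-strip offset and byte-count arrays are sized from the image geometry (height and rowsperstrip) while the loop that fills them is driven by the strip byte count taken from the file, so an inconsistent file pushes the index past the allocation. The function names, the arithmetic, the sample geometry and the hardened check are assumptions for the demonstration and do not claim to be libtiff's actual root cause or its fix. PAD canary slots behind the arrays exist only so the overrun can be observed without undefined behaviour; a real implementation would allocate exactly nstrips slots.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical model of "chop one uncompressed strip into rowsperstrip-sized
 * sub-strips". NOT libtiff's ChopUpSingleUncompressedStrip(): names and
 * arithmetic are assumptions chosen to show the bug class only.
 */

#define PAD    8                      /* harness-only padding slots behind the arrays */
#define CANARY 0xA5A5A5A5A5A5A5A5ULL  /* marker revealing writes past nstrips */

struct strips {
    uint64_t *offsets;   /* file offset of each sub-strip */
    uint64_t *counts;    /* byte count of each sub-strip */
    uint32_t  nstrips;   /* slots the caller believes were allocated */
    uint32_t  written;   /* slots the fill loop actually wrote */
};

/* Number of sub-strips implied by the image height and rowsperstrip. */
static uint32_t strips_for_height(uint32_t height, uint32_t rowsperstrip)
{
    return (uint32_t)(((uint64_t)height + rowsperstrip - 1) / rowsperstrip);
}

/*
 * Returns 0 on success, -1 when the input is rejected, -2 when the unchecked
 * variant would overrun even the harness padding (refused so the demo itself
 * stays memory-safe).
 *   checked == 0: vulnerable pattern, loop stops only when bytecount is consumed.
 *   checked != 0: hardened, bytecount must fit the geometry and the loop is
 *                 additionally bounded by nstrips.
 */
static int chop_strip(uint32_t height, uint32_t rowsperstrip, uint64_t rowbytes,
                      uint64_t offset, uint64_t bytecount, int checked,
                      struct strips *out)
{
    if (height == 0 || rowsperstrip == 0 || rowbytes == 0)
        return -1;
    /* Reject geometries whose products would wrap uint64_t. */
    if (rowbytes > UINT64_MAX / rowsperstrip || rowbytes > UINT64_MAX / height)
        return -1;

    uint32_t nstrips    = strips_for_height(height, rowsperstrip);
    uint64_t stripbytes = rowbytes * rowsperstrip;
    uint64_t needed     = (bytecount + stripbytes - 1) / stripbytes;

    /* Hardened: a byte count larger than the pixel data the geometry
       describes cannot be split into nstrips pieces; reject the file. */
    if (checked && bytecount > rowbytes * height)
        return -1;

    /* Harness guard only: keep the deliberately wrong loop inside PAD. */
    if (!checked && needed > (uint64_t)nstrips + PAD)
        return -2;

    size_t slots = (size_t)nstrips + PAD;
    out->offsets = malloc(slots * sizeof *out->offsets);
    out->counts  = malloc(slots * sizeof *out->counts);
    if (!out->offsets || !out->counts) {
        free(out->offsets);
        free(out->counts);
        return -1;
    }
    for (size_t i = 0; i < slots; i++)
        out->offsets[i] = out->counts[i] = CANARY;

    uint32_t strip = 0;
    uint64_t remaining = bytecount;
    while (remaining > 0) {
        if (checked && strip >= nstrips)     /* second line of defence */
            break;
        uint64_t n = remaining < stripbytes ? remaining : stripbytes;
        out->offsets[strip] = offset;        /* the kind of store ASan flagged */
        out->counts[strip]  = n;
        offset    += n;
        remaining -= n;
        strip++;
    }
    out->nstrips = nstrips;
    out->written = strip;
    return 0;
}

/* Padding slots whose canary was overwritten; 0 means no overflow. */
static uint32_t slots_clobbered(const struct strips *s)
{
    uint32_t n = 0;
    for (uint32_t i = s->nstrips; i < s->nstrips + PAD; i++)
        if (s->offsets[i] != CANARY)
            n++;
    return n;
}

static void free_strips(struct strips *s)
{
    free(s->offsets);
    free(s->counts);
    s->offsets = s->counts = NULL;
}

int main(void)
{
    struct strips s;
    /* Constructed geometry: 4 rows of 10 bytes, 2 rows per strip -> 2 strips, 40 bytes.
       The constructed file claims the strip holds 100 bytes. */
    if (chop_strip(4, 2, 10, 8, 100, 0, &s) == 0) {
        printf("unchecked: %u slots, %u written, %u clobbered\n",
               s.nstrips, s.written, slots_clobbered(&s));
        free_strips(&s);
    }
    printf("checked: rc=%d\n", chop_strip(4, 2, 10, 8, 100, 1, &s));
    return 0;
}
```

With the constructed input the unchecked variant writes five slots into a two-slot logical array, and the hardened variant rejects the file before allocating anything. Building the model with -fsanitize=address and PAD set to 0 turns the canary report into the same heap-buffer-overflow WRITE that ASan shows above.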
------- Comment #1 From 2018-09-02 04:18:00 -------
This issue was assigned CVE-2018-16335
------- Comment #2 From 2018-09-02 04:19:45 -------
It looks like the fix for http://bugzilla.maptools.org/show_bug.cgi?id=2724,
https://gitlab.com/libtiff/libtiff/commit/3719385a3fac5cfb20b487619a5f08abbf967cf8
and
https://gitlab.com/libtiff/libtiff/commit/7a092f8af2568d61993a8cc2e7a35a998d7d37be
as well would address this issue.

Can you confirm or will the issue be addressed separately and the issue only
covered given the problematic part is not reached with the pocs?
------- Comment #3 From 2018-10-19 03:04:03 -------
I can confirm that fix for CVE-2017-11613 does fix the issue for me.
------- Comment #4 From 2019-10-01 14:21:14 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.