Bug 2825 - SEGV at tif_dirwrite.c:1896 and tif_dirwrite.c:1901 in tiffcp
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Whiteboard: migrated_to_gitlab
Reported: 2018-11-07 02:19 by
Modified: 2019-10-01 14:21 (History)


Attachments:
testcase (5.23 KB, application/octet-stream), 2018-11-07 02:19, Augustus Wang
testcase (3.76 KB, application/octet-stream), 2018-11-07 20:23, Augustus Wang




Description From 2018-11-07 02:19:17
Triggered by tiffcp -i poc /tmp/foo

Version: master (commit: 779e54ca3)

The output information of ASAN is as follows:

$ tiffcp -i poc /tmp/foo

=================================================================
==61990==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff68979e3 bp 0x7fffffffe650 sp 0x7fffffffddd8 T0)
    #0 0x7ffff68979e2  (/lib/x86_64-linux-gnu/libc.so.6+0x16f9e2)
    #1 0x7ffff6ee174e in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7774e)
    #2 0x7ffff6c0be0f in _TIFFmemcmp /home/fuzz/experiment/libtiff/libtiff/tif_unix.c:352
    #3 0x7ffff6b61c31 in TIFFWriteDirectoryTagTransferfunction /home/fuzz/experiment/libtiff/libtiff/tif_dirwrite.c:1896
    #4 0x7ffff6b5cb35 in TIFFWriteDirectorySec /home/fuzz/experiment/libtiff/libtiff/tif_dirwrite.c:628
    #5 0x7ffff6b596d9 in TIFFWriteDirectory /home/fuzz/experiment/libtiff/libtiff/tif_dirwrite.c:182
    #6 0x402de5 in main /home/fuzz/experiment/libtiff/tools/tiffcp.c:301
    #7 0x7ffff674882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x401b88 in _start (/home/fuzz/experiment/libtiff/install/bin/tiffcp+0x401b88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==61990==ABORTING


Actual results:

crash

Expected results:

crash

Additional info:

The crash can be reproduced by the attached file.
------- Comment #1 From 2018-11-07 02:19:42 -------
Created an attachment (id=877)
testcase
------- Comment #2 From 2018-11-07 20:23:09 -------
Created an attachment (id=878)
testcase

=================================================================
==12521== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6bbeecf654 sp 0x7ffd143bd310 bp 0x7ffd143bd350 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f6bbeecf653 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0xf653)
    #1 0x7f6bbeb6fd55 in TIFFWriteDirectoryTagTransferfunction /home/wdw/experiment/libtiff/libtiff/tif_dirwrite.c:1901
    #2 0x7f6bbeb6ab2b in TIFFWriteDirectorySec /home/wdw/experiment/libtiff/libtiff/tif_dirwrite.c:628
    #3 0x7f6bbeb67747 in TIFFWriteDirectory /home/wdw/experiment/libtiff/libtiff/tif_dirwrite.c:182
    #4 0x4028b7 in main /home/wdw/experiment/libtiff/tools/tiffcp.c:301
    #5 0x7f6bbe75af44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #6 0x401958 in _start (/home/wdw/experiment/libtiff/install-asan/bin/tiffcp+0x401958)
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==12521== ABORTING
------- Comment #4 From 2019-01-29 09:32:39 -------
I found the crash at tif_dirwrite.c:1896 is a duplicate of
http://bugzilla.maptools.org/show_bug.cgi?id=2820, but the one at
tif_dirwrite.c:1901 may be different.
------- Comment #5 From 2019-02-11 17:42:18 -------
Does it reproduce with the current "master"?
ae0bed1fe530a82faf2e9ea1775109dbf301a971
------- Comment #6 From 2019-10-01 14:21:25 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.