Bug 2832 - tiffcrop.c:7953 heap-based buffer overflow in writeCroppedImage
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P1 major
Target Milestone: ---
Assigned To: (none)
Whiteboard: migrated_to_gitlab
Reported: 2018-12-17 04:43 by jontsang
Modified: 2019-10-01 14:21


Attachments
poc (745 bytes, image/tiff), 2018-12-17 04:43, jontsang


Description from 2018-12-17 04:43:52
Created an attachment (id=881): poc

On libtiff 4.0.10 (the latest version):

The writeCroppedImage() function has a heap overflow vulnerability when
processing a TIFF file containing the "InkNames" tag.

$ ~/src/tiff-4.0.10/build-asan/bin/tiffcrop poc_writeCroppedImage.tiff out.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required
"StripByteCounts" field, calculating from imagelength.
=================================================================
==119140==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000ef91 at pc 0x7fcc0616920b bp 0x7ffd2824a0d0 sp 0x7ffd28249878
READ of size 1 at 0x60200000ef91 thread T0
    #0 0x7fcc0616920a in __interceptor_strlen
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7020a)
    #1 0x4261eb in writeCroppedImage
/root/src/tiff-4.0.10/tools/tiffcrop.c:7953
    #2 0x409e0b in main /root/src/tiff-4.0.10/tools/tiffcrop.c:2396
    #3 0x7fcc056ce82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #4 0x402098 in _start
(/root/src/tiff-4.0.10/build-asan/bin/tiffcrop+0x402098)

0x60200000ef91 is located 0 bytes to the right of 1-byte region
[0x60200000ef90,0x60200000ef91)
allocated by thread T0 here:
    #0 0x7fcc06191602 in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fcc05e9ad1f in _TIFFmalloc
/root/src/tiff-4.0.10/libtiff/tif_unix.c:314
    #2 0x7fcc05db2f29 in setByteArray
/root/src/tiff-4.0.10/libtiff/tif_dir.c:52
    #3 0x7fcc05db302f in _TIFFsetNString
/root/src/tiff-4.0.10/libtiff/tif_dir.c:62
    #4 0x7fcc05db8deb in _TIFFVSetField
/root/src/tiff-4.0.10/libtiff/tif_dir.c:468
    #5 0x7fcc05dbc61d in TIFFVSetField
/root/src/tiff-4.0.10/libtiff/tif_dir.c:852
    #6 0x7fcc05dbc043 in TIFFSetField
/root/src/tiff-4.0.10/libtiff/tif_dir.c:796
    #7 0x7fcc05de4cbd in TIFFFetchNormalTag
/root/src/tiff-4.0.10/libtiff/tif_dirread.c:5210
    #8 0x7fcc05ddc916 in TIFFReadDirectory
/root/src/tiff-4.0.10/libtiff/tif_dirread.c:3985
    #9 0x7fcc05e64518 in TIFFClientOpen
/root/src/tiff-4.0.10/libtiff/tif_open.c:464
    #10 0x7fcc05e9aa85 in TIFFFdOpen
/root/src/tiff-4.0.10/libtiff/tif_unix.c:209
    #11 0x7fcc05e9acde in TIFFOpen /root/src/tiff-4.0.10/libtiff/tif_unix.c:248
    #12 0x4095c3 in main /root/src/tiff-4.0.10/tools/tiffcrop.c:2235
    #13 0x7fcc056ce82f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_strlen
==119140==ABORTING
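The report above shows strlen() running off the end of a 1-byte InkNames allocation. The following is an added illustration of that pattern and its bounded counterpart; it is not libtiff's or tiffcrop's code. It assumes the TIFF layout of InkNames (NumberOfInks names, each NUL-terminated, packed back-to-back, with the tag's byte count known to the reader); the function names and the sample inputs in the test are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/*
 * Constructed example, not libtiff code. InkNames holds NumberOfInks
 * names, each NUL-terminated and packed back-to-back. Both the tag's
 * byte count (len) and NumberOfInks (ninks) come from the file, so
 * neither may be trusted to match the other.
 */

/* Vulnerable pattern: strlen() has no bound. If the buffer's last name
 * is missing its NUL, or NumberOfInks exceeds the names actually
 * present, the scan reads past the allocation, which is what the
 * AddressSanitizer report above flags. Only safe on well-formed input. */
size_t inknames_total_unbounded(const char *names, int ninks)
{
    size_t total = 0;
    const char *cp = names;
    while (ninks-- > 0) {
        size_t n = strlen(cp) + 1;  /* walks until any NUL is found */
        total += n;
        cp += n;
    }
    return total;
}

/* Hardened form: every scan is bounded by the bytes that remain in the
 * tag, and the caller is told (-1) when the data does not contain ninks
 * complete names, so it can reject or drop the tag instead of copying
 * it. Returns the number of bytes consumed by ninks names otherwise. */
long inknames_total_bounded(const char *names, size_t len, int ninks)
{
    size_t off = 0;
    while (ninks-- > 0) {
        const char *nul = memchr(names + off, '\0', len - off);
        if (nul == NULL)
            return -1;  /* name runs off the end of the tag data */
        off = (size_t)(nul - names) + 1;  /* off <= len is guaranteed */
    }
    return (long)off;
}
```

A TIFF reader or converter that copies InkNames between files should validate with the bounded form before any per-name strlen() or strchr() walk.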
------- Comment #1 From 2019-01-29 05:27:41 -------
Isn't it a duplicate of http://bugzilla.maptools.org/show_bug.cgi?id=2835 ?
------- Comment #2 From 2019-10-01 14:21:26 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.