Created an attachment (id=881)
poc on libtiff 4.0.10 (the latest version)

The writeCroppedImage() function has a heap overflow vulnerability when processing a TIFF file containing the "InkNames" tag.

$ ~/src/tiff-4.0.10/build-asan/bin/tiffcrop poc_writeCroppedImage.tiff out.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
=================================================================
==119140==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef91 at pc 0x7fcc0616920b bp 0x7ffd2824a0d0 sp 0x7ffd28249878
READ of size 1 at 0x60200000ef91 thread T0
    #0 0x7fcc0616920a in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7020a)
    #1 0x4261eb in writeCroppedImage /root/src/tiff-4.0.10/tools/tiffcrop.c:7953
    #2 0x409e0b in main /root/src/tiff-4.0.10/tools/tiffcrop.c:2396
    #3 0x7fcc056ce82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #4 0x402098 in _start (/root/src/tiff-4.0.10/build-asan/bin/tiffcrop+0x402098)

0x60200000ef91 is located 0 bytes to the right of 1-byte region [0x60200000ef90,0x60200000ef91)
allocated by thread T0 here:
    #0 0x7fcc06191602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fcc05e9ad1f in _TIFFmalloc /root/src/tiff-4.0.10/libtiff/tif_unix.c:314
    #2 0x7fcc05db2f29 in setByteArray /root/src/tiff-4.0.10/libtiff/tif_dir.c:52
    #3 0x7fcc05db302f in _TIFFsetNString /root/src/tiff-4.0.10/libtiff/tif_dir.c:62
    #4 0x7fcc05db8deb in _TIFFVSetField /root/src/tiff-4.0.10/libtiff/tif_dir.c:468
    #5 0x7fcc05dbc61d in TIFFVSetField /root/src/tiff-4.0.10/libtiff/tif_dir.c:852
    #6 0x7fcc05dbc043 in TIFFSetField /root/src/tiff-4.0.10/libtiff/tif_dir.c:796
    #7 0x7fcc05de4cbd in TIFFFetchNormalTag /root/src/tiff-4.0.10/libtiff/tif_dirread.c:5210
    #8 0x7fcc05ddc916 in TIFFReadDirectory /root/src/tiff-4.0.10/libtiff/tif_dirread.c:3985
    #9 0x7fcc05e64518 in TIFFClientOpen /root/src/tiff-4.0.10/libtiff/tif_open.c:464
    #10 0x7fcc05e9aa85 in TIFFFdOpen /root/src/tiff-4.0.10/libtiff/tif_unix.c:209
    #11 0x7fcc05e9acde in TIFFOpen /root/src/tiff-4.0.10/libtiff/tif_unix.c:248
    #12 0x4095c3 in main /root/src/tiff-4.0.10/tools/tiffcrop.c:2235
    #13 0x7fcc056ce82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa 02 fa fa fa 05 fa fa fa 00 fa fa fa 02 fa
  0x0c047fff9de0: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa fd fa
=>0x0c047fff9df0: fa fa[01]fa fa fa fd fa fa fa fd fa fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==119140==ABORTING
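The over-read the trace shows, as an added illustration that is neither libtiff's nor the reporter's code: InkNames is one byte array holding NumberOfInks NUL-separated names, and walking it with strlen/strchr trusts the ink count, so a file whose name list is shorter than the count claims (here a 1-byte region) sends the scan past the allocation. The bounded variant also takes the tag's byte length and refuses such a list; the function names and the sample name list are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed: counts the bytes of `ninks` NUL-separated names the way a
 * naive InkNames walk does, trusting only the terminators it finds. If
 * fewer than `ninks` names are present, strchr/strlen read past the end
 * of the buffer (the heap-buffer-overflow ASan reports above). Only call
 * this on a well-formed list. */
size_t inknames_len_unbounded(const char *names, int ninks)
{
    size_t total = strlen(names) + 1;
    const char *cp = names;
    while (ninks > 1) {
        cp = strchr(cp, '\0');   /* no idea where the allocation ends */
        if (cp) {
            cp++;
            total += strlen(cp) + 1;
        }
        ninks--;
    }
    return total;
}

/* Constructed hardened form: `len` is the byte length of the InkNames
 * value as read from the directory entry. Every scan is limited to the
 * bytes that remain, and a list that does not hold `ninks` terminated
 * names within `len` bytes is rejected (returns 0) instead of walked. */
size_t inknames_len_bounded(const char *names, size_t len, int ninks)
{
    const char *end = names + len;
    const char *cp = names;
    for (int i = 0; i < ninks; i++) {
        const char *nul = memchr(cp, '\0', (size_t)(end - cp));
        if (nul == NULL)
            return 0;            /* count exceeds the names present */
        cp = nul + 1;
    }
    return (size_t)(cp - names);
}

int main(void)
{
    /* Constructed sample: four CMYK ink names, 26 bytes in total. */
    static const char good[] = "Cyan\0Magenta\0Yellow\0Black\0";
    static const char bad[] = "";   /* 1-byte list, as in the report */
    printf("well-formed, unbounded: %zu\n", inknames_len_unbounded(good, 4));
    printf("well-formed, bounded:   %zu\n", inknames_len_bounded(good, sizeof good - 1, 4));
    printf("truncated, bounded:     %zu\n", inknames_len_bounded(bad, 1, 4));
    return 0;
}
```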
Isn't it a duplicate of http://bugzilla.maptools.org/show_bug.cgi?id=2835 ?
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.