Bug 2845 - OOM bugs in tiff2ps
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: 4.0.1
Hardware/OS: PC Linux
Priority/Severity: P1 critical
Keywords: migrated_to_gitlab

Reported: 2019-02-18 05:20
Modified: 2019-10-01 14:21

Attachments
Input file can trigger the bug. (1.79 KB, application/zip), 2019-02-18 05:20, spinpx


Description From 2019-02-18 05:20:00
Created an attachment (id=891)
Input file can trigger the bug.

We built libtiff with the build options below using clang 4.0.0 and ASAN.

- build options: "--enable-cxx=no --disable-old-jpeg --disable-jbig --disable-lzma --disable-webp --disable-jpeg --with-x=no"
- libtiff version: the newest git version, commit a0e273fdca741b8805e19deeb8019fa42c4e64ba.
- run: tiff2ps oom1

We attached one input file that can trigger the bug.

ASAN report:
==1504965==ERROR: AddressSanitizer failed to allocate 0x60e7841000
(416201052160) bytes of LargeMmapAllocator (error code: 12)
==1504965==Process memory map follows:
==1504965==End of process memory map.
==1504965==AddressSanitizer CHECK failed:
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120
"((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4cbc3f in __asan::AsanCheckFailed(char const*, int, char const*,
unsigned long long, unsigned long long)
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_rtl.cc:69:3
    #1 0x4df59f in __sanitizer::CheckFailed(char const*, int, char const*,
unsigned long long, unsigned long long)
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79:5
    #2 0x4d0bae in __sanitizer::ReportMmapFailureAndDie(unsigned long, char
const*, char const*, int, bool)
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:120:3
    #3 0x4d95cb in __sanitizer::MmapOrDie(unsigned long, char const*, bool)
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:132:5
    #4 0x421da4 in
__sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*,
unsigned long, unsigned long)
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_secondary.h:41:9
    #5 0x421b58 in
__sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64>,
__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64>
>, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>
>::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64>
>*, unsigned long, unsigned long, bool, bool)
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_combined.h:70:24
    #6 0x41f00f in __asan::Allocator::Allocate(unsigned long, unsigned long,
__sanitizer::BufferedStackTrace*, __asan::AllocType, bool)
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_allocator.cc:407:21
    #7 0x4c4340 in malloc
/scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:10
    #8 0x58ae8c in _TIFFmalloc
/mnt/raid/user/chenpeng/FuzzingBench/libtiff/libtiff/libtiff/tif_unix.c:314:10
    #9 0x5079ad in PSDataBW
/mnt/raid/user/chenpeng/FuzzingBench/libtiff/libtiff/tools/tiff2ps.c:2627:29
    #10 0x4f797c in PSpage
/mnt/raid/user/chenpeng/FuzzingBench/libtiff/libtiff/tools/tiff2ps.c:2392:3
    #11 0x4f364b in TIFF2PS
/mnt/raid/user/chenpeng/FuzzingBench/libtiff/libtiff/tools/tiff2ps.c:1610:10
    #12 0x4f1be0 in main
/mnt/raid/user/chenpeng/FuzzingBench/libtiff/libtiff/tools/tiff2ps.c:477:9
    #13 0x7efdf2b0609a in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #14 0x41d589 in _start
(/mnt/raid/user/chenpeng/FuzzingBench/build/asan/install/bin/tiff2ps+0x41d589)
------- Comment #1 From 2019-02-23 18:33:32 -------
I don't see the bug here.

TIFF Directory at offset 0x62 (98)
  Image Width: 6015 Image Length: 33784
  Compression Scheme: CCITT Group 3
  Samples/Pixel: 16385
  Planar Configuration: single image plane

How can you expect libtiff to process this file without allocating that much
memory?
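The allocation from Comment #1 worked through with the directory values shown there, as an added example that is not part of this bug report or of libtiff: it computes the scanline and strip buffer sizes with overflow-checked 64-bit arithmetic and applies a caller-side memory budget a wrapper around tiff2ps could enforce before handing a file over. Bits/sample = 1 (CCITT Group 3 is bilevel) and a single strip spanning the whole image are assumptions; the dump above does not show either value.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed from the tiffinfo dump in Comment #1. Bits/sample = 1 (CCITT G3 is
 * bilevel) and one strip spanning the image are assumptions the dump does not show. */
#define IMG_WIDTH       6015u
#define IMG_LENGTH      33784u
#define SAMPLES_PER_PIX 16385u
#define BITS_PER_SAMPLE 1u
/* Multiply without wrapping; returns 0 and leaves *out untouched on overflow. */
static int mul_u64(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a != 0 && b > UINT64_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Bytes per scanline: ceil(width * spp * bps / 8). Returns 0 if not representable. */
uint64_t scanline_bytes(uint32_t width, uint16_t spp, uint16_t bps)
{
    uint64_t bits;
    if (!mul_u64(width, spp, &bits) || !mul_u64(bits, bps, &bits))
        return 0;
    return (bits + 7) / 8;
}

/* Bytes one strip buffer needs (the buffer PSDataBW asks _TIFFmalloc for); 0 on overflow. */
uint64_t strip_bytes(uint32_t width, uint16_t spp, uint16_t bps, uint32_t rows_per_strip)
{
    uint64_t line = scanline_bytes(width, spp, bps), total;
    if (line == 0 || !mul_u64(line, rows_per_strip, &total))
        return 0;
    return total;
}

/* Caller-side policy: refuse files whose strip buffer exceeds a fixed budget. */
int strip_within_budget(uint64_t strip, uint64_t budget_bytes)
{
    return strip != 0 && strip <= budget_bytes;
}

int main(void)
{
    uint64_t strip = strip_bytes(IMG_WIDTH, SAMPLES_PER_PIX, BITS_PER_SAMPLE, IMG_LENGTH);
    printf("strip buffer: %llu bytes (%.1f GiB), within 1 GiB budget: %s\n",
           (unsigned long long)strip, strip / 1073741824.0,
           strip_within_budget(strip, 1ull << 30) ? "yes" : "no");
    return 0;
}
```

For the values in the dump this comes to 416201042048 bytes (about 388 GiB), which differs from the 416201052160 bytes ASAN reports only by the sanitizer's own per-allocation bookkeeping.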
------- Comment #2 From 2019-10-01 14:21:28 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.