Bug 2849 - A heap out-of-bounds read in tiff2pdf (fwrite)
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware: PC All
Importance: P2 enhancement
Assigned To:
Keywords: migrated_to_gitlab
Reported: 2019-03-21 13:15 by
Modified: 2019-10-01 14:21


Attachments
Poc to trigger bug (38.08 KB, application/octet-stream)
2019-03-21 13:15, Mingi Cho
Details




Description From 2019-03-21 13:15:15
Created an attachment (id=893) [details]
Poc to trigger bug

Triggered by "./tiff2pdf $POC -o /dev/null" (Tested in Ubuntu 16.04)

There is a heap out-of-bounds read in tiff2pdf.


ASAN output:

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
./t2p_crash: Warning, Nonstandard tile width 1, convert file.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
./t2p_crash: Warning, Nonstandard tile width 1, convert file.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
./t2p_crash: Warning, Nonstandard tile width 1, convert file.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
./t2p_crash: Warning, Nonstandard tile width 1, convert file.
=================================================================
==55369==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020000000ff at pc 0x00000049e5ec bp 0x7fff07306760 sp 0x7fff07305f10
READ of size 18 at 0x6020000000ff thread T0
    #0 0x49e5eb in fwrite
(/home/seclab/libtiff/libtiff-build/tools/.libs/lt-tiff2pdf+0x49e5eb)
    #1 0x513f73 in t2p_writeproc
(/home/seclab/libtiff/libtiff-build/tools/.libs/lt-tiff2pdf+0x513f73)
    #2 0x7fe7dd61edf8 in TIFFAppendToStrip
(/home/seclab/libtiff/libtiff-build/libtiff/.libs/libtiff.so.5+0x165df8)
    #3 0x7fe7dd61de71 in TIFFWriteEncodedStrip
(/home/seclab/libtiff/libtiff-build/libtiff/.libs/libtiff.so.5+0x164e71)
    #4 0x531874 in t2p_readwrite_pdf_image_tile
(/home/seclab/libtiff/libtiff-build/tools/.libs/lt-tiff2pdf+0x531874)
    #5 0x516ce4 in t2p_write_pdf
(/home/seclab/libtiff/libtiff-build/tools/.libs/lt-tiff2pdf+0x516ce4)
    #6 0x513197 in main
(/home/seclab/libtiff/libtiff-build/tools/.libs/lt-tiff2pdf+0x513197)
    #7 0x7fe7dc18b82f in __libc_start_main
/build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x41a688 in _start
(/home/seclab/libtiff/libtiff-build/tools/.libs/lt-tiff2pdf+0x41a688)


Credits:

Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab,
Yonsei University.
------- Comment #1 From 2019-03-22 06:31:10 -------
I don't reproduce with master (commit
e3d738277b5c7ec23c33294435d1bbbd152f77b8).
Have you tested again with the latest sources?

This bug has very probably already been fixed!

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
poc/bug2849.tif: Warning, Nonstandard tile width 1, convert file.
tiffcp: poc/bug2849.tif: Can't copy/convert subsampled image.
------- Comment #2 From 2019-03-22 13:04:06 -------
It still crashes on my machine.

Did you compile source code with ASAN option?

It seems to only work when it is compiled with the ASAN option.

I used clang5 and compiled using "-fsanitize=address -fno-omit-frame-pointer"
options.
------- Comment #3 From 2019-03-22 14:26:03 -------
building with
clang -g -ggdb -O0 -fsanitize=address -fsanitize=undefined
-fno-omit-frame-pointer

but indeed I reproduce

$ tools/tiff2pdf -o /dev/null poc/bug2849.tif 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
poc/bug2849.tif: Warning, Nonstandard tile width 1, convert file.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
poc/bug2849.tif: Warning, Nonstandard tile width 1, convert file.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
poc/bug2849.tif: Warning, Nonstandard tile width 1, convert file.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
poc/bug2849.tif: Warning, Nonstandard tile width 1, convert file.
=================================================================
==5227==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000df
at pc 0x00000043b909 bp 0x7fffffffa130 sp 0x7fffffff98d0
READ of size 18 at 0x6020000000df thread T16777215
    #0 0x43b908  (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x43b908)
    #1 0x80257b676  (/lib/libc.so.7+0x15c676)
    #2 0x80257b473  (/lib/libc.so.7+0x15c473)
    #3 0x43e855  (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x43e855)
    #4 0x49c976 in t2p_writeproc
/home/nanard/code/git/libtiff/tools/tiff2pdf.c:407
    #5 0x8aed3e in TIFFAppendToStrip
/home/nanard/code/git/libtiff/libtiff/tif_write.c:771
    #6 0x8ac0fd in TIFFWriteEncodedStrip
/home/nanard/code/git/libtiff/libtiff/tif_write.c:271
    #7 0x505454 in t2p_readwrite_pdf_image_tile
/home/nanard/code/git/libtiff/tools/tiff2pdf.c:3240
    #8 0x4a46af in t2p_write_pdf
/home/nanard/code/git/libtiff/tools/tiff2pdf.c:5593
    #9 0x49acfb in main /home/nanard/code/git/libtiff/tools/tiff2pdf.c:810
    #10 0x414894  (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x414894)
    #11 0x800b7ffff  (<unknown module>)

0x6020000000df is located 0 bytes to the right of 15-byte region
[0x6020000000d0,0x6020000000df)
==5227==AddressSanitizer CHECK failed:
/usr/src/contrib/compiler-rt/lib/asan/asan_descriptions.cc:177 "((id)) != (0)"
(0x0, 0x0)
    #0 0x42ee56  (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x42ee56)
    #1 0x41eca7  (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x41eca7)
    #2 0x483074  (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x483074)
    #3 0x481cb5  (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x481cb5)
    #4 0x434d86  (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x434d86)
    #5 0x434532  (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x434532)
    #6 0x43b927  (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x43b927)
    #7 0x80257b676  (/lib/libc.so.7+0x15c676)
    #8 0x80257b473  (/lib/libc.so.7+0x15c473)
    #9 0x43e855  (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x43e855)
    #10 0x49c976 in t2p_writeproc
/home/nanard/code/git/libtiff/tools/tiff2pdf.c:407
    #11 0x8aed3e in TIFFAppendToStrip
/home/nanard/code/git/libtiff/libtiff/tif_write.c:771
    #12 0x8ac0fd in TIFFWriteEncodedStrip
/home/nanard/code/git/libtiff/libtiff/tif_write.c:271
    #13 0x505454 in t2p_readwrite_pdf_image_tile
/home/nanard/code/git/libtiff/tools/tiff2pdf.c:3240
    #14 0x4a46af in t2p_write_pdf
/home/nanard/code/git/libtiff/tools/tiff2pdf.c:5593
    #15 0x49acfb in main /home/nanard/code/git/libtiff/tools/tiff2pdf.c:810
    #16 0x414894  (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x414894)
    #17 0x800b7ffff  (<unknown module>)
------- Comment #4 From 2019-03-24 17:32:12 -------
I think there is an issue in t2p_read_tiff_size_tile() (tiff2pdf.c:2089).
The POC is using YCbCr and width=1, which makes the calculation fail.
That is tricky to have the Cb/Cr subsampling work right with an image of width 1
:(
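The comment above points at the tile size calculation for a YCbCr image of width 1. The block below is an added illustration written for this page; it is not libtiff's code, not the reporter's PoC, and it does not claim to be the exact defect in t2p_read_tiff_size_tile(). It takes the storage layout from the TIFF 6.0 YCbCr section (each horizontal-by-vertical block of Y samples is followed by one Cb and one Cr sample, and a row of blocks is padded to whole blocks) and shows why a buffer sized as width * length * samplesperpixel can be smaller than the bytes a whole subsampled tile actually occupies, which is the general shape of the failure mode the comment describes. The helper names (naive_tile_bytes, ycbcr_tile_bytes, naive_buffer_too_small) are this example's own, and the test cases are constructed; the example generalizes beyond width 1 to any tile whose width or length is not a multiple of the subsampling factors.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not libtiff code. Sizes follow the TIFF 6.0 YCbCr
 * subsampling layout: an hsub x vsub block of Y samples plus one Cb and
 * one Cr sample, with each row of blocks padded to whole blocks. */

/* Ceiling division a / b for b > 0. */
static uint64_t howmany(uint64_t a, uint64_t b) { return (a + b - 1) / b; }

/* Multiply with overflow detection: returns 0 and sets *ok to 0 on overflow.
 * Image dimensions come from untrusted file headers, so every product
 * that sizes a buffer is checked rather than assumed to fit. */
static uint64_t checked_mul(uint64_t a, uint64_t b, int *ok) {
    if (a != 0 && b > UINT64_MAX / a) { *ok = 0; return 0; }
    return a * b;
}

/* Naive size: width * length * 3 samples, rounded up to whole bytes.
 * This ignores subsampling block padding entirely. Returns 0 on overflow. */
uint64_t naive_tile_bytes(uint32_t width, uint32_t length, uint16_t bps) {
    int ok = 1;
    uint64_t samples = checked_mul(checked_mul(width, length, &ok), 3, &ok);
    uint64_t bits = checked_mul(samples, bps, &ok);
    return ok ? howmany(bits, 8) : 0;
}

/* Block-padded size of one YCbCr tile (hypothetical helper written from the
 * spec layout). Returns 0 for subsampling factors the spec does not allow
 * or on arithmetic overflow, so a caller must treat 0 as "refuse the tile". */
uint64_t ycbcr_tile_bytes(uint32_t width, uint32_t length,
                          uint16_t hsub, uint16_t vsub, uint16_t bps) {
    if (hsub != 1 && hsub != 2 && hsub != 4) return 0;
    if (vsub != 1 && vsub != 2 && vsub != 4) return 0;
    int ok = 1;
    uint64_t block_samples = (uint64_t)hsub * vsub + 2;   /* Y block + Cb + Cr */
    uint64_t blocks_hor = howmany(width, hsub);           /* width 1 still needs a full block */
    uint64_t blocks_ver = howmany(length, vsub);
    uint64_t row_samples = checked_mul(blocks_hor, block_samples, &ok);
    uint64_t row_bytes = howmany(checked_mul(row_samples, bps, &ok), 8);
    uint64_t total = checked_mul(row_bytes, blocks_ver, &ok);
    return ok ? total : 0;
}

/* 1 when a buffer sized by the naive formula cannot hold the block-padded
 * tile: copying a whole tile into such a buffer reads or writes past its end. */
int naive_buffer_too_small(uint32_t width, uint32_t length,
                           uint16_t hsub, uint16_t vsub, uint16_t bps) {
    uint64_t padded = ycbcr_tile_bytes(width, length, hsub, vsub, bps);
    if (padded == 0) return 1;  /* invalid or overflowing geometry: do not trust it */
    return naive_tile_bytes(width, length, bps) < padded;
}

int main(void) {
    /* Constructed cases: narrow tiles beside a well-formed 16x16 tile. */
    struct { uint32_t w, l; uint16_t h, v; } cases[] = {
        {1, 1, 2, 2}, {1, 1, 4, 4}, {1, 8, 2, 2}, {16, 16, 2, 2}, {17, 16, 2, 2}
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t w = cases[i].w, l = cases[i].l;
        uint16_t h = cases[i].h, v = cases[i].v;
        printf("%2ux%-2u sub %ux%u: naive=%4llu bytes, padded=%4llu bytes%s\n",
               w, l, h, v,
               (unsigned long long)naive_tile_bytes(w, l, 8),
               (unsigned long long)ycbcr_tile_bytes(w, l, h, v, 8),
               naive_buffer_too_small(w, l, h, v, 8) ? "  <- naive buffer too small" : "");
    }
    return 0;
}
```

The point for a converter such as tiff2pdf is that the buffer it allocates for a tile must be sized from the same block-padded formula the decoder uses to fill it, and that a size of 0 from the checked computation should abort the conversion rather than be treated as a valid length. For a 1x1 tile with 4x4 subsampling the naive formula gives 3 bytes while the padded layout needs 18, and for 16x16 with 2x2 subsampling the naive size is actually larger than the padded one, so the mismatch only bites on tiles narrower than the subsampling block.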
------- Comment #5 From 2019-10-01 14:21:40 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.