Created an attachment (id=893) [details]
Poc to trigger bug

Triggered by "./tiff2pdf $POC -o /dev/null" (Tested in Ubuntu 16.04)

There is a heap out-of-bounds read in tiff2pdf.

ASAN output:

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
./t2p_crash: Warning, Nonstandard tile width 1, convert file.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
./t2p_crash: Warning, Nonstandard tile width 1, convert file.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
./t2p_crash: Warning, Nonstandard tile width 1, convert file.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
./t2p_crash: Warning, Nonstandard tile width 1, convert file.
=================================================================
==55369==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000ff at pc 0x00000049e5ec bp 0x7fff07306760 sp 0x7fff07305f10
READ of size 18 at 0x6020000000ff thread T0
    #0 0x49e5eb in fwrite (/home/seclab/libtiff/libtiff-build/tools/.libs/lt-tiff2pdf+0x49e5eb)
    #1 0x513f73 in t2p_writeproc (/home/seclab/libtiff/libtiff-build/tools/.libs/lt-tiff2pdf+0x513f73)
    #2 0x7fe7dd61edf8 in TIFFAppendToStrip (/home/seclab/libtiff/libtiff-build/libtiff/.libs/libtiff.so.5+0x165df8)
    #3 0x7fe7dd61de71 in TIFFWriteEncodedStrip (/home/seclab/libtiff/libtiff-build/libtiff/.libs/libtiff.so.5+0x164e71)
    #4 0x531874 in t2p_readwrite_pdf_image_tile (/home/seclab/libtiff/libtiff-build/tools/.libs/lt-tiff2pdf+0x531874)
    #5 0x516ce4 in t2p_write_pdf (/home/seclab/libtiff/libtiff-build/tools/.libs/lt-tiff2pdf+0x516ce4)
    #6 0x513197 in main (/home/seclab/libtiff/libtiff-build/tools/.libs/lt-tiff2pdf+0x513197)
    #7 0x7fe7dc18b82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x41a688 in _start (/home/seclab/libtiff/libtiff-build/tools/.libs/lt-tiff2pdf+0x41a688)

Credits: Mingi Cho, Seoyoung Kim, and Taekyoung Kwon of the Information Security Lab, Yonsei University.
I don't reproduce with the master (commit e3d738277b5c7ec23c33294435d1bbbd152f77b8). Have you tested again with the latest sources? This bug has very probably already been fixed!

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
poc/bug2849.tif: Warning, Nonstandard tile width 1, convert file.
tiffcp: poc/bug2849.tif: Can't copy/convert subsampled image.
It still crashes on my machine. Did you compile the source code with the ASAN option? It seems to only work when it is compiled with the ASAN option. I used clang 5 and compiled using the "-fsanitize=address -fno-omit-frame-pointer" options.
Building with clang -g -ggdb -O0 -fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer, I do indeed reproduce:

$ tools/tiff2pdf -o /dev/null poc/bug2849.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
poc/bug2849.tif: Warning, Nonstandard tile width 1, convert file.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
poc/bug2849.tif: Warning, Nonstandard tile width 1, convert file.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
poc/bug2849.tif: Warning, Nonstandard tile width 1, convert file.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
poc/bug2849.tif: Warning, Nonstandard tile width 1, convert file.
=================================================================
==5227==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000df at pc 0x00000043b909 bp 0x7fffffffa130 sp 0x7fffffff98d0
READ of size 18 at 0x6020000000df thread T16777215
    #0 0x43b908 (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x43b908)
    #1 0x80257b676 (/lib/libc.so.7+0x15c676)
    #2 0x80257b473 (/lib/libc.so.7+0x15c473)
    #3 0x43e855 (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x43e855)
    #4 0x49c976 in t2p_writeproc /home/nanard/code/git/libtiff/tools/tiff2pdf.c:407
    #5 0x8aed3e in TIFFAppendToStrip /home/nanard/code/git/libtiff/libtiff/tif_write.c:771
    #6 0x8ac0fd in TIFFWriteEncodedStrip /home/nanard/code/git/libtiff/libtiff/tif_write.c:271
    #7 0x505454 in t2p_readwrite_pdf_image_tile /home/nanard/code/git/libtiff/tools/tiff2pdf.c:3240
    #8 0x4a46af in t2p_write_pdf /home/nanard/code/git/libtiff/tools/tiff2pdf.c:5593
    #9 0x49acfb in main /home/nanard/code/git/libtiff/tools/tiff2pdf.c:810
    #10 0x414894 (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x414894)
    #11 0x800b7ffff (<unknown module>)

0x6020000000df is located 0 bytes to the right of 15-byte region [0x6020000000d0,0x6020000000df)
==5227==AddressSanitizer CHECK failed: /usr/src/contrib/compiler-rt/lib/asan/asan_descriptions.cc:177 "((id)) != (0)" (0x0, 0x0)
    #0 0x42ee56 (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x42ee56)
    #1 0x41eca7 (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x41eca7)
    #2 0x483074 (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x483074)
    #3 0x481cb5 (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x481cb5)
    #4 0x434d86 (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x434d86)
    #5 0x434532 (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x434532)
    #6 0x43b927 (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x43b927)
    #7 0x80257b676 (/lib/libc.so.7+0x15c676)
    #8 0x80257b473 (/lib/libc.so.7+0x15c473)
    #9 0x43e855 (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x43e855)
    #10 0x49c976 in t2p_writeproc /home/nanard/code/git/libtiff/tools/tiff2pdf.c:407
    #11 0x8aed3e in TIFFAppendToStrip /home/nanard/code/git/libtiff/libtiff/tif_write.c:771
    #12 0x8ac0fd in TIFFWriteEncodedStrip /home/nanard/code/git/libtiff/libtiff/tif_write.c:271
    #13 0x505454 in t2p_readwrite_pdf_image_tile /home/nanard/code/git/libtiff/tools/tiff2pdf.c:3240
    #14 0x4a46af in t2p_write_pdf /home/nanard/code/git/libtiff/tools/tiff2pdf.c:5593
    #15 0x49acfb in main /home/nanard/code/git/libtiff/tools/tiff2pdf.c:810
    #16 0x414894 (/home/nanard/code/git/libtiff/tools/tiff2pdf+0x414894)
    #17 0x800b7ffff (<unknown module>)
I think there is an issue in t2p_read_tiff_size_tile() (tiff2pdf.c:2089). The POC is using YCbCr and width=1, which makes the calculation fail. It is tricky to have the Cb/Cr subsampling work right with an image of width 1 :(
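The edge case named in the comment above (a YCbCr-subsampled tile of width 1), as an added example that is not part of this bug report and not libtiff's code. It uses the TIFF layout rule for 8-bit subsampled YCbCr (each unit holds hs*vs Y samples plus one Cb and one Cr, and a tile that is not a multiple of the subsampling factors is padded up to whole units), and contrasts a correctly rounded size with a hypothetical truncating variant. The truncating function is an illustration of the kind of mistake that produces a too-small buffer; it is not a claim about what tiff2pdf.c:2089 actually computes. The function names, the case table and overread_bytes() are all assumptions of this example.

```c
/* Added example, not libtiff code: sizing an 8-bit YCbCr tile with chroma
 * subsampling (hs, vs), and why a width of 1 breaks a truncating formula.
 *
 * TIFF stores subsampled YCbCr in units of hs*vs Y samples followed by one
 * Cb and one Cr sample.  A tile whose width or height is not a multiple of
 * the subsampling factors is padded to a whole unit, so the correct size is
 *     ceil(w/hs) * ceil(h/vs) * (hs*vs + 2)   bytes (8 bits per sample). */
#include <stdio.h>
#include <stdint.h>

static uint32_t ceil_div(uint32_t a, uint32_t b)
{
    return (a + b - 1) / b;
}

/* Correct size: partial sampling blocks are rounded UP, which is also how
 * libtiff's own TIFFVTileSize64 counts blocks (via TIFFhowmany_32). */
uint32_t ycbcr_tile_bytes(uint32_t w, uint32_t h, uint32_t hs, uint32_t vs)
{
    if (w == 0 || h == 0 || hs == 0 || vs == 0)
        return 0;
    return ceil_div(w, hs) * ceil_div(h, vs) * (hs * vs + 2);
}

/* Hypothetical buggy variant (assumption of this example): integer division
 * truncates, so w=1 with hs=2 yields zero horizontal blocks and a buffer
 * that is too small for the data the decoder will actually produce. */
uint32_t ycbcr_tile_bytes_truncating(uint32_t w, uint32_t h, uint32_t hs, uint32_t vs)
{
    if (hs == 0 || vs == 0)
        return 0;
    return (w / hs) * (h / vs) * (hs * vs + 2);
}

/* Model of the failure mode visible in the ASan trace: the tile buffer is
 * allocated with one size, but the write path (TIFFWriteEncodedStrip ->
 * t2p_writeproc -> fwrite) is handed the number of bytes the tile really
 * holds, so fwrite reads past the allocation.  Returns the number of bytes
 * that would be read beyond the buffer, 0 when the sizes agree. */
uint32_t overread_bytes(uint32_t w, uint32_t h, uint32_t hs, uint32_t vs)
{
    uint32_t allocated = ycbcr_tile_bytes_truncating(w, h, hs, vs);
    uint32_t produced  = ycbcr_tile_bytes(w, h, hs, vs);
    return produced > allocated ? produced - allocated : 0;
}

int main(void)
{
    /* Constructed cases; the last one is the "Nonstandard tile width 1"
     * shape from the warning in the report, with 2x2 subsampling. */
    struct { uint32_t w, h, hs, vs; } cases[] = {
        { 16, 16, 2, 2 },   /* multiple of the factors: both formulas agree */
        {  3,  3, 2, 1 },   /* odd width: truncation drops a whole column   */
        {  1,  4, 2, 2 },   /* width 1: truncation yields a 0-byte buffer   */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t w = cases[i].w, h = cases[i].h, hs = cases[i].hs, vs = cases[i].vs;
        printf("tile %ux%u, subsampling %ux%u: correct=%u truncating=%u overread=%u\n",
               w, h, hs, vs,
               ycbcr_tile_bytes(w, h, hs, vs),
               ycbcr_tile_bytes_truncating(w, h, hs, vs),
               overread_bytes(w, h, hs, vs));
    }
    return 0;
}
```

The practical check when reviewing a size computation like this is to feed it the degenerate shapes (width 1, height 1, and any dimension one less than the subsampling factor) and compare against the size libtiff itself reports for the tile; any mismatch between the allocation size and the byte count later passed to the write callback is exactly the pattern a heap over-read needs.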
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues. The migrated tickets have their summary prefixed with [BZ#XXXX], where XXXX is the initial Bugzilla issue number.