First Last Prev Next    No search results available
Bug 2851 - there is a global-buffer-overflow in libtiff-4.0.10 in libtiff/tif_dir.c:1116
: there is a global-buffer-overflow in libtiff-4.0.10 in libtiff/tif_dir.c:1116
Status: RESOLVED LATER
: libtiff
default
: unspecified
: PC Linux
: P2 enhancement
: ---
Assigned To:
:
:
: migrated_to_gitlab
:
:
  Show dependency treegraph
 
Reported: 2019-04-28 02:39 by
Modified: 2019-10-01 14:21 (History)

Attachments
there is a global-buffer-overflow in libtiff-4.0.10 in libtiff/tif_dir.c:1116 (352 bytes, application/octet-stream)
2019-04-28 02:39, xiaosatianyu@126.com 		Details
Add an attachment (proposed patch, testcase, etc.)


Note

You need to log in before you can comment on or make changes to this bug.

Description From 2019-04-28 02:39:38 
Created an attachment (id=894) [details]
there is a global-buffer-overflow in libtiff-4.0.10 in libtiff/tif_dir.c:1116

tiffcp -i file /dev/null
there is a global-buffer-overflow in libtiff-4.0.10 in libtiff/tif_dir.c:1116


==24551==ERROR: AddressSanitizer: global-buffer-overflow on address
0x000001195240 at pc 0x7f91ea72bc41 bp 0x7ffe1fa62e80 sp 0x7ffe1fa62e78
WRITE of size 4 at 0x000001195240 thread T0
    #0 0x7f91ea72bc40 in _TIFFVGetField
/home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:1116:29
    #1 0x7f91ea712106 in TIFFVGetField
/home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:1237:6
    #2 0x7f91ea711eeb in TIFFGetField
/home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:1221:11
    #3 0x4f1f0a in tiffcp
/home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/tools/tiffcp.c:747:5
    #4 0x4f008d in main
/home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/tools/tiffcp.c:301:9
    #5 0x7f91e8e73b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #6 0x41b719 in _start
(/home/digger/afl-adapative/env/libtiff/install-asan/bin/tiffcp+0x41b719)

0x000001195242 is located 0 bytes to the right of global variable 'predictor'
defined in 'tiffcp.c:73:15' (0x1195240) of size 2
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:1116:29
in _TIFFVGetField
Shadow bytes around the buggy address:
  0x00008022a9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008022aa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008022aa10: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x00008022aa20: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x00008022aa30: 04 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
=>0x00008022aa40: 02 f9 f9 f9 f9 f9 f9 f9[02]f9 f9 f9 f9 f9 f9 f9
  0x00008022aa50: 04 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
  0x00008022aa60: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x00008022aa70: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x00008022aa80: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x00008022aa90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24551==ABORTING
------- Comment #1 From 2019-10-01 14:21:41 ------- 
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.
First Last Prev Next    No search results available