You need to log in before you can comment on or make changes to this bug.
Created an attachment (id=895) [details] There is a heap-buffer-overflow in libtiff 4.0.10 in tif_unix.c:346 tiff -i file /dev/null There is a heap-buffer-overflow in libtiff 4.0.10 in tif_unix.c:346 ==25672==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000150 at pc 0x0000004ac057 bp 0x7ffc45c9bb80 sp 0x7ffc45c9b330 READ of size 131072 at 0x603000000150 thread T0 #0 0x4ac056 in __asan_memcpy /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:453:3 #1 0x7f4fa0af4e14 in _TIFFmemcpy /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_unix.c:346:2 #2 0x7f4fa09fa449 in TIFFWriteDirectoryTagColormap /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dirwrite.c:1863:2 #3 0x7f4fa09f00d1 in TIFFWriteDirectorySec /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dirwrite.c:567:10 #4 0x7f4fa09edcef in TIFFWriteDirectory /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dirwrite.c:182:9 #5 0x7f4fa09f55a0 in TIFFRewriteDirectory /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dirwrite.c:222:10 #6 0x7f4fa0a22406 in TIFFFlush /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_flush.c:81:13 #7 0x7f4fa098f89b in TIFFCleanup /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_close.c:51:3 #8 0x7f4fa0990262 in TIFFClose /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_close.c:126:2 #9 0x4f00c3 in main /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/tools/tiffcp.c:303:12 #10 0x7f4f9f0f9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #11 0x41b719 in _start (/home/digger/afl-adapative/env/libtiff/install-asan/bin/tiffcp+0x41b719) 0x603000000150 is located 0 bytes to the right of 32-byte region [0x603000000130,0x603000000150) allocated by thread T0 here: #0 0x4c241c in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3 #1 0x7f4fa0af4cfc in _TIFFmalloc /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_unix.c:314:10 #2 0x7f4fa0996edd in setByteArray /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:52:19 #3 0x7f4fa0997026 in _TIFFsetShortArray /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:64:7 #4 0x7f4fa099fa73 in _TIFFVSetField /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:359:3 #5 0x7f4fa0a723bd in LogLuvVSetField /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_luv.c:1673:10 #6 0x7f4fa09973f6 in TIFFVSetField /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:852:6 #7 0x7f4fa099731b in TIFFSetField /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:796:11 #8 0x4f3a3e in cpTag /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/tools/tiffcp.c:506:4 #9 0x4f1cf7 in tiffcp /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/tools/tiffcp.c:725:2 #10 0x4f008d in main /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/tools/tiffcp.c:301:9 #11 0x7f4f9f0f9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) SUMMARY: AddressSanitizer: heap-buffer-overflow /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:453:3 in __asan_memcpy Shadow bytes around the buggy address: 0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff8000: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd 0x0c067fff8010: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa =>0x0c067fff8020: fd fd fd fd fa fa 00 00 00 00[fa]fa 00 00 00 00 0x0c067fff8030: fa fa 00 00 00 00 fa fa fa fa fa fa fa fa fa fa 0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==25672==ABORTING
tiffcp -i file /dev/null
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.
