You need to log in before you can comment on or make changes to this bug.
Hi, there. There is a heap overflow in tiff2pdf. To reproduce the issue, the compile flag is: CFLAGS="-g -O0 -fsanitize=address,undefined" ./configure; make then, ./tiff2pdf input Here are the details reported by the ASAN: ==28950==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ef10 at pc 0x0000005f7898 bp 0x7ffe06102260 sp 0x7ffe06102250 READ of size 1 at 0x60300000ef10 thread T0 #0 0x5f7897 in _TIFFFax3fillruns /mnt/data/playground/tiff-4.0.10-a/libtiff/tif_fax3.c:439 #1 0x63bb96 in Fax3Decode1D /mnt/data/playground/tiff-4.0.10-a/libtiff/tif_fax3.c:247 #2 0x82bea2 in TIFFReadEncodedStrip /mnt/data/playground/tiff-4.0.10-a/libtiff/tif_read.c:544 #3 0x4459bb in t2p_readwrite_pdf_image /mnt/data/playground/tiff-4.0.10-a/tools/tiff2pdf.c:2584 #4 0x492170 in t2p_write_pdf /mnt/data/playground/tiff-4.0.10-a/tools/tiff2pdf.c:5601 #5 0x409e61 in main /mnt/data/playground/tiff-4.0.10-a/tools/tiff2pdf.c:810 #6 0x7f13a280282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #7 0x410538 in _start (/mnt/data/playground/tiff-4.0.10-a/tools/tiff2pdf+0x410538) 0x60300000ef10 is located 0 bytes to the right of 32-byte region [0x60300000eef0,0x60300000ef10) allocated by thread T0 here: #0 0x7f13a37f0602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602) #1 0x445840 in t2p_readwrite_pdf_image /mnt/data/playground/tiff-4.0.10-a/tools/tiff2pdf.c:2571 SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/data/playground/tiff-4.0.10-a/libtiff/tif_fax3.c:439 _TIFFFax3fillruns Shadow bytes around the buggy address: 0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00 =>0x0c067fff9de0: 00 00[fa]fa 00 00 04 fa fa fa 00 00 05 fa fa fa 0x0c067fff9df0: 00 00 04 fa fa fa 00 00 04 fa fa fa 00 00 00 00 0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==28950==ABORTING The attachment is the POC input.
Created an attachment (id=896) [details] The Poc input
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets, such as this one, have been migrated to the libtiff GitLab instance at https://gitlab.com/libtiff/libtiff/issues . The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is the initial Bugzilla issue number.
