[BZ#2767] A heap-buffer-overflow in libtiff 4.0.8.
Submitted by xiaosatianyu at 126 dot com on 2017-12-27 07:28
Description
Created an attachment (id=835)
poc
There is a heap-buffer-overflow in PackBitsEncode function tif_packbits.c line 88 in libtiff 4.0.8.
=================================================================
==23471==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000980 at pc 0x0000006eedf5 bp 0x7fffa9c16820 sp 0x7fffa9c16818
READ of size 1 at 0x619000000980 thread T0
#0 0x6eedf4 in PackBitsEncode /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/libtiff/tif_packbits.c:88:25
#1 0x61a451 in TIFFWriteScanline /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/libtiff/tif_write.c:173:11
#2 0x530827 in main /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/tools/bmp2tiff.c:775:9
#3 0x7f70dbcbef44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
#4 0x41c8cb in _start (/home/binzhang/Desktop/bmp2tiff/bmp2tiff+0x41c8cb)
0x619000000980 is located 0 bytes to the right of 1024-byte region [0x619000000580,0x619000000980)
allocated by thread T0 here:
#0 0x4f55d6 in __interceptor_malloc /home/xiaosatianyu/workspace/git/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
#1 0x6274b0 in _TIFFmalloc /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/libtiff/tif_unix.c:316:10
#2 0x52e5dd in main /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/tools/bmp2tiff.c:678:34
#3 0x7f70dbcbef44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/xiaosatianyu/workspace/git/fuzz/for-new-CVE/benlibtiff/libtiff/libtiff/tif_packbits.c:88:25 in PackBitsEncode
Shadow bytes around the buggy address:
0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8130:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==23471==ABORTING
Attachment 835, "poc":
report-1