[BZ#2808] heap-buffer-overflow in tiff2pdf (CVE-2018-15209)
Submitted by Marsman1996 (lqliuyuwei at outlook dot com) on 2018-08-07 22:19
Description
Created an attachment (id=867)
the poc
on Ubuntu 16.04 32-bit, tiff4.0.9
How to reproduce:
1. compile: CC=clang CXX=clang++ ./configure && make && make install
2. ./tiff2pdf poc1
asan dbg info:
=================================================================
==19781==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb53ff800 at pc 0xb7e5573d bp 0xbfa2bd08 sp 0xbfa2bcfc
WRITE of size 8 at 0xb53ff800 thread T0
#0 0xb7e5573c (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x3173c)
#1 0xb7ed7f89 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xb3f89)
#2 0xb7ef798b (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd398b)
#3 0x8134534 (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x8134534)
#4 0xb7bd2636 (/lib/i386-linux-gnu/libc.so.6+0x18636)
#5 0x805fb37 (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x805fb37)
0xb53ff800 is located 0 bytes to the right of 12058624-byte region [0xb487f800,0xb53ff800)
allocated by thread T0 here:
#0 0x81041e4 (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x81041e4)
#1 0xb7ef7b53 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd3b53)
#2 0xb7ed7f89 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xb3f89)
#3 0xb7ef798b (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd398b)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x3173c)
Shadow bytes around the buggy address:
0x36a7feb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36a7fec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36a7fed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36a7fee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36a7fef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36a7ff00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a7ff10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a7ff20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a7ff30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a7ff40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a7ff50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==19781==ABORTING
gdb info:
Program received signal SIGSEGV, Segmentation fault.
ChopUpSingleUncompressedStrip (tif=) at tif_dirread.c:5723
5723        newcounts[strip] = stripbytes;
(gdb) bt
#0  ChopUpSingleUncompressedStrip (tif=) at tif_dirread.c:5723
#1  TIFFReadDirectory (tif=) at tif_dirread.c:4186
#2  0xb7fa55e0 in TIFFClientOpen (name=, mode=, clientdata=, readproc=, writeproc=, seekproc=, closeproc=, sizeproc=, mapproc=, unmapproc=) at tif_open.c:466
#3  0xb7faedbc in TIFFFdOpen (fd=3, name=, mode=0x805500a "r") at tif_unix.c:211
#4  TIFFOpen (name=, mode=0x805500a "r") at tif_unix.c:250
#5  0x080496ea in main (argc=, argv=) at tiff2pdf.c:751
Attachment 867, "the poc":
poc1