Skip to content
GitLab
Next
    • GitLab: the DevOps platform
    • Explore GitLab
    • Install GitLab
    • How GitLab compares
    • Get started
    • GitLab docs
    • GitLab Learn
  • Pricing
  • Talk to an expert
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
    Projects Groups Topics Snippets
  • Register
  • Sign in
  • L libtiff
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributor statistics
    • Graph
    • Compare revisions
    • Locked files
  • Issues 157
    • Issues 157
    • List
    • Boards
    • Service Desk
    • Milestones
    • Requirements
  • Merge requests 20
    • Merge requests 20
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Artifacts
    • Schedules
    • Test cases
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Packages and registries
    • Packages and registries
    • Container Registry
    • Model experiments
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Code review
    • Insights
    • Issue
    • Repository
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • libtiff
  • libtiff
  • Issues
  • #158
Closed
Open
Issue created Oct 01, 2019 by TIFF Bugzilla to GitLab Issues bot@tiffbugzillatogitlab

[BZ#2851] there is a global-buffer-overflow in libtiff-4.0.10 in libtiff/tif_dir.c:1116

Submitted by xiaosatianyu at 126 dot com on 2019-04-28 02:39

Link to original bug (#2851)

Description

Created an attachment (id=894)
there is a global-buffer-overflow in libtiff-4.0.10 in libtiff/tif_dir.c:1116

tiffcp -i file /dev/null
there is a global-buffer-overflow in libtiff-4.0.10 in libtiff/tif_dir.c:1116


==24551==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001195240 at pc 0x7f91ea72bc41 bp 0x7ffe1fa62e80 sp 0x7ffe1fa62e78
WRITE of size 4 at 0x000001195240 thread T0
    #0 0x7f91ea72bc40 in _TIFFVGetField /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:1116:29
    #1 0x7f91ea712106 in TIFFVGetField /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:1237:6
    #2 0x7f91ea711eeb in TIFFGetField /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:1221:11
    #3 0x4f1f0a in tiffcp /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/tools/tiffcp.c:747:5
    #4 0x4f008d in main /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/tools/tiffcp.c:301:9
    #5 0x7f91e8e73b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #6 0x41b719 in _start (/home/digger/afl-adapative/env/libtiff/install-asan/bin/tiffcp+0x41b719)

0x000001195242 is located 0 bytes to the right of global variable 'predictor' defined in 'tiffcp.c:73:15' (0x1195240) of size 2
SUMMARY: AddressSanitizer: global-buffer-overflow /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:1116:29 in _TIFFVGetField
Shadow bytes around the buggy address:
  0x00008022a9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008022aa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008022aa10: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x00008022aa20: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x00008022aa30: 04 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
=>0x00008022aa40: 02 f9 f9 f9 f9 f9 f9 f9[02]f9 f9 f9 f9 f9 f9 f9
  0x00008022aa50: 04 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
  0x00008022aa60: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x00008022aa70: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x00008022aa80: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x00008022aa90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24551==ABORTING

Attachment 894, "there is a global-buffer-overflow in libtiff-4.0.10 in libtiff/tif_dir.c:1116":
id_000000-sig_11-src_003033-op_collecting-280-rep_2

Assignee
Assign to
Time tracking