Skip to content
GitLab
Closed
Issue created by TIFF Bugzilla to GitLab Issues bot@tiffbugzillatogitlab

[BZ#2852] There is a heap-buffer-overflow in libtiff 4.0.10 in tif_unix.c:346

Submitted by xiaosatianyu at 126 dot com on 2019-04-28 10:08

Link to original bug (#2852)

Description

Created an attachment (id=895)
There is a heap-buffer-overflow in libtiff 4.0.10 in tif_unix.c:346

tiff -i file /dev/null
There is a heap-buffer-overflow in libtiff 4.0.10 in tif_unix.c:346

==25672==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000150 at pc 0x0000004ac057 bp 0x7ffc45c9bb80 sp 0x7ffc45c9b330
READ of size 131072 at 0x603000000150 thread T0
    #0 0x4ac056 in __asan_memcpy /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:453:3
    #1 0x7f4fa0af4e14 in _TIFFmemcpy /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_unix.c:346:2
    #2 0x7f4fa09fa449 in TIFFWriteDirectoryTagColormap /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dirwrite.c:1863:2
    #3 0x7f4fa09f00d1 in TIFFWriteDirectorySec /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dirwrite.c:567:10
    #4 0x7f4fa09edcef in TIFFWriteDirectory /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dirwrite.c:182:9
    #5 0x7f4fa09f55a0 in TIFFRewriteDirectory /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dirwrite.c:222:10
    #6 0x7f4fa0a22406 in TIFFFlush /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_flush.c:81:13
    #7 0x7f4fa098f89b in TIFFCleanup /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_close.c:51:3
    #8 0x7f4fa0990262 in TIFFClose /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_close.c:126:2
    #9 0x4f00c3 in main /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/tools/tiffcp.c:303:12
    #10 0x7f4f9f0f9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #11 0x41b719 in _start (/home/digger/afl-adapative/env/libtiff/install-asan/bin/tiffcp+0x41b719)

0x603000000150 is located 0 bytes to the right of 32-byte region [0x603000000130,0x603000000150)
allocated by thread T0 here:
    #0 0x4c241c in malloc /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3
    #1 0x7f4fa0af4cfc in _TIFFmalloc /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_unix.c:314:10
    #2 0x7f4fa0996edd in setByteArray /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:52:19
    #3 0x7f4fa0997026 in _TIFFsetShortArray /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:64:7
    #4 0x7f4fa099fa73 in _TIFFVSetField /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:359:3
    #5 0x7f4fa0a723bd in LogLuvVSetField /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_luv.c:1673:10
    #6 0x7f4fa09973f6 in TIFFVSetField /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:852:6
    #7 0x7f4fa099731b in TIFFSetField /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/libtiff/tif_dir.c:796:11
    #8 0x4f3a3e in cpTag /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/tools/tiffcp.c:506:4
    #9 0x4f1cf7 in tiffcp /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/tools/tiffcp.c:725:2
    #10 0x4f008d in main /home/digger/afl-adapative/env/libtiff/tiff-4.0.10-afl/tools/tiffcp.c:301:9
    #11 0x7f4f9f0f9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:453:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8010: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
=>0x0c067fff8020: fd fd fd fd fa fa 00 00 00 00[fa]fa 00 00 00 00
  0x0c067fff8030: fa fa 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25672==ABORTING

Attachment 895, "There is a heap-buffer-overflow in libtiff 4.0.10 in tif_unix.c:346":
id_000018-sig_11-src_003500+002715-op_splice-rep_2