Potential overflow in tiff2pdf
We found a vulnerability in the tiff2pdf binary; tiff2pdf was compiled with clang with ASAN enabled.
Machine Setup
Machine : Ubuntu 16.04.3 LTS
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
clang : llvm-toolchain-3.8 (the compiler used for the ASAN build, per the sanitizer check path in the output below)
libtiff : Version 4.0.10 (built from the libtiff-master tree under /home/fuzzer/victim/libtiff-master)
Command : tiff2pdf -i POC -o /dev/null
ASAN Output
fuzzer@thickfuzzer:~/victim/libtiff-master/tools$ ./tiff2pdf -i POC -o /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 327 (0x147) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59176 (0xe728) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Tag 59176" does not end in null byte. Forcing it to be null.
TIFFAdvanceDirectory: Error fetching directory count.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 327 (0x147) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59176 (0xe728) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Tag 59176" does not end in null byte. Forcing it to be null.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 327 (0x147) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59176 (0xe728) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Tag 59176" does not end in null byte. Forcing it to be null.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 327 (0x147) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59176 (0xe728) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Tag 59176" does not end in null byte. Forcing it to be null.
==17276==ERROR: AddressSanitizer failed to allocate 0x30c82ea000 (209516929024) bytes of LargeMmapAllocator (error code: 12)
==17276==Process memory map follows:
0x000000400000-0x0000006e6000 /home/fuzzer/victim/libtiff-master/tools/tiff2pdf
0x0000008e6000-0x0000008e7000 /home/fuzzer/victim/libtiff-master/tools/tiff2pdf
0x0000008e7000-0x000000901000 /home/fuzzer/victim/libtiff-master/tools/tiff2pdf
0x000000901000-0x000001584000
0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x600000000000-0x602000000000
0x602000000000-0x602000010000
0x602000010000-0x603000000000
0x603000000000-0x603000010000
0x603000010000-0x604000000000
0x604000000000-0x604000010000
0x604000010000-0x610000000000
0x610000000000-0x610000010000
0x610000010000-0x612000000000
0x612000000000-0x612000010000
0x612000010000-0x615000000000
0x615000000000-0x615000020000
0x615000020000-0x616000000000
0x616000000000-0x616000020000
0x616000020000-0x619000000000
0x619000000000-0x619000020000
0x619000020000-0x61a000000000
0x61a000000000-0x61a000020000
0x61a000020000-0x61d000000000
0x61d000000000-0x61d000020000
0x61d000020000-0x61f000000000
0x61f000000000-0x61f000020000
0x61f000020000-0x621000000000
0x621000000000-0x621000020000
0x621000020000-0x624000000000
0x624000000000-0x624000020000
0x624000020000-0x640000000000
0x640000000000-0x640000003000
0x7fa2c7200000-0x7fa2c7300000
0x7fa2c7400000-0x7fa2c7500000
0x7fa2c751c000-0x7fa2c986e000
0x7fa2c986e000-0x7fa2c9a2e000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7fa2c9a2e000-0x7fa2c9c2e000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7fa2c9c2e000-0x7fa2c9c32000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7fa2c9c32000-0x7fa2c9c34000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7fa2c9c34000-0x7fa2c9c38000
0x7fa2c9c38000-0x7fa2c9c4e000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fa2c9c4e000-0x7fa2c9e4d000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fa2c9e4d000-0x7fa2c9e4e000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fa2c9e4e000-0x7fa2c9e51000 /lib/x86_64-linux-gnu/libdl-2.23.so
0x7fa2c9e51000-0x7fa2ca050000 /lib/x86_64-linux-gnu/libdl-2.23.so
0x7fa2ca050000-0x7fa2ca051000 /lib/x86_64-linux-gnu/libdl-2.23.so
0x7fa2ca051000-0x7fa2ca052000 /lib/x86_64-linux-gnu/libdl-2.23.so
0x7fa2ca052000-0x7fa2ca059000 /lib/x86_64-linux-gnu/librt-2.23.so
0x7fa2ca059000-0x7fa2ca258000 /lib/x86_64-linux-gnu/librt-2.23.so
0x7fa2ca258000-0x7fa2ca259000 /lib/x86_64-linux-gnu/librt-2.23.so
0x7fa2ca259000-0x7fa2ca25a000 /lib/x86_64-linux-gnu/librt-2.23.so
0x7fa2ca25a000-0x7fa2ca272000 /lib/x86_64-linux-gnu/libpthread-2.23.so
0x7fa2ca272000-0x7fa2ca471000 /lib/x86_64-linux-gnu/libpthread-2.23.so
0x7fa2ca471000-0x7fa2ca472000 /lib/x86_64-linux-gnu/libpthread-2.23.so
0x7fa2ca472000-0x7fa2ca473000 /lib/x86_64-linux-gnu/libpthread-2.23.so
0x7fa2ca473000-0x7fa2ca477000
0x7fa2ca477000-0x7fa2ca57f000 /lib/x86_64-linux-gnu/libm-2.23.so
0x7fa2ca57f000-0x7fa2ca77e000 /lib/x86_64-linux-gnu/libm-2.23.so
0x7fa2ca77e000-0x7fa2ca77f000 /lib/x86_64-linux-gnu/libm-2.23.so
0x7fa2ca77f000-0x7fa2ca780000 /lib/x86_64-linux-gnu/libm-2.23.so
0x7fa2ca780000-0x7fa2ca799000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7fa2ca799000-0x7fa2ca998000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7fa2ca998000-0x7fa2ca999000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7fa2ca999000-0x7fa2ca99a000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7fa2ca99a000-0x7fa2ca9f1000 /usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
0x7fa2ca9f1000-0x7fa2cabf1000 /usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
0x7fa2cabf1000-0x7fa2cabf2000 /usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
0x7fa2cabf2000-0x7fa2cabf3000 /usr/lib/x86_64-linux-gnu/libjpeg.so.8.0.2
0x7fa2cabf3000-0x7fa2cabfe000 /usr/lib/x86_64-linux-gnu/libjbig.so.0
0x7fa2cabfe000-0x7fa2cadfd000 /usr/lib/x86_64-linux-gnu/libjbig.so.0
0x7fa2cadfd000-0x7fa2cadfe000 /usr/lib/x86_64-linux-gnu/libjbig.so.0
0x7fa2cadfe000-0x7fa2cae01000 /usr/lib/x86_64-linux-gnu/libjbig.so.0
0x7fa2cae01000-0x7fa2cae22000 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
0x7fa2cae22000-0x7fa2cb021000 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
0x7fa2cb021000-0x7fa2cb022000 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
0x7fa2cb022000-0x7fa2cb023000 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
0x7fa2cb023000-0x7fa2cb049000 /lib/x86_64-linux-gnu/ld-2.23.so
0x7fa2cb1dc000-0x7fa2cb1f0000
0x7fa2cb1f0000-0x7fa2cb1f1000 /home/fuzzer/victim/libtiff-master/tools/out/slave3/crashes/id:000011,sig:06,src:002377,time:7543708,op:havoc,rep:4
0x7fa2cb1f1000-0x7fa2cb235000
0x7fa2cb235000-0x7fa2cb248000
0x7fa2cb248000-0x7fa2cb249000 /lib/x86_64-linux-gnu/ld-2.23.so
0x7fa2cb249000-0x7fa2cb24a000 /lib/x86_64-linux-gnu/ld-2.23.so
0x7fa2cb24a000-0x7fa2cb24b000
0x7fff073b4000-0x7fff073d5000 [stack]
0x7fff073db000-0x7fff073dd000 [vvar]
0x7fff073dd000-0x7fff073df000 [vdso]
0xffffffffff600000-0xffffffffff601000 [vsyscall]
==17276==End of process memory map.
==17276==AddressSanitizer CHECK failed: /build/llvm-toolchain-3.8-_PD09B/llvm-toolchain-3.8-3.8/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:183 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
#0 0x4c354d in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/fuzzer/victim/libtiff-master/tools/tiff2pdf+0x4c354d)
#1 0x4ca173 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/fuzzer/victim/libtiff-master/tools/tiff2pdf+0x4ca173)
#2 0x4ca361 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) (/home/fuzzer/victim/libtiff-master/tools/tiff2pdf+0x4ca361)
#3 0x4d32d2 in __sanitizer::MmapOrDie(unsigned long, char const*, bool) (/home/fuzzer/victim/libtiff-master/tools/tiff2pdf+0x4d32d2)
#4 0x41ff5f in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (/home/fuzzer/victim/libtiff-master/tools/tiff2pdf+0x41ff5f)
#5 0x4b9f21 in malloc (/home/fuzzer/victim/libtiff-master/tools/tiff2pdf+0x4b9f21)
#6 0x65fbf9 in _TIFFmalloc /home/fuzzer/victim/libtiff-master/libtiff/tif_unix.c:314:10
#7 0x505d41 in t2p_readwrite_pdf_image /home/fuzzer/victim/libtiff-master/tools/tiff2pdf.c:2497:29
#8 0x4f2029 in t2p_write_pdf /home/fuzzer/victim/libtiff-master/tools/tiff2pdf.c:5623:15
#9 0x4ed38f in main /home/fuzzer/victim/libtiff-master/tools/tiff2pdf.c:810:2
#10 0x7fa2c988e82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#11 0x419e18 in _start (/home/fuzzer/victim/libtiff-master/tools/tiff2pdf+0x419e18)
fuzzer@thickfuzzer:~/victim/libtiff-master/tools$
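What the trace actually shows: _TIFFmalloc (tif_unix.c:314), called from t2p_readwrite_pdf_image (tiff2pdf.c:2497), asks for 0x30c82ea000 bytes, about 195 GiB, and ASAN dies because the backing mmap fails with error code 12 (ENOMEM). No out-of-bounds read or write is reported; the size of the image buffer is derived from fields in the input file and is passed to the allocator without a sanity limit. The added example below is not libtiff's code and does not reproduce tiff2pdf.c:2497; it shows, in C, the two ways an image-derived buffer size goes wrong (a 32-bit product that wraps to something tiny, and a 64-bit product that is honest but absurdly large) and the checked computation that rejects both before malloc is reached. The cap MAX_IMAGE_BUFFER_BYTES, the function names and the header values in main are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap on a single image buffer; real code would derive this
 * from configuration or available memory.  1 GiB is an arbitrary choice. */
#define MAX_IMAGE_BUFFER_BYTES ((uint64_t)1 << 30)

/* Naive size computation as many image converters write it: width * height *
 * bytes-per-pixel in 32-bit arithmetic.  With attacker-controlled header
 * fields the product wraps silently and the buffer ends up far too small
 * for the data that is later copied into it (a real overflow). */
static uint32_t naive_image_size(uint32_t width, uint32_t height,
                                 uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;   /* wraps mod 2^32 */
}

/* Checked computation: promote to 64 bits, test each multiplication for
 * overflow, and compare the result against a hard cap before anything is
 * allocated.  Returns 0 on success (size stored in *out), -1 if unusable. */
static int checked_image_size(uint32_t width, uint32_t height,
                              uint32_t bytes_per_pixel, uint64_t *out)
{
    uint64_t rows, total;

    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return -1;

    /* 32-bit x 32-bit fits in 64 bits, so this product cannot overflow. */
    rows = (uint64_t)width * (uint64_t)height;

    /* 64-bit x 32-bit can overflow: test by division, not by inspecting
     * an already-wrapped product. */
    if (rows > UINT64_MAX / bytes_per_pixel)
        return -1;
    total = rows * bytes_per_pixel;

    /* Refuse absurd sizes ourselves instead of letting malloc/mmap fail
     * (or, worse, succeed under overcommit and exhaust the machine). */
    if (total > MAX_IMAGE_BUFFER_BYTES)
        return -1;

    *out = total;
    return 0;
}

/* Convenience wrapper: the validated size, or 0 when the request is rejected. */
static uint64_t checked_image_size_or_zero(uint32_t width, uint32_t height,
                                           uint32_t bytes_per_pixel)
{
    uint64_t size = 0;
    if (checked_image_size(width, height, bytes_per_pixel, &size) != 0)
        return 0;
    return size;
}

/* Allocate the image buffer only after the size has been validated. */
static unsigned char *alloc_image_buffer(uint32_t width, uint32_t height,
                                         uint32_t bytes_per_pixel)
{
    uint64_t size;
    if (checked_image_size(width, height, bytes_per_pixel, &size) != 0)
        return NULL;
    return (unsigned char *)malloc((size_t)size);
}

int main(void)
{
    /* Constructed header values: a 65536 x 65536 RGBA image, the kind of
     * claim a fuzzed TIFF directory can make. */
    uint32_t w = 0x10000, h = 0x10000, bpp = 4;
    uint64_t size;

    printf("naive  : %u bytes\n", naive_image_size(w, h, bpp));
    if (checked_image_size(w, h, bpp, &size) == 0)
        printf("checked: %llu bytes\n", (unsigned long long)size);
    else
        printf("checked: rejected\n");
    return 0;
}
```

For triage of this report, the same distinction can be made without reading source: running the binary with ASAN_OPTIONS=allocator_may_return_null=1 makes ASAN hand back NULL for the oversized request instead of aborting, so the next thing that happens (a clean error from tiff2pdf, a NULL dereference, or a later sanitizer report) tells you whether the bug is only an unchecked allocation size or something that corrupts memory.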