memory leaks in ../libtiff/tif_unix.c:314
Hi, I found memory leaks in ../libtiff/tif_unix.c:314, which are similar to CVE-2019-6128 but in a different version.
version: libtiff 4.1.0
POC: POC_15_000004
cmd: ./tiffsplit ./POC
OS: Ubuntu 16.04 LTS
ASAN log:
TIFFReadRawStrip: Read error at scanline 4294967295, strip 0; got 0 bytes, expected 2307545657.
=================================================================
==15584==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1256 byte(s) in 1 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x45304e in _TIFFmalloc ../../libtiff/tif_unix.c:314
#2 0x43db8e in TIFFClientOpen ../../libtiff/tif_open.c:117
#3 0x452dbe in TIFFFdOpen ../../libtiff/tif_unix.c:209
#4 0x45300d in TIFFOpen ../../libtiff/tif_unix.c:248
#5 0x402c10 in main ../../tools/tiffsplit.c:69
#6 0x7ffff5f1482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Direct leak of 1249 byte(s) in 1 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x45304e in _TIFFmalloc ../../libtiff/tif_unix.c:314
#2 0x43db8e in TIFFClientOpen ../../libtiff/tif_open.c:117
#3 0x452dbe in TIFFFdOpen ../../libtiff/tif_unix.c:209
#4 0x45300d in TIFFOpen ../../libtiff/tif_unix.c:248
#5 0x402cf8 in main ../../tools/tiffsplit.c:82
#6 0x7ffff5f1482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Indirect leak of 1224 byte(s) in 1 object(s) allocated from:
#0 0x7ffff6f02961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
#1 0x4530c8 in _TIFFrealloc ../../libtiff/tif_unix.c:334
#2 0x453684 in _TIFFCheckRealloc ../../libtiff/tif_aux.c:106
#3 0x453752 in _TIFFCheckMalloc ../../libtiff/tif_aux.c:122
#4 0x419f5a in _TIFFMergeFields ../../libtiff/tif_dirinfo.c:385
#5 0x419adf in _TIFFSetupFields ../../libtiff/tif_dirinfo.c:335
#6 0x416a04 in TIFFDefaultDirectory ../../libtiff/tif_dir.c:1377
#7 0x42ca1f in TIFFReadDirectory ../../libtiff/tif_dirread.c:3628
#8 0x43fbe6 in TIFFClientOpen ../../libtiff/tif_open.c:482
#9 0x452dbe in TIFFFdOpen ../../libtiff/tif_unix.c:209
#10 0x45300d in TIFFOpen ../../libtiff/tif_unix.c:248
#11 0x402c10 in main ../../tools/tiffsplit.c:69
#12 0x7ffff5f1482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Indirect leak of 1224 byte(s) in 1 object(s) allocated from:
#0 0x7ffff6f02961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
#1 0x4530c8 in _TIFFrealloc ../../libtiff/tif_unix.c:334
#2 0x453684 in _TIFFCheckRealloc ../../libtiff/tif_aux.c:106
#3 0x453752 in _TIFFCheckMalloc ../../libtiff/tif_aux.c:122
#4 0x419f5a in _TIFFMergeFields ../../libtiff/tif_dirinfo.c:385
#5 0x419adf in _TIFFSetupFields ../../libtiff/tif_dirinfo.c:335
#6 0x416a04 in TIFFDefaultDirectory ../../libtiff/tif_dir.c:1377
#7 0x43ee7c in TIFFClientOpen ../../libtiff/tif_open.c:353
#8 0x452dbe in TIFFFdOpen ../../libtiff/tif_unix.c:209
#9 0x45300d in TIFFOpen ../../libtiff/tif_unix.c:248
#10 0x402cf8 in main ../../tools/tiffsplit.c:82
#11 0x7ffff5f1482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Indirect leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x7ffff6f02961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
#1 0x4530c8 in _TIFFrealloc ../../libtiff/tif_unix.c:334
#2 0x453684 in _TIFFCheckRealloc ../../libtiff/tif_aux.c:106
#3 0x432a24 in TIFFCheckDirOffset ../../libtiff/tif_dirread.c:4658
#4 0x42c689 in TIFFReadDirectory ../../libtiff/tif_dirread.c:3588
#5 0x43fbe6 in TIFFClientOpen ../../libtiff/tif_open.c:482
#6 0x452dbe in TIFFFdOpen ../../libtiff/tif_unix.c:209
#7 0x45300d in TIFFOpen ../../libtiff/tif_unix.c:248
#8 0x402c10 in main ../../tools/tiffsplit.c:69
#9 0x7ffff5f1482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Indirect leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x45304e in _TIFFmalloc ../../libtiff/tif_unix.c:314
#2 0x425cf4 in TIFFReadDirEntryLong8ArrayWithLimit ../../libtiff/tif_dirread.c:2018
#3 0x439594 in TIFFFetchStripThing ../../libtiff/tif_dirread.c:5654
#4 0x42edf7 in TIFFReadDirectory ../../libtiff/tif_dirread.c:4016
#5 0x43fbe6 in TIFFClientOpen ../../libtiff/tif_open.c:482
#6 0x452dbe in TIFFFdOpen ../../libtiff/tif_unix.c:209
#7 0x45300d in TIFFOpen ../../libtiff/tif_unix.c:248
#8 0x402c10 in main ../../tools/tiffsplit.c:69
#9 0x7ffff5f1482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Indirect leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x45304e in _TIFFmalloc ../../libtiff/tif_unix.c:314
#2 0x425cf4 in TIFFReadDirEntryLong8ArrayWithLimit ../../libtiff/tif_dirread.c:2018
#3 0x439594 in TIFFFetchStripThing ../../libtiff/tif_dirread.c:5654
#4 0x42eec7 in TIFFReadDirectory ../../libtiff/tif_dirread.c:4025
#5 0x43fbe6 in TIFFClientOpen ../../libtiff/tif_open.c:482
#6 0x452dbe in TIFFFdOpen ../../libtiff/tif_unix.c:209
#7 0x45300d in TIFFOpen ../../libtiff/tif_unix.c:248
#8 0x402c10 in main ../../tools/tiffsplit.c:69
#9 0x7ffff5f1482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: 5001 byte(s) leaked in 7 allocation(s).
Edited by puppet meteor
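As an added triage example (not part of this report or of libtiff): a small parser for LeakSanitizer output in the format of the log above. It groups each leak by the outermost frame that has a source location, which is the application code that owns the allocation chain, and checks that the parsed leaks add up to LSan's SUMMARY line. The embedded log is a constructed excerpt of the report's output (three of the seven leaks, with the SUMMARY line recomputed for the excerpt); run on it, the grouping attributes every leaked byte to the two TIFFOpen calls in tiffsplit.c at lines 69 and 82, which is where the direct leaks in the report originate.

```python
# LSan report triage: group leaks by the application frame that owns them.
# Added example, not code from libtiff or from the bug report above.
import re
from collections import defaultdict

# Constructed excerpt of the report's LeakSanitizer output (three leaks,
# SUMMARY recomputed for this excerpt: 1256 + 1249 + 1224 = 3729 bytes).
SAMPLE_LOG = """\
==15584==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1256 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x45304e in _TIFFmalloc ../../libtiff/tif_unix.c:314
    #2 0x43db8e in TIFFClientOpen ../../libtiff/tif_open.c:117
    #3 0x452dbe in TIFFFdOpen ../../libtiff/tif_unix.c:209
    #4 0x45300d in TIFFOpen ../../libtiff/tif_unix.c:248
    #5 0x402c10 in main ../../tools/tiffsplit.c:69
    #6 0x7ffff5f1482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Direct leak of 1249 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x45304e in _TIFFmalloc ../../libtiff/tif_unix.c:314
    #2 0x43db8e in TIFFClientOpen ../../libtiff/tif_open.c:117
    #3 0x452dbe in TIFFFdOpen ../../libtiff/tif_unix.c:209
    #4 0x45300d in TIFFOpen ../../libtiff/tif_unix.c:248
    #5 0x402cf8 in main ../../tools/tiffsplit.c:82
    #6 0x7ffff5f1482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
Indirect leak of 1224 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff6f02961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x4530c8 in _TIFFrealloc ../../libtiff/tif_unix.c:334
    #2 0x453684 in _TIFFCheckRealloc ../../libtiff/tif_aux.c:106
    #3 0x453752 in _TIFFCheckMalloc ../../libtiff/tif_aux.c:122
    #4 0x419f5a in _TIFFMergeFields ../../libtiff/tif_dirinfo.c:385
    #5 0x419adf in _TIFFSetupFields ../../libtiff/tif_dirinfo.c:335
    #6 0x416a04 in TIFFDefaultDirectory ../../libtiff/tif_dir.c:1377
    #7 0x42ca1f in TIFFReadDirectory ../../libtiff/tif_dirread.c:3628
    #8 0x43fbe6 in TIFFClientOpen ../../libtiff/tif_open.c:482
    #9 0x452dbe in TIFFFdOpen ../../libtiff/tif_unix.c:209
    #10 0x45300d in TIFFOpen ../../libtiff/tif_unix.c:248
    #11 0x402c10 in main ../../tools/tiffsplit.c:69
    #12 0x7ffff5f1482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: 3729 byte(s) leaked in 3 allocation(s).
"""

LEAK_RE = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
SUMMARY_RE = re.compile(r"^SUMMARY: \w+: (\d+) byte\(s\) leaked in (\d+) allocation\(s\)")


def parse_lsan(text):
    """Return (leaks, summary). Each leak is a dict with kind, bytes, objects
    and frames as a list of (function, location) from innermost outward."""
    leaks, summary, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = LEAK_RE.match(line)
        if m:
            cur = {"kind": m.group(1), "bytes": int(m.group(2)),
                   "objects": int(m.group(3)), "frames": []}
            leaks.append(cur)
            continue
        m = FRAME_RE.match(line)
        if m and cur is not None:
            cur["frames"].append((m.group(1), m.group(2)))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
    return leaks, summary


def owner_frame(frames):
    """Outermost frame with a file:line location, i.e. the application code
    holding the allocation chain; libc and sanitizer frames (bracketed
    module+offset) are skipped."""
    for func, loc in reversed(frames):
        if ":" in loc and not loc.startswith("("):
            return f"{func} {loc}"
    return "<unknown>"


def summarize(leaks):
    """Group leaks by owner frame: leaked bytes, allocations, direct count."""
    groups = defaultdict(lambda: {"bytes": 0, "allocs": 0, "direct": 0})
    for leak in leaks:
        g = groups[owner_frame(leak["frames"])]
        g["bytes"] += leak["bytes"]
        g["allocs"] += leak["objects"]
        if leak["kind"] == "Direct":
            g["direct"] += leak["objects"]
    return dict(groups)


def totals_match(leaks, summary):
    """Sanity check: parsed leaks must add up to LSan's own SUMMARY line."""
    return summary == (sum(l["bytes"] for l in leaks), sum(l["objects"] for l in leaks))


if __name__ == "__main__":
    leaks, summary = parse_lsan(SAMPLE_LOG)
    for owner, g in sorted(summarize(leaks).items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{g['bytes']:6d} bytes, {g['allocs']} alloc(s), {g['direct']} direct, owned by {owner}")
    print("totals consistent with SUMMARY:", totals_match(leaks, summary))
```

Grouping by the outermost source frame rather than by the allocation site is the useful view for this class of bug: the indirect leaks (directory fields, strip offsets) are reachable only through the TIFF handle, so they collapse onto the same owner as the direct leak of that handle, and the fix target becomes the cleanup path in the tool rather than the dozens of internal allocation sites the log lists.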