SEGV /home/lin/libtiff/tools/tiffcrop.c:8799 in reverseSamples16bits

Summary

SUMMARY: SEGV /home/lin/libtiff/tools/tiffcrop.c:8799 in reverseSamples16bits

Version

➜  tiffcrop_test git:(master) ✗ ./tiffcrop -v
Library Release: LIBTIFF, Version 4.3.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcrop version: 2.4, last updated: 12-13-2010
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
           : Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde

At commit 27f399af (libtiff version)

Steps to reproduce

git clone git@gitlab.com:libtiff/libtiff.git
cd libtiff/
./autogen.sh
./configure CC=gcc CXX=g++ CFLAGS="-g -fsanitize=address" --disable-shared && make
./tools/tiffcrop -E l -m 1,2,3,4 -Y 1 -Z 0:0,1:1 -e s -F hor ~/poc ./out2


Platform

➜  libtiff git:(master) ✗ gcc --version
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

➜  libtiff git:(master) ✗ uname -r
5.4.0-91-generic
➜  libtiff git:(master) ✗ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.5 LTS
Release:	18.04
Codename:	bionic


  • ASAN
extractContigSamplesShifted16bits: Invalid start column value 2 ignored.
ASAN:DEADLYSIGNAL
=================================================================
==23613==ERROR: AddressSanitizer: SEGV on unknown address 0x6030200000cf (pc 0x56029cae62ca bp 0x7fffa0330480 sp 0x7fffa0330430 T0)
==23613==The signal is caused by a READ memory access.
    #0 0x56029cae62c9 in reverseSamples16bits /home/lin/libtiff/tools/tiffcrop.c:8799
    #1 0x56029cae77a7 in mirrorImage /home/lin/libtiff/tools/tiffcrop.c:9140
    #2 0x56029cae16a1 in processCropSelections /home/lin/libtiff/tools/tiffcrop.c:7607
    #3 0x56029cac4681 in main /home/lin/libtiff/tools/tiffcrop.c:2396
    #4 0x7fbfe49d3bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #5 0x56029cabb629 in _start (/home/lin/libtiff/tools/tiffcrop+0x28629)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lin/libtiff/tools/tiffcrop.c:8799 in reverseSamples16bits
==23613==ABORTING

  • gdb
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./tools/tiffcrop...done.
gdb-peda$ r
Starting program: /home/lin/libtiff/tools/tiffcrop -E l -m 1,2,3,4 -Y 1 -Z 0:0,1:1 -e s  -F hor /home/lin/id:000040,sig:06,src:000043,op:arg1,rep:64 ./out2
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
extractContigSamplesShifted16bits: Invalid start column value 2 ignored.

Program received signal SIGSEGV, Segmentation fault.

───────────────────────────────────────────────────────────────────────────────────────────────── Registers ──────────────────────────────────────────────────────────────────────────────────────────────────
RAX: 0x6030200000cf --> 0x0
RBX: 0x7fffffff8190 --> 0x7fffffffdff0 --> 0x7ffff7de3b40 (<_dl_fini>:  push   rbp)
RCX: 0x0
RDX: 0x0
RSI: 0x7
RDI: 0x1
RBP: 0x7fffffff8060 --> 0x7fffffff80c0 --> 0x7fffffff81b0 --> 0x7fffffffe020 --> 0x55555568c890 (<__libc_csu_init>:     push   r15)
RSP: 0x7fffffff8010 --> 0x602000000110 --> 0xbe
RIP: 0x5555555a72ca (<reverseSamples16bits+414>:        movzx  eax,BYTE PTR [rax])
R8 : 0x602000000110 --> 0xbe
R9 : 0x50 ('P')
R10: 0x7fffffff7818 --> 0x7fffffff7db0 --> 0x1
R11: 0x7fffffff7818 --> 0x7fffffff7db0 --> 0x1
R12: 0x7fffffff8130 --> 0x41b58ab3
R13: 0xffffffff026 --> 0x0
R14: 0x7fffffff8130 --> 0x41b58ab3
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
──────────────────────────────────────────────────────────────────────────────────────────────────── Code ────────────────────────────────────────────────────────────────────────────────────────────────────
   0x5555555a72be <reverseSamples16bits+402>:   mov    rdi,rax
   0x5555555a72c1 <reverseSamples16bits+405>:   call   0x55555557c460 <__asan_report_load1@plt>
   0x5555555a72c6 <reverseSamples16bits+410>:   mov    rax,QWORD PTR [rbp-0x8]
=> 0x5555555a72ca <reverseSamples16bits+414>:   movzx  eax,BYTE PTR [rax]
   0x5555555a72cd <reverseSamples16bits+417>:   movzx  eax,al
   0x5555555a72d0 <reverseSamples16bits+420>:   shl    eax,0x8
   0x5555555a72d3 <reverseSamples16bits+423>:   mov    r8d,eax
   0x5555555a72d6 <reverseSamples16bits+426>:   mov    rax,QWORD PTR [rbp-0x8]
[rax] : 0x6030200000cf --> 0x0
─────────────────────────────────────────────────────────────────────────────────────────────────── Stack ────────────────────────────────────────────────────────────────────────────────────────────────────
0000| 0x7fffffff8010 --> 0x602000000110 --> 0xbe
0008| 0x7fffffff8018 --> 0x6030000000d0 --> 0x11
0016| 0x7fffffff8020 --> 0xffffffffffff8130
0024| 0x7fffffff8028 --> 0x100000004 --> 0x0
0032| 0x7fffffff8030 --> 0x60 ('`')
0040| 0x7fffffff8038 --> 0xff000
0048| 0x7fffffff8040 --> 0x1fffffffffffffff
0056| 0x7fffffff8048 --> 0xfffffff800000000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Legend: code, data, rodata, heap, value
Stopped reason: SIGSEGV
0x00005555555a72ca in reverseSamples16bits (spp=0x1, bps=0x4, width=0xffffffff, ibuff=0x6030000000d0 "\021", obuff=0x602000000110 "\276") at tiffcrop.c:8799
8799            buff1 = (src[0] << 8) | src[1];

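Note on the arguments in the gdb frame: reverseSamples16bits was entered with width=0xffffffff, spp=1, bps=4, and the faulting read address 0x6030200000cf is exactly ibuff (0x6030000000d0) + 0x1fffffff. That offset is what (width - 1) * spp * bps / 8 yields when every operand is a 32-bit unsigned, because 0xfffffffe * 4 wraps to 0xfffffff8. The program below is an added example, not tiffcrop's code, and its offset formula is an assumption made to illustrate the arithmetic, not a claim about how tiffcrop.c computes the pointer. It shows the wrapped versus the intended 64-bit offset for the crash's values, and a bounds-checked reverse of a row of 16-bit samples that rejects such a width before touching memory; the 3-pixel input row is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed model (not libtiff's code): the last pixel of a row is addressed as
 * ibuff + (width - 1) * spp * bps / 8 with 32-bit unsigned operands.
 * For width=0xffffffff, spp=1, bps=4 the product wraps modulo 2^32. */
uint32_t last_pixel_offset_u32(uint32_t width, uint32_t spp, uint32_t bps)
{
    uint32_t bits = (width - 1) * spp * bps;   /* 0xfffffffe * 4 -> 0xfffffff8 */
    return bits / 8;                           /* -> 0x1fffffff, the faulting delta */
}

/* The same quantity computed without truncation; a bounds check must use this. */
uint64_t last_pixel_offset_u64(uint32_t width, uint32_t spp, uint32_t bps)
{
    return ((uint64_t)width - 1) * spp * bps / 8;
}

/* Hardened reverse of one row of big-endian 16-bit samples (read the same way
 * as the faulting expression (src[0] << 8) | src[1]). Before any memory access
 * it rejects a zero width/spp and checks, in 64-bit arithmetic, that the whole
 * row fits in both buffers. Returns 0 on success, -1 when the request is unsafe. */
int reverse_samples16_checked(uint32_t width, uint32_t spp,
                              const uint8_t *ibuff, size_t ibuflen,
                              uint8_t *obuff, size_t obuflen)
{
    const uint64_t bytes_per_sample = 2;
    if (width == 0 || spp == 0 || ibuff == NULL || obuff == NULL)
        return -1;
    uint64_t row_bytes = (uint64_t)width * spp * bytes_per_sample;
    if (row_bytes > ibuflen || row_bytes > obuflen)
        return -1;                              /* row would run off a buffer */

    uint8_t *dst = obuff;
    for (uint32_t col = 0; col < width; col++) {
        /* mirrored pixel position; the samples of one pixel keep their order */
        const uint8_t *src = ibuff + (uint64_t)(width - 1 - col) * spp * bytes_per_sample;
        for (uint32_t s = 0; s < spp; s++) {
            uint16_t v = (uint16_t)((src[0] << 8) | src[1]);
            dst[0] = (uint8_t)(v >> 8);
            dst[1] = (uint8_t)(v & 0xff);
            src += 2;
            dst += 2;
        }
    }
    return 0;
}

/* Runs the crash's values through both offset functions and exercises the
 * guarded reverse on a constructed 3-pixel row. Returns 1 if everything
 * behaved as expected, 0 otherwise. */
int demo(void)
{
    uint32_t off32 = last_pixel_offset_u32(0xffffffffu, 1, 4);
    uint64_t off64 = last_pixel_offset_u64(0xffffffffu, 1, 4);
    printf("wrapped 32-bit offset: 0x%x, true offset: 0x%llx\n",
           (unsigned)off32, (unsigned long long)off64);

    /* constructed row, 1 sample per pixel: 0x0102 0x0304 0x0506 */
    uint8_t in[6]  = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06};
    uint8_t out[6] = {0};
    int ok = reverse_samples16_checked(3, 1, in, sizeof in, out, sizeof out);
    /* the crash's width is refused instead of being dereferenced */
    int rejected = reverse_samples16_checked(0xffffffffu, 1, in, sizeof in, out, sizeof out);
    return (ok == 0 && rejected == -1 && out[0] == 0x05 && out[5] == 0x02) ? 1 : 0;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The point of the check is that the row size is computed in 64 bits from the caller-supplied width before any pointer is formed; a width of 0xffffffff then fails the length comparison instead of producing a small, wrapped offset that looks in-bounds.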
poc: poc.zip

Thanks!!

Edited by p870613