heap-buffer-overflow /home/lin/libtiff/tools/tiffcrop.c:3351:12 in extractContigSamplesShifted16bits
Summary
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lin/libtiff/tools/tiffcrop.c:3351:12 in extractContigSamplesShifted16bits
Version
➜ tiffcrop_test git:(master) ✗ ./tiffcrop -v
Library Release: LIBTIFF, Version 4.3.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcrop version: 2.4, last updated: 12-13-2010
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
: Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
At branch 27f399af (libtiff version)
Steps to reproduce
git clone git@gitlab.com:libtiff/libtiff.git
cd libtiff/
./autogen.sh
./configure CC=gcc CXX=g++ CFLAGS="-g -fsanitize=address" --disable-shared && make
./tools/tiffcrop -i -U in -z 1,1,1,1 ./poc ./out2
Platform
➜ libtiff git:(master) ✗ gcc --version
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
➜ libtiff git:(master) ✗ uname -r
5.4.0-91-generic
➜ libtiff git:(master) ✗ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
- ASAN
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2048 (0x800) encountered.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 3" value failed; tag ignored.
TIFFFetchNormalTag: Warning, Incompatible type for "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "ResolutionUnit"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpretation tag.
TIFFFillStrip: Read error on strip 0; got 316 bytes, expected 952817.
: Strip 1: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 1; got 324 bytes, expected 4263213616.
: Strip 2: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 2; got 324 bytes, expected 4608.
: Strip 3: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 3; got 324 bytes, expected 16777985.
: Strip 4: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 4; got 324 bytes, expected 536870912.
: Strip 5: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 5; got 324 bytes, expected 196608.
: Strip 6: read -1 bytes, strip size 4.
Fax3Decode1D: Warning, Premature EOL at line 0 of strip 6 (got 0, expected 32).
: Strip 7: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 8; got 324 bytes, expected 65539.
: Strip 9: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 9; got 324 bytes, expected 4160946176.
: Strip 10: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 10; got 324 bytes, expected 16973824.
: Strip 11: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 11; got 324 bytes, expected 16777219.
: Strip 12: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 12; got 324 bytes, expected 16777985.
: Strip 13: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 13; got 324 bytes, expected 687865856.
: Strip 14: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 14; got 324 bytes, expected 50331648.
: Strip 15: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 16; got 324 bytes, expected 16253696.
: Strip 17: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 17; got 324 bytes, expected 50397952.
: Strip 18: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 19; got 324 bytes, expected 2048.
: Strip 20: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 20; got 324 bytes, expected 50398720.
: Strip 21: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 21; got 324 bytes, expected 16777985.
: Strip 22: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 22; got 324 bytes, expected 50331648.
: Strip 23: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 23; got 324 bytes, expected 369098752.
: Strip 24: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 24; got 324 bytes, expected 16777985.
: Strip 25: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 25; got 324 bytes, expected 16777216.
: Strip 26: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 26; got 324 bytes, expected 218103808.
: Strip 27: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 27; got 324 bytes, expected 251719169.
: Strip 28: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 28; got 324 bytes, expected 2986344448.
: Strip 29: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 29; got 324 bytes, expected 285212673.
: Strip 30: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 30; got 324 bytes, expected 16778241.
: Strip 31: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 31; got 324 bytes, expected 134217728.
: Strip 32: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 32; got 324 bytes, expected 301989888.
: Strip 33: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 33; got 324 bytes, expected 2687745.
: Strip 34: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 34; got 324 bytes, expected 196608.
: Strip 35: read -1 bytes, strip size 4.
Fax3Decode1D: Warning, Premature EOL at line 0 of strip 35 (got 0, expected 32).
: Strip 36: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 36; got 324 bytes, expected 63491.
: Strip 37: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 37; got 324 bytes, expected 196867.
: Strip 38: read -1 bytes, strip size 4.
Fax3Decode1D: Warning, Premature EOL at line 0 of strip 38 (got 0, expected 32).
: Strip 39: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 39; got 324 bytes, expected 16777224.
: Strip 40: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 40; got 324 bytes, expected 536870912.
ASAN:DEADLYSIGNAL
=================================================================
==25949==ERROR: AddressSanitizer: SEGV on unknown address 0x62d020000379 (pc 0x561b9c95987b bp 0x7ffdc05c17a0 sp 0x7ffdc05c1740 T0)
==25949==The signal is caused by a READ memory access.
#0 0x561b9c95987a in extractContigSamples8bits /home/lin/libtiff/tools/tiffcrop.c:2861
#1 0x561b9c95c69c in extractContigSamplesToTileBuffer /home/lin/libtiff/tools/tiffcrop.c:3688
#2 0x561b9c950b26 in writeBufferToContigTiles /home/lin/libtiff/tools/tiffcrop.c:1314
#3 0x561b9c976815 in writeCroppedImage /home/lin/libtiff/tools/tiffcrop.c:8017
#4 0x561b9c970ae7 in writeSelections /home/lin/libtiff/tools/tiffcrop.c:6949
#5 0x561b9c957818 in main /home/lin/libtiff/tools/tiffcrop.c:2414
#6 0x7f032de1abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#7 0x561b9c94e629 in _start (/home/lin/libtiff/tools/tiffcrop+0x28629)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lin/libtiff/tools/tiffcrop.c:2861 in extractContigSamples8bits
==25949==ABORTING
➜ libtiff git:(master) ✗ ./tools/tiffcrop -i -w 10 -U cm -z 10,10,10,10 ~/id:000571,sig:06,src:002616,op:arg1,rep:2 ./out2
TIFFOpen: /home/lin/id:000571,sig:06,src:002616,op:arg1,rep:2: No such file or directory.
➜ libtiff git:(master) ✗ ./tools/tiffcrop -i -U in -z 1,1,1,1 ~/id:000425,sig:06,src:002567+002846,op:splice,rep:8 ./out2
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 127 (0x7f) encountered.
/home/lin/id:000425,sig:06,src:002567+002846,op:splice,rep:8: Warning, Nonstandard tile length 65293, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 25152 (0x6240) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
OJPEGSetupDecode: Warning, Deprecated and troublesome old-style JPEG compression mode, please convert to new-style JPEG compression and notify vendor of writing software.
=================================================================
==26302==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000091 at pc 0x55ab2fa25228 bp 0x7ffd4cb856d0 sp 0x7ffd4cb856c0
WRITE of size 1 at 0x602000000091 thread T0
#0 0x55ab2fa25227 in extractContigSamplesShifted16bits /home/lin/libtiff/tools/tiffcrop.c:3351
#1 0x55ab2fa39323 in extractCompositeRegions /home/lin/libtiff/tools/tiffcrop.c:6433
#2 0x55ab2fa3d368 in processCropSelections /home/lin/libtiff/tools/tiffcrop.c:7458
#3 0x55ab2fa21681 in main /home/lin/libtiff/tools/tiffcrop.c:2396
#4 0x7f25f5ac9bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#5 0x55ab2fa18629 in _start (/home/lin/libtiff/tools/tiffcrop+0x28629)
0x602000000091 is located 0 bytes to the right of 1-byte region [0x602000000090,0x602000000091)
allocated by thread T0 here:
#0 0x7f25f6bceb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x55ab2fab40b3 in _TIFFmalloc /home/lin/libtiff/libtiff/tif_unix.c:314
#2 0x55ab2fa187dd in limitMalloc /home/lin/libtiff/tools/tiffcrop.c:627
#3 0x55ab2fa3d0c7 in processCropSelections /home/lin/libtiff/tools/tiffcrop.c:7430
#4 0x55ab2fa21681 in main /home/lin/libtiff/tools/tiffcrop.c:2396
#5 0x7f25f5ac9bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lin/libtiff/tools/tiffcrop.c:3351 in extractContigSamplesShifted16bits
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 00 fa fa fd fd fa fa fd fa fa fa 00 fa
=>0x0c047fff8010: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==26302==ABORTING
poc: poc.zip
Thanks !!