libtiff / libtiff · Issues · #362

AddressSanitizer: undefined-behavior tif_dirread.c:4176:40 in TIFFReadDirectory function

Summary

Null pointer passed as an argument to memcpy in the TIFFReadDirectory function in tools/tif_dirread.c:4176:40, resulting in a Denial of Service when a crafted TIFF image is parsed by the library.

libtiff version: 4.3.0, downloaded from https://download.osgeo.org/libtiff/tiff-4.3.0.zip

Steps to reproduce

tiff-4.3.0.zip downloaded from https://download.osgeo.org/libtiff/tiff-4.3.0.zip

Compile the library with the AFL compiler wrapper (LLVM instrumentation) with ASan and UBSan enabled, as shown below:

CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-g -fsanitize=address,undefined -fno-sanitize-recover=all" CXXFLAGS="-g -fsanitize=address,undefined -fno-sanitize-recover=all" LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -lm" ./configure --disable-shared

OR

CC=gcc CXX=g++ CFLAGS="-g -fsanitize=address,undefined -fno-sanitize-recover=all" CXXFLAGS="-g -fsanitize=address,undefined -fno-sanitize-recover=all" LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -lm" ./configure --disable-shared

Execute the tiffinfo binary with the following options and the crafted TIFF PoC image: ./tiffinfo -f lsb2msb -Dcdjrsz crash.tif

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.

TIFFReadDirectory: Warning, Unknown field with tag 18770 (0x4952) encountered.

TIFFFetchNormalTag: Warning, Incorrect count for "PhotometricInterpretation"; tag ignored.

TIFFFetchNormalTag: Warning, Incorrect value for "DateTime"; tag ignored.

TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..

tif_dirread.c:4176:40: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here

SUMMARY: AddressSanitizer: undefined-behavior tif_dirread.c:4176:40

/* tif_dirread.c:4176: td_sampleinfo is the NULL argument 2 reported by UBSan */
memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16_t));
_TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
_TIFFfree(new_sampleinfo);

Debugging information and PoC file attached: debugging_information, crash.zip

Platform

Ubuntu 20.04 LTS, 64-bit. Compiler used: afl-clang-fast and afl-clang-fast++ with ASan and UBSan enabled, using the compilation command shown above.

Edited Feb 04, 2022 by Chintan Shah
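As an added illustration (not libtiff's code, and not part of the original report): the grow-and-copy pattern quoted in the report, reduced to a stand-alone C program. The unguarded version reproduces the condition UBSan reports, memcpy() called with a NULL source pointer and a zero length. That is what happens when no ExtraSamples tag has been read (count 0, array pointer NULL) and the directory reader then has to define extra channels, which is consistent with the "Defining non-color channels as ExtraSamples" warning printed just before the sanitizer message. The guarded version copies only when there is an existing array. The names here (sample_dir, grow_sampleinfo_unsafe, grow_sampleinfo_safe, would_memcpy_null, run_checks) are hypothetical stand-ins for the libtiff fields and are not libtiff API.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two TIFFDirectory fields involved in the
 * report (td_extrasamples / td_sampleinfo). Not libtiff's type. */
typedef struct {
    uint16_t  extrasamples; /* entries currently held in sampleinfo */
    uint16_t *sampleinfo;   /* stays NULL while no ExtraSamples tag has been read */
} sample_dir;

/* Pattern as reported: the old array is always memcpy()'d, so when no
 * ExtraSamples tag was present (count 0, pointer NULL) this becomes
 * memcpy(dst, NULL, 0). glibc declares memcpy's pointer arguments nonnull,
 * so -fsanitize=undefined aborts here even though nothing is copied. */
static int grow_sampleinfo_unsafe(sample_dir *d, uint16_t new_count)
{
    uint16_t old_count = d->extrasamples;
    if (new_count <= old_count)
        return 0;
    uint16_t *grown = calloc(new_count, sizeof *grown);
    if (grown == NULL)
        return -1;
    memcpy(grown, d->sampleinfo, old_count * sizeof *grown); /* UB if sampleinfo == NULL */
    free(d->sampleinfo);
    d->sampleinfo = grown;
    d->extrasamples = new_count;
    return 0;
}

/* Hardened form: copy only when there is an old array to copy from. New
 * entries come back zeroed (EXTRASAMPLE_UNSPECIFIED in TIFF terms) either way. */
static int grow_sampleinfo_safe(sample_dir *d, uint16_t new_count)
{
    uint16_t old_count = d->extrasamples;
    if (new_count <= old_count)
        return 0;
    uint16_t *grown = calloc(new_count, sizeof *grown);
    if (grown == NULL)
        return -1;
    if (old_count > 0 && d->sampleinfo != NULL)
        memcpy(grown, d->sampleinfo, old_count * sizeof *grown);
    free(d->sampleinfo);
    d->sampleinfo = grown;
    d->extrasamples = new_count;
    return 0;
}

/* Returns 1 if growing d with the unguarded pattern would pass NULL to memcpy. */
static int would_memcpy_null(const sample_dir *d, uint16_t new_count)
{
    return new_count > d->extrasamples && d->sampleinfo == NULL;
}

static void sample_dir_free(sample_dir *d)
{
    free(d->sampleinfo);
    d->sampleinfo = NULL;
    d->extrasamples = 0;
}

/* Exercises both versions on a constructed directory that starts with no
 * ExtraSamples (the reported condition). Returns 0 on success, otherwise the
 * number of the first failing check. */
static int run_checks(void)
{
    sample_dir d = { 0, NULL };
    if (!would_memcpy_null(&d, 2)) return 1;                         /* reported condition */
    if (grow_sampleinfo_safe(&d, 2) != 0 || d.extrasamples != 2) return 2;
    if (d.sampleinfo[0] != 0 || d.sampleinfo[1] != 0) return 3;      /* zero-filled */
    d.sampleinfo[0] = 2;                                             /* EXTRASAMPLE_ASSOCALPHA */
    if (would_memcpy_null(&d, 3)) return 4;                          /* array exists now */
    if (grow_sampleinfo_unsafe(&d, 3) != 0 || d.extrasamples != 3) return 5; /* defined: src non-NULL */
    if (d.sampleinfo[0] != 2 || d.sampleinfo[2] != 0) return 6;      /* old entry preserved */
    if (grow_sampleinfo_safe(&d, 1) != 0 || d.extrasamples != 3) return 7;   /* never shrinks */
    sample_dir_free(&d);
    return 0;
}

int main(void)
{
    sample_dir d = { 0, NULL }; /* constructed: no ExtraSamples tag read yet */
    printf("unguarded memcpy would get a NULL source: %s\n",
           would_memcpy_null(&d, 2) ? "yes" : "no");
    if (grow_sampleinfo_safe(&d, 2) != 0)
        return 1;
    printf("grown to %u entries: [%u, %u]\n", d.extrasamples,
           d.sampleinfo[0], d.sampleinfo[1]);
    sample_dir_free(&d);
    return run_checks();
}
```

Build this with -fsanitize=undefined and call grow_sampleinfo_unsafe() on the empty directory to get the same nonnull-attribute report as in the issue; with the guard, the same input yields a zero-filled array and no report. Because the nonnull annotation makes the call undefined regardless of length, a zero-length check on its own is not a fix: the memcpy has to be gated on the source pointer (or on a count that implies the pointer is present).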