Heap Buffer Overflow (Out of Bounds Heap Memory Read) in /tiff-4.3.0/tools/tiffinfo.c:430:8 in TIFFReadRawDataStriped function
Summary
There is an out-of-bounds heap memory read in the TIFFReadRawDataStriped function at /tiff-4.3.0/tools/tiffinfo.c:430:8 when the library processes a corrupted TIFF image file. This is a security issue that can result in an information leak from memory outside the allocated buffer.
Version
libtiff version 4.3.0, downloaded from https://download.osgeo.org/libtiff/tiff-4.3.0.zip
Steps to reproduce
Download libtiff version 4.3.0 from the above site and compile it with gcc with AddressSanitizer (ASAN) enabled, using the following command:
CC=gcc CXX=g++ CFLAGS="-g -fsanitize=address -fno-sanitize-recover=all" CXXFLAGS="-g -fsanitize=address -fno-sanitize-recover=all" LDFLAGS="-fsanitize=address -fno-sanitize-recover=all -lm" ./configure --disable-shared
The binaries are compiled in the /tiff-4.3.0/tools directory. Execute the tiffinfo binary there with the following command:
/tiff-4.3.0/tools# tiffinfo -f lsb2msb -Dcdjrsz poc.tiff
This will crash the tiffinfo binary:
==3920115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000258 at pc 0x00000034dae4 bp 0x7fffffffe150 sp 0x7fffffffe148
READ of size 8 at 0x602000000258 thread T0
0x34dae3 in TIFFReadRawDataStriped /home/targets/tiff-4.3.0/tools/tiffinfo.c:430:8
0x34dae3 in TIFFReadRawData /home/targets/tiff-4.3.0/tools/tiffinfo.c:520:3
0x34bd0e in tiffinfo /home/targets/tiff-4.3.0/tools/tiffinfo.c:535:4
0x34b1cf in main /home/targets/tiff-4.3.0/tools/tiffinfo.c:159:6
0x7ffff7c2d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
0x29d63d in _start (/usr/local/bin/tiffinfo+0x29d63d)
Platform
Ubuntu 20.4 LTS, 64-bit. Compiler used: gcc and g++ with ASAN (AddressSanitizer) enabled, using the compilation command given above.