Skip to content

/tools/tiffcrop.c:8322 - Heap buffer overflow in rotateContigSamples24bits

Summary - (Summarize the bug encountered concisely)

There is a Heap buffer overflow in /tools/tiffcrop.c:8322 in rotateContigSamples24bits function

Version

root@ubuntu:/home/tlibtiff/tools# ./tiffcrop -v
Library Release: LIBTIFF, Version 4.3.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcrop version: 2.4, last updated: 12-13-2010
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
           : Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde

Steps to reproduce - (How one can reproduce the issue - this is very important)

Clone the latest source from the gitlab repository - git clone https://gitlab.com/libtiff/libtiff.git
cd libtiff

compile the source using the following command :  

CC=gcc CXX=g++ CFLAGS="-ggdb -fsanitize=address,undefined -fno-sanitize-recover=all" CXXFLAGS="-ggdb -fsanitize=address,undefined -fno-sanitize-recover=all" LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -lm" ./configure --disable-shared

Reproduce the crash with the following commmand :  

./tiffcrop -i -E l -H 10 -V 10 -S 8:4 -R 270 poc.tif a.tif

Platform - (Operating system, architecture, compiler details)

gcc --version
gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

uname -r
5.13.0-28-generic

uname -a
Linux ubuntu 5.13.0-28-generic #31~20.04.1-Ubuntu SMP Wed Jan 19 14:08:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux


lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.3 LTS
Release:	20.04
Codename:	focal
  • AddressSanitizer logs ( ASAN )

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
TIFFFetchNormalTag: Warning, Incompatible type for "SubIFD"; tag ignored.
TIFFFetchNormalTag: Warning, incorrect count for field "PageNumber", expected 2, got 240.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
PredictorSetup: Horizontal differencing "Predictor" not supported with 1-bit samples.
=================================================================
==3072446==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000111 at pc 0x5645942e9ca1 bp 0x7ffc752e2770 sp 0x7ffc752e2760
READ of size 4 at 0x602000000111 thread T0
    #0 0x5645942e9ca0 in rotateContigSamples24bits /home/targets/libtiff/tools/tiffcrop.c:8322
    #1 0x5645942fa085 in rotateImage /home/targets/libtiff/tools/tiffcrop.c:8675
    #2 0x5645942e202f in createCroppedImage /home/targets/libtiff/tools/tiffcrop.c:7771
    #3 0x5645942e202f in main /home/targets/libtiff/tools/tiffcrop.c:2404
    #4 0x7f6e4b6680b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #5 0x5645942e64ed in _start (/home/targets/libtiff/tools/tiffcrop+0x324ed)

0x602000000114 is located 0 bytes to the right of 4-byte region [0x602000000110,0x602000000114)
allocated by thread T0 here:
    #0 0x7f6e4baabbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x5645942f81c1 in rotateImage /home/targets/libtiff/tools/tiffcrop.c:8479

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/targets/libtiff/tools/tiffcrop.c:8322 in rotateContigSamples24bits
Shadow bytes around the buggy address:
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa 04 fa fa fa fd fa
  0x0c047fff8010: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa fd fa
=>0x0c047fff8020: fa fa[04]fa fa fa 04 fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3072446==ABORTING

```[poc.zip](/uploads/e3c1b7d35fbb9e8f44b48f6f7fbaa0f2/poc.zip)
Edited by Chintan Shah