AddressSanitizer: Null Pointer Dereference in tif_unix.c:346
Summary
std::memcpy is being called when const void* src is NULL. In this case, it's s=0x0 according to _TIFFmemcpy (d=0x85a750, s=0x0, c=0) at tif_unix.c:346. In tif_dirread.c:5094, it calls _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count) without checking the variable data.
(gdb) frame 1
#1 0x0000000000482f8e in TIFFFetchNormalTag (tif=0x859e90, dp=0x85a550, recover=1) at tif_dirread.c:5094
5094 _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
(gdb) list 5090
5085 o=NULL;
5086 else
5087 o=_TIFFmalloc((uint32_t)dp->tdir_count + 1);
5088 if (o==NULL)
5089 {
5090 if (data!=NULL)
5091 _TIFFfree(data);
5092 return(0);
5093 }
5094 _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
(gdb) p data
$1 = (uint8_t *) 0x0
Maybe a check like if(o==NULL || data==NULL) can be added in line 5088?
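As an added example (not the reporter's code and not libtiff's own fix), this is the guarded form the suggestion above points at, written as a hypothetical stand-in for the ASCII branch shown in the listing: the NULL check on data is done before the allocation, so the error path leaks nothing and memcpy is never reached with a NULL source.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the ASCII branch of TIFFFetchNormalTag in the gdb
 * listing: `data` holds `count` raw bytes from the directory entry and, as in
 * the crash, may be NULL when count is 0.  Returns a fresh NUL-terminated
 * copy or NULL on error; `data` is released in every path. */
static uint8_t *copy_ascii_tag(uint8_t *data, uint32_t count)
{
    uint8_t *o;

    /* Reject a NULL source before allocating: memcpy with a NULL pointer is
     * undefined even for length 0 (C11 7.24.1p2), which is what UBSan
     * trapped on, and checking first avoids leaking `o` on the error path. */
    if (data == NULL)
        return NULL;
    if (count == UINT32_MAX) {      /* count + 1 would wrap on 32-bit size_t */
        free(data);
        return NULL;
    }
    o = malloc((size_t)count + 1);
    if (o == NULL) {
        free(data);
        return NULL;
    }
    memcpy(o, data, count);
    o[count] = 0;
    free(data);
    return o;
}

/* Constructed inputs: a 2-byte tag without a NUL (count = 2) and the
 * zero-length case from the report.  Returns 1 if both behave as expected. */
static int selftest(void)
{
    uint8_t *src = malloc(2);
    uint8_t *out;
    int ok;
    if (src == NULL) return 0;
    memcpy(src, "ab", 2);
    out = copy_ascii_tag(src, 2);               /* takes ownership of src */
    ok = out != NULL && strcmp((char *)out, "ab") == 0;
    free(out);
    ok = ok && copy_ascii_tag(NULL, 0) == NULL; /* no memcpy(o, NULL, 0) */
    return ok;
}

int main(void) { return selftest() ? 0 : 1; }
```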
Version
libtiff 4.3.0 (commit 180882b4)
Steps to reproduce
- ./configure CC=clang-12 CXX=clang++-12 CFLAGS="-g -fsanitize=undefined -fsanitize-undefined-trap-on-error -fno-sanitize-recover=all -fno-omit-frame-pointer -Wall -W" --disable-shared
- compile, then run tiff2pdf under gdb:
(gdb) set args POC
(gdb) r
Backtrace
Program received signal SIGILL, Illegal instruction.
0x00000000006130a9 in _TIFFmemcpy (d=0x85a750, s=0x0, c=0) at tif_unix.c:346
346 memcpy(d, s, (size_t) c);
(gdb) bt
#0 0x00000000006130a9 in _TIFFmemcpy (d=0x85a750, s=0x0, c=0) at tif_unix.c:346
#1 0x0000000000482f8e in TIFFFetchNormalTag (tif=0x859e90, dp=0x85a550, recover=1) at tif_dirread.c:5094
#2 0x00000000004798c0 in TIFFReadDirectory (tif=0x859e90) at tif_dirread.c:3996
#3 0x00000000005b78b9 in TIFFClientOpen (name=0x7fffffffe648 "POC", mode=0x625070 "r", clientdata=0x3, readproc=0x612760 <_tiffReadProc>, writeproc=0x6128e0 <_tiffWriteProc>, seekproc=0x612a60 <_tiffSeekProc>,
closeproc=0x612b00 <_tiffCloseProc>, sizeproc=0x612b30 <_tiffSizeProc>, mapproc=0x612be0 <_tiffMapProc>, unmapproc=0x612d20 <_tiffUnmapProc>) at tif_open.c:484
#4 0x00000000006126d4 in TIFFFdOpen (fd=3, name=0x7fffffffe648 "POC", mode=0x625070 "r") at tif_unix.c:209
#5 0x0000000000612eeb in TIFFOpen (name=0x7fffffffe648 "POC", mode=0x625070 "r") at tif_unix.c:248
#6 0x00000000004040d9 in main (argc=2, argv=0x7fffffffe388) at tiff2pdf.c:766
Platform
18.04.1-Ubuntu x86_64 GNU/Linux