libtiff issue #383 (Closed)
Issue created Feb 17, 2022 by chung yi Lin @daniel810736

AddressSanitizer: Null Pointer Dereference in tif_unix.c:346

Summary

std::memcpy is being called when const void* src is NULL. In this case, it's s=0x0 according to TIFFmemcpy (d=0x85a750, s=0x0, c=0) at tif_unix.c:346. In tif_dirread.c:5094, it calls _TIFFmemcpy(o,data,(uint32_t)dp->tdir_count) without checking the variable data.

(gdb) frame 1
#1  0x0000000000482f8e in TIFFFetchNormalTag (tif=0x859e90, dp=0x85a550, recover=1) at tif_dirread.c:5094
5094							_TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
(gdb) list 5090
5085								o=NULL;
5086							else
5087								o=_TIFFmalloc((uint32_t)dp->tdir_count + 1);
5088							if (o==NULL)
5089							{
5090								if (data!=NULL)
5091									_TIFFfree(data);
5092								return(0);
5093							}
5094							_TIFFmemcpy(o,data,(uint32_t)dp->tdir_count);
(gdb) p data
$1 = (uint8_t *) 0x0

Maybe a check like if (o==NULL || data==NULL) can be added in line 5088?

Version

libtiff 4.3.0 (commit 180882b4)

Steps to reproduce

  1. ./configure CC=clang-12 CXX=clang++-12 CFLAGS="-g -fsanitize=undefined -fsanitize-undefined-trap-on-error -fno-sanitize-recover=all -fno-omit-frame-pointer -Wall -W" --disable-shared compile
  2. gdb tiff2pdf
  3. (gdb) set args POC
  4. (gdb) r

POC

Backtrace

Program received signal SIGILL, Illegal instruction.
0x00000000006130a9 in _TIFFmemcpy (d=0x85a750, s=0x0, c=0) at tif_unix.c:346
346		memcpy(d, s, (size_t) c);
(gdb) bt
#0  0x00000000006130a9 in _TIFFmemcpy (d=0x85a750, s=0x0, c=0) at tif_unix.c:346
#1  0x0000000000482f8e in TIFFFetchNormalTag (tif=0x859e90, dp=0x85a550, recover=1) at tif_dirread.c:5094
#2  0x00000000004798c0 in TIFFReadDirectory (tif=0x859e90) at tif_dirread.c:3996
#3  0x00000000005b78b9 in TIFFClientOpen (name=0x7fffffffe648 "POC", mode=0x625070 "r", clientdata=0x3, readproc=0x612760 <_tiffReadProc>, writeproc=0x6128e0 <_tiffWriteProc>, seekproc=0x612a60 <_tiffSeekProc>, 
    closeproc=0x612b00 <_tiffCloseProc>, sizeproc=0x612b30 <_tiffSizeProc>, mapproc=0x612be0 <_tiffMapProc>, unmapproc=0x612d20 <_tiffUnmapProc>) at tif_open.c:484
#4  0x00000000006126d4 in TIFFFdOpen (fd=3, name=0x7fffffffe648 "POC", mode=0x625070 "r") at tif_unix.c:209
#5  0x0000000000612eeb in TIFFOpen (name=0x7fffffffe648 "POC", mode=0x625070 "r") at tif_unix.c:248
#6  0x00000000004040d9 in main (argc=2, argv=0x7fffffffe388) at tiff2pdf.c:766

Platform

18.04.1-Ubuntu x86_64 GNU/Linux
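As an added example (not libtiff's code and not part of the reporter's post), here is a small C model of the tag-fetch path at tif_dirread.c:5085-5094 with the reporter's suggested guard applied, showing why the guard must cover data as well as o even when tdir_count is 0. The names tag_copy_guarded, rejects_null_data and copies_valid_data are hypothetical, and the sample tag bytes are constructed.

```c
/* Added example, not libtiff code: models the tag-fetch copy with the
 * proposed "if (o==NULL || data==NULL)" guard. Helper names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Copy `count` bytes of tag data into a fresh NUL-terminated buffer.
 * Returns NULL on failure (allocation failed or no data available), so a
 * caller can fail the tag fetch the way the original `return(0)` does. */
char *tag_copy_guarded(const uint8_t *data, uint32_t count)
{
    /* Mirrors "o=_TIFFmalloc((uint32_t)dp->tdir_count + 1)"; the +1 leaves
     * room for the terminating NUL. */
    char *o = malloc((size_t)count + 1);

    /* The reporter's proposed check. The C standard requires memcpy's pointer
     * arguments to be valid even when the size is 0, and glibc declares
     * memcpy nonnull, so UBSan's nonnull-attribute check traps at
     * tif_unix.c:346 for (d, s=NULL, c=0). Bail out before the copy. */
    if (o == NULL || data == NULL) {
        free(o);            /* free(NULL) is a defined no-op */
        return NULL;
    }
    memcpy(o, data, (size_t)count);
    o[count] = '\0';
    return o;
}

/* The sanitizer-triggering case from the report: data == NULL, count == 0.
 * Returns 1 if the guard rejected it instead of reaching memcpy. */
int rejects_null_data(void)
{
    return tag_copy_guarded(NULL, 0) == NULL;
}

/* Normal case: tag bytes are copied and NUL-terminated. Returns 1 on success. */
int copies_valid_data(void)
{
    static const uint8_t sample[] = { 'I', 'm', 'a', 'g', 'e' }; /* constructed */
    char *o = tag_copy_guarded(sample, (uint32_t)sizeof sample);
    int ok = (o != NULL) && (strcmp(o, "Image") == 0);
    free(o);
    return ok;
}
```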
