tiffcp: Assertion failed in TIFFReadAndRealloc, tif_read.c:99
Summary
There is a reachable assertion-failed crash in _TIFFReadAndRealloc, tif_read.c:99. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. Note that this crash is different from #377 (closed)
Version
573e0252 (Sun Feb 20 14:47:49 2022 +0100)
Steps to reproduce
$ tiffcp poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65046 (0xfe16) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 53693 (0xd1bd) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2449 (0x991) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 52970 (0xceea) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "Model" does not end in null byte.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, ASCII value for tag "Tag 65046" does not end in null byte. Forcing it to be null.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
Fax4Decode: Warning, Line length mismatch at line 1 of strip 0 (got 60704, expected 60703).
Fax4Decode: Warning, Line length mismatch at line 3 of strip 0 (got 60704, expected 60703).
Fax4Decode: Bad code word at line 6 of strip 0 (x 6).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 6, expected 60703).
Fax4Decode: Bad code word at line 6 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 8, expected 60703).
Fax4Decode: Uncompressed data (not supported) at line 6 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
Fax4Decode: Uncompressed data (not supported) at line 6 of strip 0 (x 60700).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 60700, expected 60703).
Fax4Decode: Uncompressed data (not supported) at line 6 of strip 0 (x 60700).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 60700, expected 60703).
Fax4Decode: Warning, Line length mismatch at line 6 of strip 0 (got 60704, expected 60703).
Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 54).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 54, expected 60703).
Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 4 (0x4) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 5 (0x5) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 55941 (0xda85) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 51248 (0xc830) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 31350 (0x7a76) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59310 (0xe7ae) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 436 (0x1b4) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 64790 (0xfd16) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2048 (0x800) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6010 (0x177a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 60138 (0xeaea) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16384 (0x4000) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59904 (0xea00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8832 (0x2280) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 24655 (0x604f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 62085 (0xf285) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59152 (0xe710) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 27651 (0x6c03) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 392 (0x188) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 769 (0x301) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 38573 (0x96ad) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 60159 (0xeaff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6144 (0x1800) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12076 (0x2f2c) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 5327 (0x14cf) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8289 (0x2061) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 34828 (0x880c) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 31820 (0x7c4c) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 62632 (0xf4a8) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12006 (0x2ee6) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 50183 (0xc407) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3840 (0xf00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16 (0x10) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 31365 (0x7a85) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 252 (0xfc) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 30069 (0x7575) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 18763 (0x494b) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3505 (0xdb1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 9 (0x9) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1002 (0x3ea) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 770 (0x302) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59925 (0xea15) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 18761 (0x4949) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32768 (0x8000) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 58339 (0xe3e3) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 4"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 3"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 5"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect value for "Model"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 436"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 16384"; tag ignored.
TIFFReadDirectory: Warning, Ignoring ColorMap because BitsPerSample=48>24.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 1" value failed; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "DateTime" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 2"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 58339"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
tiffcp: tif_read.c:99: TIFFReadAndRealloc: Assertion `(tif->tif_flags & TIFF_MYBUFFER) != 0' failed.
AbortedPlatform
``` $ uname -a Linux wdw-Precision-Tower-3620 5.13.0-27-generic #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux # MUST install the libjbig support! $ sudo apt install -y libjbig-dev $ CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --disable-shared $ make -j;make install; make clean ```