/tools/tiffcrop.c:3416 - Heap buffer overflow in ExtractContigSamplesShifted24Bits
Summary -(Summarize the bug encountered concisely)
There is a Heap buffer overflow in /tools/tiffcrop.c:3416 in ExtractContigSampleShifted24Bits
Version - (libtiff version)
root@ubuntu:/home/tlibtiff/tools# ./tiffcrop -v
Library Release: LIBTIFF, Version 4.3.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcrop version: 2.4, last updated: 12-13-2010
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
: Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
Steps to reproduce - (How one can reproduce the issue - this is very important)
Clone the latest source from the gitlab repository - git clone https://gitlab.com/libtiff/libtiff.git
cd libtiff
compile the source using the following command :
CC=gcc CXX=g++ CFLAGS="-ggdb -fsanitize=address,undefined -fno-sanitize-recover=all" CXXFLAGS="-ggdb -fsanitize=address,undefined -fno-sanitize-recover=all" LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -lm" ./configure --disable-shared
Reproduce the crash with the following commmand :
/tiffcrop -i -E t -Z 0:0,1:1 -e c -F both poc.tif a.tif
Platform - (Operating system, architecture, compiler details)
gcc --version
gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
uname -r
5.13.0-28-generic
uname -a
Linux ubuntu 5.13.0-28-generic #31~20.04.1-Ubuntu SMP Wed Jan 19 14:08:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
- Address Sanitizer
TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
TIFFAdvanceDirectory: Error fetching directory count.
PredictorSetup: "Predictor" value 65282 not supported.
=================================================================
==21835==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000132 at pc 0x55e9d1bc2b37 bp 0x7fffccb44530 sp 0x7fffccb44520
READ of size 4 at 0x602000000132 thread T0
#0 0x55e9d1bc2b36 in extractContigSamplesShifted24bits /home/targets/libtiff/tools/tiffcrop.c:3416
#1 0x55e9d1bc8b36 in extractCompositeRegions /home/targets/libtiff/tools/tiffcrop.c:6468
#2 0x55e9d1bc8b36 in processCropSelections /home/targets/libtiff/tools/tiffcrop.c:7483
#3 0x55e9d1b9c472 in main /home/targets/libtiff/tools/tiffcrop.c:2396
#4 0x7f2868d190b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#5 0x55e9d1ba54ed in _start (/home/targets/libtiff/tools/tiffcrop+0x324ed)
0x602000000135 is located 0 bytes to the right of 5-byte region [0x602000000130,0x602000000135)
allocated by thread T0 here:
#0 0x7f286915cbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55e9d1bb71c1 in rotateImage /home/targets/libtiff/tools/tiffcrop.c:8479
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/targets/libtiff/tools/tiffcrop.c:3416 in extractContigSamplesShifted24bits
Shadow bytes around the buggy address:
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8010: fa fa fd fa fa fa 00 fa fa fa fd fa fa fa 00 fa
=>0x0c047fff8020: fa fa fd fa fa fa[05]fa fa fa 06 fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==21835==ABORTING
[poc.zip](/uploads/35a857ddd9a4d7ee8d57e7d48f3ccc80/poc.zip)