tiffcrop: heap-buffer-overflow in _TIFFmemcpy, tif_unix.c:346
Summary
There is a heap buffer overflow in _TIFFmemcpy in libtiff/tif_unix.c:346. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.
Version
LIBTIFF, Version 4.3.0, commit id 5e180045 (Fri Feb 25 10:38:31 2022 +0000)
Steps to reproduce
# CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared
# make -j; make install; make clean
# ./build_asan/bin/tiffcrop -H 341 poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 9216 (0x2400) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 501 (0x1f5) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "InkNames" does not end in null byte. Forcing it to be null.
TIFFSetField: poc_tiffcrop/00003: Invalid InkNames value; expecting 1281 names, found 1.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 501"; tag ignored.
TIFFFetchNormalTag: Warning, Incompatible type for "NumberOfInks"; tag ignored.
TIFFFetchNormalTag: Warning, Incompatible type for "Orientation"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpretation tag.
Fax4Decode: Warning, Line length mismatch at line 0 of strip 0 (got 21, expected 20).
Fax4Decode: Warning, Line length mismatch at line 1 of strip 0 (got 26, expected 20).
Fax4Decode: Warning, Line length mismatch at line 2 of strip 0 (got 26, expected 20).
Fax4Decode: Warning, Line length mismatch at line 3 of strip 0 (got 26, expected 20).
Fax4Decode: Warning, Line length mismatch at line 4 of strip 0 (got 21, expected 20).
Fax4Decode: Warning, Line length mismatch at line 5 of strip 0 (got 913, expected 20).
Fax4Decode: Warning, Line length mismatch at line 6 of strip 0 (got 26, expected 20).
Fax4Decode: Warning, Line length mismatch at line 7 of strip 0 (got 27, expected 20).
Fax4Decode: Warning, Line length mismatch at line 8 of strip 0 (got 49, expected 20).
Fax4Decode: Warning, Line length mismatch at line 10 of strip 0 (got 25, expected 20).
Fax4Decode: Warning, Line length mismatch at line 14 of strip 0 (got 21, expected 20).
Fax4Decode: Bad code word at line 21 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 21 of strip 0 (got 0, expected 20).
=================================================================
==1931320==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f54f2e679e3 at pc 0x7f54f1deb733 bp 0x7fff10604340 sp 0x7fff10603ae8
READ of size 3202 at 0x7f54f2e679e3 thread T0
#0 0x7f54f1deb732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
#1 0x55b80c4a7831 in _TIFFmemcpy /root/programs/libtiff/libtiff/tif_unix.c:346
#2 0x55b80c42d8c5 in extractImageSection /root/programs/libtiff/tools/tiffcrop.c:6854
#3 0x55b80c42ec8f in writeImageSections /root/programs/libtiff/tools/tiffcrop.c:7103
#4 0x55b80c414e78 in main /root/programs/libtiff/tools/tiffcrop.c:2451
#5 0x7f54f0d4bbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#6 0x55b80c40b869 in _start (/root/programs/libtiff/build_asan/bin/tiffcrop+0x28869)
0x7f54f2e679e3 is located 0 bytes to the right of 512483-byte region [0x7f54f2dea800,0x7f54f2e679e3)
allocated by thread T0 here:
#0 0x7f54f1e50b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x55b80c4a775f in _TIFFmalloc /root/programs/libtiff/libtiff/tif_unix.c:314
#2 0x55b80c40ba1d in limitMalloc /root/programs/libtiff/tools/tiffcrop.c:627
#3 0x55b80c42adab in loadImage /root/programs/libtiff/tools/tiffcrop.c:6210
#4 0x55b80c41475e in main /root/programs/libtiff/tools/tiffcrop.c:2374
#5 0x7f54f0d4bbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Shadow bytes around the buggy address:
0x0feb1e5c4ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feb1e5c4ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feb1e5c4f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feb1e5c4f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feb1e5c4f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0feb1e5c4f30: 00 00 00 00 00 00 00 00 00 00 00 00[03]fa fa fa
0x0feb1e5c4f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feb1e5c4f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feb1e5c4f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feb1e5c4f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0feb1e5c4f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1931320==ABORTINGPlatform
# uname -a
Linux 4a409ce47130 5.4.0-70-generic #78~18.04.1-Ubuntu SMP Sat Mar 20 14:10:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux