tiffcrop: SEGV in _TIFFmemset, tif_unix.c:340
Summary
There is a SEGV in _TIFFmemset at libtiff/tif_unix.c:340. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted TIFF file.
Version
LIBTIFF, Version 4.3.0, commit id 5e180045 (Fri Feb 25 10:38:31 2022 +0000)
Steps to reproduce
# CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared
# make -j; make install; make clean
# ./build_asan/bin/tiffcrop -H 341 poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 77 (0x4d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 501 (0x1f5) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 11345 (0x2c51) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 18761 (0x4949) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1536 (0x600) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65328 (0xff30) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 63231 (0xf6ff) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "NumberOfInks"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "PageName" does not end in null byte.
TIFFAdvanceDirectory: Error fetching directory link.
loadImage: Image lacks Photometric interpretation tag.
Fax4Decode: Warning, Line length mismatch at line 0 of strip 0 (got 133, expected 132).
Fax4Decode: Warning, Premature EOL at line 2 of strip 0 (got 20, expected 132).
MemoryLimitError: allocation of 271321920 bytes is forbidden. Limit is 268435456.
use -k option to change limit.
ASAN:DEADLYSIGNAL
=================================================================
==3830458==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1b9e7efe6d bp 0x7fff13c13c00 sp 0x7fff13c13378 T0)
==3830458==The signal is caused by a WRITE memory access.
==3830458==Hint: address points to the zero page.
#0 0x7f1b9e7efe6c (/lib/x86_64-linux-gnu/libc.so.6+0x18ee6c)
#1 0x7f1b9f707cde (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ecde)
#2 0x5614b85ff803 in _TIFFmemset /root/programs/libtiff/libtiff/tif_unix.c:340
#3 0x5614b8588197 in createImageSection /root/programs/libtiff/tools/tiffcrop.c:7410
#4 0x5614b8586c05 in writeImageSections /root/programs/libtiff/tools/tiffcrop.c:7096
#5 0x5614b856ce78 in main /root/programs/libtiff/tools/tiffcrop.c:2451
#6 0x7f1b9e682bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#7 0x5614b8563869 in _start (/root/programs/libtiff/build_asan/bin/tiffcrop+0x28869)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18ee6c)
==3830458==ABORTING
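The trace shows a WRITE to address 0 inside _TIFFmemset immediately after the memory limit refused a 271321920-byte allocation. The following is an added example, not libtiff's code: a hypothetical section-buffer setup that checks the size computation for overflow and the allocation result before calling memset, so a refused allocation is reported as an error instead of reaching memset with a NULL pointer. The allocator, the function names and the sample dimensions are assumptions; only the 256 MiB limit comes from the log.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MEM_LIMIT_BYTES 268435456ULL  /* the 256 MiB limit printed in the log */

/* Hypothetical limit-aware allocator (assumption, not libtiff's): returns
 * NULL when the request exceeds the cap, mirroring the log's MemoryLimitError. */
static void *limited_malloc(uint64_t nbytes, uint64_t limit)
{
    if (nbytes == 0 || nbytes > limit)
        return NULL;
    return malloc((size_t)nbytes);
}

/* width * length * bytes_per_pixel without silent wraparound.
 * Returns 0 and stores the size, or -1 if the product would overflow. */
static int section_bytes(uint32_t width, uint32_t length,
                         uint32_t bytes_per_pixel, uint64_t *out)
{
    uint64_t rowbytes = (uint64_t)width * bytes_per_pixel;  /* 32x32 bits fits */
    if (length != 0 && rowbytes > UINT64_MAX / length)
        return -1;
    *out = rowbytes * length;
    return 0;
}

/* Allocate and zero a section buffer. The NULL check before memset is the
 * point: the trace above writes to address 0 inside _TIFFmemset right after
 * an allocation was refused, which is what an unchecked result looks like.
 * Returns 0 on success, -1 on overflow or refused allocation; *buf is left
 * NULL on failure so a caller cannot use it by accident. */
static int create_section(uint32_t width, uint32_t length,
                          uint32_t bytes_per_pixel, uint64_t limit,
                          unsigned char **buf)
{
    uint64_t nbytes;
    *buf = NULL;
    if (section_bytes(width, length, bytes_per_pixel, &nbytes) != 0)
        return -1;
    unsigned char *p = limited_malloc(nbytes, limit);
    if (p == NULL)
        return -1;  /* refused: report it instead of memset(NULL, ...) */
    memset(p, 0, (size_t)nbytes);
    *buf = p;
    return 0;
}
```

With the 8192x8192x5 request (335544320 bytes, above the cap) create_section returns -1 and leaves *buf NULL, which is the path the report's tiffcrop run fell through without a check.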
Platform
# uname -a
Linux 4a409ce47130 5.4.0-70-generic #78~18.04.1-Ubuntu SMP Sat Mar 20 14:10:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux