Skip to content
GitLab
Closed
Issue created by 4ugustus@waugustusContributor

tiffcrop: FPE in computeOutputPixelOffsets, tiffcrop.c:5802

Summary

There is a FPE in computeOutputPixelOffsets in tools/tiffcrop.c:5802. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. Note that this crash is different from #347 (closed).

Version

LIBTIFF, Version 4.3.0, commit id 5e180045 (Fri Feb 25 10:38:31 2022 +0000)

Steps to reproduce

# CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared

# make -j; make install; make clean

./build_asan/bin/tiffcrop -H 341 poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 32582 (0x7f46) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8192 (0x2000) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 304 (0x130) encountered.
poc_tiffcrop/00008: Warning, Nonstandard tile length 65290, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 8232 (0x2028) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 9 (0x9) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59395 (0xe803) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "NumberOfInks"; tag ignored.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 32582" value failed; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 8192"; tag ignored.
TIFFReadDirectory: Warning, Invalid data type for tag StripOffsets.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 304"; tag ignored.
TIFFReadDirectory: Warning, Invalid data type for tag StripByteCounts.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpretation tag.
Fax4Decode: Bad code word at line 0 of tile 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 0 of tile 0 (got 0, expected 127).
ASAN:DEADLYSIGNAL
=================================================================
==390948==ERROR: AddressSanitizer: FPE on unknown address 0x5558d237fc30 (pc 0x5558d237fc30 bp 0x7ffc94abb850 sp 0x7ffc94abb7c0 T0)
    #0 0x5558d237fc2f in computeOutputPixelOffsets /root/programs/libtiff/tools/tiffcrop.c:5802
    #1 0x5558d236bd30 in main /root/programs/libtiff/tools/tiffcrop.c:2440
    #2 0x7f26c9bc0bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #3 0x5558d2362869 in _start (/root/programs/libtiff/build_asan/bin/tiffcrop+0x28869)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /root/programs/libtiff/tools/tiffcrop.c:5802 in computeOutputPixelOffsets
==390948==ABORTING

Platform

# uname -a
Linux 4a409ce47130 5.4.0-70-generic #78~18.04.1-Ubuntu SMP Sat Mar 20 14:10:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

poc