tiffcp: AddressSanitizer: heap-buffer-overflow /home/lin/libtiff_asan/tools/tiffcp.c:1373:14 in cpContigBufToSeparateBuf
Summary
AddressSanitizer: heap-buffer-overflow /home/lin/libtiff_asan/tools/tiffcp.c:1373:14 in cpContigBufToSeparateBuf
Version
➜ tiffcp_test2 ./tiffcp -v
./tiffcp: invalid option -- 'v'
LIBTIFF, Version 4.3.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
At branch 5e180045 (libtiff version)
Steps to reproduce
git clone git@gitlab.com:libtiff/libtiff.git
cd libtiff/
./autogen.sh
./configure CC=gcc CXX=g++ CFLAGS="-g -fsanitize=address" --disable-shared && make
./tiffcp -p separate -s -i ./poc ./out2
Platform
➜ libtiff git:(master) ✗ gcc --version
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
➜ libtiff git:(master) ✗ uname -r
5.4.0-91-generic
➜ libtiff git:(master) ✗ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
- ASAN
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
./0: Warning, Nonstandard tile width 1, convert file.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag ignored.
TIFFFillTile: 0: Invalid tile byte count, tile 1.
TIFFFillTile: 0: Invalid tile byte count, tile 2.
TIFFFillTile: 0: Invalid tile byte count, tile 3.
TIFFFillTile: 0: Invalid tile byte count, tile 4.
TIFFFillTile: 0: Invalid tile byte count, tile 5.
TIFFFillTile: 0: Invalid tile byte count, tile 6.
TIFFFillTile: 0: Invalid tile byte count, tile 7.
TIFFFillTile: 0: Invalid tile byte count, tile 8.
TIFFFillTile: 0: Invalid tile byte count, tile 9.
TIFFFillTile: 0: Invalid tile byte count, tile 10.
TIFFFillTile: 0: Invalid tile byte count, tile 11.
TIFFFillTile: 0: Invalid tile byte count, tile 12.
TIFFFillTile: 0: Invalid tile byte count, tile 13.
TIFFFillTile: 0: Invalid tile byte count, tile 14.
TIFFFillTile: 0: Invalid tile byte count, tile 15.
=================================================================
==118589==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000000280 at pc 0x0000004d075d bp 0x7ffd7939f750 sp 0x7ffd7939f748
READ of size 1 at 0x615000000280 thread T0
#0 0x4d075c in cpContigBufToSeparateBuf /home/lin/libtiff_asan/tools/tiffcp.c:1373:14
#1 0x4d2c97 in writeBufferToSeparateStrips /home/lin/libtiff_asan/tools/tiffcp.c:1683:4
#2 0x4ce9df in cpImage /home/lin/libtiff_asan/tools/tiffcp.c:1420:14
#3 0x4cb940 in cpContigTiles2SeparateStrips /home/lin/libtiff_asan/tools/tiffcp.c:1934:9
#4 0x4c8298 in tiffcp /home/lin/libtiff_asan/tools/tiffcp.c:979:15
#5 0x4c8298 in main /home/lin/libtiff_asan/tools/tiffcp.c:334:9
#6 0x7fc4649980b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x41c50d in _start (/home/lin/tiffcp_test2/tiffcp+0x41c50d)
0x615000000280 is located 0 bytes to the right of 512-byte region [0x615000000080,0x615000000280)
allocated by thread T0 here:
#0 0x494c4d in malloc (/home/lin/tiffcp_test2/tiffcp+0x494c4d)
#1 0x565794 in _TIFFmalloc /home/lin/libtiff_asan/libtiff/tif_unix.c:314:10
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lin/libtiff_asan/tools/tiffcp.c:1373:14 in cpContigBufToSeparateBuf
Shadow bytes around the buggy address:
==118589==ABORTING
- No Asan
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
./0: Warning, Nonstandard tile width 1, convert file.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag ignored.
TIFFFillTile: 0: Invalid tile byte count, tile 1.
TIFFFillTile: 0: Invalid tile byte count, tile 2.
TIFFFillTile: 0: Invalid tile byte count, tile 3.
TIFFFillTile: 0: Invalid tile byte count, tile 4.
TIFFFillTile: 0: Invalid tile byte count, tile 5.
TIFFFillTile: 0: Invalid tile byte count, tile 6.
TIFFFillTile: 0: Invalid tile byte count, tile 7.
TIFFFillTile: 0: Invalid tile byte count, tile 8.
TIFFFillTile: 0: Invalid tile byte count, tile 9.
TIFFFillTile: 0: Invalid tile byte count, tile 10.
TIFFFillTile: 0: Invalid tile byte count, tile 11.
TIFFFillTile: 0: Invalid tile byte count, tile 12.
TIFFFillTile: 0: Invalid tile byte count, tile 13.
TIFFFillTile: 0: Invalid tile byte count, tile 14.
TIFFFillTile: 0: Invalid tile byte count, tile 15.
[1] 118561 segmentation fault (core dumped) ./tiffcp-no-asan -p separate -s -i ./0 ./out2
poc: poc.zip
Thanks!!