tiffcrop: Heap-buffer-overflow in _TIFFmemcpy, tif_unix.c:346
Summary
There is a heap buffer overflow in _TIFFmemcpy in libtiff/tif_unix.c:346. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.
Version
LIBTIFF, Version 4.3.0, commit id b51bb157 (Mon Mar 21 18:03:17 2022 +0100)
Steps to reproduce
# CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared
# make -j; make install; make clean
# ./build_asan/bin/tiffcrop -Z 1:4,3:3 -R 90 -H 300 -i poc2 /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 48 (0x30) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8832 (0x2280) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6400 (0x1900) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 62085 (0xf285) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65484 (0xffcc) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15626 (0x3d0a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 41 (0x29) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32382 (0x7e7e) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 6400"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "PhotometricInterpretation"; tag ignored.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 15626" value failed; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" does not end in null byte.
TIFFFetchNormalTag: Warning, Incorrect count for "YResolution"; tag ignored.
_TIFFVSetField: output_tiffcrop_random_3/default/crashes/id:000011,sig:11,src:003077+001802,time:63066116,execs:50089189,op:splice,rep:8: Null count for "Tag 41" (type 16, writecount -3, passcount 1).
TIFFReadDirectory: Warning, Incorrect count for "ColorMap"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpretation tag.
TIFFFillStrip: Read error on strip 0; got 1674 bytes, expected 1142400.
=================================================================
==1192501==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fbc3e7ff683 at pc 0x7fbc434c9733 bp 0x7ffe97ecf8c0 sp 0x7ffe97ecf068
READ of size 326400 at 0x7fbc3e7ff683 thread T0
#0 0x7fbc434c9732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
#1 0x564ba4ef4b49 in _TIFFmemcpy /root/programs/libtiff/libtiff/tif_unix.c:346
#2 0x564ba4e7abbd in extractImageSection /root/programs/libtiff/tools/tiffcrop.c:6860
#3 0x564ba4e7beb3 in writeImageSections /root/programs/libtiff/tools/tiffcrop.c:7093
#4 0x564ba4e620c8 in main /root/programs/libtiff/tools/tiffcrop.c:2451
#5 0x7fbc41ef5c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#6 0x564ba4e58ab9 in _start (/root/programs/libtiff/build_asan/bin/tiffcrop+0x2bab9)
0x7fbc3e7ff683 is located 0 bytes to the right of 1142403-byte region [0x7fbc3e6e8800,0x7fbc3e7ff683)
allocated by thread T0 here:
#0 0x7fbc4352eb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x564ba4ef4a77 in _TIFFmalloc /root/programs/libtiff/libtiff/tif_unix.c:314
#2 0x564ba4e58c6d in limitMalloc /root/programs/libtiff/tools/tiffcrop.c:627
#3 0x564ba4e780b9 in loadImage /root/programs/libtiff/tools/tiffcrop.c:6220
#4 0x564ba4e619ae in main /root/programs/libtiff/tools/tiffcrop.c:2374
#5 0x7fbc41ef5c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Shadow bytes around the buggy address:
0x0ff807cf7e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff807cf7e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff807cf7ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff807cf7eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff807cf7ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff807cf7ed0:[03]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff807cf7ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff807cf7ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff807cf7f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff807cf7f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff807cf7f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1192501==ABORTINGPlatform
# uname -a
Linux 4a409ce47130 5.4.0-70-generic #78~18.04.1-Ubuntu SMP Sat Mar 20 14:10:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux