Skip to content
GitLab
Closed
Issue created by 4ugustus@waugustusContributor

tiffcrop: heap-buffer-overflow in _TIFFmemset, tif_unix.c:340

Summary

There is a heap buffer overflow in _TIFFmemset in libtiff/tif_unix.c:340. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.

Version

LIBTIFF, Version 4.4.0, commit id 19db1d31 (Sun May 22 11:01:54 2022 +0200)

Steps to reproduce

# CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared

# make -j; make install; make clean

# ./build_asan/bin/tiffcrop -X 1 -Y 2 -R 180 -H 300 -V 300 -i poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 4 (0x4) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
...
TIFFFillStrip: Read error on strip 248; got 18446744073707546436 bytes, expected 8128.
: Strip 249: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 249; got 18446744073707538308 bytes, expected 8128.
: Strip 250: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 250; got 18446744073707530180 bytes, expected 8128.
: Strip 251: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 251; got 18446744073707522052 bytes, expected 8128.
: Strip 252: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 252; got 18446744073707513924 bytes, expected 8128.
: Strip 253: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 253; got 18446744073707505796 bytes, expected 8128.
: Strip 254: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 254; got 18446744073707497668 bytes, expected 8128.
: Strip 255: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 255; got 18446744073707489540 bytes, expected 8128.
=================================================================
==31028==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000d032 at pc 0x7f0d920c0bec bp 0x7fff218b1fb0 sp 0x7fff218b1758
WRITE of size 48 at 0x60400000d032 thread T0
    #0 0x7f0d920c0beb in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbeb)
    #1 0x496376 in _TIFFmemset /root/test5/libtiff/libtiff/tif_unix.c:340
    #2 0x42587c in processCropSelections /root/test5/libtiff/tools/tiffcrop.c:7612
    #3 0x40b474 in main /root/test5/libtiff/tools/tiffcrop.c:2415
    #4 0x7f0d909a683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #5 0x403888 in _start (/root/test5/libtiff/build_asan/bin/tiffcrop+0x403888)

0x60400000d032 is located 0 bytes to the right of 34-byte region [0x60400000d010,0x60400000d032)
allocated by thread T0 here:
    #0 0x7f0d920cc602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4962d2 in _TIFFmalloc /root/test5/libtiff/libtiff/tif_unix.c:314
    #2 0x403a21 in limitMalloc /root/test5/libtiff/tools/tiffcrop.c:634
    #3 0x42a190 in rotateImage /root/test5/libtiff/tools/tiffcrop.c:8621
    #4 0x425ffc in processCropSelections /root/test5/libtiff/tools/tiffcrop.c:7671
    #5 0x40b474 in main /root/test5/libtiff/tools/tiffcrop.c:2415
    #6 0x7f0d909a683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memset
Shadow bytes around the buggy address:
  0x0c087fff99b0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff99c0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff99d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff99e0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff99f0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 02 fa
=>0x0c087fff9a00: fa fa 00 00 00 00[02]fa fa fa fd fd fd fd fd fd
  0x0c087fff9a10: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9a20: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9a30: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9a40: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9a50: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==31028==ABORTING

Platform

# uname -a
Linux 4a409ce47130 5.4.0-70-generic #78~18.04.1-Ubuntu SMP Sat Mar 20 14:10:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

poc