tiffcrop: heap-buffer-overflow in _TIFFmemset, tif_unix.c:340
Summary
There is a heap buffer overflow in _TIFFmemset (libtiff/tif_unix.c:340), reached from processCropSelections in tools/tiffcrop.c. A remote attacker could use this vulnerability to cause a denial of service via a crafted TIFF file.
Version
LIBTIFF, Version 4.4.0, commit id 19db1d31 (Sun May 22 11:01:54 2022 +0200)
Steps to reproduce
# CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared
# make -j; make install; make clean
# ./build_asan/bin/tiffcrop -X 1 -Y 2 -R 180 -H 300 -V 300 -i poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 4 (0x4) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
...
TIFFFillStrip: Read error on strip 248; got 18446744073707546436 bytes, expected 8128.
: Strip 249: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 249; got 18446744073707538308 bytes, expected 8128.
: Strip 250: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 250; got 18446744073707530180 bytes, expected 8128.
: Strip 251: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 251; got 18446744073707522052 bytes, expected 8128.
: Strip 252: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 252; got 18446744073707513924 bytes, expected 8128.
: Strip 253: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 253; got 18446744073707505796 bytes, expected 8128.
: Strip 254: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 254; got 18446744073707497668 bytes, expected 8128.
: Strip 255: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 255; got 18446744073707489540 bytes, expected 8128.
=================================================================
==31028==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000d032 at pc 0x7f0d920c0bec bp 0x7fff218b1fb0 sp 0x7fff218b1758
WRITE of size 48 at 0x60400000d032 thread T0
#0 0x7f0d920c0beb in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbeb)
#1 0x496376 in _TIFFmemset /root/test5/libtiff/libtiff/tif_unix.c:340
#2 0x42587c in processCropSelections /root/test5/libtiff/tools/tiffcrop.c:7612
#3 0x40b474 in main /root/test5/libtiff/tools/tiffcrop.c:2415
#4 0x7f0d909a683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#5 0x403888 in _start (/root/test5/libtiff/build_asan/bin/tiffcrop+0x403888)
0x60400000d032 is located 0 bytes to the right of 34-byte region [0x60400000d010,0x60400000d032)
allocated by thread T0 here:
#0 0x7f0d920cc602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4962d2 in _TIFFmalloc /root/test5/libtiff/libtiff/tif_unix.c:314
#2 0x403a21 in limitMalloc /root/test5/libtiff/tools/tiffcrop.c:634
#3 0x42a190 in rotateImage /root/test5/libtiff/tools/tiffcrop.c:8621
#4 0x425ffc in processCropSelections /root/test5/libtiff/tools/tiffcrop.c:7671
#5 0x40b474 in main /root/test5/libtiff/tools/tiffcrop.c:2415
#6 0x7f0d909a683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memset
Shadow bytes around the buggy address:
==31028==ABORTING
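For triaging a report like the one above (for example, de-duplicating crashes from a fuzzing run), here is an added Python parser that is not part of libtiff or of this issue; it pulls the bug kind, the access size, the 34-byte region and the first non-wrapper frame of both stacks out of the sanitizer output. The sample input is constructed from the report lines quoted in this issue, and the WRAPPERS set is an assumption about which thin wrapper functions to skip.

```python
import re

# Constructed sample input: the relevant lines of the AddressSanitizer report quoted in this issue.
ASAN_REPORT = """\
==31028==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000d032 at pc 0x7f0d920c0bec bp 0x7fff218b1fb0 sp 0x7fff218b1758
WRITE of size 48 at 0x60400000d032 thread T0
    #0 0x7f0d920c0beb in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbeb)
    #1 0x496376 in _TIFFmemset /root/test5/libtiff/libtiff/tif_unix.c:340
    #2 0x42587c in processCropSelections /root/test5/libtiff/tools/tiffcrop.c:7612
    #3 0x40b474 in main /root/test5/libtiff/tools/tiffcrop.c:2415
0x60400000d032 is located 0 bytes to the right of 34-byte region [0x60400000d010,0x60400000d032)
allocated by thread T0 here:
    #1 0x4962d2 in _TIFFmalloc /root/test5/libtiff/libtiff/tif_unix.c:314
    #2 0x403a21 in limitMalloc /root/test5/libtiff/tools/tiffcrop.c:634
    #3 0x42a190 in rotateImage /root/test5/libtiff/tools/tiffcrop.c:8621
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
WRAPPERS = {"__asan_memset", "_TIFFmemset", "malloc", "_TIFFmalloc", "limitMalloc"}  # assumed thin wrappers

def parse_asan_report(text):
    """Extract bug kind, access, region geometry and both stacks from an ASan report."""
    rep = {"frames": [], "alloc_frames": []}
    target = "frames"
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEADER_RE.search(line):
            rep["kind"], rep["address"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            rep["distance"], rep["side"], rep["region_size"] = int(m.group(1)), m.group(2), int(m.group(3))
        elif line.startswith(("allocated by", "freed by")):
            target = "alloc_frames"  # the frames that follow describe the allocation, not the crash
        elif m := FRAME_RE.match(line):
            path, _, lineno = m.group(2).rpartition(":")  # "(libasan.so.2+0x..)" frames carry no line
            rep[target].append((m.group(1), path.rsplit("/", 1)[-1], int(lineno) if lineno.isdigit() else None))
    return rep

def owning_frame(frames):
    """First frame with a source line that is not a known wrapper: where the bug actually lives."""
    return next((f for f in frames if f[2] is not None and f[0] not in WRAPPERS), None)

def signature(rep):
    """Stable key for de-duplicating crashes from a fuzzing run."""
    func, file, line = owning_frame(rep["frames"])
    return f"{rep['kind']}:{rep['access']}:{func}:{file}:{line}"
```

Running signature() over this report yields the key heap-buffer-overflow:WRITE:processCropSelections:tiffcrop.c:7612, and owning_frame() on the allocation stack points at rotateImage (tiffcrop.c:8621), the two locations a fix for this issue has to reconcile.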
Platform
# uname -a
Linux 4a409ce47130 5.4.0-70-generic #78~18.04.1-Ubuntu SMP Sat Mar 20 14:10:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux