tiffcrop: FPE in computeOutputPixelOffsets, tiffcrop.c:5941
Summary
There is a FPE error in computeOutputPixelOffsets, tools/tiffcrop.c:5941. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.
Version
LIBTIFF, Version 4.4.0, commit id 19db1d31 (Sun May 22 11:01:54 2022 +0200)
Steps to reproduce
# CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --prefix=$PWD/build_orig --disable-shared
# make -j; make install; make clean
# ./build_orig/bin/tiffcrop -R 90 -H 300 -O landscape -P 300.0x300.0 -i poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65353 (0xff49) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 42 (0x2a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 52942 (0xcece) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 206 (0xce) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22784 (0x5900) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22873 (0x5959) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 89 (0x59) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65378 (0xff62) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15677 (0x3d3d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22912 (0x5980) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 30041 (0x7559) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1024 (0x400) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 19836 (0x4d7c) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 24929 (0x6161) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 21081 (0x5259) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 18761 (0x4949) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 23016 (0x59e8) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22845 (0x593d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 20569 (0x5059) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 31065 (0x7959) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 17241 (0x4359) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22905 (0x5979) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22869 (0x5955) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 23039 (0x59ff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 514 (0x202) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22872 (0x5958) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 23897 (0x5d59) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22904 (0x5978) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 28 (0x1c) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 77 (0x4d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22897 (0x5971) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22847 (0x593f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22617 (0x5859) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15683 (0x3d43) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 18009 (0x4659) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 18777 (0x4959) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59395 (0xe803) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8281 (0x2059) encountered.
TIFFReadDirectory: Warning, Invalid data type for tag StripOffsets.
TIFFReadDirectory: Warning, Invalid data type for tag StripByteCounts.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpretation tag.
Fax3Decode1D: Warning, Premature EOL at line 0 of strip 0 (got 0, expected 7196).
Fax3Decode1D: Warning, Premature EOL at line 1 of strip 0 (got 116, expected 7196).
Fax3Decode1D: Warning, Premature EOL at line 2 of strip 0 (got 220, expected 7196).
Fax3Decode1D: Warning, Premature EOL at line 3 of strip 0 (got 11, expected 7196).
Fax3Decode1D: Warning, Premature EOL at line 4 of strip 0 (got 1856, expected 7196).
Fax3Decode1D: Warning, Premature EOL at line 5 of strip 0 (got 24, expected 7196).
Fax3Decode1D: Warning, Premature EOL at line 6 of strip 0 (got 105, expected 7196).
Fax3Decode1D: Warning, Premature EOL at line 7 of strip 0 (got 1854, expected 7196).
Fax3Decode1D: Warning, Premature EOL at line 8 of strip 0 (got 1664, expected 7196).
Fax3Decode1D: Warning, Premature EOL at line 9 of strip 0 (got 2306, expected 7196).
Fax3Decode1D: Warning, Premature EOL at line 10 of strip 0 (got 0, expected 7196).
Floating point exception (core dumped)
(gdb) # bt
#0 0x0000000000411835 in computeOutputPixelOffsets (crop=0x7fffffff8e70, image=0x7fffffff8bf0,
page=0x7fffffff8c10, sections=0x7fffffff9160, dump=0x7fffffffb4f0) at tiffcrop.c:5941
#1 0x00000000004076d7 in main (argc=0xc, argv=0x7fffffffe648) at tiffcrop.c:2459
#2 0x00007ffff6749840 in __libc_start_main (main=0x406c6d <main>, argc=0xc, argv=0x7fffffffe648,
init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe638)
at ../csu/libc-start.c:291
#3 0x0000000000402f69 in _start ()
Platform
# uname -a
Linux 4a409ce47130 5.4.0-70-generic #78~18.04.1-Ubuntu SMP Sat Mar 20 14:10:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux