libtiff / Issues / #435 (Closed)

Issue created Jun 15, 2022 by 4ugustus (@waugustus), Contributor

tiffcrop: heap-buffer-overflow in extractContigSamplesShifted24bits, tiffcrop.c:3604

Summary

There is a heap buffer overflow in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.

Version

LIBTIFF, Version 4.4.0, commit id 8e9ce052 (Mon Jun 13 17:04:20 2022 +0000)

Steps to reproduce

# CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared

# make -j; make install; make clean

# ./build_asan/bin/tiffcrop -Z 1:4,3:3 poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 42 (0x2a) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFReadDirectory: Warning, Ignoring ColorMap since BitsPerSample tag not found.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpretation tag.
Fax4Decode: Warning, Line length mismatch at line 0 of strip 0 (got 33, expected 32).
Fax4Decode: Warning, Line length mismatch at line 5 of strip 0 (got 33, expected 32).
Fax4Decode: Warning, Line length mismatch at line 10 of strip 0 (got 33, expected 32).
Fax4Decode: Warning, Line length mismatch at line 12 of strip 0 (got 39, expected 32).
Fax4Decode: Warning, Line length mismatch at line 14 of strip 0 (got 33, expected 32).
Fax4Decode: Bad code word at line 15 of strip 0 (x 30).
Fax4Decode: Warning, Premature EOL at line 15 of strip 0 (got 30, expected 32).
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 98 (0x62) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 17420 (0x440c) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8832 (0x2280) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 24655 (0x604f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 62085 (0xf285) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 51248 (0xc830) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 31350 (0x7a76) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 771 (0x303) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 42 (0x2a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15 (0xf) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 53970 (0xd2d2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 843 (0x34b) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12006 (0x2ee6) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFReadDirectory: Warning, Ignoring ColorMap since BitsPerSample tag not found.
loadImage: Image lacks Photometric interpretation tag.
Fax4Decode: Warning, Line length mismatch at line 0 of strip 0 (got 33, expected 32).
Fax4Decode: Warning, Line length mismatch at line 5 of strip 0 (got 33, expected 32).
Fax4Decode: Warning, Line length mismatch at line 10 of strip 0 (got 33, expected 32).
Fax4Decode: Warning, Line length mismatch at line 12 of strip 0 (got 39, expected 32).
Fax4Decode: Warning, Line length mismatch at line 14 of strip 0 (got 33, expected 32).
Fax4Decode: Bad code word at line 15 of strip 0 (x 30).
Fax4Decode: Warning, Premature EOL at line 15 of strip 0 (got 30, expected 32).
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 98 (0x62) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 53970 (0xd2d2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 771 (0x303) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 31536 (0x7b30) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 64512 (0xfc00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 29807 (0x746f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 18 (0x12) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 5635 (0x1603) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 835 (0x343) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 58624 (0xe500) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 35392 (0x8a40) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8832 (0x2280) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8707 (0x2203) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 46355 (0xb513) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 31348 (0x7a74) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59310 (0xe7ae) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2566 (0xa06) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 511 (0x1ff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32862 (0x805e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 22995 (0x59d3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 54998 (0xd6d6) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 794 (0x31a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 769 (0x301) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32231 (0x7de7) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32768 (0x8000) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 128 (0x80) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 470 (0x1d6) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16840 (0x41c8) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 252 (0xfc) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 4883 (0x1313) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 29823 (0x747f) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 3"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 0"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 511" value failed; tag ignored.
TIFFReadDirectory: Warning, Incorrect count for "ColorMap"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 470"; tag ignored.
_TIFFVSetField: poc1: Bad value 32 for "FillOrder" tag.
TIFFReadDirectory: Warning, Invalid data type for tag StripByteCounts.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
=================================================================
==2223766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0000000b8 at pc 0x55555558ffc2 bp 0x7fffffff86c0 sp 0x7fffffff86b0
READ of size 1 at 0x60c0000000b8 thread T0
    #0 0x55555558ffc1 in extractContigSamplesShifted32bits /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:3604
    #1 0x5555555a479e in extractCompositeRegions /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:6636
    #2 0x5555555a85b7 in processCropSelections /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:7623
    #3 0x55555558b6bc in main /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:2415
    #4 0x7ffff6d87082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x55555558260d in _start (/home/data/wdw/latest_programs/libtiff/build_asan/bin/tiffcrop+0x2e60d)

0x60c0000000b8 is located 0 bytes to the right of 120-byte region [0x60c000000040,0x60c0000000b8)
allocated by thread T0 here:
    #0 0x7ffff768e808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5555556233e5 in _TIFFmalloc /home/data/wdw/latest_programs/libtiff/libtiff/tif_unix.c:314
    #2 0x5555555827a0 in limitMalloc /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:634
    #3 0x5555555ad3e9 in rotateImage /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:8627
    #4 0x5555555a3d9c in correct_orientation /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:6495
    #5 0x55555558b5e7 in main /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:2403
    #6 0x7ffff6d87082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:3604 in extractContigSamplesShifted32bits
Shadow bytes around the buggy address:
  0x0c187fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c187fff8010: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
  0x0c187fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2223766==ABORTING

Platform

# uname -a
Linux 4a409ce47130 5.4.0-70-generic #78~18.04.1-Ubuntu SMP Sat Mar 20 14:10:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

poc
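A triage helper, added here as an example and not part of the libtiff project or of this report: it parses an AddressSanitizer report of the shape shown above (error banner, access line, crash stack, region line, allocation stack) into structured fields and derives a deduplication key from the first application frame, which is the routine step a fuzzing pipeline or a maintainer performs before filing or merging reports like this one. The class and function names (`AsanReport`, `parse_asan_report`, `dedup_key`) are this example's own; the embedded sample report is a constructed excerpt whose lines are copied from the report in this issue.

```python
"""Structured triage of AddressSanitizer reports (added example, not libtiff code):
bug class, access kind/size, first application frame, region offset, dedup key."""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")


@dataclass
class Frame:
    func: str
    location: str  # "file:line" with debug info, otherwise "(module+offset)"

    def is_noise(self) -> bool:
        # sanitizer-runtime and libc startup frames never hold the bug itself
        return (self.func.startswith("__interceptor_")
                or self.func in ("__libc_start_main", "_start")
                or "libsanitizer" in self.location)


@dataclass
class AsanReport:
    bug_class: str
    address: str
    access: Optional[str] = None          # READ or WRITE; absent for e.g. SEGV reports
    size: Optional[int] = None
    crash_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    region_offset: Optional[int] = None   # bytes beyond the edge of the region
    region_side: Optional[str] = None     # "left" or "right" of the region
    region_size: Optional[int] = None

    @staticmethod
    def first_app_frame(stack: List[Frame]) -> Optional[Frame]:
        return next((f for f in stack if not f.is_noise()), None)


def parse_asan_report(text: str) -> Optional[AsanReport]:
    """Parse one ASan report; returns None when the text has no error banner."""
    report: Optional[AsanReport] = None
    current: Optional[List[Frame]] = None  # stack the frames being read belong to
    for raw in text.splitlines():
        line = raw.strip()
        if em := ERROR_RE.search(line):
            report = AsanReport(bug_class=em.group(1), address=em.group(2))
            current = report.crash_stack
        elif report is None:
            continue  # tool warnings printed before the banner are not the report
        elif am := ACCESS_RE.match(line):
            report.access, report.size = am.group(1), int(am.group(2))
        elif rm := REGION_RE.search(line):
            report.region_offset, report.region_side = int(rm.group(1)), rm.group(2)
            report.region_size = int(rm.group(3))
        elif line.startswith(("allocated by", "previously allocated by")):
            current = report.alloc_stack
        elif (fm := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(func=fm.group(2), location=fm.group(3)))
        elif not line:
            current = None  # a blank line terminates a stack trace
    return report


def dedup_key(report: AsanReport) -> str:
    """Bug class plus first application frame; the path is reduced to its
    basename so the same crash from different checkouts lands in one bucket."""
    top = AsanReport.first_app_frame(report.crash_stack)
    if top is None:
        return f"{report.bug_class}|unknown|unknown"
    return f"{report.bug_class}|{top.func}|{os.path.basename(top.location)}"


# Constructed sample: banner, stacks and region line copied from this issue's
# report, preceded by one of the tool warnings ASan output is usually mixed with.
SAMPLE_REPORT = """\
loadImage: Image lacks Photometric interpretation tag.
==2223766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0000000b8 at pc 0x55555558ffc2 bp 0x7fffffff86c0 sp 0x7fffffff86b0
READ of size 1 at 0x60c0000000b8 thread T0
    #0 0x55555558ffc1 in extractContigSamplesShifted32bits /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:3604
    #1 0x5555555a479e in extractCompositeRegions /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:6636
    #2 0x5555555a85b7 in processCropSelections /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:7623
    #3 0x55555558b6bc in main /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:2415
    #4 0x7ffff6d87082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x55555558260d in _start (/home/data/wdw/latest_programs/libtiff/build_asan/bin/tiffcrop+0x2e60d)

0x60c0000000b8 is located 0 bytes to the right of 120-byte region [0x60c000000040,0x60c0000000b8)
allocated by thread T0 here:
    #0 0x7ffff768e808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5555556233e5 in _TIFFmalloc /home/data/wdw/latest_programs/libtiff/libtiff/tif_unix.c:314
    #2 0x5555555827a0 in limitMalloc /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:634

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/data/wdw/latest_programs/libtiff/tools/tiffcrop.c:3604 in extractContigSamplesShifted32bits
"""

if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    alloc = AsanReport.first_app_frame(r.alloc_stack)
    print(dedup_key(r))
    print(f"{r.access} of {r.size} byte(s), {r.region_offset} bytes {r.region_side} of a "
          f"{r.region_size}-byte region allocated via {alloc.func}")
```

The region line is the part worth reading first: "0 bytes to the right of a 120-byte region" with a 1-byte read is the signature of a loop that runs one sample past the end of its buffer, and keeping `region_offset` and `region_size` as fields lets a queue sort exact-edge overreads apart from wild out-of-bounds accesses. The dedup key deliberately uses the first non-sanitizer frame rather than frame #0 so that reports whose top frame is `__interceptor_memcpy` or a libc routine still bucket by the application code that caused them.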
