Stack buffer overflow in process_command_opts() at tools/tiffcrop.c:1969 or 1771 or 1773 or 1775 when the options B, L, M or C are used multiple times.
When the command line contains the options "B", "L", "M" and "C" more than once, the stack buffer `mode` overflows. That is to say, any combination of nine or more of these options, such as "-LBMLLCMMBCL", triggers the overflow.
tools/tiffcrop.c, lines 1769-1775:
```c
case 'B': *mp++ = 'b'; *mp = '\0';
          break;
case 'L': *mp++ = 'l'; *mp = '\0';
          break;
case 'M': *mp++ = 'm'; *mp = '\0';
          break;
case 'C': *mp++ = 'c'; *mp = '\0';
```
In process_command_opts(), tiffcrop parses the options "B", "L", "M" and "C" in the same way: each one advances the pointer `mp` into the char array `mode` by one. However, these options can appear any number of times, and nothing checks how far `mp` has moved. As a result, the `mode` buffer overflows.
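To make the arithmetic behind "nine or more" concrete, here is an added example in C (my own model, not libtiff code) of the 10-byte `mode` buffer that the ASAN frame listing below identifies: `unchecked_overrun()` computes how far the reported loop would write past it, and `build_mode_checked()` is an assumed bounds-checked variant, not the upstream fix. It assumes `mode` starts as "w" with `mp` pointing just past it, which is what makes the ninth option's terminator land at `mode + 10` as in the report.

```c
/* Constructed model of tiffcrop's option handling (added example, not libtiff
 * code): main() declares `char mode[10]`, stores "w" in it and hands
 * mp = mode + 1 to process_command_opts(), where every B/L/M/C option runs
 * `*mp++ = letter; *mp = '\0';` with no bounds check. */
#define MODE_SIZE 10

/* Lower-case mode letter for an option character, or 0 if not B/L/M/C. */
static int mode_letter(char opt)
{
    switch (opt) {
    case 'B': return 'b';
    case 'L': return 'l';
    case 'M': return 'm';
    case 'C': return 'c';
    default:  return 0;
    }
}

/* Bytes the unchecked loop writes past mode[]: 'w' + n letters + '\0' need
 * n + 2 bytes, so n >= 9 overruns (ASAN saw the write at mode + 10). */
int unchecked_overrun(const char *opts)
{
    int n = 0;
    for (; *opts; opts++)
        if (mode_letter(*opts))
            n++;
    return n + 2 > MODE_SIZE ? n + 2 - MODE_SIZE : 0;
}

/* Hardened variant (an assumption, not the upstream fix): parse opts into a
 * MODE_SIZE buffer as main() does, but append a letter only while it and the
 * terminator still fit. Returns letters appended, or -1 on the first overflow. */
int build_mode_checked(const char *opts)
{
    char mode[MODE_SIZE], *mp = mode;
    int n = 0;
    *mp++ = 'w'; *mp = '\0';
    for (; *opts; opts++) {
        int c = mode_letter(*opts);
        if (!c)
            continue;                     /* not a mode option, skip it */
        if (mp - mode + 2 > MODE_SIZE)    /* no room for c plus '\0' */
            return -1;
        *mp++ = (char)c; *mp = '\0';
        n++;
    }
    return n;
}
```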
Test environment
Ubuntu 20.04, 64-bit; libtiff (master, b6a17e56)
How to trigger
- Compile the program with AddressSanitizer
- Run the command:
```sh
$ ./tiffcrop -BLMCLMCBC
```
Details
ASAN Report
```
./tiffcrop -BLMCLMCBC
=================================================================
==3112519==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffbdc8ed2a at pc 0x55612c27b6fb bp 0x7fffbdc89e20 sp 0x7fffbdc89e10
WRITE of size 1 at 0x7fffbdc8ed2a thread T0
    #0 0x55612c27b6fa in process_command_opts /home/ubuntu20/experiment/libtiff/libtiff-v4.4.0/tools/tiffcrop.c:1774
    #1 0x55612c27ed77 in main /home/ubuntu20/experiment/libtiff/libtiff-v4.4.0/tools/tiffcrop.c:2266
    #2 0x7fb8ba9a4082 in __libc_start_main ../csu/libc-start.c:308
    #3 0x55612c276aed in _start (/home/ubuntu20/bug_report/libtiff/tiffcrop/crash/tiffcrop+0x9aed)

Address 0x7fffbdc8ed2a is located in stack of thread T0 at offset 19930 in frame
    #0 0x55612c27e673 in main /home/ubuntu20/experiment/libtiff/libtiff-v4.4.0/tools/tiffcrop.c:2219

  This frame has 21 object(s):
    [32, 34) 'defconfig' (line 2224)
    [48, 50) 'deffillorder' (line 2225)
    [64, 68) 'deftilewidth' (line 2226)
    [80, 84) 'deftilelength' (line 2227)
    [96, 100) 'defrowsperstrip' (line 2228)
    [112, 116) 'dirnum' (line 2229)
    [128, 132) 'image_count' (line 2248)
    [144, 148) 'next_page' (line 2251)
    [160, 168) 'out' (line 2232)
    [192, 200) 'read_buff' (line 2243)
    [224, 232) 'crop_buff' (line 2244)
    [256, 264) 'sect_buff' (line 2245)
    [288, 320) 'image' (line 2237)
    [352, 440) 'page' (line 2239)
    [480, 992) 'seg_buffs' (line 2241)
    [1056, 1800) 'crop' (line 2238)
    [1936, 2832) 'sections' (line 2240)
    [2960, 11156) 'imagelist' (line 2247)
    [11424, 19656) 'dump' (line 2242)
    [19920, 19930) 'mode' (line 2233) <== Memory access at offset 19930 overflows this variable
    [19952, 24064) 'temp_filename' (line 2257)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/ubuntu20/experiment/libtiff/libtiff-v4.4.0/tools/tiffcrop.c:1774 in process_command_opts
Shadow bytes around the buggy address:
  0x100077b89d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077b89d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077b89d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077b89d80: 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x100077b89d90: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
=>0x100077b89da0: f2 f2 00 00 00[02]f2 f2 00 00 00 00 00 00 00 00
  0x100077b89db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077b89dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077b89dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077b89de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100077b89df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3112519==ABORTING
```