Heap-buffer-overflow on address 0x6020000000b1 in tiffcp
Summary
Hi there, I used my fuzzer to fuzz the tiffcp binary. The Libtiff version is 99c28085 and the operating system is Ubuntu 18.04.6 LTS (docker). The binary crashes with the following.
Version
Libtiff master branch (99c28085) and Libtiff release version (v4.4.0)
Steps to reproduce
A heap-buffer-overflow was detected on address 0x6020000000b1 in tiffcp; this may be different from #456 (closed).
root@23sdsfs17rte:/fuzz-tiffcp/tiffcp/test# ./../tiffcp POC_tiffcp_87069270 out_test.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchNormalTag: Warning, ASCII value for tag "InkNames" does not end in null byte. Forcing it to be null.
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
=================================================================
==1423235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000b1 at pc 0x0000007638b4 bp 0x7ffdd7b36dd0 sp 0x7ffdd7b36580
READ of size 1 at 0x6020000000b1 thread T0
#0 0x7638b3 in __interceptor_strlen.part.36 /llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372
#1 0x411f2f in tiffcp (/fuzz-tiffcp/tiffcp/tiffcp+0x411f2f)
#2 0x40a7c0 in main (/fuzz-tiffcp/tiffcp/tiffcp+0x40a7c0)
#3 0x7f5f90d8fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#4 0x406db9 in _start (/fuzz-tiffcp/tiffcp/tiffcp+0x406db9)
0x6020000000b1 is located 0 bytes to the right of 1-byte region [0x6020000000b0,0x6020000000b1)
allocated by thread T0 here:
#0 0x7d82e0 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x759433 in _TIFFmalloc (/fuzz-tiffcp/tiffcp/tiffcp+0x759433)
#2 0x4432b9 in setByteArray (/fuzz-tiffcp/tiffcp/tiffcp+0x4432b9)
#3 0x4a1ae8 in _TIFFsetNString (/fuzz-tiffcp/tiffcp/tiffcp+0x4a1ae8)
#4 0x465b34 in _TIFFVSetField (/fuzz-tiffcp/tiffcp/tiffcp+0x465b34)
#5 0x443bdd in TIFFVSetField (/fuzz-tiffcp/tiffcp/tiffcp+0x443bdd)
#6 0x443976 in TIFFSetField (/fuzz-tiffcp/tiffcp/tiffcp+0x443976)
#7 0x4e2a33 in TIFFFetchNormalTag (/fuzz-tiffcp/tiffcp/tiffcp+0x4e2a33)
#8 0x4b9bb4 in TIFFReadDirectory (/fuzz-tiffcp/tiffcp/tiffcp+0x4b9bb4)
#9 0x69688d in TIFFClientOpen (/fuzz-tiffcp/tiffcp/tiffcp+0x69688d)
#10 0x755c3b in TIFFFdOpen (/fuzz-tiffcp/tiffcp/tiffcp+0x755c3b)
#11 0x7592b1 in TIFFOpen (/fuzz-tiffcp/tiffcp/tiffcp+0x7592b1)
#12 0x40bbc0 in openSrcImage (/fuzz-tiffcp/tiffcp/tiffcp+0x40bbc0)
#13 0x40a556 in main (/fuzz-tiffcp/tiffcp/tiffcp+0x40a556)
#14 0x7f5f90d8fc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
SUMMARY: AddressSanitizer: heap-buffer-overflow /llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372 in __interceptor_strlen.part.36
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa 02 fa fa fa fd fa
=>0x0c047fff8010: fa fa fd fa fa fa[01]fa fa fa fd fa fa fa fd fd
0x0c047fff8020: fa fa fd fa fa fa 00 fa fa fa fd fa fa fa 00 fa
0x0c047fff8030: fa fa fd fa fa fa fd fa fa fa 00 fa fa fa 02 fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1423235==ABORTING
POC
Platform
Ubuntu 18.04.6 LTS (docker), clang 12.0.1, clang++ 12.0.1
Credit
Xudong Cao (NCNIPC of China), Han Zheng (NCNIPC of China, Hexhive)
Thank you for your time!
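The trace above shows strlen reading past a 1-byte heap region that _TIFFsetNString allocated for the InkNames tag, i.e. the packed NUL-separated name list is shorter than the caller assumes. The following is an added example (not libtiff's or tiffcp's own code) of walking such a list with the tag's byte count as the bound, so a short or unterminated list is rejected instead of read past; the function name and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Walk a packed list of NUL-terminated ink names that occupies exactly
 * `len` bytes (the byte count carried by the TIFF tag), never reading
 * past the end of the buffer. Returns the number of complete names
 * found, or -1 if a name runs off the end of the buffer or the list
 * holds fewer names than `expected_inks` (e.g. NumberOfInks).
 * Hypothetical helper, not libtiff's own API. */
static int count_ink_names(const char *names, size_t len, int expected_inks)
{
    size_t off = 0;
    int found = 0;

    while (off < len) {
        /* memchr is bounded by the remaining bytes, unlike strlen */
        const char *nul = memchr(names + off, '\0', len - off);
        if (nul == NULL)
            return -1;               /* name not terminated inside the tag */
        off = (size_t)(nul - names) + 1; /* skip the name and its NUL */
        found++;
    }
    if (found < expected_inks)
        return -1;                   /* fewer names than inks declared */
    return found;
}

int main(void)
{
    /* Constructed sample: four names, 26 bytes including every NUL */
    static const char ok[] = "Cyan\0Magenta\0Yellow\0Black";
    /* Constructed sample mirroring the report: a 1-byte region holding
     * one empty name while the directory claims more inks than that */
    static const char one[] = "";

    printf("%d\n", count_ink_names(ok, sizeof ok, 4));   /* 4  */
    printf("%d\n", count_ink_names(one, sizeof one, 2)); /* -1 */
    return 0;
}
```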