tiffcrop: SEGV in extractContigSamplesShifted16bits, tiffcrop.c:3488
Summary
There is SEGV errors in extractContigSamplesShifted8bits in tools/tiffcrop.c:3488. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.
Version
LIBTIFF, Version master (post 4.4.0), commit id 1bdbd03f (Tue Nov 29 17:02:09 2022 +0000)
Steps to reproduce
# CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared
# make -j; make install; make clean
$ ./build_asan/bin/tiffcrop -e multiple -z 1,1,2048,2048:1,2049,2048,4097 -R 270 -i poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag ignored.
OJPEGSetupDecode: Warning, Deprecated and troublesome old-style JPEG compression mode, please convert to new-style JPEG compression and notify vendor of writing software.
OJPEGReadHeaderInfoSecTablesQTable: Missing JPEG tables.
: Strip 1: read -1 bytes, strip size 512.
OJPEGReadHeaderInfoSecTablesQTable: Missing JPEG tables.
: Strip 2: read -1 bytes, strip size 512.
OJPEGReadHeaderInfoSecTablesQTable: Missing JPEG tables.
: Strip 3: read -1 bytes, strip size 512.
OJPEGReadHeaderInfoSecTablesQTable: Missing JPEG tables.
: Strip 4: read -1 bytes, strip size 512.
OJPEGReadHeaderInfoSecTablesQTable: Missing JPEG tables.
: Strip 5: read -1 bytes, strip size 512.
OJPEGReadHeaderInfoSecTablesQTable: Missing JPEG tables.
...[poc.zip](/uploads/0c89c355d648c8c76ffd8365d330b41d/poc.zip)
OJPEGReadHeaderInfoSecTablesQTable: Missing JPEG tables.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==145158==ERROR: AddressSanitizer: SEGV on unknown address 0x7f38d0600000 (pc 0x558347eee908 bp 0x7ffd71cf82a0 sp 0x7ffd71cf8230 T0)
==145158==The signal is caused by a READ memory access.
#0 0x558347eee907 in extractContigSamplesShifted16bits /root/programs_latest/libtiff/tools/tiffcrop.c:3488
#1 0x558347f04b44 in extractSeparateRegion /root/programs_latest/libtiff/tools/tiffcrop.c:6944
#2 0x558347f08a94 in processCropSelections /root/programs_latest/libtiff/tools/tiffcrop.c:7835
#3 0x558347eeabb1 in main /root/programs_latest/libtiff/tools/tiffcrop.c:2511
#4 0x7f38d3b3b082 in __libc_start_main ../csu/libc-start.c:308
#5 0x558347ee160d in _start (/root/programs_latest/libtiff/build_asan/bin/tiffcrop+0x2e60d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/programs_latest/libtiff/tools/tiffcrop.c:3488 in extractContigSamplesShifted16bits
==145158==ABORTING
Platform
# uname -a
Linux dd189b3c7b86 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux