Skip to content
GitLab
Closed
Issue created by 4ugustus@waugustusContributor

tiffcrop: SEGV in _TIFFmemcpy, tif_unix.c:368

Summary

There is SEGV errors in _TIFFmemcpy in tools/tif_unix.c:368. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.

Version

LIBTIFF, Version master (post 4.4.0), commit id 1bdbd03f (Tue Nov 29 17:02:09 2022 +0000)

Steps to reproduce

# CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared

# make -j; make install; make clean

$ ./build_asan/bin/tiffcrop -e multiple  -z 1,1,2048,2048:1,2049,2048,4097 -R 270  -i poc /tmp/foo
TIFFReadDirectory: Warning, Ignoring ColorMap because BitsPerSample=64>24.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag ignored.
ZIPDecode: Decoding error at scanline 0.
: Strip 1: read -1 bytes, strip size 8192.
TIFFFillStrip: Invalid strip byte count 0, strip 1.
: Strip 2: read -1 bytes, strip size 8192.
TIFFFillStrip: Invalid strip byte count 0, strip 2.
: Strip 3: read -1 bytes, strip size 8192.
TIFFFillStrip: Invalid strip byte count 0, strip 3.
: Strip 4: read -1 bytes, strip size 8192.
TIFFFillStrip: Invalid strip byte count 0, strip 4.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==145219==ERROR: AddressSanitizer: SEGV on unknown address 0x62e000031f00 (pc 0x7f9e6e4fbcd2 bp 0x7ffdd30316f0 sp 0x7ffdd3030e58 T0)
==145219==The signal is caused by a READ memory access.
    #0 0x7f9e6e4fbcd1  (/lib/x86_64-linux-gnu/libc.so.6+0xbbcd1)
    #1 0x7f9e6ed9a37e in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #2 0x5607dd506184 in _TIFFmemcpy /root/programs_latest/libtiff/libtiff/tif_unix.c:368
    #3 0x5607dd46ed16 in extractContigSamplesBytes /root/programs_latest/libtiff/tools/tiffcrop.c:2903
    #4 0x5607dd486a55 in extractSeparateRegion /root/programs_latest/libtiff/tools/tiffcrop.c:6921
    #5 0x5607dd48aa94 in processCropSelections /root/programs_latest/libtiff/tools/tiffcrop.c:7835
    #6 0x5607dd46cbb1 in main /root/programs_latest/libtiff/tools/tiffcrop.c:2511
    #7 0x7f9e6e464082 in __libc_start_main ../csu/libc-start.c:308
    #8 0x5607dd46360d in _start (/root/programs_latest/libtiff/build_asan/bin/tiffcrop+0x2e60d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbbcd1) 
==145219==ABORTING

Platform

# uname -a
Linux dd189b3c7b86 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

poc.zip