tiffcrop: SEGV in extractContigSamplesShifted24bits, tiffcrop.c:3592
Summary
There is SEGV errors in extractContigSamplesShifted24bits in tools/tiffcrop.c:3592. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.
Version
LIBTIFF, Version master (post 4.4.0), commit id 1bdbd03f (Tue Nov 29 17:02:09 2022 +0000)
Steps to reproduce
# CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared
# make -j; make install; make clean
$ ./build_asan/bin/tiffcrop -e multiple -z 1,1,2048,2048:1,2049,2048,4097 -R 270 -i poc /tmp/foo
TIFFReadDirectory: Warning, Incorrect count for "ColorMap"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag ignored.
ZIPDecode: Decoding error at scanline 0.
: Strip 1: read -1 bytes, strip size 1536.
TIFFFillStrip: Invalid strip byte count 0, strip 1.
: Strip 2: read -1 bytes, strip size 1536.
TIFFFillStrip: Invalid strip byte count 0, strip 2.
: Strip 3: read -1 bytes, strip size 1536.
TIFFFillStrip: Invalid strip byte count 0, strip 3.
: Strip 4: read -1 bytes, strip size 1536.
TIFFFillStrip: Invalid strip byte count 0, strip 4.
: Strip 5: read -1 bytes, strip size 1536.
TIFFFillStrip: Invalid strip byte count 0, strip 5.
: Strip 6: read -1 bytes, strip size 1536.
TIFFFillStrip: Invalid strip byte count 0, strip 6.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==145317==ERROR: AddressSanitizer: SEGV on unknown address 0x626000012382 (pc 0x560e87aeada4 bp 0x7ffe0adb85d0 sp 0x7ffe0adb8560 T0)
==145317==The signal is caused by a READ memory access.
#0 0x560e87aeada3 in extractContigSamplesShifted24bits /root/programs_latest/libtiff/tools/tiffcrop.c:3592
#1 0x560e87b00bb8 in extractSeparateRegion /root/programs_latest/libtiff/tools/tiffcrop.c:6954
#2 0x560e87b04a94 in processCropSelections /root/programs_latest/libtiff/tools/tiffcrop.c:7835
#3 0x560e87ae6bb1 in main /root/programs_latest/libtiff/tools/tiffcrop.c:2511
#4 0x7fcc3b5b4082 in __libc_start_main ../csu/libc-start.c:308
#5 0x560e87add60d in _start (/root/programs_latest/libtiff/build_asan/bin/tiffcrop+0x2e60d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/programs_latest/libtiff/tools/tiffcrop.c:3592 in extractContigSamplesShifted24bits
==145317==ABORTING
Platform
# uname -a
Linux dd189b3c7b86 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux