Skip to content

tiffcrop: heap-buffer-overflow in extractContigSamplesShifted16bits, tiffcrop.c:3516

Summary

There is heap-buffer-overflow errors in extractContigSamplesShifted16bits in tools/tiffcrop.c:3516. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.

Version

LIBTIFF, Version master (post 4.4.0), commit id 1bdbd03f (Tue Nov 29 17:02:09 2022 +0000)

Steps to reproduce

# CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared

# make -j; make install; make clean

$ ./build_asan/bin/tiffcrop -E right -U in -z 1,1,2048,2048:1,2049,2048,4097  -i  poc /tmp/foo
TIFFFetchNormalTag: Warning, Incompatible type for "Orientation"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "ResolutionUnit"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
ZIPDecode: Decoding error at scanline 0.
: Strip 1: read -1 bytes, strip size 1024.
TIFFFillStrip: Invalid strip byte count 0, strip 1.
: Strip 2: read -1 bytes, strip size 1024.
TIFFFillStrip: Invalid strip byte count 0, strip 2.
: Strip 3: read -1 bytes, strip size 1024.
TIFFFillStrip: Invalid strip byte count 0, strip 3.
: Strip 4: read -1 bytes, strip size 1024.
TIFFFillStrip: Invalid strip byte count 0, strip 4.
: Strip 5: read -1 bytes, strip size 1024.
...
TIFFFillStrip: Invalid strip byte count 0, strip 511.
=================================================================
==145436==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000041c0 at pc 0x56340d1cdb4a bp 0x7ffcf1f74c40 sp 0x7ffcf1f74c30
WRITE of size 1 at 0x6290000041c0 thread T0
    #0 0x56340d1cdb49 in extractContigSamplesShifted16bits /root/programs_latest/libtiff/tools/tiffcrop.c:3516
    #1 0x56340d1e3251 in extractCompositeRegions /root/programs_latest/libtiff/tools/tiffcrop.c:6801
    #2 0x56340d1e6d0a in processCropSelections /root/programs_latest/libtiff/tools/tiffcrop.c:7733
    #3 0x56340d1c9bb1 in main /root/programs_latest/libtiff/tools/tiffcrop.c:2511
    #4 0x7f5d015e7082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x56340d1c060d in _start (/root/programs_latest/libtiff/build_asan/bin/tiffcrop+0x2e60d)

0x6290000041c0 is located 1 bytes to the right of 16319-byte region [0x629000000200,0x6290000041bf)
allocated by thread T0 here:
    #0 0x7f5d01f8f808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x56340d26309e in _TIFFmalloc /root/programs_latest/libtiff/libtiff/tif_unix.c:336
    #2 0x56340d1c07a0 in limitMalloc /root/programs_latest/libtiff/tools/tiffcrop.c:644
    #3 0x56340d1e6a81 in processCropSelections /root/programs_latest/libtiff/tools/tiffcrop.c:7705
    #4 0x56340d1c9bb1 in main /root/programs_latest/libtiff/tools/tiffcrop.c:2511
    #5 0x7f5d015e7082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/programs_latest/libtiff/tools/tiffcrop.c:3516 in extractContigSamplesShifted16bits
Shadow bytes around the buggy address:
  0x0c527fff87e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff87f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c527fff8830: 00 00 00 00 00 00 00 07[fa]fa fa fa fa fa fa fa
  0x0c527fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==145436==ABORTING

Platform

# uname -a
Linux dd189b3c7b86 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

poc.zip