libtiff / libtiff · Issues · #529

tiffcrop: SEGV in Fax3Encode tif_fax3.c:1164

Summary

There is a SEGV error in Fax3Encode in libtiff/tif_fax3.c:1164. A remote attacker could leverage this vulnerability to cause a denial of service via a crafted TIFF file.

Version

LIBTIFF, Version 4.5.0, commit id feb8db62 (Feb 9, 2023 12:05am GMT+0800)

Steps to reproduce

./autogen.sh
CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure --disable-shared
make clean; make -j$(nproc)

./tools/tiffcrop -Z 12:50,12:99 -R 270 poc /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFReadDirectory: Warning, Invalid data type for tag StripOffsets.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpretation tag.
Fax3Decode1D: Warning, Premature EOL at line 0 of tile 0 (got 0, expected 12336).
TIFFWriteDirectoryTagData: IO error writing tag data.
: Failed to write IFD for page number 0.
writeRegions: Unable to write new image.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFReadDirectory: Warning, Invalid data type for tag StripOffsets.
TIFFFetchNormalTag: Defined set_field_type of custom tag 0 (Tag 0) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
loadImage: Image lacks Photometric interpretation tag.
Fax3Decode2D: Warning, Premature EOL at line 0 of tile 0 (got 0, expected 304).
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1539810==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f9578167e9a bp 0x60e000000124 sp 0x7ffe11d99168 T0)
==1539810==The signal is caused by a WRITE memory access.
==1539810==Hint: address points to the zero page.
    #0 0x7f9578167e9a  (/lib/x86_64-linux-gnu/libc.so.6+0xbee9a)
    #1 0x5d5bcd in _TIFFmemcpy /home/afl-libtiff/libtiff/tif_unix.c:345:5
    #2 0x5f18f2 in Fax3Encode /home/afl-libtiff/libtiff/tif_fax3.c:1164:17
    #3 0x5d2f44 in TIFFWriteEncodedTile /home/afl-libtiff/libtiff/tif_write.c:509:10
    #4 0x5d24e8 in TIFFWriteTile /home/afl-libtiff/libtiff/tif_write.c:398:13
    #5 0x532c4b in writeBufferToContigTiles /home/afl-libtiff/tools/tiffcrop.c:1516:17
    #6 0x52655c in writeCroppedImage /home/afl-libtiff/tools/tiffcrop.c:9200:17
    #7 0x512982 in writeSelections /home/afl-libtiff/tools/tiffcrop.c:8020:17
    #8 0x512982 in main /home/afl-libtiff/tools/tiffcrop.c:2825:21
    #9 0x7f95780d00b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #10 0x41c5fd in _start (/home/afl-libtiff/tools-asan/tiffcrop+0x41c5fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbee9a)
==1539810==ABORTING
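Triage helper, added here and not part of the issue or of libtiff: it parses the AddressSanitizer report above (copied inline, truncated after frame #5) and pulls out the fault address, the access type and the first libtiff frame that has a source line, so a crash like this one can be bucketed as a near-NULL write before anyone opens the crash file. The project_dirs filter and the skipping of _TIFFmem* wrapper frames are assumptions of this example.

```python
import re

# ASan output copied from the report above; frames after #5 are omitted.
ASAN_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1539810==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f9578167e9a bp 0x60e000000124 sp 0x7ffe11d99168 T0)
==1539810==The signal is caused by a WRITE memory access.
==1539810==Hint: address points to the zero page.
    #0 0x7f9578167e9a  (/lib/x86_64-linux-gnu/libc.so.6+0xbee9a)
    #1 0x5d5bcd in _TIFFmemcpy /home/afl-libtiff/libtiff/tif_unix.c:345:5
    #2 0x5f18f2 in Fax3Encode /home/afl-libtiff/libtiff/tif_fax3.c:1164:17
    #3 0x5d2f44 in TIFFWriteEncodedTile /home/afl-libtiff/libtiff/tif_write.c:509:10
    #4 0x5d24e8 in TIFFWriteTile /home/afl-libtiff/libtiff/tif_write.c:398:13
    #5 0x532c4b in writeBufferToContigTiles /home/afl-libtiff/tools/tiffcrop.c:1516:17
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\w[\w-]*) on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"signal is caused by a (READ|WRITE) memory access")
# Only frames with "in <func> <path>:<line>" are symbolised; frame #0 (libc) has none.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\w+) (\S+?):(\d+)(?::\d+)?$", re.M)


def triage_asan_segv(report: str, project_dirs=("/libtiff/", "/tools/")) -> dict:
    """Return fault address, access kind and the first project frame of an ASan SEGV."""
    err = ERROR_RE.search(report)
    if not err:
        raise ValueError("not an AddressSanitizer SEGV report")
    kind, addr = err.group(1), int(err.group(2), 16)
    access = ACCESS_RE.search(report)
    frames = [(int(n), fn, path, int(ln)) for n, fn, path, ln in FRAME_RE.findall(report)]
    # Assumption: memcpy-style wrappers (_TIFFmemcpy, ...) are not the culprit; take
    # the first project frame after them, here Fax3Encode at tif_fax3.c:1164.
    culprit = next(((fn, path, ln) for _, fn, path, ln in frames
                    if any(d in path for d in project_dirs) and not fn.startswith("_TIFFmem")), None)
    zero_page = addr < 0x1000  # the zero page is never mapped in Linux userland
    return {
        "kind": kind,
        "address": addr,
        "access": access.group(1) if access else "UNKNOWN",
        "zero_page": zero_page,
        "culprit": culprit,
        "assessment": ("near-NULL %s: deterministic crash, consistent with DoS"
                       % (access.group(1) if access else "access")) if zero_page
                      else "wild address: needs further analysis",
    }
```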

Platform

Linux 520e28fed44e 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

poc
