heap-buffer-overflow in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801
Summary
A heap-buffer-overflow occurs when using tiffcrop; it's related to issues #536 (closed) and #537 (closed). This may be helpful in fixing the error.
Version
$ ./tools/tiffcrop -v
Library Release: LIBTIFF, Version 4.5.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
: Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
$ git log --oneline -1
17adf430 (HEAD -> master, origin/master, origin/HEAD) Merge branch 'tif_ovrcache_TIFFSetSubDirectory' into 'master'
Steps to reproduce
CC=clang CXX=clang++ CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --disable-shared
make
./tools/tiffcrop -R 270 -S 4:2 -O l -e d -U cm -m 1,2,3,4 -i poc /dev/null
Results
$ ./tools/tiffcrop -R 270 -S 4:2 -O l -e d -U cm -m 1,2,3,4 -i poc1 /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 59649 (0xe901) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 509 (0x1fd) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 501 (0x1f5) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7442 (0x1d12) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32552 (0x7f28) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 48602 (0xbdda) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 24000 (0x5dc0) encountered.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 59649" value failed; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 7442"; tag ignored.
TIFFFetchNormalTag: Defined set_field_type of custom tag 32552 (Tag 32552) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 48602 (Tag 48602) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 24000 (Tag 24000) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpretation tag.
computeOutputPixelOffsets: Number of user input section rows down (2) was changed to (6).
computeOutputPixelOffsets: Number of user input section cols across (4) was changed to (2).
=================================================================
==30876==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000005f3 at pc 0x0000004fb124 bp 0x7fffffff7f80 sp 0x7fffffff7f78
READ of size 1 at 0x6140000005f3 thread T0
#0 0x4fb123 in extractImageSection /src/PoC/libtiff/libtiff/tools/tiffcrop.c:7916:33
#1 0x4e4eba in writeImageSections /src/PoC/libtiff/libtiff/tools/tiffcrop.c:8124:13
#2 0x4d01d3 in main /src/PoC/libtiff/libtiff/tools/tiffcrop.c:2868:21
#3 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#4 0x41c49d in _start (/src/PoC/libtiff/libtiff/tools/tiffcrop+0x41c49d)
0x6140000005f3 is located 0 bytes to the right of 435-byte region [0x614000000440,0x6140000005f3)
allocated by thread T0 here:
#0 0x4976fd in malloc (/src/PoC/libtiff/libtiff/tools/tiffcrop+0x4976fd)
#1 0x5adccc in _TIFFmalloc /src/PoC/libtiff/libtiff/libtiff/tif_unix.c:326:13
#2 0x4e82b4 in limitMalloc /src/PoC/libtiff/libtiff/tools/tiffcrop.c:709:12
#3 0x4d4d02 in loadImage /src/PoC/libtiff/libtiff/tools/tiffcrop.c:7113:26
#4 0x4cf88e in main /src/PoC/libtiff/libtiff/tools/tiffcrop.c:2782:17
#5 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/PoC/libtiff/libtiff/tools/tiffcrop.c:7916:33 in extractImageSection
Shadow bytes around the buggy address:
0x0c287fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
0x0c287fff8080: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c287fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[03]fa
0x0c287fff80c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c287fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c287fff80e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c287fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c287fff8100: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==30876==ABORTING
$ ./tools/tiffcrop -R 270 -S 4:2 -O l -e d -U cm -m 1,2,3,4 -i poc2 /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 59649 (0xe901) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 501 (0x1f5) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 295 (0x127) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 48602 (0xbdda) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 24000 (0x5dc0) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 59649 (Tag 59649) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" does not end in null byte.
TIFFFetchNormalTag: Defined set_field_type of custom tag 295 (Tag 295) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 48602 (Tag 48602) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 24000 (Tag 24000) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpretation tag.
TIFFFillStrip: Read error on strip 0; got 725 bytes, expected 13764.
TIFFFillStrip: Read error on strip 1; got 797 bytes, expected 13764.
TIFFFillStrip: Read error on strip 2; got 797 bytes, expected 13764.
computeOutputPixelOffsets: Number of user input section rows down (2) was changed to (16).
computeOutputPixelOffsets: Number of user input section cols across (4) was changed to (1).
=================================================================
==31775==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e00000a54f at pc 0x000000496aa7 bp 0x7fffffff7f50 sp 0x7fffffff7718
READ of size 312 at 0x62e00000a54f thread T0
#0 0x496aa6 in __asan_memcpy (/src/PoC/libtiff/libtiff/tools/tiffcrop+0x496aa6)
#1 0x5addd4 in _TIFFmemcpy /src/PoC/libtiff/libtiff/libtiff/tif_unix.c:345:5
#2 0x4faeb7 in extractImageSection /src/PoC/libtiff/libtiff/tools/tiffcrop.c:7801:13
#3 0x4e4eba in writeImageSections /src/PoC/libtiff/libtiff/tools/tiffcrop.c:8124:13
#4 0x4d01d3 in main /src/PoC/libtiff/libtiff/tools/tiffcrop.c:2868:21
#5 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#6 0x41c49d in _start (/src/PoC/libtiff/libtiff/tools/tiffcrop+0x41c49d)
0x62e00000a54f is located 0 bytes to the right of 41295-byte region [0x62e000000400,0x62e00000a54f)
allocated by thread T0 here:
#0 0x4976fd in malloc (/src/PoC/libtiff/libtiff/tools/tiffcrop+0x4976fd)
#1 0x5adccc in _TIFFmalloc /src/PoC/libtiff/libtiff/libtiff/tif_unix.c:326:13
#2 0x4e82b4 in limitMalloc /src/PoC/libtiff/libtiff/tools/tiffcrop.c:709:12
#3 0x4d4d02 in loadImage /src/PoC/libtiff/libtiff/tools/tiffcrop.c:7113:26
#4 0x4cf88e in main /src/PoC/libtiff/libtiff/tools/tiffcrop.c:2782:17
#5 0x7ffff7c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/src/PoC/libtiff/libtiff/tools/tiffcrop+0x496aa6) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c5c7fff9450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff9460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff9470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff9480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff9490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5c7fff94a0: 00 00 00 00 00 00 00 00 00[07]fa fa fa fa fa fa
0x0c5c7fff94b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff94c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff94d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==31775==ABORTING
Platform
$ uname -a
Linux 2edec7eb4bdd 5.4.0-132-generic #148~18.04.1-Ubuntu SMP Mon Oct 24 20:41:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
PoC
Edited by xingxing wei
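Added example, not tiffcrop's code and not a proposed patch for extractImageSection: a section-extraction routine in C showing the checks a copy of this shape needs before it touches the source buffer. Both ASan reports above are reads that run off the end of the image buffer allocated in loadImage (0 bytes to the right of a 435-byte and a 41295-byte region), so the example verifies, before any byte is read, that the requested section lies inside the declared image geometry, that the declared geometry is actually backed by the allocation, and that the offset arithmetic cannot wrap. The struct img fields, extract_section and the demo_* helpers are this example's own names, and the 4x3 sample image is constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical image descriptor for this example (not tiffcrop's struct image_data). */
struct img {
    uint32_t width;      /* pixels per scanline */
    uint32_t length;     /* number of scanlines */
    uint32_t bpp;        /* bytes per pixel; whole bytes only, to keep the arithmetic simple */
    const uint8_t *buf;  /* row-major pixel data */
    size_t buf_size;     /* bytes actually allocated for buf; may be less than width*length*bpp */
};

/* Copy the section x0..x0+w-1, y0..y0+h-1 into dst.
 * Returns 0 on success, -1 if any check fails. No byte is read or written
 * until every check has passed. */
int extract_section(const struct img *im,
                    uint32_t x0, uint32_t y0, uint32_t w, uint32_t h,
                    uint8_t *dst, size_t dst_size)
{
    if (im == NULL || im->buf == NULL || dst == NULL) return -1;
    if (w == 0 || h == 0 || im->bpp == 0) return -1;

    /* 1. The section must lie inside the declared geometry. Done in 64-bit so
     *    that x0 + w cannot wrap around to a small value and pass. */
    if ((uint64_t)x0 + w > im->width)  return -1;
    if ((uint64_t)y0 + h > im->length) return -1;

    /* 2. The declared geometry must itself be backed by the allocation. This is
     *    stricter than checking the section's last byte alone, but it catches a
     *    geometry/allocation mismatch before any copy trusts the geometry. */
    uint64_t scanline = (uint64_t)im->width * im->bpp;  /* both operands < 2^32, no overflow */
    if (im->length > UINT64_MAX / scanline) return -1;   /* length * scanline would overflow */
    if ((uint64_t)im->length * scanline > im->buf_size) return -1;

    /* 3. The destination must hold the whole section. w*bpp*h <= scanline*length,
     *    which step 2 showed does not overflow. */
    uint64_t row_bytes = (uint64_t)w * im->bpp;
    if (row_bytes * h > dst_size) return -1;

    for (uint32_t r = 0; r < h; r++) {
        const uint8_t *src = im->buf + ((uint64_t)y0 + r) * scanline + (uint64_t)x0 * im->bpp;
        memcpy(dst + (size_t)r * row_bytes, src, (size_t)row_bytes);
    }
    return 0;
}

/* Constructed sample: 4x3 pixels, 2 bytes each (24 bytes); byte i holds the value i. */
static uint8_t sample[24];
static void fill_sample(void) { for (unsigned i = 0; i < sizeof sample; i++) sample[i] = (uint8_t)i; }

/* In-bounds copy of the 2x2 section at (1,1); returns 0 if the copied bytes match. */
int demo_in_bounds(void) {
    fill_sample();
    struct img im = { 4, 3, 2, sample, sizeof sample };
    uint8_t out[8];
    static const uint8_t expect[8] = { 10, 11, 12, 13, 18, 19, 20, 21 };
    if (extract_section(&im, 1, 1, 2, 2, out, sizeof out) != 0) return -1;
    return memcmp(out, expect, sizeof out) == 0 ? 0 : -2;
}

/* Same geometry, but only 20 of the 24 declared bytes were allocated; the
 * 2x1 section at (2,2) would read bytes 20..23 past the end: rejected. */
int demo_short_allocation(void) {
    fill_sample();
    struct img im = { 4, 3, 2, sample, 20 };
    uint8_t out[8];
    return extract_section(&im, 2, 2, 2, 1, out, sizeof out);
}

/* Section extends past the right edge (x0 + w = 5 > width 4): rejected. */
int demo_past_edge(void) {
    fill_sample();
    struct img im = { 4, 3, 2, sample, sizeof sample };
    uint8_t out[8];
    return extract_section(&im, 3, 0, 2, 1, out, sizeof out);
}

/* x0 + w wraps to 1 in 32-bit arithmetic and would pass a naive bounds check: rejected. */
int demo_offset_wrap(void) {
    fill_sample();
    struct img im = { 4, 3, 2, sample, sizeof sample };
    uint8_t out[8];
    return extract_section(&im, UINT32_MAX, 0, 2, 1, out, sizeof out);
}

int main(void) {
    printf("in bounds: %d\nshort allocation: %d\npast edge: %d\noffset wrap: %d\n",
           demo_in_bounds(), demo_short_allocation(), demo_past_edge(), demo_offset_wrap());
    return 0;
}
```

Build with `cc -Wall -fsanitize=address example.c` and run; only the in-bounds copy returns 0, and ASan stays quiet because the rejected cases never reach the memcpy. The report above does not establish which of these invariants tiffcrop breaks for poc1 and poc2 (the changed section rows/cols from computeOutputPixelOffsets and the short strip reads in the second run are both candidates), so the example shows the checks rather than asserting the root cause.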