Null Pointer Dereference in tif_lzw.c
Summary
We found a null pointer dereference in libtiff 4.5.0 (libtiff/tif_lzw.c:655:20).
Version
libtiff 4.5.0
Steps to reproduce
Command Input
tiffcp -i poc_file /dev/null
- We built libtiff with AddressSanitizer (ASAN) and UndefinedBehaviorSanitizer (UBSAN):
cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -g3 -fsanitize=address -fsanitize=undefined" -DCMAKE_CXX_FLAGS="-O0 -g3 -fsanitize=address -fsanitize=undefined" ..
Sanitizer Dump
/root/target/Invariants/libtiff-master/libtiff/tif_lzw.c:655:20: runtime error: member access within null pointer of type 'code_t' (aka 'struct code_ent')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/target/Invariants/libtiff-master/libtiff/tif_lzw.c:655:20 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3669671==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000b (pc 0x7f0ed44e80bd bp 0x7fff113a57b0 sp 0x7fff113a4630 T0)
==3669671==The signal is caused by a READ memory access.
==3669671==Hint: address points to the zero page.
#0 0x7f0ed44e80bd in LZWDecode /root/target/Invariants/libtiff-master/libtiff/tif_lzw.c:655:20
#1 0x7f0ed45a419d in TIFFReadScanline /root/target/Invariants/libtiff-master/libtiff/tif_read.c:458:13
#2 0x4d1e69 in cpContig2ContigByRow /root/target/Invariants/libtiff-master/tools/tiffcp.c:1159:13
#3 0x4ce160 in tiffcp /root/target/Invariants/libtiff-master/tools/tiffcp.c:1122:18
#4 0x4ca5ad in main /root/target/Invariants/libtiff-master/tools/tiffcp.c:396:18
#5 0x7f0ed3d9b082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#6 0x41c53d in _start (/root/target/Invariants/libtiff-master/build/tools/tiffcp+0x41c53d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/target/Invariants/libtiff-master/libtiff/tif_lzw.c:655:20 in LZWDecode
==3669671==ABORTING
- We built libtiff without AddressSanitizer (ASAN) and UndefinedBehaviorSanitizer (UBSAN):
cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -g3" -DCMAKE_CXX_FLAGS="-O0 -g3" ..
GDB Dump
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x407980 (<__libc_csu_init>: endbr64)
RCX: 0x4
RDX: 0x40dcd1 --> 0x100000000000804
RSI: 0x40dcd0 --> 0x804ff
RDI: 0x40dd00 --> 0x40e218 ("/root/fuzzResult/AFLPLUSPLUS/tiffcp_ASAN_de_de_20230422_no_asan_ubsan/crashes/crashes/test")
RBP: 0x7fffffffdde0 --> 0x7fffffffde20 --> 0x7fffffffde70 --> 0x7fffffffdf10 --> 0x7fffffffdfa0 --> 0x0
RSP: 0x7fffffffdcf0 --> 0x0
RIP: 0x7ffff7f6f984 (<LZWDecode+2820>: mov cl,BYTE PTR [rax+0xb])
R8 : 0x2
R9 : 0x2
R10: 0x7ffff7fb49f5 (" not terminated with EOI code")
R11: 0x246
R12: 0x402350 (<_start>: endbr64)
R13: 0x7fffffffe090 --> 0x4
R14: 0x0
R15: 0x0
EFLAGS: 0x10217 (CARRY PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7f6f973 <LZWDecode+2803>: mov rax,QWORD PTR [rax]
0x7ffff7f6f976 <LZWDecode+2806>: mov QWORD PTR [rbp-0xb8],rax
0x7ffff7f6f97d <LZWDecode+2813>: mov rax,QWORD PTR [rbp-0xb8]
=> 0x7ffff7f6f984 <LZWDecode+2820>: mov cl,BYTE PTR [rax+0xb]
0x7ffff7f6f987 <LZWDecode+2823>: mov rax,QWORD PTR [rbp-0xd0]
0x7ffff7f6f98e <LZWDecode+2830>: mov rdx,rax
0x7ffff7f6f991 <LZWDecode+2833>: add rdx,0xffffffffffffffff
0x7ffff7f6f995 <LZWDecode+2837>: mov QWORD PTR [rbp-0xd0],rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdcf0 --> 0x0
0008| 0x7fffffffdcf8 --> 0xfff7db0154
0016| 0x7fffffffdd00 --> 0x40dceb --> 0x10001
0024| 0x7fffffffdd08 --> 0x7fffffffdd30 --> 0x40f9d0 --> 0x0
0032| 0x7fffffffdd10 --> 0x40dcd1 --> 0x100000000000804
0040| 0x7fffffffdd18 --> 0xec5e351000041ebd
0048| 0x7fffffffdd20 --> 0x110
0056| 0x7fffffffdd28 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7f6f984 in LZWDecode (tif=0x40dd00, op0=0x40dcd0 "\377\004\b", occ0=0x1e, s=0x0)
at /root/target/Invariants/libtiff-master/libtiff/tif_lzw.c:655
655 *--tp = codep->value;
gdb-peda$ p codep
$3 = (code_t *) 0x0
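To make the crash site concrete, the following is an added illustration and not libtiff's code: a miniature LZW-style code table whose entries are chained through a next pointer, in the spirit of libtiff's code_ent. The names table, entries, emit_unchecked, emit_checked, decode_checked and run_demo are this example's own, and the sample table contents are constructed. emit_unchecked has the same shape as the statement at tif_lzw.c:655 shown in the GDB frame above and dereferences the NULL entry of a code the stream never defined; emit_checked validates the code index, the entry pointer and the claimed string length before touching anything and returns an error the caller can turn into a rejected file.

```c
/* Added illustration, not libtiff code: a miniature LZW-style code table in
 * which decoding a code walks a chain of entries and writes their bytes to the
 * output in reverse. Shows why an unchecked entry pointer is a null
 * dereference and what the guard looks like. */
#include <stddef.h>
#include <string.h>

typedef struct code_ent {
    struct code_ent *next; /* previous entry of the string; NULL for a root */
    unsigned short length; /* bytes in the string that ends at this entry */
    unsigned char value;   /* byte contributed by this entry */
} code_t;

#define NCODES 8
static code_t entries[NCODES]; /* backing storage for table entries */
static code_t *table[NCODES];  /* code -> entry; NULL for codes never defined */

/* Constructed sample table: codes 0..2 are the roots 'a','b','c', code 3 is
 * "ab", code 4 is "abc"; codes 5..7 are left undefined (NULL), which is what a
 * corrupted stream can reference. */
static void build_table(void)
{
    memset(entries, 0, sizeof entries);
    memset(table, 0, sizeof table);
    for (int i = 0; i < 3; i++) {
        entries[i].value = (unsigned char)('a' + i);
        entries[i].length = 1;
        table[i] = &entries[i];
    }
    entries[3].value = 'b';            /* "a" + 'b' = "ab" */
    entries[3].length = 2;
    entries[3].next = &entries[0];
    table[3] = &entries[3];
    entries[4].value = 'c';            /* "ab" + 'c' = "abc" */
    entries[4].length = 3;
    entries[4].next = &entries[3];
    table[4] = &entries[4];
}

/* Vulnerable shape: trusts the table entry and dereferences it unconditionally.
 * For an undefined code, table[code] is NULL and the first access reads from
 * the zero page, exactly the SEGV the sanitizer and GDB dumps report. */
static size_t emit_unchecked(int code, char *out, size_t cap)
{
    code_t *codep = table[code];
    size_t len = codep->length;        /* null dereference when codep == NULL */
    if (len > cap)
        return 0;
    char *tp = out + len;
    do {
        *--tp = (char)codep->value;    /* same shape as tif_lzw.c:655 */
    } while ((codep = codep->next) != NULL && tp > out);
    return len;
}

/* Hardened shape: validate the code index, the entry pointer and the claimed
 * length against the output space before any dereference, and report -1 so
 * the caller can reject the input instead of crashing. */
static long emit_checked(int code, char *out, size_t cap)
{
    if (code < 0 || code >= NCODES)
        return -1;                     /* code outside the table */
    code_t *codep = table[code];
    if (codep == NULL)
        return -1;                     /* code never defined by the stream */
    size_t len = codep->length;
    if (len == 0 || len > cap)
        return -1;                     /* would overrun the output buffer */
    char *tp = out + len;
    do {
        *--tp = (char)codep->value;
        codep = codep->next;
    } while (codep != NULL && tp > out);
    if (tp != out)
        return -1;                     /* chain shorter than claimed length */
    return (long)len;
}

static char scratch[16];

/* Decode one code through the guarded path into a scratch buffer; returns the
 * number of bytes written, or -1 when the code is rejected. */
static long decode_checked(int code)
{
    build_table();
    memset(scratch, 0, sizeof scratch);
    return emit_checked(code, scratch, sizeof scratch);
}

/* Self-check: both paths agree on a well-formed code, and the guarded path
 * rejects an undefined code rather than dereferencing NULL. Returns 1 on success. */
static int run_demo(void)
{
    char a[8] = {0}, b[8] = {0};
    build_table();
    if (emit_unchecked(4, a, sizeof a) != 3 || memcmp(a, "abc", 3) != 0)
        return 0;
    if (emit_checked(4, b, sizeof b) != 3 || memcmp(b, "abc", 3) != 0)
        return 0;
    if (emit_checked(6, b, sizeof b) != -1) /* code 6 would crash emit_unchecked */
        return 0;
    return 1;
}
```

run_demo() returning 1 shows that the guarded path produces the same bytes as the unguarded one for a valid code while turning the undefined code into an error; the unchecked path is never called with code 6 because that call is the crash. The length check also covers the related failure where an entry's chain is shorter than its claimed length, which the final tp != out test catches.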
Platform
- OS: Ubuntu 20.04.1
- clang: 12.0.0
PoC