tiffcrop and tiffcp : FPE at /libtiff/libtiff/tif_ojpeg.c:1364 in OJPEGWriteHeaderInfo() (SIGFPE)
Summary
A SIGFPE is raised when using tiffcrop and tiffcp on the attached pocmin file.
Version
$ ./tools/tiffcrop -v
Library Release: LIBTIFF, Version 4.5.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
: Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
$ git log --oneline -1
9bd48f0d (HEAD -> master, origin/master, origin/HEAD) Merge branch 'mymaster1' into 'master'
Steps to reproduce
make
git clone https://gitlab.com/libtiff/libtiff.git
cd libtiff
./autogen.sh
./configure
make
run
$ ./tools/tiffcrop pocmin /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7472 (0x1d30) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 7472 (Tag 7472) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 0 (Tag 0) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFAdvanceDirectory: Error fetching directory count.
OJPEGSetupDecode: Warning, Deprecated and troublesome old-style JPEG compression mode, please convert to new-style JPEG compression and notify vendor of writing software.
OJPEGSubsamplingCorrect: Warning, Subsampling values [0,17] are not allowed in TIFF.
fish: Job 1, './tools/tiffcr…' terminated by signal SIGFPE (Floating point exception)
$ ./tools/tiffcp pocmin /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7472 (0x1d30) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 7472 (Tag 7472) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 0 (Tag 0) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
OJPEGSubsamplingCorrect: Warning, Subsampling values [0,17] are not allowed in TIFF.
OJPEGSetupDecode: Warning, Deprecated and troublesome old-style JPEG compression mode, please convert to new-style JPEG compression and notify vendor of writing software.
fish: Job 1, './tools/tiffcp…' terminated by signal SIGFPE (Floating point exception)
Platform
$ uname -a
Linux fuzzer-System-Product-Name 5.15.0-69-generic #76~20.04.1-Ubuntu SMP Mon Mar 20 15:54:19 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ gcc --version
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
ASAN report
$ ./libtiff/tools/tiffcrop pocmin /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7472 (0x1d30) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 7472 (Tag 7472) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 0 (Tag 0) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFAdvanceDirectory: Error fetching directory count.
OJPEGSetupDecode: Warning, Deprecated and troublesome old-style JPEG compression mode, please convert to new-style JPEG compression and notify vendor of writing software.
OJPEGSubsamplingCorrect: Warning, Subsampling values [0,17] are not allowed in TIFF.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4023983==ERROR: AddressSanitizer: FPE on unknown address 0x559ec05eee42 (pc 0x559ec05eee42 bp 0x7ffd248755a0 sp 0x7ffd24875570 T0)
#0 0x559ec05eee41 in OJPEGWriteHeaderInfo /home/fuzzer/paper_eval/report/libtiff/libtiff/tif_ojpeg.c:1364
#1 0x559ec05ea09f in OJPEGPreDecode /home/fuzzer/paper_eval/report/libtiff/libtiff/tif_ojpeg.c:771
#2 0x559ec059614c in TIFFStartTile /home/fuzzer/paper_eval/report/libtiff/libtiff/tif_read.c:1481
#3 0x559ec0595181 in TIFFFillTile /home/fuzzer/paper_eval/report/libtiff/libtiff/tif_read.c:1333
#4 0x559ec05937e2 in TIFFReadEncodedTile /home/fuzzer/paper_eval/report/libtiff/libtiff/tif_read.c:965
#5 0x559ec05934c2 in TIFFReadTile /home/fuzzer/paper_eval/report/libtiff/libtiff/tif_read.c:921
#6 0x559ec04fd6b4 in readContigTilesIntoBuffer /home/fuzzer/paper_eval/report/libtiff/tools/tiffcrop.c:1012
#7 0x559ec051e64e in loadImage /home/fuzzer/paper_eval/report/libtiff/tools/tiffcrop.c:7158
#8 0x559ec05065e6 in main /home/fuzzer/paper_eval/report/libtiff/tools/tiffcrop.c:2782
#9 0x7fe9f26b1082 in __libc_start_main ../csu/libc-start.c:308
#10 0x559ec04fd17d in _start (/home/fuzzer/paper_eval/report/libtiff/tools/tiffcrop+0x2a17d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/fuzzer/paper_eval/report/libtiff/libtiff/tif_ojpeg.c:1364 in OJPEGWriteHeaderInfo
==4023983==ABORTING
$ ./libtiff/tools/tiffcp pocmin /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7472 (0x1d30) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 7472 (Tag 7472) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 0 (Tag 0) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
OJPEGSubsamplingCorrect: Warning, Subsampling values [0,17] are not allowed in TIFF.
OJPEGSetupDecode: Warning, Deprecated and troublesome old-style JPEG compression mode, please convert to new-style JPEG compression and notify vendor of writing software.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==506728==ERROR: AddressSanitizer: FPE on unknown address 0x563c2c7db97d (pc 0x563c2c7db97d bp 0x7ffde2914280 sp 0x7ffde2914250 T0)
#0 0x563c2c7db97c in OJPEGWriteHeaderInfo /home/fuzzer/paper_eval/report/libtiff/libtiff/tif_ojpeg.c:1364
#1 0x563c2c7d6bda in OJPEGPreDecode /home/fuzzer/paper_eval/report/libtiff/libtiff/tif_ojpeg.c:771
#2 0x563c2c808852 in TIFFStartTile /home/fuzzer/paper_eval/report/libtiff/libtiff/tif_read.c:1481
#3 0x563c2c807887 in TIFFFillTile /home/fuzzer/paper_eval/report/libtiff/libtiff/tif_read.c:1333
#4 0x563c2c805ee8 in TIFFReadEncodedTile /home/fuzzer/paper_eval/report/libtiff/libtiff/tif_read.c:965
#5 0x563c2c805bc8 in TIFFReadTile /home/fuzzer/paper_eval/report/libtiff/libtiff/tif_read.c:921
#6 0x563c2c72c775 in readContigTilesIntoBuffer /home/fuzzer/paper_eval/report/libtiff/tools/tiffcp.c:1711
#7 0x563c2c72c1a9 in cpImage /home/fuzzer/paper_eval/report/libtiff/tools/tiffcp.c:1594
#8 0x563c2c72e71d in cpContigTiles2ContigTiles /home/fuzzer/paper_eval/report/libtiff/tools/tiffcp.c:2091
#9 0x563c2c72a4c8 in tiffcp /home/fuzzer/paper_eval/report/libtiff/tools/tiffcp.c:1122
#10 0x563c2c727599 in main /home/fuzzer/paper_eval/report/libtiff/tools/tiffcp.c:396
#11 0x7fd113b65082 in __libc_start_main ../csu/libc-start.c:308
#12 0x563c2c725f9d in _start (/home/fuzzer/paper_eval/report/libtiff/tools/tiffcp+0x24f9d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/fuzzer/paper_eval/report/libtiff/libtiff/tif_ojpeg.c:1364 in OJPEGWriteHeaderInfo
==506728==ABORTING
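Added here as an illustration, not part of this report or of libtiff's code: a defender's version of the check that would keep a file-controlled subsampling factor out of a divide. It assumes the SIGFPE at tif_ojpeg.c:1364 is an integer division by the horizontal subsampling factor (the "[0,17]" value warned about above) in the line-length computation; the function names are hypothetical.

```c
/* Added example (not libtiff code). Assumption: OJPEGWriteHeaderInfo divides the
 * strile width by (subsampling_hor * 8) to round a line up to whole MCUs, so a
 * horizontal factor of 0 taken from the file raises SIGFPE. The fix pattern is to
 * validate file-controlled divisors before any arithmetic uses them. */
#include <stdint.h>
#include <stdio.h>

/* TIFF 6.0 allows YCbCr subsampling factors of 1, 2 or 4 only. */
static int subsampling_factor_ok(uint8_t f)
{
    return f == 1 || f == 2 || f == 4;
}

/* Returns 1 if both factors are usable, 0 otherwise; no arithmetic on bad input. */
int ojpeg_subsampling_valid(uint8_t hor, uint8_t ver)
{
    return subsampling_factor_ok(hor) && subsampling_factor_ok(ver);
}

/* Line length rounded up to a whole number of (8 * hor)-pixel MCUs. The divide is
 * reached only after validation, so a zero factor from a crafted file cannot trap.
 * Returns 0 on invalid input so the caller can fail the decode instead of crashing. */
uint32_t ojpeg_ylinelen(uint32_t strile_width, uint8_t hor, uint8_t ver)
{
    if (!ojpeg_subsampling_valid(hor, ver))
    {
        fprintf(stderr, "Subsampling values [%u,%u] are not allowed in TIFF\n",
                (unsigned)hor, (unsigned)ver);
        return 0;
    }
    uint32_t mcu = (uint32_t)hor * 8;
    /* Guard the round-up addition against uint32 wrap on absurd widths. */
    if (strile_width > UINT32_MAX - (mcu - 1))
        return 0;
    return (strile_width + mcu - 1) / mcu * mcu;
}

int main(void)
{
    printf("%u\n", ojpeg_ylinelen(100, 2, 2));  /* 112: 7 MCUs of 16 pixels */
    printf("%u\n", ojpeg_ylinelen(100, 0, 17)); /* 0, with a diagnostic, no SIGFPE */
    return 0;
}
```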