tiffcp: heap-buffer-overflow at libtiff/tools/tiffcp.c:1528 in cpStripToTile()
Summary
A segmentation fault occurs when running tiffcp on the attached PoC file.
An AddressSanitizer build reports it as a heap-buffer-overflow: a 1-byte read in cpStripToTile() landing 0 bytes past the end of a 106434-byte tile buffer allocated in readContigTilesIntoBuffer().
Version
$ ./tools/tiffcp -h
LIBTIFF, Version 4.5.1
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Copy, convert, or combine TIFF files
Steps to reproduce
make
$ wget http://download.osgeo.org/libtiff/tiff-4.5.1.zip
$ unzip tiff-4.5.1.zip
$ cd tiff-4.5.1/
$ ./configure
$ make
run
$ tiff-4.5.1/tools/tiffcp -i -c packbits Poc_SQ2_tiffcp.tiff /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
tools/Poc/Poc_SQ2_tiffcp.tiff: Warning, Nonstandard tile length 146, convert file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
tools/Poc/Poc_SQ2_tiffcp.tiff: JPEG compression support is not configured.
TIFFSetField: tools/Poc/Poc_SQ2_tiffcp.tiff: Unknown pseudo-tag 65538.
TIFFFillTile: Too large tile byte count 808464432, tile 0. Limiting to 1068436.
Segmentation fault
ASAN report
$ tiff-4.5.1-asan/tools/tiffcp -i -c packbits Poc_SQ2_tiffcp.tiff /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
tools/Poc/Poc_SQ2_tiffcp.tiff: Warning, Nonstandard tile length 146, convert file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
tools/Poc/Poc_SQ2_tiffcp.tiff: JPEG compression support is not configured.
TIFFSetField: tools/Poc/Poc_SQ2_tiffcp.tiff: Unknown pseudo-tag 65538.
TIFFFillTile: Too large tile byte count 808464432, tile 0. Limiting to 1068436.
=================================================================
==1226841==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63300001a7c2 at pc 0x5580870669f1 bp 0x7ffcfc768590 sp 0x7ffcfc768580
READ of size 1 at 0x63300001a7c2 thread T0
#0 0x5580870669f0 in cpStripToTile /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1528
#1 0x55808706741e in readContigTilesIntoBuffer /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1723
#2 0x558087066d81 in cpImage /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1594
#3 0x558087069306 in cpContigTiles2ContigTiles /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:2091
#4 0x558087065051 in tiffcp /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1122
#5 0x5580870620d1 in main /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:396
#6 0x7fa27d5ab082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#7 0x558087060abd in _start (/home/yan/tiff-4.5.1-asan/tools/tiffcp+0x1eabd)
0x63300001a7c2 is located 0 bytes to the right of 106434-byte region [0x633000000800,0x63300001a7c2)
allocated by thread T0 here:
#0 0x7fa27d9f1808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x55808712f99d in _TIFFmalloc /home/yan/tiff-4.5.1-asan/libtiff/tif_unix.c:326
#2 0x558087060c4e in limitMalloc /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:119
#3 0x5580870671fb in readContigTilesIntoBuffer /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1696
#4 0x558087066d81 in cpImage /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1594
#5 0x558087069306 in cpContigTiles2ContigTiles /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:2091
#6 0x558087065051 in tiffcp /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1122
#7 0x5580870620d1 in main /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:396
#8 0x7fa27d5ab082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1528 in cpStripToTile
Shadow bytes around the buggy address:
0x0c667fffb4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c667fffb4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb4f0: 00 00 00 00 00 00 00 00[02]fa fa fa fa fa fa fa
0x0c667fffb500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c667fffb540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1226841==ABORTING
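To make the fault pattern in the trace concrete: readContigTilesIntoBuffer() (tiffcp.c:1696) allocates the tile buffer from one size computation, and cpStripToTile() (tiffcp.c:1528) then copies out of that buffer driven only by row count, column count and skews, so any disagreement between the two turns into an out-of-bounds read. The overflowing address is exactly 0 bytes past a 106434-byte region; 106434 = 146 x 729, which is consistent with one tile of the 146-row length from the warning above at 729 bytes per row, although the report does not state the tile width or which copy parameter exceeds the allocation. The following C model is added example code, not libtiff's (tile_model, span_bytes, copy_tile_model and the demo_* functions are hypothetical); it places the unchecked loop shape next to a variant that bounds both buffers before copying.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of the tiffcp pattern seen in the ASan trace: a tile
 * buffer sized by one computation, copied by a geometry-driven loop that
 * never looks at either buffer's length. Not libtiff code; all names below
 * are hypothetical.
 */

/* Geometry-driven byte copy with no reference to either buffer's length. */
static void cp_strip_to_tile_unchecked(uint8_t *out, const uint8_t *in,
                                       uint32_t rows, uint32_t cols,
                                       int64_t outskew, int64_t inskew)
{
    while (rows-- > 0) {
        uint32_t j = cols;
        while (j-- > 0)
            *out++ = *in++;   /* the 1-byte READ in the ASan report has this shape */
        out += outskew;
        in += inskew;
    }
}

/* Bytes the loop touches in one buffer: (rows-1) full strides plus one final
 * row. Negative skew is refused by returning UINT64_MAX. */
static uint64_t span_bytes(uint32_t rows, uint32_t cols, int64_t skew)
{
    if (rows == 0 || cols == 0)
        return 0;
    if (skew < 0)
        return UINT64_MAX;
    uint64_t stride = (uint64_t)cols + (uint64_t)skew;
    return (uint64_t)(rows - 1) * stride + cols;
}

/* Hardened copy: reject geometry that does not fit either buffer.
 * Returns 0 on success, -1 when the copy would overrun. */
static int cp_strip_to_tile_checked(uint8_t *out, size_t outlen,
                                    const uint8_t *in, size_t inlen,
                                    uint32_t rows, uint32_t cols,
                                    int64_t outskew, int64_t inskew)
{
    uint64_t need_in = span_bytes(rows, cols, inskew);
    uint64_t need_out = span_bytes(rows, cols, outskew);
    if (need_in > inlen || need_out > outlen)
        return -1;
    cp_strip_to_tile_unchecked(out, in, rows, cols, outskew, inskew);
    return 0;
}

/* Hypothetical per-tile state: what the file declares vs. what was allocated. */
struct tile_model {
    uint32_t tw, tl;     /* declared tile width (bytes per row) and length (rows) */
    size_t   tilesize;   /* bytes actually allocated for the tile buffer */
};

/* Copy one tile into an image of imagew bytes per row; returns checked-copy status. */
static int copy_tile_model(const struct tile_model *t, uint32_t imagew, uint32_t imagelength)
{
    uint8_t *tilebuf = calloc(t->tilesize, 1);
    uint8_t *image = calloc((size_t)imagew * imagelength, 1);
    if (!tilebuf || !image) {
        free(tilebuf);
        free(image);
        return -1;
    }
    memset(tilebuf, 0xAB, t->tilesize);               /* constructed tile payload */

    uint32_t nrow = t->tl < imagelength ? t->tl : imagelength;
    int64_t iskew = (int64_t)imagew - (int64_t)t->tw; /* output skew for an unclipped tile */
    int rc = cp_strip_to_tile_checked(image, (size_t)imagew * imagelength,
                                      tilebuf, t->tilesize,
                                      nrow, t->tw, iskew, 0);
    free(tilebuf);
    free(image);
    return rc;
}

/* Consistent file: 4 rows x 8 bytes declared, 32 bytes allocated. */
int demo_consistent(void)
{
    struct tile_model t = { .tw = 8, .tl = 4, .tilesize = 32 };
    return copy_tile_model(&t, 16, 4);
}

/* Mismatched file: same declared geometry, only 31 bytes allocated. The
 * unchecked loop would read tilebuf[31], 0 bytes past the end, exactly the
 * ASan finding's shape; the checked copy refuses instead. */
int demo_mismatched(void)
{
    struct tile_model t = { .tw = 8, .tl = 4, .tilesize = 31 };
    return copy_tile_model(&t, 16, 4);
}
```

The check is deliberately placed at the copy rather than at allocation time: the tile buffer size, the declared tile geometry and the skews come from three different places in the reader, and the copy is the only point where all of them meet.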
Platform
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal