NULL dereference in TIFFPrintDirectory when color map pointers are NULL under tiny memory limits

Hi, there is a potential bug in TIFFPrintDirectory reachable by printing colormaps under a small memory limit.

This bug was reproduced on 885b36e1.

Description

What crashes

  • The program opens a crafted TIFF using TIFFOpenExt with extremely small memory limits (MaxSingleMemAlloc ~2 KiB, MaxCumulatedMemAlloc ~4 KiB). It then calls TIFFPrintDirectory to dump tag information.
  • Inside libtiff at tif_print.c:560, TIFFPrintDirectory iterates the palette entries and prints the per-channel colormap values via td->td_colormap[0][l], td->td_colormap[1][l], td->td_colormap[2][l]. Due to the small memory limits, the colormap allocations have failed or were never populated, leaving one or more of the td->td_colormap[i] pointers as NULL.
  • TIFFPrintDirectory does not guard against NULL per-channel pointers in this branch and dereferences a NULL pointer, causing a SourceAvNearNull crash.
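As an added illustration (not libtiff's code and not the project's fix), the C below places the unguarded access pattern of the tif_print.c loop beside a hardened version that validates all three per-channel pointers before iterating; the ColorMap struct and the 8-entry palette are constructed stand-ins for td_colormap.

```c
#include <stdio.h>
#include <stdint.h>

/* Stand-in for libtiff's per-channel palette arrays (td_colormap); the shape is an assumption, not libtiff's struct. */
typedef struct {
    uint16_t *ch[3];  /* red, green, blue; NULL if that allocation failed */
    long entries;     /* 1 << bitspersample */
} ColorMap;

/* Same access pattern as the tif_print.c loop in the report: all three
 * channels are indexed unconditionally, so a NULL channel reads page zero. */
static long print_colormap_unchecked(FILE *out, const ColorMap *cm)
{
    long l;
    for (l = 0; l < cm->entries; l++)
        fprintf(out, "   %5ld: %5u %5u %5u\n", l, (unsigned)cm->ch[0][l],
                (unsigned)cm->ch[1][l], (unsigned)cm->ch[2][l]);
    return l;
}

/* Hardened variant: check every channel pointer before the loop. Returns the
 * number of entries printed, or -1 when the map is incomplete. */
static long print_colormap_checked(FILE *out, const ColorMap *cm)
{
    for (int i = 0; i < 3; i++)
        if (cm->ch[i] == NULL) {
            fprintf(out, "  Color Map: (channel %d not loaded)\n", i);
            return -1;
        }
    return print_colormap_unchecked(out, cm);
}

/* Constructed 8-entry palette; with_blue == 0 leaves the blue channel NULL,
 * the state the report describes after the allocation limit is hit. */
static long demo_print(FILE *out, int with_blue)
{
    uint16_t r[8] = {0, 36, 73, 109, 146, 182, 219, 255};
    uint16_t g[8] = {255, 219, 182, 146, 109, 73, 36, 0};
    uint16_t b[8] = {0, 0, 0, 0, 255, 255, 255, 255};
    ColorMap cm = { { r, g, with_blue ? b : NULL }, 8 };
    return print_colormap_checked(out, &cm);
}

int main(void)
{
    demo_print(stdout, 0);  /* incomplete map: reports channel 2, returns -1 */
    demo_print(stdout, 1);  /* complete map: prints 8 rows, returns 8 */
    return 0;
}
```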

POC

The following testcase demonstrates the bug:

testcase.cpp

#include <cstdio>
#include <cstdint>

extern "C" {
    #include "/fuzz/install/include/tiff.h"
    #include "/fuzz/install/include/tiffio.h"
}

int main() {
    // First TIFF file data
    unsigned char data1[4096] = {77, 77, 0, 42, 0, 0, 0, 8, 0, 15, 1, 0, 0, 4, 0, 0, 0, 1, 0, 0, 0, 32, 1, 1, 0, 4, 0, 0, 0, 1, 0, 0, 0, 3, 1, 3, 0, 3, 0, 0, 0, 1, 0, 5, 0, 0, 1, 6, 0, 3, 0, 0, 0, 1, 0, 3, 0, 0, 1, 21, 0, 3, 0, 0, 0, 1, 0, 1, 0, 0, 1, 28, 0, 3, 0, 0, 0, 1, 0, 1, 0, 0, 1, 2, 0, 3, 0, 0, 0, 1, 0, 8, 0, 0, 1, 18, 0, 3, 0, 0, 0, 1, 0, 4, 0, 0, 1, 26, 0, 5, 0, 0, 0, 1, 0, 0, 0, 194, 1, 27, 0, 5, 0, 0, 0, 1, 0, 0, 0, 202, 1, 40, 0, 3, 0, 0, 0, 1, 0, 2, 0, 0, 1, 64, 0, 3, 0, 0, 3, 0, 0, 0, 0, 210, 1, 22, 0, 4, 0, 0, 0, 1, 0, 0, 0, 1, 1, 17, 0, 4, 0, 0, 0, 3, 0, 0, 6, 210, 1, 23, 0, 4, 0, 0, 0, 3, 0, 0, 6, 222, 0, 0, 0, 0, 0, 0, 0, 72, 0, 0, 0, 1, 0, 0, 0, 72, 0, 0, 0, 1, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 13, 13, 14, 14, 15, 15, 16, 16, 17, 17, 18, 18, 19, 19, 20, 20, 21, 21, 22, 22, 23, 23, 24, 24, 25, 25, 26, 26, 27, 27, 28, 28, 29, 29, 30, 30, 31, 31, 32, 32, 33, 33, 34, 34, 35, 35, 36, 36, 37, 37, 38, 38, 39, 39, 40, 40, 41, 41, 42, 42, 43, 43, 44, 44, 45, 45, 46, 46, 47, 47, 48, 48, 49, 49, 50, 50, 51, 51, 52, 52, 53, 53, 54, 54, 55, 55, 56, 56, 57, 57, 58, 58, 59, 59, 60, 60, 61, 61, 62, 62, 63, 63, 64, 64, 65, 65, 66, 66, 67, 67, 68, 68, 69, 69, 70, 70, 71, 71, 72, 72, 73, 73, 74, 74, 75, 75, 76, 76, 77, 77, 78, 78, 79, 79, 80, 80, 81, 81, 82, 82, 83, 83, 84, 84, 85, 85, 86, 86, 87, 87, 88, 88, 89, 89, 90, 90, 91, 91, 92, 92, 93, 93, 94, 94, 95, 95, 96, 96, 97, 97, 98, 98, 99, 99, 100, 100, 101, 101, 102, 102, 103, 103, 104, 104, 105, 105, 106, 106, 107, 107, 108, 108, 109, 109, 110, 110, 111, 111, 112, 112, 113, 113, 114, 114, 115, 115, 116, 116, 117, 117, 118, 118, 119, 119, 120, 120, 121, 121, 122, 122, 123, 123, 124, 124, 125, 125, 126, 126, 127, 127, 128, 128, 129, 129, 130, 130, 131, 131, 132, 132, 133, 133, 134, 134, 135, 135, 136, 136, 137, 137, 138, 138, 139, 139, 140, 140, 141, 141, 142, 142, 143, 143, 144, 144, 145, 145, 146, 146, 147, 147, 148, 148, 149, 149, 150, 150, 151, 151, 152, 152, 
153, 153, 154, 154, 155, 155, 156, 156, 157, 157, 158, 158, 159, 159, 160, 160, 161, 161, 162, 162, 163, 163, 164, 164, 165, 165, 166, 166, 167, 167, 168, 168, 169, 169, 170, 170, 171, 171, 172, 172, 173, 173, 174, 174, 175, 175, 176, 176, 177, 177, 178, 178, 179, 179, 180, 180, 181, 181, 182, 182, 183, 183, 184, 184, 185, 185, 186, 186, 187, 187, 188, 188, 189, 189, 190, 190, 191, 191, 192, 192, 193, 193, 194, 194, 195, 195, 196, 196, 197, 197, 198, 198, 199, 199, 200, 200, 201, 201, 202, 202, 203, 203, 204, 204, 205, 205, 206, 206, 207, 207, 208, 208, 209, 209, 210, 210, 211, 211, 212, 212, 213, 213, 214, 214, 215, 215, 216, 216, 217, 217, 218, 218, 219, 219, 220, 220, 221, 221, 222, 222, 223, 223, 224, 224, 225, 225, 226, 226, 227, 227, 228, 228, 229, 229, 230, 230, 231, 231, 232, 232, 233, 233, 234, 234, 235, 235, 236, 236, 237, 237, 238, 238, 239, 239, 240, 240, 241, 241, 242, 242, 243, 243, 244, 244, 245, 245, 246, 246, 247, 247, 248, 248, 249, 249, 250, 250, 251, 251, 252, 252, 253, 253, 254, 254, 255, 255, 255, 255, 254, 254, 253, 253, 252, 252, 251, 251, 250, 250, 249, 249, 248, 248, 247, 247, 246, 246, 245, 245, 244, 244, 243, 243, 242, 242, 241, 241, 240, 240, 239, 239, 238, 238, 237, 237, 236, 236, 235, 235, 234, 234, 233, 233, 232, 232, 231, 231, 230, 230, 229, 229, 228, 228, 227, 227, 226, 226, 225, 225, 224, 224, 223, 223, 222, 222, 221, 221, 220, 220, 219, 219, 218, 218, 217, 217, 216, 216, 215, 215, 214, 214, 213, 213, 212, 212, 211, 211, 210, 210, 209, 209, 208, 208, 207, 207, 206, 206, 205, 205, 204, 204, 203, 203, 202, 202, 201, 201, 200, 200, 199, 199, 198, 198, 197, 197, 196, 196, 195, 195, 194, 194, 193, 193, 192, 192, 191, 191, 190, 190, 189, 189, 188, 188, 187, 187, 186, 186, 185, 185, 184, 184, 183, 183, 182, 182, 181, 181, 180, 180, 179, 179, 178, 178, 177, 177, 176, 176, 175, 175, 174, 174, 173, 173, 172, 172, 171, 171, 170, 170, 169, 169, 168, 168, 167, 167, 166, 166, 165, 165, 164, 164, 163, 163, 162, 162, 161, 161, 160, 160, 159, 159, 
158, 158, 157, 157, 156, 156, 155, 155, 154, 154, 153, 153, 152, 152, 151, 151, 150, 150, 149, 149, 148, 148, 147, 147, 146, 146, 145, 145, 144, 144, 143, 143, 142, 142, 141, 141, 140, 140, 139, 139, 138, 138, 137, 137, 136, 136, 135, 135, 134, 134, 133, 133, 132, 132, 131, 131, 130, 130, 129, 129, 128, 128, 127, 127, 126, 126, 125, 125, 124, 124, 123, 123, 122, 122, 121, 121, 120, 120, 119, 119, 118, 118, 117, 117, 116, 116, 115, 115, 114, 114, 113, 113, 112, 112, 111, 111, 110, 110, 109, 109, 108, 108, 107, 107, 106, 106, 105, 105, 104, 104, 103, 103, 102, 102, 101, 101, 100, 100, 99, 99, 98, 98, 97, 97, 96, 96, 95, 95, 94, 94, 93, 93, 92, 92, 91, 91, 90, 90, 89, 89, 88, 88, 87, 87, 86, 86, 85, 85, 84, 84, 83, 83, 82, 82, 81, 81, 80, 80, 79, 79, 78, 78, 77, 77, 76, 76, 75, 75, 74, 74, 73, 73, 72, 72, 71, 71, 70, 70, 69, 69, 68, 68, 67, 67, 66, 66, 65, 65, 64, 64, 63, 63, 62, 62, 61, 61, 60, 60, 59, 59, 58, 58, 57, 57, 56, 56, 55, 55, 54, 54, 53, 53, 52, 52, 51, 51, 50, 50, 49, 49, 48, 48, 47, 47, 46, 46, 45, 45, 44, 44, 43, 43, 42, 42, 41, 41, 40, 40, 39, 39, 38, 38, 37, 37, 36, 36, 35, 35, 34, 34, 33, 33, 32, 32, 31, 31, 30, 30, 29, 29, 28, 28, 27, 27, 26, 26, 25, 25, 24, 24, 23, 23, 22, 22, 21, 21, 20, 20, 19, 19, 18, 18, 17, 17, 16, 16, 15, 15, 14, 14, 13, 13, 12, 12, 11, 11, 10, 10, 9, 9, 8, 8, 7, 7, 6, 6, 5, 5, 4, 4, 3, 3, 2, 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 236, 0, 0, 6, 244, 0, 0, 7, 4, 0, 0, 0, 8, 0, 0, 0, 16, 0, 0, 0, 32, 0, 0, 193, 193, 193, 193, 193, 193, 193, 193, 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, 201, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119, 119};

    // Write the crafted TIFF to disk so it can be opened by path
    const char *path = "test.tif";
    FILE *fp = fopen(path, "wb");
    if (!fp) { return 0; }
    fwrite(data1, 1, 1828, fp);
    fclose(fp);

    // Open with very small memory limits (2047 bytes per allocation,
    // 4095 bytes cumulated); per-handle error/warning handlers are left unset
    TIFFOpenOptions *opts = TIFFOpenOptionsAlloc();
    if (!opts) { return 0; }
    TIFFOpenOptionsSetWarnAboutUnknownTags(opts, 0);
    TIFFOpenOptionsSetMaxSingleMemAlloc(opts, 2047);
    TIFFOpenOptionsSetMaxCumulatedMemAlloc(opts, 4095);
    TIFFOpenOptionsSetErrorHandlerExtR(opts, nullptr, nullptr);
    TIFFOpenOptionsSetWarningHandlerExtR(opts, nullptr, nullptr);
    TIFF *tif = TIFFOpenExt(path, "r", opts);
    TIFFOpenOptionsFree(opts);
    if (!tif) { return 0; }

    // Dump the directory including the colormap; this is where the crash occurs
    const char *tmpname = "out";
    fp = fopen(tmpname, "wb");
    if (!fp) { return 0; }
    TIFFPrintDirectory(tif, fp, TIFFPRINT_COLORMAP);
    fclose(fp);
    TIFFClose(tif);

    return 0;
}

stdout

stderr

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
_TIFFmallocExt: Cumulated memory allocation of 3784 + 512 bytes is beyond the 4095 cumulated byte limit defined in open options.
_TIFFmallocExt: Cumulated memory allocation of 3784 + 512 bytes is beyond the 4095 cumulated byte limit defined in open options.
_TIFFmallocExt: Cumulated memory allocation of 3784 + 512 bytes is beyond the 4095 cumulated byte limit defined in open options.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55a82da27357 bp 0x7ffd82b47af0 sp 0x7ffd82b46e00 T0)
==1==The signal is caused by a READ memory access.
==1==Hint: address points to the zero page.
    #0 0x55a82da27357 in TIFFPrintDirectory (/fuzz/test+0x131357) (BuildId: defe8f578b9c9345fd99c39fd78cf1f7955b0306)
    #1 0x55a82da1dade in main /fuzz/testcase.cpp:36:5
    #2 0x7f1b9938ed8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0x7f1b9938ee3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #4 0x55a82d942764 in _start (/fuzz/test+0x4c764) (BuildId: defe8f578b9c9345fd99c39fd78cf1f7955b0306)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/fuzz/test+0x131357) (BuildId: defe8f578b9c9345fd99c39fd78cf1f7955b0306) in TIFFPrintDirectory
==1==ABORTING

Steps to Reproduce

The crash was triaged with the following Dockerfile:

Dockerfile

# Ubuntu 22.04 with some packages pre-installed
FROM hgarrereyn/stitch_repro_base@sha256:3ae94cdb7bf2660f4941dc523fe48cd2555049f6fb7d17577f5efd32a40fdd2c

RUN git clone https://gitlab.com/libtiff/libtiff.git /fuzz/src && \
    cd /fuzz/src && \
    git checkout 885b36e137c584aaf784fc63784340a2c98a41d5 && \
    git submodule update --init --remote --recursive

ENV LD_LIBRARY_PATH=/fuzz/install/lib
ENV ASAN_OPTIONS=hard_rss_limit_mb=1024:detect_leaks=0

RUN echo '#!/bin/bash\nexec clang-17 -fsanitize=address -O0 "$@"' > /usr/local/bin/clang_wrapper && \
    chmod +x /usr/local/bin/clang_wrapper && \
    echo '#!/bin/bash\nexec clang++-17 -fsanitize=address -O0 "$@"' > /usr/local/bin/clang_wrapper++ && \
    chmod +x /usr/local/bin/clang_wrapper++

# Install build tools
RUN apt-get update && apt-get install -y --no-install-recommends \
    libjpeg-turbo8-dev libjbig-dev libzstd-dev liblzma-dev \
    cmake ninja-build make pkg-config \
    && rm -rf /var/lib/apt/lists/*

RUN cd /fuzz/src && \
    ./autogen.sh && \
    ./configure \
        CC=clang_wrapper \
        CXX=clang_wrapper++ \
        CFLAGS="-DLOGLUV_PUBLIC=1" \
        CXXFLAGS="-DLOGLUV_PUBLIC=1" \
        --prefix=/fuzz/install \
        --disable-shared \
        --enable-static && \
    make -j$(nproc) && \
    make install

Build Command

clang++-17 -fsanitize=address -g -O0 -o /fuzz/test /fuzz/testcase.cpp -I/fuzz/install/include -L/fuzz/install/lib -ltiff -ltiffxx -lz -ljpeg -ljbig -llzma -lzstd && /fuzz/test

Reproduce

  1. Copy Dockerfile and testcase.cpp into a local folder.
  2. Build the repro image:

docker build . -t repro --platform=linux/amd64

  3. Compile and run the testcase in the image:

docker run \
    -it --rm \
    --platform linux/amd64 \
    --mount type=bind,source="$(pwd)/testcase.cpp",target=/fuzz/testcase.cpp \
    repro \
    bash -c "clang++-17 -fsanitize=address -g -O0 -o /fuzz/test /fuzz/testcase.cpp -I/fuzz/install/include -L/fuzz/install/lib -ltiff -ltiffxx -lz -ljpeg -ljbig -llzma -lzstd && /fuzz/test"

Additional Info

This testcase was discovered by STITCH, an autonomous fuzzing system. All reports are reviewed manually (by a human) before submission.