[BZ#2690] libtiff: heap buffer overflow in bmp2tiff

Submitted by lolopop (sonwoine at hotmail dot com) on 2017-05-07 05:23

Link to original bug (#2690)

Description

Created an attachment (id=771)
report.rar contains poc and a brief analysis of the vulnerability

Did not check the user input BMP file. The program does not check for biWidth and biHeight in bitmap-information header. The biWidth and biHeight do not match the actual input of the bmp image causing the heap buffer overflow

=================================================================
==11044==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f715afe4c00 at pc 0x6805e4 bp 0x7ffd7878c2d0 sp 0x7ffd7878c2c8
READ of size 1 at 0x7f715afe4c00 thread T0
==11044==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x6805e3 (/home/lolopop/projects/build-clang-build/libtiff/tools/bmp2tiff+0x6805e3)
    #1 0x5c1106 (/home/lolopop/projects/build-clang-build/libtiff/tools/bmp2tiff+0x5c1106)
    #2 0x48a155 (/home/lolopop/projects/build-clang-build/libtiff/tools/bmp2tiff+0x48a155)
    #3 0x7f7159ce9f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #4 0x47e7cc (/home/lolopop/projects/build-clang-build/libtiff/tools/bmp2tiff+0x47e7cc)

0x7f715afe4c00 is located 0 bytes to the right of 1049600-byte region [0x7f715aee4800,0x7f715afe4c00)
allocated by thread T0 here:
    #0 0x4686e9 (/home/lolopop/projects/build-clang-build/libtiff/tools/bmp2tiff+0x4686e9)
    #1 0x5d4447 (/home/lolopop/projects/build-clang-build/libtiff/tools/bmp2tiff+0x5d4447)
    #2 0x486289 (/home/lolopop/projects/build-clang-build/libtiff/tools/bmp2tiff+0x486289)
    #3 0x7f7159ce9f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0feeab5f4930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feeab5f4940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feeab5f4950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feeab5f4960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feeab5f4970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0feeab5f4980:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feeab5f4990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feeab5f49a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feeab5f49b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feeab5f49c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feeab5f49d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==11044==ABORTING

Poc and analysis reports：

Attachment 771, "report.rar contains poc and a brief analysis of the vulnerability":
report.rar