heap-buffer-overflow /home/lin/libtiff/tools/tiffcrop.c:3351:12 in extractContigSamplesShifted16bits
### Summary

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lin/libtiff/tools/tiffcrop.c:3351:12 in extractContigSamplesShifted16bits

### Version

```
➜ tiffcrop_test git:(master) ✗ ./tiffcrop -v
Library Release: LIBTIFF, Version 4.3.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcrop version: 2.4, last updated: 12-13-2010
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler : Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
```

At branch 27f399af (libtiff version)

### Steps to reproduce

```
git clone git@gitlab.com:libtiff/libtiff.git
cd libtiff/
./autogen.sh
./configure CC=gcc CXX=g++ CFLAGS="-g -fsanitize=address" --disable-shared && make
./tools/tiffcrop -i -U in -z 1,1,1,1 ./poc ./out2
```

(How one can reproduce the issue - this is very important)

### Platform

```
➜ libtiff git:(master) ✗ gcc --version
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

➜ libtiff git:(master) ✗ uname -r
5.4.0-91-generic

➜ libtiff git:(master) ✗ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.5 LTS
Release:        18.04
Codename:       bionic
```

(Operating system, architecture, compiler details)

- ASAN

```
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 768 (0x300) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2048 (0x800) encountered.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 3" value failed; tag ignored.
TIFFFetchNormalTag: Warning, Incompatible type for "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "ResolutionUnit"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpretation tag.
TIFFFillStrip: Read error on strip 0; got 316 bytes, expected 952817.
: Strip 1: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 1; got 324 bytes, expected 4263213616.
: Strip 2: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 2; got 324 bytes, expected 4608.
: Strip 3: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 3; got 324 bytes, expected 16777985.
: Strip 4: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 4; got 324 bytes, expected 536870912.
: Strip 5: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 5; got 324 bytes, expected 196608.
: Strip 6: read -1 bytes, strip size 4.
Fax3Decode1D: Warning, Premature EOL at line 0 of strip 6 (got 0, expected 32).
: Strip 7: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 8; got 324 bytes, expected 65539.
: Strip 9: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 9; got 324 bytes, expected 4160946176.
: Strip 10: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 10; got 324 bytes, expected 16973824.
: Strip 11: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 11; got 324 bytes, expected 16777219.
: Strip 12: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 12; got 324 bytes, expected 16777985.
: Strip 13: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 13; got 324 bytes, expected 687865856.
: Strip 14: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 14; got 324 bytes, expected 50331648.
: Strip 15: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 16; got 324 bytes, expected 16253696.
: Strip 17: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 17; got 324 bytes, expected 50397952.
: Strip 18: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 19; got 324 bytes, expected 2048.
: Strip 20: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 20; got 324 bytes, expected 50398720.
: Strip 21: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 21; got 324 bytes, expected 16777985.
: Strip 22: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 22; got 324 bytes, expected 50331648.
: Strip 23: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 23; got 324 bytes, expected 369098752.
: Strip 24: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 24; got 324 bytes, expected 16777985.
: Strip 25: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 25; got 324 bytes, expected 16777216.
: Strip 26: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 26; got 324 bytes, expected 218103808.
: Strip 27: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 27; got 324 bytes, expected 251719169.
: Strip 28: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 28; got 324 bytes, expected 2986344448.
: Strip 29: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 29; got 324 bytes, expected 285212673.
: Strip 30: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 30; got 324 bytes, expected 16778241.
: Strip 31: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 31; got 324 bytes, expected 134217728.
: Strip 32: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 32; got 324 bytes, expected 301989888.
: Strip 33: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 33; got 324 bytes, expected 2687745.
: Strip 34: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 34; got 324 bytes, expected 196608.
: Strip 35: read -1 bytes, strip size 4.
Fax3Decode1D: Warning, Premature EOL at line 0 of strip 35 (got 0, expected 32).
: Strip 36: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 36; got 324 bytes, expected 63491.
: Strip 37: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 37; got 324 bytes, expected 196867.
: Strip 38: read -1 bytes, strip size 4.
Fax3Decode1D: Warning, Premature EOL at line 0 of strip 38 (got 0, expected 32).
: Strip 39: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 39; got 324 bytes, expected 16777224.
: Strip 40: read -1 bytes, strip size 4.
TIFFFillStrip: Read error on strip 40; got 324 bytes, expected 536870912.
ASAN:DEADLYSIGNAL
=================================================================
==25949==ERROR: AddressSanitizer: SEGV on unknown address 0x62d020000379 (pc 0x561b9c95987b bp 0x7ffdc05c17a0 sp 0x7ffdc05c1740 T0)
==25949==The signal is caused by a READ memory access.
    #0 0x561b9c95987a in extractContigSamples8bits /home/lin/libtiff/tools/tiffcrop.c:2861
    #1 0x561b9c95c69c in extractContigSamplesToTileBuffer /home/lin/libtiff/tools/tiffcrop.c:3688
    #2 0x561b9c950b26 in writeBufferToContigTiles /home/lin/libtiff/tools/tiffcrop.c:1314
    #3 0x561b9c976815 in writeCroppedImage /home/lin/libtiff/tools/tiffcrop.c:8017
    #4 0x561b9c970ae7 in writeSelections /home/lin/libtiff/tools/tiffcrop.c:6949
    #5 0x561b9c957818 in main /home/lin/libtiff/tools/tiffcrop.c:2414
    #6 0x7f032de1abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #7 0x561b9c94e629 in _start (/home/lin/libtiff/tools/tiffcrop+0x28629)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lin/libtiff/tools/tiffcrop.c:2861 in extractContigSamples8bits
==25949==ABORTING

➜ libtiff git:(master) ✗ ./tools/tiffcrop -i -w 10 -U cm -z 10,10,10,10 ~/id:000571,sig:06,src:002616,op:arg1,rep:2 ./out2
TIFFOpen: /home/lin/id:000571,sig:06,src:002616,op:arg1,rep:2: No such file or directory.

➜ libtiff git:(master) ✗ ./tools/tiffcrop -i -U in -z 1,1,1,1 ~/id:000425,sig:06,src:002567+002846,op:splice,rep:8 ./out2
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 127 (0x7f) encountered.
/home/lin/id:000425,sig:06,src:002567+002846,op:splice,rep:8: Warning, Nonstandard tile length 65293, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 25152 (0x6240) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
OJPEGSetupDecode: Warning, Deprecated and troublesome old-style JPEG compression mode, please convert to new-style JPEG compression and notify vendor of writing software.
=================================================================
==26302==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000091 at pc 0x55ab2fa25228 bp 0x7ffd4cb856d0 sp 0x7ffd4cb856c0
WRITE of size 1 at 0x602000000091 thread T0
    #0 0x55ab2fa25227 in extractContigSamplesShifted16bits /home/lin/libtiff/tools/tiffcrop.c:3351
    #1 0x55ab2fa39323 in extractCompositeRegions /home/lin/libtiff/tools/tiffcrop.c:6433
    #2 0x55ab2fa3d368 in processCropSelections /home/lin/libtiff/tools/tiffcrop.c:7458
    #3 0x55ab2fa21681 in main /home/lin/libtiff/tools/tiffcrop.c:2396
    #4 0x7f25f5ac9bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #5 0x55ab2fa18629 in _start (/home/lin/libtiff/tools/tiffcrop+0x28629)

0x602000000091 is located 0 bytes to the right of 1-byte region [0x602000000090,0x602000000091)
allocated by thread T0 here:
    #0 0x7f25f6bceb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x55ab2fab40b3 in _TIFFmalloc /home/lin/libtiff/libtiff/tif_unix.c:314
    #2 0x55ab2fa187dd in limitMalloc /home/lin/libtiff/tools/tiffcrop.c:627
    #3 0x55ab2fa3d0c7 in processCropSelections /home/lin/libtiff/tools/tiffcrop.c:7430
    #4 0x55ab2fa21681 in main /home/lin/libtiff/tools/tiffcrop.c:2396
    #5 0x7f25f5ac9bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lin/libtiff/tools/tiffcrop.c:3351 in extractContigSamplesShifted16bits
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 00 fa fa fd fd fa fa fd fa fa fa 00 fa
=>0x0c047fff8010: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==26302==ABORTING
```

poc: [poc.zip](/uploads/57ae91d13a7a82381c7616457d5a52b4/poc.zip)

Thanks !!
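When a fuzzing run produces many reports like the one above, the first triage step is to pull the bug type, access kind, faulting frame and allocation site out of each ASan report and bucket the crashes by them. The parser below is an added example, not part of this issue or of libtiff; it runs over a constructed excerpt of the report above (trimmed to the lines it needs) and builds a dedup key from the top source-level frames, skipping runtime frames such as `__interceptor_malloc` that carry only a library offset.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the report in this issue, trimmed to the lines the parser uses.
SAMPLE_REPORT = """\
==26302==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000091 at pc 0x55ab2fa25228
WRITE of size 1 at 0x602000000091 thread T0
    #0 0x55ab2fa25227 in extractContigSamplesShifted16bits /home/lin/libtiff/tools/tiffcrop.c:3351
    #1 0x55ab2fa39323 in extractCompositeRegions /home/lin/libtiff/tools/tiffcrop.c:6433
    #2 0x55ab2fa3d368 in processCropSelections /home/lin/libtiff/tools/tiffcrop.c:7458
0x602000000091 is located 0 bytes to the right of 1-byte region [0x602000000090,0x602000000091)
allocated by thread T0 here:
    #0 0x7f25f6bceb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x55ab2fab40b3 in _TIFFmalloc /home/lin/libtiff/libtiff/tif_unix.c:314
    #2 0x55ab2fa187dd in limitMalloc /home/lin/libtiff/tools/tiffcrop.c:627
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lin/libtiff/tools/tiffcrop.c:3351 in extractContigSamplesShifted16bits
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
REGION_RE = re.compile(r"located (\d+) bytes to the (left|right) of (\d+)-byte region")
# Source-level frames only: runtime frames such as __interceptor_malloc carry "(lib+offset)" instead of file:line
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) ([^()\s:]+):(\d+)(?::\d+)?$", re.M)

@dataclass
class AsanReport:
    bug_type: str
    access: str        # READ / WRITE, or "" for SEGV reports that have no access line
    size: int
    region_bytes: int  # size of the allocation that was overflowed
    overflow_by: int   # distance past the allocation edge
    crash_frames: list = field(default_factory=list)  # (function, file, line)
    alloc_frames: list = field(default_factory=list)

def parse_asan_report(text: str) -> AsanReport:
    """Pull the triage-relevant fields out of one ASan report."""
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("not an AddressSanitizer report")
    acc, reg = ACCESS_RE.search(text), REGION_RE.search(text)
    # everything after "allocated by" is the allocation stack, not the faulting stack
    crash_part, _, alloc_part = text.partition("allocated by")
    frames = lambda s: [(f, p, int(l)) for f, p, l in FRAME_RE.findall(s)]
    return AsanReport(m.group(1), acc.group(1) if acc else "", int(acc.group(2)) if acc else 0,
                      int(reg.group(3)) if reg else 0, int(reg.group(1)) if reg else 0,
                      frames(crash_part), frames(alloc_part))

def crash_key(r: AsanReport, depth: int = 3) -> str:
    """Dedup key for fuzzer triage: bug type, access kind and the top source-level frames."""
    return f"{r.bug_type}:{r.access}:" + "|".join(f"{f}:{l}" for f, _, l in r.crash_frames[:depth])
```

On the report above this yields a one-byte WRITE zero bytes past a 1-byte allocation made through `limitMalloc`, which is the detail a maintainer needs to locate the under-sized buffer.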