Summary -(Summarize the bug encountered concisely) There is a Heap buffer overflow in /tools/tiffcrop.c:3142 in extractContigSamples32bits function Version - (libtiff version) ``` root@ubuntu:/home/libtiff/tools# ./tiffcrop -v Library Release: LIBTIFF, Version 4.3.0 Copyright (c) 1988-1996 Sam Leffler Copyright (c) 1991-1996 Silicon Graphics, Inc. Tiffcrop version: 2.4, last updated: 12-13-2010 Tiffcp code: Copyright (c) 1988-1997 Sam Leffler : Copyright (c) 1991-1997 Silicon Graphics, Inc Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde ``` Steps to reproduce - (How one can reproduce the issue - this is very important) ``` Clone the latest source from the gitlab repository - git clone https://gitlab.com/libtiff/libtiff.git cd libtiff compile the source using the following command : CC=gcc CXX=g++ CFLAGS="-ggdb -fsanitize=address,undefined -fno-sanitize-recover=all" CXXFLAGS="-ggdb -fsanitize=address,undefined -fno-sanitize-recover=all" LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -lm" ./configure --disable-shared Reproduce the crash with the following commmand : ./tiffcrop -i -E l -H 10 -V 10 -S 8:4 -R 270 poc.tif a.tif ``` Platform - (Operating system, architecture, compiler details) ``` gcc --version gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0 Copyright (C) 2019 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. uname -r 5.13.0-28-generic uname -a Linux ubuntu 5.13.0-28-generic #31~20.04.1-Ubuntu SMP Wed Jan 19 14:08:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04.3 LTS Release: 20.04 Codename: focal ``` - Address Sanitizer Logs ( ASAN ) ``` TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, Unknown field with tag 57568 (0xe0e0) encountered. TIFFReadDirectory: Warning, Unknown field with tag 1028 (0x404) encountered. TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered. TIFFFetchNormalTag: Warning, ASCII value for tag "Model" does not end in null byte. TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength. TIFFAdvanceDirectory: Error fetching directory count. loadImage: Image lacks Photometric interpretation tag. ================================================================= ==2014==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000210 at pc 0x55bbcdc5bb9a bp 0x7fff3dbae7c0 sp 0x7fff3dbae7b0 READ of size 4 at 0x602000000210 thread T0 #0 0x55bbcdc5bb99 in extractContigSamples32bits /home/targets/libtiff/tools/tiffcrop.c:3142 #1 0x55bbcdc70529 in extractContigSamplesToBuffer /home/targets/libtiff/tools/tiffcrop.c:3627 #2 0x55bbcdc70529 in writeBufferToSeparateStrips /home/targets/libtiff/tools/tiffcrop.c:1218 #3 0x55bbcdc7d4b9 in writeSingleSection /home/targets/libtiff/tools/tiffcrop.c:7377 #4 0x55bbcdc3ce20 in writeImageSections /home/targets/libtiff/tools/tiffcrop.c:7104 #5 0x55bbcdc3ce20 in main /home/targets/libtiff/tools/tiffcrop.c:2451 #6 0x7f20439f70b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #7 0x55bbcdc434ed in _start (/home/targets/libtiff/tools/tiffcrop+0x324ed) 0x602000000213 is located 0 bytes to the right of 3-byte region [0x602000000210,0x602000000213) allocated by thread T0 here: #0 0x7f2043e3abc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8) #1 0x55bbcdc3d94d in createImageSection /home/targets/libtiff/tools/tiffcrop.c:7402 #2 0x55bbcdc3d94d in writeImageSections /home/targets/libtiff/tools/tiffcrop.c:7090 #3 0x55bbcdc3d94d in main /home/targets/libtiff/tools/tiffcrop.c:2451 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/targets/libtiff/tools/tiffcrop.c:3142 in extractContigSamples32bits Shadow bytes around the buggy address: 0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa 02 fa fa fa fd fa 0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa fd fa 0x0c047fff8020: fa fa fd fa fa fa fd fa fa fa 00 fa fa fa 00 fa 0x0c047fff8030: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 04 =>0x0c047fff8040: fa fa[03]fa fa fa 02 fa fa fa 02 fa fa fa 06 fa 0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==2014==ABORTING ```[poc.zip](/uploads/4df5ce99cd3cbed76031489ef39f12fb/poc.zip)