tiffcrop: heap-buffer-overflow in _TIFFmemset, tif_unix.c:340
### Summary

There is a heap buffer overflow in _TIFFmemset in libtiff/tif_unix.c:340. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.

### Version

LIBTIFF, Version 4.4.0, commit id 19db1d316bf959de10df7491b7b78a256811b6e4 (Sun May 22 11:01:54 2022 +0200)

### Steps to reproduce

```
# CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared
# make -j; make install; make clean
# ./build_asan/bin/tiffcrop -X 1 -Y 2 -R 180 -H 300 -V 300 -i poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 4 (0x4) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
...
TIFFFillStrip: Read error on strip 248; got 18446744073707546436 bytes, expected 8128.
: Strip 249: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 249; got 18446744073707538308 bytes, expected 8128.
: Strip 250: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 250; got 18446744073707530180 bytes, expected 8128.
: Strip 251: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 251; got 18446744073707522052 bytes, expected 8128.
: Strip 252: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 252; got 18446744073707513924 bytes, expected 8128.
: Strip 253: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 253; got 18446744073707505796 bytes, expected 8128.
: Strip 254: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 254; got 18446744073707497668 bytes, expected 8128.
: Strip 255: read -1 bytes, strip size 8128.
TIFFFillStrip: Read error on strip 255; got 18446744073707489540 bytes, expected 8128.
=================================================================
==31028==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000d032 at pc 0x7f0d920c0bec bp 0x7fff218b1fb0 sp 0x7fff218b1758
WRITE of size 48 at 0x60400000d032 thread T0
    #0 0x7f0d920c0beb in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbeb)
    #1 0x496376 in _TIFFmemset /root/test5/libtiff/libtiff/tif_unix.c:340
    #2 0x42587c in processCropSelections /root/test5/libtiff/tools/tiffcrop.c:7612
    #3 0x40b474 in main /root/test5/libtiff/tools/tiffcrop.c:2415
    #4 0x7f0d909a683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #5 0x403888 in _start (/root/test5/libtiff/build_asan/bin/tiffcrop+0x403888)

0x60400000d032 is located 0 bytes to the right of 34-byte region [0x60400000d010,0x60400000d032)
allocated by thread T0 here:
    #0 0x7f0d920cc602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4962d2 in _TIFFmalloc /root/test5/libtiff/libtiff/tif_unix.c:314
    #2 0x403a21 in limitMalloc /root/test5/libtiff/tools/tiffcrop.c:634
    #3 0x42a190 in rotateImage /root/test5/libtiff/tools/tiffcrop.c:8621
    #4 0x425ffc in processCropSelections /root/test5/libtiff/tools/tiffcrop.c:7671
    #5 0x40b474 in main /root/test5/libtiff/tools/tiffcrop.c:2415
    #6 0x7f0d909a683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memset
Shadow bytes around the buggy address:
  0x0c087fff99b0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff99c0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff99d0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff99e0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff99f0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 02 fa
=>0x0c087fff9a00: fa fa 00 00 00 00[02]fa fa fa fd fd fd fd fd fd
  0x0c087fff9a10: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9a20: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9a30: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9a40: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff9a50: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==31028==ABORTING
```

### Platform

```
# uname -a
Linux 4a409ce47130 5.4.0-70-generic #78~18.04.1-Ubuntu SMP Sat Mar 20 14:10:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
```

[poc](/uploads/4f46ed57bf2ca0834b590ed539b97aac/poc)