# Summary An SIGSEGV caused when using tiffcrop. AddressSanitizer reports it as heap-buffer-overflow. # Version ``` $ ./tools/tiffcrop -v Library Release: LIBTIFF, Version 4.5.0 Copyright (c) 1988-1996 Sam Leffler Copyright (c) 1991-1996 Silicon Graphics, Inc. Tiffcp code: Copyright (c) 1988-1997 Sam Leffler : Copyright (c) 1991-1997 Silicon Graphics, Inc Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde $ git log --oneline -1 a63e18ca (HEAD -> master, origin/master, origin/HEAD) Merge branch 'add_windows_DLL_versioninfo' into 'master' ``` # Steps to reproduce ## make ``` git clone https://gitlab.com/libtiff/libtiff.git cd libtiff ./autogen.sh ./configure make ``` ## run ``` ./tools/tiffcrop -Z 12:50,12:99 -R 270 poc /dev/null TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered. TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file. TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples.. TIFFAdvanceDirectory: Error fetching directory count. loadImage: Image lacks Photometric interpretation tag. Fax4Decode: Uncompressed data (not supported) at line 0 of strip 0 (x 10). (... too long ignore) fish: Job 1, './tools/tiffcrop -Z 12:50,12:9…' terminated by signal SIGSEGV (Address boundary error) ``` # Platform ``` $ uname -a Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux $ gcc --version gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0 Copyright (C) 2019 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. ``` # ASAN report ``` ==3490861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb40a368a45 at pc 0x7fb40d6e7f3d bp 0x7ffca5726e70 sp 0x7ffca5726618 WRITE of size 296067 at 0x7fb40a368a45 thread T0 #0 0x7fb40d6e7f3c in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 #1 0x7fb40d614fb7 in _TIFFmemset /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:341 #2 0x560accbdb18a in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8499 #3 0x560accbbe0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807 #4 0x7fb40d0d8082 in __libc_start_main ../csu/libc-start.c:308 #5 0x560accbb4b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/.libs/tiffcrop+0x9b6d) 0x7fb40a368a45 is located 0 bytes to the right of 148037-byte region [0x7fb40a344800,0x7fb40a368a45) allocated by thread T0 here: #0 0x7fb40d78d808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 #1 0x7fb40d614f03 in _TIFFmalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:326 #2 0x560accbb4d00 in limitMalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:710 #3 0x560accbe005e in rotateImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:9605 #4 0x560accbdb9f3 in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8566 #5 0x560accbbe0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807 #6 0x7fb40d0d8082 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset Shadow bytes around the buggy address: 0x0ff7014650f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff701465100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff701465110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff701465120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff701465130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0ff701465140: 00 00 00 00 00 00 00 00[05]fa fa fa fa fa fa fa 0x0ff701465150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ff701465160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ff701465170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ff701465180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ff701465190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==3490861==ABORTING ``` # poc [poc](/uploads/434e1926d806f413edafb3b81cde4b54/poc)