tiffcp: heap-buffer-overflow at libtiff/tools/tiffcp.c:1528 in cpStripToTile() (#606) · Issues · libtiff / libtiff

tiffcp: heap-buffer-overflow at libtiff/tools/tiffcp.c:1528 in cpStripToTile()

# Summary An segmentation fault caused when using tiffcp. AddressSanitizer reports it as heap-buffer-overflow. # Version ``` $ ./tools/tiffcp -h LIBTIFF, Version 4.5.1 Copyright (c) 1988-1996 Sam Leffler Copyright (c) 1991-1996 Silicon Graphics, Inc. Copy, convert, or combine TIFF files ``` # Steps to reproduce ## make ``` $ wget http://download.osgeo.org/libtiff/tiff-4.5.1.zip $ unzip tiff-4.5.1.zip $ cd tiff-4.5.1/ $ ./configure $ make ``` ## run ``` $tiff-4.5.1/tools/tiffcp -i -c packbits Poc_SQ2_tiffcp.tiff /dev/null TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered. tools/Poc/Poc_SQ2_tiffcp.tiff: Warning, Nonstandard tile length 146, convert file. TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file. TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored. tools/Poc/Poc_SQ2_tiffcp.tiff: JPEG compression support is not configured. TIFFSetField: tools/Poc/Poc_SQ2_tiffcp.tiff: Unknown pseudo-tag 65538. TIFFFillTile: Too large tile byte count 808464432, tile 0. Limiting to 1068436. Segmentation fault ``` ## ASAN report ``` $ tiff-4.5.1-asan/tools/tiffcp -i -c packbits Poc_SQ2_tiffcp.tiff /dev/null TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered. tools/Poc/Poc_SQ2_tiffcp.tiff: Warning, Nonstandard tile length 146, convert file. TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file. TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored. tools/Poc/Poc_SQ2_tiffcp.tiff: JPEG compression support is not configured. TIFFSetField: tools/Poc/Poc_SQ2_tiffcp.tiff: Unknown pseudo-tag 65538. TIFFFillTile: Too large tile byte count 808464432, tile 0. Limiting to 1068436. ================================================================= ==1226841==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63300001a7c2 at pc 0x5580870669f1 bp 0x7ffcfc768590 sp 0x7ffcfc768580 READ of size 1 at 0x63300001a7c2 thread T0 #0 0x5580870669f0 in cpStripToTile /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1528 #1 0x55808706741e in readContigTilesIntoBuffer /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1723 #2 0x558087066d81 in cpImage /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1594 #3 0x558087069306 in cpContigTiles2ContigTiles /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:2091 #4 0x558087065051 in tiffcp /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1122 #5 0x5580870620d1 in main /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:396 #6 0x7fa27d5ab082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) #7 0x558087060abd in _start (/home/yan/tiff-4.5.1-asan/tools/tiffcp+0x1eabd) 0x63300001a7c2 is located 0 bytes to the right of 106434-byte region [0x633000000800,0x63300001a7c2) allocated by thread T0 here: #0 0x7fa27d9f1808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 #1 0x55808712f99d in _TIFFmalloc /home/yan/tiff-4.5.1-asan/libtiff/tif_unix.c:326 #2 0x558087060c4e in limitMalloc /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:119 #3 0x5580870671fb in readContigTilesIntoBuffer /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1696 #4 0x558087066d81 in cpImage /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1594 #5 0x558087069306 in cpContigTiles2ContigTiles /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:2091 #6 0x558087065051 in tiffcp /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1122 #7 0x5580870620d1 in main /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:396 #8 0x7fa27d5ab082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/yan/tiff-4.5.1-asan/tools/tiffcp.c:1528 in cpStripToTile Shadow bytes around the buggy address: 0x0c667fffb4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c667fffb4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c667fffb4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c667fffb4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c667fffb4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c667fffb4f0: 00 00 00 00 00 00 00 00[02]fa fa fa fa fa fa fa 0x0c667fffb500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c667fffb510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c667fffb520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c667fffb530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c667fffb540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==1226841==ABORTING ``` Platform ``` $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 20.04.6 LTS Release: 20.04 Codename: focal ``` # Poc ![Poc_SQ2_tiffcp](/uploads/4044433a138cc25a6f6126d8015dd13f/Poc_SQ2_tiffcp.tiff)

issue