[BZ#2854] Potential heap overflow in tiff2pdf
Submitted by Shadow HUANG (featherrain26 at gmail dot com) on 2019-07-09 10:59
Description
Hi, there.
There is a heap overflow in tiff2pdf. To reproduce the issue, the compile flag is:
CFLAGS="-g -O0 -fsanitize=address,undefined" ./configure; make
then,
./tiff2pdf input
Here are the details reported by the ASAN:
==28950==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ef10 at pc 0x0000005f7898 bp 0x7ffe06102260 sp 0x7ffe06102250
READ of size 1 at 0x60300000ef10 thread T0
#0 0x5f7897 in _TIFFFax3fillruns /mnt/data/playground/tiff-4.0.10-a/libtiff/tif_fax3.c:439
#1 0x63bb96 in Fax3Decode1D /mnt/data/playground/tiff-4.0.10-a/libtiff/tif_fax3.c:247
#2 0x82bea2 in TIFFReadEncodedStrip /mnt/data/playground/tiff-4.0.10-a/libtiff/tif_read.c:544
#3 0x4459bb in t2p_readwrite_pdf_image /mnt/data/playground/tiff-4.0.10-a/tools/tiff2pdf.c:2584
#4 0x492170 in t2p_write_pdf /mnt/data/playground/tiff-4.0.10-a/tools/tiff2pdf.c:5601
#5 0x409e61 in main /mnt/data/playground/tiff-4.0.10-a/tools/tiff2pdf.c:810
#6 0x7f13a280282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x410538 in _start (/mnt/data/playground/tiff-4.0.10-a/tools/tiff2pdf+0x410538)
0x60300000ef10 is located 0 bytes to the right of 32-byte region [0x60300000eef0,0x60300000ef10)
allocated by thread T0 here:
#0 0x7f13a37f0602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x445840 in t2p_readwrite_pdf_image /mnt/data/playground/tiff-4.0.10-a/tools/tiff2pdf.c:2571
SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/data/playground/tiff-4.0.10-a/libtiff/tif_fax3.c:439 _TIFFFax3fillruns
Shadow bytes around the buggy address:
0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
=>0x0c067fff9de0: 00 00[fa]fa 00 00 04 fa fa fa 00 00 05 fa fa fa
0x0c067fff9df0: 00 00 04 fa fa fa 00 00 04 fa fa fa 00 00 00 00
0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==28950==ABORTING
The attachment is the POC input.
Attachment 896, "The Poc input":
Poc