[BZ#2855] Heap overflow in tiff2ps
Submitted by Shadow HUANG (featherrain26 at gmail dot com) on 2019-08-16 04:39
Description
Created an attachment (id=897)
PoC input
Hi there.
There is a heap overflow issue in the newest version (4bb584a35f87af42d6cf09d15e9ce8909a839145) of tiff2ps.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
gcc: 5.4.0
To reproduce the bug, compile the project with the flags
CFLAGS="-m32 -O0 -g -fsanitize=address,leak,undefined" CXXFLAGS="-m32 -O0 -g -fsanitize=address,leak,undefined" ./configure
then run:
tiff2ps PoC
Here is the trace reported by ASAN:
==55421==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4500f77 at pc 0x08053e8a bp 0xffee8498 sp 0xffee8488
READ of size 1 at 0xf4500f77 thread T0
#0 0x8053e89 in PSDataColorContig /mnt/data/playground/libtiff/tools/tiff2ps.c:2479
#1 0x805385c in PSpage /mnt/data/playground/libtiff/tools/tiff2ps.c:2361
#2 0x804fbe1 in TIFF2PS /mnt/data/playground/libtiff/tools/tiff2ps.c:1610
#3 0x804a528 in main /mnt/data/playground/libtiff/tools/tiff2ps.c:477
#4 0xf681b636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#5 0x8049680 (/mnt/data/playground/libtiff/tools/.libs/lt-tiff2ps+0x8049680)
0xf4500f77 is located 0 bytes to the right of 39-byte region [0xf4500f50,0xf4500f77)
allocated by thread T0 here:
#0 0xf7285dee in malloc (/usr/lib32/libasan.so.2+0x96dee)
#1 0xf70700b0 in _TIFFmalloc /mnt/data/playground/libtiff/libtiff/tif_unix.c:314
#2 0x8053d4d in PSDataColorContig /mnt/data/playground/libtiff/tools/tiff2ps.c:2452
#3 0x805385c in PSpage /mnt/data/playground/libtiff/tools/tiff2ps.c:2361
#4 0x804fbe1 in TIFF2PS /mnt/data/playground/libtiff/tools/tiff2ps.c:1610
#5 0x804a528 in main /mnt/data/playground/libtiff/tools/tiff2ps.c:477
#6 0xf681b636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/data/playground/libtiff/tools/tiff2ps.c:2479 PSDataColorContig
Shadow bytes around the buggy address:
==55421==ABORTING
Attachment 897, "PoC input":
poc1