[BZ#2809] heap-buffer-overflow in tiff2pdf (CVE-2018-16335)
Submitted by Marsman1996 (lqliuyuwei at outlook dot com) on 2018-08-07 22:41
Description
Created an attachment (id=868)
the poc
on Ubuntu 16.04 32-bit, tiff4.0.9
How to reproduce:
1. compile: CC=clang CXX=clang++ ./configure && make && make install
2. ./tiff2pdf poc2
asan info:
=================================================================
==6699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb65006b7 at pc 0xb7ee1751 bp 0xbfdf0368 sp 0xbfdf035c
WRITE of size 8 at 0xb65006b7 thread T0
#0 0xb7ee1750 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x31750)
#1 0xb7f63f89 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xb3f89)
#2 0xb7f8398b (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd398b)
#3 0x8134534 (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x8134534)
#4 0xb7c5e636 (/lib/i386-linux-gnu/libc.so.6+0x18636)
#5 0x805fb37 (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x805fb37)
0xb65006b7 is located 6 bytes to the right of 1-byte region [0xb65006b0,0xb65006b1)
allocated by thread T0 here:
#0 0x81041e4 (/home/ubuntu/tiff_asan/bin/tiff2pdf+0x81041e4)
#1 0xb7f83b53 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd3b53)
#2 0xb7f63f89 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xb3f89)
#3 0xb7f8398b (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0xd398b)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x31750)
Shadow bytes around the buggy address:
0x36ca0080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36ca0090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36ca00a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36ca00b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36ca00c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36ca00d0: fa fa 01 fa fa fa[01]fa fa fa 00 fa fa fa fd fa
0x36ca00e0: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa fd fa
0x36ca00f0: fa fa 00 fa fa fa fd fa fa fa fd fd fa fa 00 00
0x36ca0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36ca0110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36ca0120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==6699==ABORTING
gdb info:
Program received signal SIGSEGV, Segmentation fault.
0xb7f81302 in ChopUpSingleUncompressedStrip (tif=) at tif_dirread.c:5724
5724 newoffsets[strip] = stripbytes ? offset : 0;
(gdb) bt
#0 0xb7f81302 in ChopUpSingleUncompressedStrip (tif=) at tif_dirread.c:5724
#1 TIFFReadDirectory (tif=) at tif_dirread.c:4186
#2 0xb7fa55e0 in TIFFClientOpen (name=, mode=, clientdata=, readproc=, writeproc=, seekproc=, closeproc=, sizeproc=, mapproc=, unmapproc=) at tif_open.c:466
#3 0xb7faedbc in TIFFFdOpen (fd=3, name=, mode=0x805500a "r") at tif_unix.c:211
#4 TIFFOpen (name=, mode=0x805500a "r") at tif_unix.c:250
#5 0x080496ea in main (argc=, argv=) at tiff2pdf.c:751
Attachment 868, "the poc":
poc2
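The reproduction above builds with clang but the ASan frames come out as raw library offsets, so the report has to fall back on a separate gdb session to name ChopUpSingleUncompressedStrip. The script below is an added example (not the reporter's steps and not part of libtiff): it rebuilds libtiff with the sanitizer and debug info explicitly, runs tiff2pdf on the PoC with symbolization enabled, and reduces an ASan report to a short triage key plus the overflow distance, which is what you want when sorting many fuzzer crashes before reading stacks. The source directory, install prefix, log path and llvm-symbolizer being on PATH are assumptions; the embedded sample report is the trace quoted in this bug, pasted in as constructed input so the parsing part runs offline.

```shell
#!/bin/sh
# Added example, not from the bug report or the libtiff project.
# Assumes: an unpacked libtiff source tree, clang with ASan support,
# and llvm-symbolizer on PATH (needed for file:line in ASan frames).

# Build libtiff + tools with AddressSanitizer and debug info so that
# ASan stack frames resolve to function/file:line instead of raw offsets.
build_libtiff_asan() {
    srcdir=$1
    prefix=${2:-"$HOME/tiff_asan"}          # assumed install prefix
    ( cd "$srcdir" && \
      CC=clang CXX=clang++ \
      CFLAGS="-fsanitize=address -g -O1 -fno-omit-frame-pointer" \
      CXXFLAGS="-fsanitize=address -g -O1 -fno-omit-frame-pointer" \
      LDFLAGS="-fsanitize=address" \
      ./configure --prefix="$prefix" && make && make install )
}

# Run tiff2pdf on a PoC, sending the ASan report to a log file.
# Returns tiff2pdf's exit status (non-zero when ASan reports an error).
run_poc() {
    prefix=$1; poc=$2; log=$3
    ASAN_OPTIONS=symbolize=1:detect_leaks=0 \
    "$prefix/bin/tiff2pdf" "$poc" > /dev/null 2> "$log"
}

# Reduce an ASan report on stdin to "<bug-type> <READ|WRITE> <size>",
# e.g. "heap-buffer-overflow WRITE 8"; a cheap de-duplication key.
asan_triage() {
    awk '
        /ERROR: AddressSanitizer:/ { type = $3 }
        /^(READ|WRITE) of size/   { access = $1; size = $4 }
        END {
            if (type != "") print type, access, size
            else print "no-asan-error"
        }
    '
}

# Extract where the faulting address sits relative to the nearest heap
# region, e.g. "6 bytes to the right of 1-byte region [..)".
asan_location() {
    awk '/ is located .* bytes to the (right|left) of / {
             sub(/^.* is located /, ""); print; exit
         }'
}

# Constructed sample: the ASan lines quoted in this bug report.
SAMPLE_REPORT='==6699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb65006b7 at pc 0xb7ee1751 bp 0xbfdf0368 sp 0xbfdf035c
WRITE of size 8 at 0xb65006b7 thread T0
#0 0xb7ee1750 (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x31750)
0xb65006b7 is located 6 bytes to the right of 1-byte region [0xb65006b0,0xb65006b1)
allocated by thread T0 here:
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ubuntu/tiff_asan/lib/libtiff.so.5+0x31750)'

triage_sample()   { printf '%s\n' "$SAMPLE_REPORT" | asan_triage; }
location_sample() { printf '%s\n' "$SAMPLE_REPORT" | asan_location; }

# Full run (uncomment once the assumed paths exist):
# build_libtiff_asan "$HOME/tiff-4.0.9" "$HOME/tiff_asan"
# run_poc "$HOME/tiff_asan" ./poc2 asan.log; asan_triage < asan.log; asan_location < asan.log
```

With `-g` in CFLAGS and llvm-symbolizer available, the frame that the report only shows as `libtiff.so.5+0x31750` prints with its function and `tif_dirread.c` line directly in the ASan output, so the gdb step becomes optional. The triage key ignores addresses, which change between runs under ASLR, so two PoCs hitting the same write site collapse to one bucket.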