Bug 2508 - uninitialized memory in NeXTDecode
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Reported: 2015-04-02 06:28
Modified: 2015-12-27 11:56
Description From 2015-04-02 06:28:35
See libtiff5.tif from

http://www.openwall.com/lists/oss-security/2015/01/24/16

With 4.0.4 beta I get:

$ tiffinfo -d libtiff5.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
libtiff5.tif: Warning, Nonstandard tile width 61, convert file.
TIFF Directory at offset 0xa0 (160)
  Image Width: 32 Image Length: 32
  Tile Width: 61 Tile Length: 3
  Bits/Sample: 2
  Compression Scheme: NeXT
  FillOrder: lsb-to-msb
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 1
  Rows/Strip: 3
  Planar Configuration: single image plane
  DocumentName: foo.tif
TIFFFillTile: Read error at row 4294967295, col 4294967295, tile 0; got 0 bytes, expected 8.
TIFFFillTile: 0: Invalid tile byte count, tile 1.
TIFFFillTile: 0: Invalid tile byte count, tile 2.
TIFFFillTile: 0: Invalid tile byte count, tile 3.
Tile (12,0):
 05 00 00 00 01 fc 07 0a 00 00 00 00 00 00 00 00
 aa aa aa aa 55 55 55 55 57 00 00 00 00 00 00 00
 55 55 55 55 aa aa aa aa 00 00 00 00 55 55 55 55
TIFFFillTile: Read error at row 0, col 244, tile 5; got 0 bytes, expected 1.
TIFFFillTile: 0: Invalid tile byte count, tile 6.
TIFFFillTile: 0: Invalid tile byte count, tile 7.
NeXTDecode: Not enough data for scanline 0.
NeXTDecode: Not enough data for scanline 0.
NeXTDecode: Not enough data for scanline 0.
*** Error in `tiffinfo': free(): invalid pointer: 0x0000000001d1c520 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x70cbf)[0x7f89fde67cbf]
/lib64/libc.so.6(+0x760be)[0x7f89fde6d0be]
/usr/lib64/libtiff.so.5(_TIFFfree+0x18)[0x7f89fe1f6c61]
tiffinfo[0x401e0c]
tiffinfo[0x401fe8]
tiffinfo[0x402452]
tiffinfo[0x401708]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f89fde178c5]
tiffinfo[0x4012f9]
======= Memory map: ========
Aborted
------- Comment #1 From 2015-04-02 06:37:30 -------
I get a slightly different error, but otherwise pretty much the exact same
output:
[...]
NeXTDecode: Not enough data for scanline 0.
*** Error in `tiffinfo': free(): invalid next size (fast): 0x093423a0 ***
======= Backtrace: =========
/lib/i686/libc.so.6(+0x6b8f3)[0xb753e8f3]
/lib/i686/libc.so.6(+0x731f4)[0xb75461f4]
/lib/libtiff.so.5(_TIFFfree+0x1b)[0xb76cf8db]
tiffinfo[0x8049836]
tiffinfo[0x8049a9d]
tiffinfo[0x8049e55]
tiffinfo[0x8048fc8]
/lib/i686/libc.so.6(__libc_start_main+0xf3)[0xb74ecb33]
tiffinfo[0x8049091]
======= Memory map: ========
------- Comment #2 From 2015-04-02 09:48:12 -------
(gdb) b tiffinfo.c:297
Breakpoint 9 at 0x401cdd: file tiffinfo.c, line 297.
(gdb) run -D libtiff5.tif
[...]
Breakpoint 9, TIFFReadContigTileData (tif=0x604010) at tiffinfo.c:297
297        buf = (unsigned char *)_TIFFmalloc(TIFFTileSize(tif));
(gdb) call TIFFTileSize(tif)
$40 = 48

So 48 bytes is malloc'ed for buf.

(gdb) b tif_next.c:126
Breakpoint 11 at 0x7ffff7b93609: file tif_next.c, line 126.
(gdb) condition 11 op-buf >= 48
[...]
Breakpoint 11, NeXTDecode (tif=0x604010, buf=0x604520 "\005", occ=8, s=0) at tif_next.c:126
126                        SETPIXEL(op, grey);

(gdb) bt
#0  NeXTDecode (tif=0x604010, buf=0x604520 "\005", occ=8, s=0) at tif_next.c:126
#1  0x00007ffff7ba6a6a in TIFFReadEncodedTile (tif=0x604010, tile=4, buf=0x604520, size=48) at tif_read.c:668
#2  0x00007ffff7ba6952 in TIFFReadTile (tif=0x604010, buf=0x604520, x=0, y=12, z=0, s=0) at tif_read.c:641
#3  0x0000000000401d9f in TIFFReadContigTileData (tif=0x604010) at tiffinfo.c:308
#4  0x0000000000401fe8 in TIFFReadData (tif=0x604010) at tiffinfo.c:359
#5  0x0000000000402452 in tiffinfo (tif=0x604010, order=0, flags=0, is_image=1) at tiffinfo.c:461
#6  0x0000000000401708 in main (argc=3, argv=0x7fffffffe868) at tiffinfo.c:150
------- Comment #3 From 2015-07-20 08:41:02 -------
Still not fixed in 4.0.4 final.  See:
https://bugs.mageia.org/show_bug.cgi?id=15519#c27
------- Comment #4 From 2015-12-27 11:56:23 -------
Fixed by tif_next.c revision: 1.17

2015-12-27  Even Rouault <even.rouault at spatialys.com>

        * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
        triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
        (bugzilla #2508)