Created an attachment (id=687)
malformed tif

Triggered in libtiff 4.0.6 with AFL and ASAN.

./tiffsplit test049
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
=================================================================
==18669==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef78 at pc 0x407549 bp 0x7ffeeb10bc00 sp 0x7ffeeb10bbf8
READ of size 8 at 0x60200000ef78 thread T0
    #0 0x407548 in cpStrips /root/libtiff/tools/tiffsplit.c:246
    #1 0x407548 in tiffcp /root/libtiff/tools/tiffsplit.c:227
    #2 0x407548 in main /root/libtiff/tools/tiffsplit.c:89
    #3 0x7face2437b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #4 0x40836c (/root/libtiff/tools/tiffsplit+0x40836c)

0x60200000ef78 is located 0 bytes to the right of 8-byte region [0x60200000ef70,0x60200000ef78)
allocated by thread T0 here:
    #0 0x7face2b169f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
    #1 0x4a9ea0 in _TIFFCheckRealloc /root/libtiff/libtiff/tif_aux.c:73
    #2 0x4a9ea0 in _TIFFCheckMalloc /root/libtiff/libtiff/tif_aux.c:88

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libtiff/tools/tiffsplit.c:246 cpStrips
Shadow bytes around the buggy address:
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9de0: fa fa fa fa fa fa fd fd fa fa 00 fa fa fa 00[fa]
  0x0c047fff9df0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==18669==ABORTING
Can't reproduce this with the latest codebase from CVS. I have no idea what commit fixed this issue and I do not plan to investigate this further. I also tested with ASan build.
Fixed per

2016-11-10 Even Rouault <even.rouault at spatialys.com>

	* libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
	value when it is non-zero, instead of recomputing it. This is needed in
	TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outside of
	array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587

/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1151; previous revision: 1.1150
/cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v  <--  libtiff/tif_strip.c
new revision: 1.37; previous revision: 1.36
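The ChangeLog entry above names the fix but not the shape of the mismatch, so here is an added, stand-alone C model of how a recomputed TIFFNumberOfStrips() and td_nstrips can disagree once strip chopping has run. It is not libtiff code and not the reporter's or the maintainer's: the struct Dir and the functions chop_single_strip(), nstrips_recomputed(), nstrips_fixed() and cp_strips_model() are hypothetical stand-ins for TIFFDirectory, the strip-chopping step, the pre- and post-fix TIFFNumberOfStrips(), and tiffsplit's cpStrips(). The input (64 rows of 16 bytes, with StripByteCounts claiming only 256 bytes) is constructed for the example and is not the attached test049. The particular way the counts diverge here (chopping sizes td_nstrips and the arrays from the strip's byte count, while the old code recomputed the count from imagelength / rowsperstrip) is my reading of the ChangeLog, not something the report itself states.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Integer ceiling division, in the spirit of libtiff's TIFFhowmany_32/64. */
#define HOWMANY(x, y) (((x) + ((y) - 1)) / (y))

/* Hypothetical stand-in for the td_* fields of a TIFF directory. */
typedef struct {
    uint32_t  imagelength;
    uint32_t  rowsperstrip;
    uint32_t  nstrips;          /* td_nstrips: element count of the two arrays */
    uint64_t *stripoffset;
    uint64_t *stripbytecount;
} Dir;

/* Directory as read from a file with one strip covering the whole image.
   `bytecount` is whatever StripByteCounts says, taken as-is: a malformed
   file can make it much smaller than imagelength * rowbytes. */
static void dir_init_single_strip(Dir *td, uint32_t imagelength, uint64_t bytecount)
{
    td->imagelength    = imagelength;
    td->rowsperstrip   = imagelength;
    td->nstrips        = 1;
    td->stripoffset    = calloc(1, sizeof *td->stripoffset);
    td->stripbytecount = calloc(1, sizeof *td->stripbytecount);
    if (!td->stripoffset || !td->stripbytecount) { perror("calloc"); exit(1); }
    td->stripbytecount[0] = bytecount;
}

static void dir_free(Dir *td)
{
    free(td->stripoffset);
    free(td->stripbytecount);
    td->stripoffset = td->stripbytecount = NULL;
    td->nstrips = 0;
}

/* Model of TIFF_STRIPCHOP: split the single strip into pieces of at most
   `stripbytes` bytes (`rowbytes` = bytes per image row). The new strip count
   is derived from the strip's byte count, not from imagelength, and
   td_nstrips plus both arrays are resized to that count (assumed behaviour). */
static int chop_single_strip(Dir *td, uint64_t rowbytes, uint64_t stripbytes)
{
    uint32_t rowsperstrip = (uint32_t)(stripbytes / rowbytes);
    uint64_t bytecount    = td->stripbytecount[0];
    uint64_t base         = td->stripoffset[0];
    uint64_t piece        = (uint64_t)rowsperstrip * rowbytes;
    uint32_t nstrips, s;

    if (rowsperstrip == 0 || bytecount == 0)
        return -1;                       /* chopping skipped, counts untouched */
    nstrips = (uint32_t)HOWMANY(bytecount, piece);

    td->stripoffset    = realloc(td->stripoffset,    nstrips * sizeof *td->stripoffset);
    td->stripbytecount = realloc(td->stripbytecount, nstrips * sizeof *td->stripbytecount);
    if (!td->stripoffset || !td->stripbytecount) { perror("realloc"); exit(1); }

    for (s = 0; s < nstrips; s++) {
        uint64_t left = bytecount - (uint64_t)s * piece;
        td->stripoffset[s]    = base + (uint64_t)s * piece;
        td->stripbytecount[s] = left < piece ? left : piece;
    }
    td->rowsperstrip = rowsperstrip;
    td->nstrips      = nstrips;          /* arrays now have exactly nstrips entries */
    return 0;
}

/* Pre-fix TIFFNumberOfStrips(): always recompute from the image geometry. */
static uint32_t nstrips_recomputed(const Dir *td)
{
    return td->rowsperstrip == (uint32_t)-1 ? 1 : HOWMANY(td->imagelength, td->rowsperstrip);
}

/* Behaviour after the 2016-11-10 fix: trust td_nstrips whenever it is non-zero. */
static uint32_t nstrips_fixed(const Dir *td)
{
    return td->nstrips ? td->nstrips : nstrips_recomputed(td);
}

/* Model of tiffsplit's cpStrips() loop with the unchecked bytecounts[s] read
   replaced by a bounds check. Sums the byte counts it would copy and returns
   0, or -1 at the first index that lies past the end of the array (the read
   ASan flagged above). */
static int cp_strips_model(const Dir *td, uint32_t (*number_of_strips)(const Dir *),
                           uint64_t *total)
{
    uint32_t ns = number_of_strips(td), s;
    *total = 0;
    for (s = 0; s < ns; s++) {
        if (s >= td->nstrips)
            return -1;
        *total += td->stripbytecount[s];
    }
    return 0;
}

int main(void)
{
    Dir td;
    uint64_t total;
    /* Constructed malformed directory: 64 rows of 16 bytes (1024 bytes of
       pixel data) but StripByteCounts claims only 256 bytes. */
    dir_init_single_strip(&td, 64, 256);
    chop_single_strip(&td, 16, 128);     /* rowsperstrip 8; 256/128 -> 2 strips */
    printf("td_nstrips=%u recomputed=%u fixed=%u\n", (unsigned)td.nstrips,
           (unsigned)nstrips_recomputed(&td), (unsigned)nstrips_fixed(&td));
    printf("pre-fix loop: %d\n", cp_strips_model(&td, nstrips_recomputed, &total));
    printf("fixed loop:   %d (%llu bytes)\n",
           cp_strips_model(&td, nstrips_fixed, &total), (unsigned long long)total);
    dir_free(&td);
    return 0;
}
```

With the constructed input the arrays hold two 8-byte entries while the recomputed count is 64 / 8 = 8, so the old loop indexes past the end at s = 2; the fixed count stops at 2. Replacing the bounds check in cp_strips_model() with the raw read and building with -fsanitize=address yields a heap-buffer-overflow report of the same kind as the one attached to this bug.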
For reference this has been assigned CVE-2016-9273.