Created an attachment (id=690): poc

Triggered in libtiff 4.0.6 with AFL and ASAN. Only crashes if I LD_PRELOAD AFL's libdislocator (more info: https://github.com/mirrorer/afl/tree/master/libdislocator).

LD_PRELOAD=/root/afl-2.35b/libdislocator/libdislocator.so ./tiffinfo -i test000
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12291 (0x3003) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFF Directory at offset 0x62 (98)
  Image Width: 12336 Image Length: 12336
  Compression Scheme: None
  Planar Configuration: single image plane
ASAN:SIGSEGV
=================================================================
==6884==ERROR: AddressSanitizer: SEGV on unknown address 0x7faf9b2d2000 (pc 0x7faf999ecd10 sp 0x7ffe26e325b8 bp 0x7faf9b2d1fff T0)
    #0 0x7faf999ecd0f in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x81d0f)
    #1 0x7faf999d52ee in _IO_fputs (/lib/x86_64-linux-gnu/libc.so.6+0x6a2ee)
    #2 0x490376 in _TIFFPrintField /root/libtiff/libtiff/tif_print.c:127
    #3 0x490376 in TIFFPrintDirectory /root/libtiff/libtiff/tif_print.c:647
    #4 0x405545 in tiffinfo /root/libtiff/tools/tiffinfo.c:463
    #5 0x405545 in main /root/libtiff/tools/tiffinfo.c:152
    #6 0x7faf9998cb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #7 0x40648c (/root/libtiff/tools/tiffinfo+0x40648c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 strlen
==6884==ABORTING
Without the LD_PRELOAD we see this:

./tiffinfo -i test000
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12291 (0x3003) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFF Directory at offset 0x62 (98)
  Image Width: 12336 Image Length: 12336
  Compression Scheme: None
  Planar Configuration: single image plane
  Tag 12291: 0
Fixed per

2016-11-11 Even Rouault <even.rouault at spatialys.com>

	* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII access are null terminated, to avoid potential read outside buffer in _TIFFPrintField(). Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590

/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1154; previous revision: 1.1153
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c
new revision: 1.203; previous revision: 1.202
For reference this flaw has been assigned CVE-2016-9297.
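The defect class behind this report, as an added illustration that is not libtiff's code: the "before" copies a length-prefixed ASCII tag value from the file without guaranteeing a terminator, so a later strlen()/fputs() walks off the end of the allocation; the "after" applies the fix the ChangeLog entry describes (always terminate the copied value). The struct and function names are hypothetical, and the sample bytes are constructed.

```c
/* Model of the defect class fixed for bug 2590 / CVE-2016-9297: an ASCII tag
 * value copied from the file with its declared byte count but no guaranteed
 * NUL, then handed to strlen()/fputs(). Illustrative code, not libtiff's;
 * struct and function names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Raw tag payload as it sits in the file: `count` bytes, terminator optional. */
typedef struct {
    const uint8_t *data;
    uint32_t count;
} raw_ascii_tag;

/* Before: copies exactly `count` bytes. A crafted file that omits the NUL
 * leaves the caller an unterminated buffer; strlen() in the printer then
 * reads past the allocation (a guard-page allocator such as libdislocator
 * turns that over-read into the SEGV shown in the report). */
char *fetch_ascii_before(const raw_ascii_tag *t) {
    char *v = malloc(t->count ? t->count : 1);
    if (v == NULL) return NULL;
    memcpy(v, t->data, t->count);
    return v;
}

/* After: always allocate one extra byte and terminate, whatever the file held. */
char *fetch_ascii_after(const raw_ascii_tag *t) {
    char *v = malloc((size_t)t->count + 1);
    if (v == NULL) return NULL;
    memcpy(v, t->data, t->count);
    v[t->count] = '\0';
    return v;
}

/* Bounded check a printer can apply before treating a value as a C string:
 * 1 if a NUL lies within the first `cap` bytes, reading no further. */
int is_terminated(const char *v, size_t cap) {
    return memchr(v, '\0', cap) != NULL;
}

/* Constructed sample: five ASCII bytes and no terminator, as a crafted file could supply. */
static const uint8_t sample[] = { 'H', 'e', 'l', 'l', 'o' };
const raw_ascii_tag sample_tag = { sample, sizeof sample };

int main(void) {
    char *bad = fetch_ascii_before(&sample_tag), *good = fetch_ascii_after(&sample_tag);
    printf("before terminated=%d; after terminated=%d value=%s\n",
           is_terminated(bad, sample_tag.count), is_terminated(good, sample_tag.count + 1), good);
    free(bad); free(good);
    return 0;
}
```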