Created an attachment (id=692)
2016-11-10-heap-buffer-overflow.tif

SHA1: 7da0b511cf5506e7d1cd14a8c29daa852a485ad6
Found by: Henri Salo from Nixu Corporation
Used tools:
- afl 2.35b
- rc0r's afl-utils CVS build

=========
tiffcrop 2016-11-10-heap-buffer-overflow.tif test
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 515 (0x203) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 518 (0x206) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65278 (0xfefe) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32557 (0x7f2d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65408 (0xff80) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 309 (0x135) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "NumberOfInks"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 309"; tag ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpreation tag.
*** Error in `/home/hsalo/builds/libtiff/2016-11-10/bin/tiffcrop': malloc(): memory corruption: 0x00000000022e4ae0 ***
Aborted

With ASan
=========
tiffcrop 2016-11-10-heap-buffer-overflow.tif test
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 515 (0x203) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 518 (0x206) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65278 (0xfefe) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32557 (0x7f2d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65408 (0xff80) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 309 (0x135) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "NumberOfInks"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 309"; tag ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpreation tag.
=================================================================
==6129==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eeb1 at pc 0x7f842fdedd46 bp 0x7ffe78dac900 sp 0x7ffe78dac8e8
READ of size 223 at 0x60200000eeb1 thread T0
    #0 0x7f842fdedd45 in __interceptor_write (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x29d45)
    #1 0x7f842fba0115 in _tiffWriteProc /home/hsalo/src/libtiff-cvs/libtiff/tif_unix.c:115
    #2 0x7f842fb9eea3 in TIFFAppendToStrip /home/hsalo/src/libtiff-cvs/libtiff/tif_write.c:771
    #3 0x7f842fb9d9ca in TIFFWriteEncodedStrip /home/hsalo/src/libtiff-cvs/libtiff/tif_write.c:273
    #4 0x402bc2 in writeBufferToSeparateStrips /home/hsalo/src/libtiff-cvs/tools/tiffcrop.c:1197
    #5 0x413c3f in writeCroppedImage /home/hsalo/src/libtiff-cvs/tools/tiffcrop.c:7944
    #6 0x405b08 in main /home/hsalo/src/libtiff-cvs/tools/tiffcrop.c:2356
    #7 0x7f842ec11b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #8 0x401928 (/home/hsalo/builds/libtiff/2016-11-10-asan/bin/tiffcrop+0x401928)

0x60200000eeb1 is located 0 bytes to the right of 1-byte region [0x60200000eeb0,0x60200000eeb1)
allocated by thread T0 here:
    #0 0x7f842fe1873f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x7f842fba047f in _TIFFmalloc /home/hsalo/src/libtiff-cvs/libtiff/tif_unix.c:316
    #2 0x4029fa in writeBufferToSeparateStrips /home/hsalo/src/libtiff-cvs/tools/tiffcrop.c:1170
    #3 0x413c3f in writeCroppedImage /home/hsalo/src/libtiff-cvs/tools/tiffcrop.c:7944
    #4 0x405b08 in main /home/hsalo/src/libtiff-cvs/tools/tiffcrop.c:2356
    #5 0x7f842ec11b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_write
Shadow bytes around the buggy address:
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
=>0x0c047fff9dd0: fa fa 00 00 fa fa[01]fa fa fa 00 00 fa fa 00 00
  0x0c047fff9de0: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa fd fa
  0x0c047fff9df0: fa fa fd fa fa fa 02 fa fa fa fd fa fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==6129==ABORTING

Backtrace
=========
>>> bt
#0  0x00007ffff6c58067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff6c59448 in __GI_abort () at abort.c:89
#2  0x00007ffff6c961b4 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff6d8b210 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff6c9b98e in malloc_printerr (action=1, str=0x7ffff6d873a7 "malloc(): memory corruption", ptr=<optimized out>) at malloc.c:4996
#4  0x00007ffff6c9d609 in _int_malloc (av=0x7ffff6fc8620 <main_arena>, bytes=16) at malloc.c:3447
#5  0x00007ffff6c9f020 in __GI___libc_malloc (bytes=16) at malloc.c:2891
#6  0x00007ffff7bb5bdd in TIFFSetupStrips (tif=tif@entry=0x6193e0) at tif_write.c:543
#7  0x00007ffff7bb5e17 in TIFFWriteCheck (tif=0x6193e0, tiles=<optimized out>, module=0x7ffff7bce3e0 <module> "TIFFWriteEncodedStrip") at tif_write.c:613
#8  0x00007ffff7bb66ee in TIFFWriteEncodedStrip (tif=0x6193e0, strip=0, data=0x618ac0, cc=223) at tif_write.c:194
#9  0x0000000000409129 in writeBufferToSeparateStrips (out=0x5e14, out@entry=0x6193e0, buf=0x5e14 <error: Cannot access memory at address 0x5e14>, buf@entry=0x618590 "", length=6, length@entry=1, width=1, spp=12336, spp@entry=2, dump=0x7fffffffbfd0) at tiffcrop.c:1197
#10 0x000000000040a0ac in writeCroppedImage (in=0x618010, out=0x6193e0, image=<optimized out>, dump=0x7fffffffbfd0, width=254, length=1, crop_buff=0x618590 "", pagenum=0, total_pages=1) at tiffcrop.c:7944
#11 0x0000000000403bf3 in main (argc=-31128, argv=0x5e14) at tiffcrop.c:2356

Valgrind
========
==23244== Memcheck, a memory error detector
==23244== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==23244== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==23244== Command: /home/hsalo/builds/libtiff/2016-11-10/bin/tiffcrop 2016-11-10-heap-buffer-overflow.tif test
==23244==
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 515 (0x203) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 518 (0x206) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65278 (0xfefe) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32557 (0x7f2d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65408 (0xff80) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 309 (0x135) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "NumberOfInks"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 309"; tag ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpreation tag.
==23244== Invalid write of size 1
==23244==    at 0x408A65: extractContigSamples24bits.constprop.10 (tiffcrop.c:2977)
==23244==    by 0x4090AC: extractContigSamplesToBuffer (tiffcrop.c:3539)
==23244==    by 0x4090AC: writeBufferToSeparateStrips (tiffcrop.c:1184)
==23244==    by 0x40A0AB: writeCroppedImage (tiffcrop.c:7944)
==23244==    by 0x403BF2: main (tiffcrop.c:2356)
==23244==  Address 0x61f93c1 is 0 bytes after a block of size 1 alloc'd
==23244==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23244==    by 0x408F0E: writeBufferToSeparateStrips (tiffcrop.c:1170)
==23244==    by 0x40A0AB: writeCroppedImage (tiffcrop.c:7944)
==23244==    by 0x403BF2: main (tiffcrop.c:2356)
==23244==
==23244== Invalid write of size 1
==23244==    at 0x408A54: extractContigSamples24bits.constprop.10 (tiffcrop.c:2975)
==23244==    by 0x4090AC: extractContigSamplesToBuffer (tiffcrop.c:3539)
==23244==    by 0x4090AC: writeBufferToSeparateStrips (tiffcrop.c:1184)
==23244==    by 0x40A0AB: writeCroppedImage (tiffcrop.c:7944)
==23244==    by 0x403BF2: main (tiffcrop.c:2356)
==23244==  Address 0x61f93c2 is 1 bytes after a block of size 1 alloc'd
==23244==    at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23244==    by 0x408F0E: writeBufferToSeparateStrips (tiffcrop.c:1170)
==23244==    by 0x40A0AB: writeCroppedImage (tiffcrop.c:7944)
==23244==    by 0x403BF2: main (tiffcrop.c:2356)
==23244==

valgrind: m_mallocfree.c:304 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 80, hi = 576460892964194048.
This is probably caused by your program erroneously writing past the end
of a heap block and corrupting heap metadata. If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away. Please try that before reporting this as a bug.

host stacktrace:
==23244==    at 0x380A48EF: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x380A49E4: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x380A4B66: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x380B170D: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x3809DC93: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x3809C73B: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x380A05BA: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x3809BCB2: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x802CC2169: ???
==23244==    by 0x802B95EEF: ???
==23244==    by 0x3807290F: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x40908F: extractContigSamplesToBuffer (tiffcrop.c:3521)
==23244==    by 0x40908F: writeBufferToSeparateStrips (tiffcrop.c:1184)
==23244==    by 0x1BFF: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==23244==    at 0x408AAF: extractContigSamples24bits.constprop.10 (tiffcrop.c:2991)
==23244==    by 0x4090AC: extractContigSamplesToBuffer (tiffcrop.c:3539)
==23244==    by 0x4090AC: writeBufferToSeparateStrips (tiffcrop.c:1184)
==23244==    by 0x40A0AB: writeCroppedImage (tiffcrop.c:7944)
==23244==    by 0x403BF2: main (tiffcrop.c:2356)
This fuzzing was sponsored by Kapsi internet-käyttäjät ry https://www.kapsi.fi/
Fixed per

2016-11-11 Even Rouault <even.rouault at spatialys.com>

        * tools/tiffcrop.c: fix multiple uint32 overflows in
        writeBufferToSeparateStrips(), writeBufferToContigTiles() and
        writeBufferToSeparateTiles() that could cause heap buffer overflows.
        Reported by Henri Salo from Nixu Corporation.
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592

/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1152; previous revision: 1.1151
/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v  <--  tools/tiffcrop.c
new revision: 1.43; previous revision: 1.42
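The fix note above attributes the heap buffer overflow to uint32 overflows in the buffer-size arithmetic of tiffcrop's write paths, and the sanitizer reports show the symptom of that class of bug: a 1-byte heap allocation that is then written and read well past its end. The example below is an added illustration, not libtiff's or tiffcrop's own code; the function names and the `width * spp * bps / 8 * length` size formula are assumptions chosen to mirror the general shape of a strip-size computation. It places an unchecked computation that silently wraps beside a checked one that verifies each multiplication against UINT32_MAX and refuses the input instead of returning a tiny size.

```c
#include <stdint.h>
#include <stdio.h>

/* Unchecked strip size of the kind that wraps in 32-bit arithmetic.
 * When width * spp * bps exceeds 2^32 the product wraps to a small
 * value, so the caller allocates a tiny buffer and later copies far
 * more bytes into it than it holds. (Illustrative formula, assumed.) */
static uint32_t unchecked_strip_size(uint32_t width, uint32_t length,
                                     uint16_t spp, uint16_t bps)
{
    uint32_t bytes_per_row = ((width * spp * bps) + 7) / 8;
    return bytes_per_row * length;
}

/* Multiply two uint32 values, reporting failure instead of wrapping.
 * Returns 1 and stores the product on success, 0 on overflow. */
static int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Checked strip size: every intermediate product is validated and
 * zero-sized dimensions are rejected outright. Returns 1 and stores
 * the size in *out on success; returns 0 and leaves *out untouched
 * when the input would overflow. The caller must treat 0 as a fatal
 * "refuse this file" condition rather than fall back to a default. */
static int checked_strip_size(uint32_t width, uint32_t length,
                              uint16_t spp, uint16_t bps, uint32_t *out)
{
    uint32_t bits_per_row, bytes_per_row, total;

    if (width == 0 || length == 0 || spp == 0 || bps == 0)
        return 0;
    if (!mul_u32_checked(width, spp, &bits_per_row))
        return 0;
    if (!mul_u32_checked(bits_per_row, bps, &bits_per_row))
        return 0;
    if (bits_per_row > UINT32_MAX - 7)      /* the +7 rounding step itself */
        return 0;
    bytes_per_row = (bits_per_row + 7) / 8;
    if (!mul_u32_checked(bytes_per_row, length, &total))
        return 0;
    *out = total;
    return 1;
}

int main(void)
{
    /* Constructed inputs: a sane RGB image and a width chosen so that
     * width * spp * bps is just over 2^32 and wraps to 16 bits. */
    uint32_t size = 0;

    printf("640x480 RGB/8: unchecked=%u checked_ok=%d size=%u\n",
           unchecked_strip_size(640, 480, 3, 8),
           checked_strip_size(640, 480, 3, 8, &size), size);

    size = 0;
    printf("wrapping input: unchecked=%u checked_ok=%d\n",
           unchecked_strip_size(268435457u, 1, 2, 8),
           checked_strip_size(268435457u, 1, 2, 8, &size));
    return 0;
}
```

For the wrapping input the unchecked version returns 2, which is the kind of tiny allocation the ASan and Valgrind reports above describe, while the checked version returns 0 so the caller can abort the conversion before any buffer is allocated.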
CVE request: http://www.openwall.com/lists/oss-security/2016/11/11/14
This was assigned CVE-2016-9532.