Bug 2592 - CVE-2016-9532: Heap buffer overflow via writeBufferToSeparateStrips tiffcrop.c:1170
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P1 critical
Reported: 2016-11-10 11:25 by
Modified: 2016-11-22 04:32


Attachments
2016-11-10-heap-buffer-overflow.tif (2.78 KB, image/tiff)
2016-11-10 11:25, Henri Salo

Description From 2016-11-10 11:25:47
Created an attachment (id=692)
2016-11-10-heap-buffer-overflow.tif

SHA1: 7da0b511cf5506e7d1cd14a8c29daa852a485ad6

Found by: Henri Salo from Nixu Corporation
Used tools:
- afl 2.35b
- rc0r's afl-utils

CVS build
=========

tiffcrop 2016-11-10-heap-buffer-overflow.tif test
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 515 (0x203) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 518 (0x206) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65278 (0xfefe) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32557 (0x7f2d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65408 (0xff80) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 309 (0x135) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "NumberOfInks"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 309"; tag ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required
"StripByteCounts" field, calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpreation tag.
*** Error in `/home/hsalo/builds/libtiff/2016-11-10/bin/tiffcrop': malloc():
memory corruption: 0x00000000022e4ae0 ***
Aborted

With ASan
=========

tiffcrop 2016-11-10-heap-buffer-overflow.tif test
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 515 (0x203) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 518 (0x206) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65278 (0xfefe) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32557 (0x7f2d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65408 (0xff80) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 309 (0x135) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "NumberOfInks"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 309"; tag ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required
"StripByteCounts" field, calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpreation tag.
=================================================================
==6129==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eeb1
at pc 0x7f842fdedd46 bp 0x7ffe78dac900 sp 0x7ffe78dac8e8
READ of size 223 at 0x60200000eeb1 thread T0
    #0 0x7f842fdedd45 in __interceptor_write
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x29d45)
    #1 0x7f842fba0115 in _tiffWriteProc
/home/hsalo/src/libtiff-cvs/libtiff/tif_unix.c:115
    #2 0x7f842fb9eea3 in TIFFAppendToStrip
/home/hsalo/src/libtiff-cvs/libtiff/tif_write.c:771
    #3 0x7f842fb9d9ca in TIFFWriteEncodedStrip
/home/hsalo/src/libtiff-cvs/libtiff/tif_write.c:273
    #4 0x402bc2 in writeBufferToSeparateStrips
/home/hsalo/src/libtiff-cvs/tools/tiffcrop.c:1197
    #5 0x413c3f in writeCroppedImage
/home/hsalo/src/libtiff-cvs/tools/tiffcrop.c:7944
    #6 0x405b08 in main /home/hsalo/src/libtiff-cvs/tools/tiffcrop.c:2356
    #7 0x7f842ec11b44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #8 0x401928
(/home/hsalo/builds/libtiff/2016-11-10-asan/bin/tiffcrop+0x401928)

0x60200000eeb1 is located 0 bytes to the right of 1-byte region
[0x60200000eeb0,0x60200000eeb1)
allocated by thread T0 here:
    #0 0x7f842fe1873f in malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x7f842fba047f in _TIFFmalloc
/home/hsalo/src/libtiff-cvs/libtiff/tif_unix.c:316
    #2 0x4029fa in writeBufferToSeparateStrips
/home/hsalo/src/libtiff-cvs/tools/tiffcrop.c:1170
    #3 0x413c3f in writeCroppedImage
/home/hsalo/src/libtiff-cvs/tools/tiffcrop.c:7944
    #4 0x405b08 in main /home/hsalo/src/libtiff-cvs/tools/tiffcrop.c:2356
    #5 0x7f842ec11b44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_write
==6129==ABORTING

Backtrace
=========

>>> bt
#0  0x00007ffff6c58067 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff6c59448 in __GI_abort () at abort.c:89
#2  0x00007ffff6c961b4 in __libc_message (do_abort=do_abort@entry=1,
fmt=fmt@entry=0x7ffff6d8b210 "*** Error in `%s': %s: 0x%s ***\n") at
../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff6c9b98e in malloc_printerr (action=1, str=0x7ffff6d873a7
"malloc(): memory corruption", ptr=<optimized out>) at malloc.c:4996
#4  0x00007ffff6c9d609 in _int_malloc (av=0x7ffff6fc8620 <main_arena>,
bytes=16) at malloc.c:3447
#5  0x00007ffff6c9f020 in __GI___libc_malloc (bytes=16) at malloc.c:2891
#6  0x00007ffff7bb5bdd in TIFFSetupStrips (tif=tif@entry=0x6193e0) at
tif_write.c:543
#7  0x00007ffff7bb5e17 in TIFFWriteCheck (tif=0x6193e0, tiles=<optimized out>,
module=0x7ffff7bce3e0 <module> "TIFFWriteEncodedStrip") at tif_write.c:613
#8  0x00007ffff7bb66ee in TIFFWriteEncodedStrip (tif=0x6193e0, strip=0,
data=0x618ac0, cc=223) at tif_write.c:194
#9  0x0000000000409129 in writeBufferToSeparateStrips (out=0x5e14,
out@entry=0x6193e0, buf=0x5e14 <error: Cannot access memory at address 0x5e14>,
buf@entry=0x618590 "", length=6, length@entry=1, width=1, spp=12336,
spp@entry=2, dump=0x7fffffffbfd0) at tiffcrop.c:1197
#10 0x000000000040a0ac in writeCroppedImage (in=0x618010, out=0x6193e0,
image=<optimized out>, dump=0x7fffffffbfd0, width=254, length=1,
crop_buff=0x618590 "", pagenum=0, total_pages=1) at tiffcrop.c:7944
#11 0x0000000000403bf3 in main (argc=-31128, argv=0x5e14) at tiffcrop.c:2356

Valgrind
========

==23244== Memcheck, a memory error detector
==23244== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==23244== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==23244== Command: /home/hsalo/builds/libtiff/2016-11-10/bin/tiffcrop
2016-11-10-heap-buffer-overflow.tif test
==23244==
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 515 (0x203) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 518 (0x206) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65278 (0xfefe) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32557 (0x7f2d) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65408 (0xff80) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 309 (0x135) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "NumberOfInks"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 309"; tag ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required
"StripByteCounts" field, calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpreation tag.
==23244== Invalid write of size 1
==23244==    at 0x408A65: extractContigSamples24bits.constprop.10
(tiffcrop.c:2977)
==23244==    by 0x4090AC: extractContigSamplesToBuffer (tiffcrop.c:3539)
==23244==    by 0x4090AC: writeBufferToSeparateStrips (tiffcrop.c:1184)
==23244==    by 0x40A0AB: writeCroppedImage (tiffcrop.c:7944)
==23244==    by 0x403BF2: main (tiffcrop.c:2356)
==23244==  Address 0x61f93c1 is 0 bytes after a block of size 1 alloc'd
==23244==    at 0x4C28C20: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23244==    by 0x408F0E: writeBufferToSeparateStrips (tiffcrop.c:1170)
==23244==    by 0x40A0AB: writeCroppedImage (tiffcrop.c:7944)
==23244==    by 0x403BF2: main (tiffcrop.c:2356)
==23244==
==23244== Invalid write of size 1
==23244==    at 0x408A54: extractContigSamples24bits.constprop.10
(tiffcrop.c:2975)
==23244==    by 0x4090AC: extractContigSamplesToBuffer (tiffcrop.c:3539)
==23244==    by 0x4090AC: writeBufferToSeparateStrips (tiffcrop.c:1184)
==23244==    by 0x40A0AB: writeCroppedImage (tiffcrop.c:7944)
==23244==    by 0x403BF2: main (tiffcrop.c:2356)
==23244==  Address 0x61f93c2 is 1 bytes after a block of size 1 alloc'd
==23244==    at 0x4C28C20: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23244==    by 0x408F0E: writeBufferToSeparateStrips (tiffcrop.c:1170)
==23244==    by 0x40A0AB: writeCroppedImage (tiffcrop.c:7944)
==23244==    by 0x403BF2: main (tiffcrop.c:2356)
==23244==

valgrind: m_mallocfree.c:304 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi'
failed.
valgrind: Heap block lo/hi size mismatch: lo = 80, hi = 576460892964194048.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.


host stacktrace:
==23244==    at 0x380A48EF: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x380A49E4: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x380A4B66: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x380B170D: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x3809DC93: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x3809C73B: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x380A05BA: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x3809BCB2: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x802CC2169: ???
==23244==    by 0x802B95EEF: ???
==23244==    by 0x3807290F: ??? (in /usr/lib/valgrind/memcheck-amd64-linux)
==23244==    by 0x40908F: extractContigSamplesToBuffer (tiffcrop.c:3521)
==23244==    by 0x40908F: writeBufferToSeparateStrips (tiffcrop.c:1184)
==23244==    by 0x1BFF: ???

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==23244==    at 0x408AAF: extractContigSamples24bits.constprop.10
(tiffcrop.c:2991)
==23244==    by 0x4090AC: extractContigSamplesToBuffer (tiffcrop.c:3539)
==23244==    by 0x4090AC: writeBufferToSeparateStrips (tiffcrop.c:1184)
==23244==    by 0x40A0AB: writeCroppedImage (tiffcrop.c:7944)
==23244==    by 0x403BF2: main (tiffcrop.c:2356)
------- Comment #1 From 2016-11-10 11:35:03 -------
This fuzzing was sponsored by Kapsi internet-käyttäjät ry https://www.kapsi.fi/
------- Comment #2 From 2016-11-11 14:33:30 -------
Fixed per

2016-11-11 Even Rouault <even.rouault at spatialys.com>

        * tools/tiffcrop.c: fix multiple uint32 overflows in
        writeBufferToSeparateStrips(), writeBufferToContigTiles() and
        writeBufferToSeparateTiles() that could cause heap buffer overflows.
        Reported by Henri Salo from Nixu Corporation.
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2592


/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1152; previous revision: 1.1151
/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v  <--  tools/tiffcrop.c
new revision: 1.43; previous revision: 1.42
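The ChangeLog entry above attributes the overflow to uint32 arithmetic in the strip-size computation. The following is an added illustration, not libtiff's or tiffcrop's own code: a naive 32-bit strip-size calculation of the kind that wraps under hostile tag values, beside an overflow-checked version that rejects sizes which do not fit. The function names and the sample width/spp/bps values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical naive size computation (constructed, not tiffcrop's code):
 * bytes needed for `rows` rows of `width` pixels with `spp` samples per
 * pixel of `bps` bits each, evaluated entirely in uint32. Each product can
 * wrap, so a huge image can yield a tiny allocation that later writes and
 * reads overrun, which is the heap-buffer-overflow pattern in this report. */
static uint32_t strip_size_unchecked(uint32_t width, uint32_t rows,
                                     uint32_t spp, uint32_t bps)
{
    uint32_t bits_per_row  = width * spp * bps;       /* may wrap */
    uint32_t bytes_per_row = (bits_per_row + 7) / 8;  /* may wrap on +7 */
    return bytes_per_row * rows;                      /* may wrap */
}

/* Overflow-checked version: intermediates are widened to uint64 and each
 * one is verified to fit before use. Returns 0 when the size is not
 * representable, so a caller can refuse to allocate instead of under-sizing. */
static uint32_t strip_size_checked(uint32_t width, uint32_t rows,
                                   uint32_t spp, uint32_t bps)
{
    uint64_t bits = (uint64_t)width * spp;
    if (bits > UINT32_MAX) return 0;
    bits *= bps;                                  /* < 2^64 since both < 2^32 */
    if (bits > (uint64_t)UINT32_MAX - 7) return 0;
    uint64_t bytes = (bits + 7) / 8 * rows;       /* <= 2^29 * 2^32 < 2^64 */
    if (bytes == 0 || bytes > UINT32_MAX) return 0;
    return (uint32_t)bytes;
}

int main(void)
{
    /* Constructed hostile geometry: width*spp*bps = 2^35 + 128, which the
     * uint32 computation wraps to 128 bits, i.e. a 16-byte buffer. */
    uint32_t w = 0x10000001u, rows = 1, spp = 2, bps = 64;
    printf("unchecked: %u bytes\n", strip_size_unchecked(w, rows, spp, bps));
    printf("checked:   %u bytes (0 = rejected)\n",
           strip_size_checked(w, rows, spp, bps));
    /* Sane geometry (254 x 1, 2 samples of 8 bits): both agree on 508 bytes. */
    printf("sane:      %u == %u\n", strip_size_unchecked(254, 1, 2, 8),
           strip_size_checked(254, 1, 2, 8));
    return 0;
}
```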
------- Comment #3 From 2016-11-16 07:09:31 -------
CVE request: http://www.openwall.com/lists/oss-security/2016/11/11/14
------- Comment #4 From 2016-11-22 04:32:59 -------
This was assigned CVE-2016-9532.