Bug 2610 - tiffcp: heap-based buffer overflow in cpStripToTile (tiffcp.c)
Status: RESOLVED FIXED
: libtiff
default
: unspecified
: PC Linux
: P1 critical
Reported: 2016-11-27 06:20 by
Modified: 2016-12-03 11:43


Attachments
stacktrace (3.43 KB, text/plain)
2016-11-27 06:20, Agostino Sarubbo
Description From 2016-11-27 06:20:41
Created an attachment (id=708): stacktrace

On 4.0.7:

tiffcp -i $FILE /tmp/foo

AddressSanitizer: heap-buffer-overflow
/tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1171:11 in
cpStripToTile


Testcase:
https://github.com/asarubbo/poc/blob/master/00082-libtiff-heap-overflow-cpStripToTile
------- Comment #1 From 2016-12-03 11:43:23 -------
Fixed per

2016-12-03 Even Rouault <even.rouault at spatialys.com>

        * tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based
        buffer overflow.
        Reported by Agostino Sarubbo.
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610

/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1187; previous revision: 1.1186
/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v  <--  tools/tiffcp.c
new revision: 1.59; previous revision: 1.58
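
A generic illustration of the bug class the ChangeLog entry names, added here and not taken from libtiff or from the actual patch: a uint32 subtraction that wraps before it is used to advance a pointer in a row-copy loop, next to a bounds-checked copy. The function names, parameters and sample buffers are hypothetical, and the stride-minus-columns skew is an assumed pattern, not something this report states.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unchecked pattern: the skew is computed in uint32_t, so cols > stride
 * wraps modulo 2^32 instead of going negative. */
uint32_t wrapped_skew(uint32_t stride, uint32_t cols)
{
    return stride - cols;
}

/* Hypothetical helper (not a libtiff function): copy a rows x cols byte
 * block between two buffers with different row strides.
 * Returns 0 on success, -1 if the geometry does not fit the allocations. */
int copy_block_checked(uint8_t *out, size_t out_size, uint32_t out_stride,
                       const uint8_t *in, size_t in_size, uint32_t in_stride,
                       uint32_t rows, uint32_t cols)
{
    /* Reject the case where stride - cols would wrap. */
    if (cols > in_stride || cols > out_stride)
        return -1;
    if (rows == 0 || cols == 0)
        return 0;
    /* Offset one past the last byte touched, in 64 bits so the product
     * cannot overflow, compared against the real allocation sizes. */
    uint64_t in_need = (uint64_t)(rows - 1) * in_stride + cols;
    uint64_t out_need = (uint64_t)(rows - 1) * out_stride + cols;
    if (in_need > in_size || out_need > out_size)
        return -1;
    for (uint32_t r = 0; r < rows; r++)
        memcpy(out + (size_t)r * out_stride, in + (size_t)r * in_stride, cols);
    return 0;
}

int main(void)
{
    /* Constructed sample: 3 rows of 4 bytes in, 3 rows of 2 bytes out. */
    uint8_t in[12] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11}, out[6] = {0};
    printf("wrapped skew (stride 4, cols 5): %u\n", (unsigned)wrapped_skew(4, 5));
    printf("valid copy:    %d\n", copy_block_checked(out, 6, 2, in, 12, 4, 3, 2));
    printf("cols > stride: %d\n", copy_block_checked(out, 6, 2, in, 12, 4, 3, 5));
    printf("too many rows: %d\n", copy_block_checked(out, 6, 2, in, 12, 4, 4, 2));
    return 0;
}
```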