Bug 2620 - tiffcrop: heap-based buffer overflow in _TIFFFax3fillruns (tif_fax3.c)
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P1 critical
Target Milestone: ---
Assigned To:
Reported: 2016-12-03 05:06 by
Modified: 2016-12-03 06:39


Attachments
stacktrace (5.57 KB, text/plain)
2016-12-03 05:06, Agostino Sarubbo


Description From 2016-12-03 05:06:06
Created an attachment (id=712) [details]
stacktrace

On 4.0.7:

# tiffcrop -i $FILE /tmp/foo

AddressSanitizer: heap-buffer-overflow
/tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_fax3.c:413:13 in
_TIFFFax3fillruns


Testcase:
https://github.com/asarubbo/poc/blob/master/00100-libtiff-heapoverflow-_TIFFFax3fillruns
------- Comment #1 From 2016-12-03 06:36:15 -------
Fixed per:

2016-12-03 Even Rouault <even.rouault at spatialys.com>

        * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so
        that the output buffer is correctly incremented to avoid write outside bounds.
        Reported by Agostino Sarubbo.
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620

/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1178; previous revision: 1.1177
/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v  <--  tools/tiffcrop.c
new revision: 1.47; previous revision: 1.46
------- Comment #2 From 2016-12-03 06:39:37 -------
*** Bug 2622 has been marked as a duplicate of this bug. ***
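The ChangeLog entry in Comment #1 names the fault class (a strip-reading loop whose output pointer is not advanced correctly in -i mode, so a later strip is written outside the buffer) but quotes no code. The block below is an added illustration written for this page; it is not tiffcrop's readContigStripsIntoBuffer() and uses no libtiff API. The mechanism it models, advancing the cursor by a decoder return value that is -1 for a skipped strip, is an assumption about how such a loop can go wrong, not something the bug page states. `Strip`, `decode_strip`, `fill_vulnerable`, `fill_hardened` and the sample strips are all constructed for the demo, and the stand-in decoder records an out-of-bounds attempt instead of performing it so the program itself stays memory-safe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One strip of a constructed "image". Every strip has the same nominal size;
 * a corrupt strip makes the decoder fail (return -1) instead of producing bytes. */
typedef struct {
    const uint8_t *data;   /* decoded bytes for a good strip */
    int corrupt;           /* 1 = decoder reports failure for this strip */
} Strip;

/* Outcome of one fill pass. `oob` records what AddressSanitizer would flag. */
typedef struct {
    int completed;         /* 1 if every strip was processed */
    int oob;               /* 1 if any write would have landed outside buf */
    long oob_offset;       /* offset (relative to buf) of the first such write */
} FillResult;

/* Hypothetical stand-in decoder (not libtiff's): writes `stripsize` bytes at
 * buf+cursor, or returns -1 for a corrupt strip. Instead of performing an
 * out-of-bounds write it records the attempt in `r`, so the demo shows where
 * the real bug would corrupt the heap without actually doing so. */
static long decode_strip(const Strip *s, size_t stripsize,
                         uint8_t *buf, size_t bufsize, long cursor, FillResult *r)
{
    if (s->corrupt)
        return -1;
    if (cursor < 0 || (size_t)cursor + stripsize > bufsize) {
        if (!r->oob) { r->oob = 1; r->oob_offset = cursor; }
        return (long)stripsize;   /* the real bug would have written here */
    }
    memcpy(buf + cursor, s->data, stripsize);
    return (long)stripsize;
}

/* Vulnerable pattern (assumed mechanism): the output cursor advances by whatever
 * the decoder returned. In ignore mode a failed strip returns -1, so the cursor
 * moves backwards and the next strip is written outside the buffer. */
FillResult fill_vulnerable(const Strip *strips, size_t nstrips, size_t stripsize,
                           uint8_t *buf, size_t bufsize, int ignore)
{
    FillResult r = {0, 0, 0};
    long cursor = 0;
    for (size_t i = 0; i < nstrips; i++) {
        long n = decode_strip(&strips[i], stripsize, buf, bufsize, cursor, &r);
        if (n < 0 && !ignore)
            return r;              /* hard error: stop, completed stays 0 */
        cursor += n;               /* BUG: n may be -1 */
    }
    r.completed = 1;
    return r;
}

/* Hardened pattern: check that a whole strip fits before decoding, and advance
 * by the nominal strip size regardless of what the decoder reported, so an
 * ignored strip leaves a zero-filled hole instead of shifting later writes. */
FillResult fill_hardened(const Strip *strips, size_t nstrips, size_t stripsize,
                         uint8_t *buf, size_t bufsize, int ignore)
{
    FillResult r = {0, 0, 0};
    size_t cursor = 0;
    for (size_t i = 0; i < nstrips; i++) {
        if (stripsize > bufsize - cursor)
            return r;              /* file claims more strips than the buffer holds */
        long n = decode_strip(&strips[i], stripsize, buf, bufsize, (long)cursor, &r);
        if (n < 0) {
            if (!ignore)
                return r;
            memset(buf + cursor, 0, stripsize);   /* ignore mode: blank the strip */
        }
        cursor += stripsize;
    }
    r.completed = 1;
    return r;
}

/* Constructed sample: three 4-byte strips, the first one corrupt. */
static const uint8_t s0[4] = {0x11, 0x11, 0x11, 0x11};
static const uint8_t s1[4] = {0x22, 0x22, 0x22, 0x22};
static const uint8_t s2[4] = {0x33, 0x33, 0x33, 0x33};
const Strip SAMPLE[3] = { {s0, 1}, {s1, 0}, {s2, 0} };

int main(void)
{
    uint8_t buf[12];
    FillResult v = fill_vulnerable(SAMPLE, 3, 4, buf, sizeof buf, 1);
    printf("vulnerable: completed=%d oob=%d first bad offset=%ld\n",
           v.completed, v.oob, v.oob_offset);
    memset(buf, 0xAA, sizeof buf);
    FillResult h = fill_hardened(SAMPLE, 3, 4, buf, sizeof buf, 1);
    printf("hardened:   completed=%d oob=%d buf[4]=0x%02x\n",
           h.completed, h.oob, buf[4]);
    return 0;
}
```

With the first strip corrupt and ignore mode on, the vulnerable loop's cursor becomes -1 after strip 0, so strip 1 is placed one byte before the buffer start; the hardened loop instead leaves strip 0 zeroed and keeps the remaining strips at their nominal offsets. The second guard in the hardened loop also rejects a file whose strip count exceeds the allocated buffer, which is the other way such a loop can write out of bounds.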