Bug 2640 - libtiff: heap-based buffer overflow in _TIFFmemcpy (tif_unix.c)
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Platform: PC Linux
Importance: P1 critical
Reported: 2016-12-20 12:04
Modified: 2016-12-20 12:28


Attachments
stacktrace (6.31 KB, text/plain)
2016-12-20 12:04, Agostino Sarubbo

Description From 2016-12-20 12:04:39
Created an attachment (id=730): stacktrace

On 4.0.7:

# tiff2pdf $FILE -o foo

AddressSanitizer: heap-buffer-overflow
/tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
in __asan_memcpy

which refers to:

_TIFFmemcpy
/tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2

Testcase:
https://github.com/asarubbo/poc/blob/master/00112-libtiff-heapoverflow-_TIFFmemcpy

FTR: this is confirmed on master

------- Comment #1 From 2016-12-20 12:28:38 -------
Fixed by

2016-12-20 Even Rouault <even.rouault at spatialys.com>

        * tools/tiff2pdf.c: avoid potential heap-based overflow in
        t2p_readwrite_pdf_image_tile().
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640

/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1199; previous revision: 1.1198
/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v  <--  tools/tiff2pdf.c
new revision: 1.101; previous revision: 1.100