Bug 2664 - heap-buffer-overflow in LZWEncode tif_lzw.c
Status: RESOLVED WONTFIX
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P2 critical
Target Milestone: ---
Reported: 2017-01-18 11:10 by wang junjie
Modified: 2017-04-27 14:21


Attachments
    poc (54 bytes, application/octet-stream), 2017-01-18 11:10, wang junjie
    Patch that solves this issue (999 bytes, patch), 2017-03-29 04:24, Fridrich Strba



Description From 2017-01-18 11:10:14
Created an attachment (id=749)
poc

The stack trace is as follows, and the command is:
libtiff/tools/bmp2tiff -c lzw poc out.tif

==26872== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb53fe830 at pc 0x81844a4 bp 0xbf962628 sp 0xbf96261c
READ of size 1 at 0xb53fe830 thread T0
    #0 0x81844a3 in LZWEncode /home/b/asan/libtiff/libtiff/tif_lzw.c:925
    #1 0x810833f in TIFFWriteScanline /home/b/asan/libtiff/libtiff/tif_write.c:173
    #2 0x804df67 in main /home/b/asan/libtiff/tools/bmp2tiff.c:775
    #3 0xb5f5fa82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #4 0x8051060 in _start (/home/b/asan/libtiff/tools/bmp2tiff+0x8051060)
0xb53fe830 is located 0 bytes to the right of 3158064-byte region [0xb50fb800,0xb53fe830)
allocated by thread T0 here:
    #0 0xb6151854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
    #1 0x804c7da in main /home/b/asan/libtiff/tools/bmp2tiff.c:678
    #2 0xb5f5fa82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/b/asan/libtiff/libtiff/tif_lzw.c:921 LZWEncode
Shadow bytes around the buggy address:
------- Comment #1 From 2017-03-29 04:24:46 -------
Created an attachment (id=757)
Patch that solves this issue

This patch sanitizes the code so that it does not read past the initialized data.
------- Comment #2 From 2017-04-27 14:21:13 -------
The bmp2tiff utility has been removed from libtiff upstream. Closing as wontfix.
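As an added example (not libtiff's code and not the attached patch), this is the kind of check Comment #1 describes: the trace shows LZWEncode reading one byte past the buffer that bmp2tiff.c:678 allocated while bmp2tiff.c:775 feeds rows to TIFFWriteScanline, so the hypothetical write_image_rows() below validates the declared row geometry against the allocated length before any row reaches the encoder. The scanline_writer type and sum_writer() are assumed stand-ins for the real encoder entry point.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical stand-in for TIFFWriteScanline(): bmp2tiff.c:775 hands the
 * encoder one row at a time, and LZWEncode then reads `rowbytes` bytes. */
typedef int (*scanline_writer)(const uint8_t *row, size_t rowbytes, void *ctx);

/* Return 1 if `rows` scanlines of `rowbytes` bytes lie entirely inside a
 * `buflen`-byte buffer. The division guard keeps rows*rowbytes from wrapping. */
int scanlines_fit(size_t rows, size_t rowbytes, size_t buflen)
{
    if (rows == 0 || rowbytes == 0) return 0;
    if (rows > SIZE_MAX / rowbytes) return 0;      /* product would wrap */
    return rows * rowbytes <= buflen;
}

/* Hand rows to `write` only after checking the header geometry against the
 * buffer that was actually allocated. Returns rows written, or -1 if refused. */
long write_image_rows(const uint8_t *buf, size_t buflen, size_t rows,
                      size_t rowbytes, scanline_writer write, void *ctx)
{
    if (!scanlines_fit(rows, rowbytes, buflen)) return -1;
    for (size_t r = 0; r < rows; r++)
        if (write(buf + r * rowbytes, rowbytes, ctx) != 0) return -1;
    return (long)rows;
}

/* Example writer: sums every byte it receives so a caller can confirm which
 * rows actually reached it (a real encoder would compress them instead). */
int sum_writer(const uint8_t *row, size_t rowbytes, void *ctx)
{
    uint32_t *sum = ctx;
    for (size_t i = 0; i < rowbytes; i++) *sum += row[i];
    return 0;
}

int main(void)
{
    uint8_t pix[12];                 /* constructed 12-byte pixel buffer */
    uint32_t sum = 0;
    for (size_t i = 0; i < sizeof pix; i++) pix[i] = (uint8_t)i;
    /* Header and buffer agree (3 rows x 4 bytes): all rows are encoded. */
    long ok = write_image_rows(pix, sizeof pix, 3, 4, sum_writer, &sum);
    printf("3x4: %ld rows, byte sum %u\n", ok, sum);     /* 3 rows, sum 66 */
    /* Header claims a fourth row the buffer lacks: refused before any read. */
    long bad = write_image_rows(pix, sizeof pix, 4, 4, sum_writer, &sum);
    printf("4x4: %ld\n", bad);                           /* -1 */
    return 0;
}
```

The same check applied to the report's 3158064-byte region accepts 1025 rows of 3081 bytes and refuses 1026, which is the situation the sanitizer caught one byte past the end.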