Bug 2682 - libtiff:memory leak in tiff2pdf.c:751
Status: RESOLVED DUPLICATE of bug 2689
Product: libtiff
Component: default
Version: unspecified
Platform: PC Linux
Priority/Severity: P1 critical
Reported: 2017-04-20 00:53
Modified: 2018-08-07 21:29


Attachments: testcase (1.86 KB, image/tiff), 2017-04-20 00:53, bestshow




Description From 2017-04-20 00:53:02
Created an attachment (id=763): testcase

On libtiff 4.0.7

A memory leak vulnerability was found in tiff2pdf.c:751 which allows attackers
to cause a denial of service via a crafted file.

tiff2pdf $FILE -o out.pdf

==28111==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f8063966bb8 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x507dd3 in _TIFFmalloc /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:316
    #2 0x452057 in TIFFReadDirEntryLong8Array /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:1919
    #3 0x464d88 in TIFFFetchStripThing /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:5402
    #4 0x45a226 in TIFFReadDirectory /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:3737
    #5 0x4dc630 in TIFFClientOpen /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_open.c:466
    #6 0x507b43 in TIFFFdOpen /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:211
    #7 0x507d92 in TIFFOpen /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:250
    #8 0x404065 in main /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2pdf.c:751
    #9 0x7f8062b72b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).

testcase: https://github.com/bestshow/p0cs/blob/master/memory-leak-in-tiff2pdf-2.tif
------- Comment #1 From 2017-06-24 22:48:20 -------
Credit : ADLab of Venustech
------- Comment #2 From 2017-06-25 13:35:34 -------
CVE-2017-9815 has been assigned for this issue. Please use it in the ChangeLog
and commit messages.
------- Comment #3 From 2017-10-22 23:36:47 -------
The stack shown here is very similar to the stack shown on the bug 2689. This
issue could be a duplicate.
------- Comment #4 From 2018-08-07 21:29:30 -------
As mentioned in the comment above, the stack is exactly the same as in bug 2689
except that the "main" function is in a different file. Also the bug files are
exactly the same, byte for byte. This bug is a duplicate of bug 2689 and should
be marked so.

*** This bug has been marked as a duplicate of bug 2689 ***
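Comments #3 and #4 above resolve the duplicate by comparing the two LeakSanitizer stacks by hand and noticing that they agree on every libtiff frame and differ only in the tools/*.c "main" frame. The script below, an added example that is not part of libtiff or of this bug tracker, does that comparison mechanically: it parses a LeakSanitizer report, keeps only the frames inside the library (dropping the sanitizer interceptor, the tool's own main and libc), normalises away build addresses and the reporter's source-tree prefix, and hashes what remains into a key that is stable across tools and machines. The first sample report is constructed from the one in the description (home-directory prefix shortened); the second is a constructed stand-in that reaches the same allocation from a hypothetical tool named othertool.c, not the actual report attached to bug 2689.

```python
"""Deduplicate LeakSanitizer reports by their library-internal stack.

Added example, not libtiff code. The tool frame (tools/tiff2pdf.c:751 here)
and the libc/sanitizer frames are ignored, so the same libtiff leak reached
from two different command-line tools produces the same key.
"""
import hashlib
import os
import re

# Constructed from the report in the bug description (prefix shortened).
REPORT_TIFF2PDF = """\
==28111==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f8063966bb8 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x507dd3 in _TIFFmalloc /src/tiff-4.0.7/libtiff/tif_unix.c:316
    #2 0x452057 in TIFFReadDirEntryLong8Array /src/tiff-4.0.7/libtiff/tif_dirread.c:1919
    #3 0x464d88 in TIFFFetchStripThing /src/tiff-4.0.7/libtiff/tif_dirread.c:5402
    #4 0x45a226 in TIFFReadDirectory /src/tiff-4.0.7/libtiff/tif_dirread.c:3737
    #5 0x4dc630 in TIFFClientOpen /src/tiff-4.0.7/libtiff/tif_open.c:466
    #6 0x507b43 in TIFFFdOpen /src/tiff-4.0.7/libtiff/tif_unix.c:211
    #7 0x507d92 in TIFFOpen /src/tiff-4.0.7/libtiff/tif_unix.c:250
    #8 0x404065 in main /src/tiff-4.0.7/tools/tiff2pdf.c:751
    #9 0x7f8062b72b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).
"""

# Constructed stand-in: same libtiff allocation reached from a hypothetical
# tool ("othertool.c") in a different build tree. NOT the real bug 2689 report.
REPORT_OTHER_TOOL = """\
==4242==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f1c00a11bb8 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x51a0d3 in _TIFFmalloc /build/tiff-4.0.7/libtiff/tif_unix.c:316
    #2 0x461357 in TIFFReadDirEntryLong8Array /build/tiff-4.0.7/libtiff/tif_dirread.c:1919
    #3 0x47408a in TIFFFetchStripThing /build/tiff-4.0.7/libtiff/tif_dirread.c:5402
    #4 0x46a526 in TIFFReadDirectory /build/tiff-4.0.7/libtiff/tif_dirread.c:3737
    #5 0x4ec930 in TIFFClientOpen /build/tiff-4.0.7/libtiff/tif_open.c:466
    #6 0x519e43 in TIFFFdOpen /build/tiff-4.0.7/libtiff/tif_unix.c:211
    #7 0x51a092 in TIFFOpen /build/tiff-4.0.7/libtiff/tif_unix.c:250
    #8 0x40b1e5 in main /build/tiff-4.0.7/tools/othertool.c:123
    #9 0x7f1bffc0db34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).
"""

LEAK_RE = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)\s*$", re.M)
LOCATION_RE = re.compile(r"^(.*?):(\d+)(?::\d+)?$")  # file:line or file:line:col


def parse_leak_report(text):
    """Parse the first leak block into kind, size, count and (func, file, line) frames.

    line is None for module+offset frames such as __libc_start_main.
    """
    m = LEAK_RE.search(text)
    if not m:
        raise ValueError("no LeakSanitizer leak block found")
    frames = []
    for _num, func, location in FRAME_RE.findall(text):
        loc = LOCATION_RE.match(location)
        if loc:
            frames.append((func, loc.group(1), int(loc.group(2))))
        else:
            frames.append((func, location.strip("()"), None))
    return {"kind": m.group(1).lower(), "bytes": int(m.group(2)),
            "objects": int(m.group(3)), "frames": frames}


def library_frames(report, component="libtiff"):
    """Frames whose source file lives under /<component>/, reduced to
    'function basename:line' so two checkouts in different directories agree."""
    return [f"{func} {os.path.basename(path)}:{line}"
            for func, path, line in report["frames"] if f"/{component}/" in path]


def leak_key(report, component="libtiff"):
    """Stable identifier for 'the same leak': a hash of the library stack only."""
    return hashlib.sha256("\n".join(library_frames(report, component)).encode()).hexdigest()


def same_leak(report_a, report_b, component="libtiff"):
    return leak_key(report_a, component) == leak_key(report_b, component)


def full_stacks_match(report_a, report_b):
    """Naive comparison keeping every frame: it breaks as soon as the tool differs."""
    norm = lambda r: [(f, os.path.basename(p), l) for f, p, l in r["frames"]]
    return norm(report_a) == norm(report_b)


if __name__ == "__main__":
    a = parse_leak_report(REPORT_TIFF2PDF)
    b = parse_leak_report(REPORT_OTHER_TOOL)
    print(f"{a['kind']} leak of {a['bytes']} byte(s) in {a['objects']} object(s)")
    for frame in library_frames(a):
        print("   ", frame)
    print("full stacks identical:", full_stacks_match(a, b))
    print("same libtiff leak    :", same_leak(a, b))
```

Keying on the library frames is the right default for triaging fuzzer output against a library: every CLI tool in the package is a different entry point into the same bug, and the byte-for-byte identical testcase noted in comment #4 is an independent confirmation, not the thing to rely on, since a fuzzer will readily produce distinct files that hit the same allocation site.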