Bug 2693 - Out of bound read in _TIFFVGetField (tiffsplit)
: Out of bound read in _TIFFVGetField (tiffsplit)
Status: RESOLVED FIXED
: libtiff
default
: unspecified
: PC Linux
: P1 critical
: ---
Assigned To:
:
:
:
:
: 2580
  Show dependency treegraph
 
Reported: 2017-05-12 05:59 by
Modified: 2017-06-09 17:40 (History)


Attachments
testcase (226 bytes, patch)
2017-05-12 05:59, zhangtan
Details | Diff


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2017-05-12 05:59:03
Created an attachment (id=774) [details]
testcase

On 4.0.7:

# tiffsplit $FILE

==2007== Invalid read of size 4
==2007==    at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
==2007==    by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
==2007==    by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
==2007==    by 0x404CCF: tiffcp (tiffsplit.c:220)
==2007==    by 0x404CCF: main (tiffsplit.c:89)
==2007==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
------- Comment #1 From 2017-05-15 01:20:26 -------
The place of Out of bound read:

ret_val = 0;
for (i = 0; i < td->td_customValueCount; i++) {
    TIFFTagValue *tv = td->td_customValues + i;

if (tv->info->field_tag != tag)
                        continue;
------- Comment #2 From 2017-05-15 01:29:10 -------
The place of Out of bound read:

The 1072 line of tif_dir.c

1068     ret_val = 0;
1069     for (i = 0; i < td->td_customValueCount; i++) {
1070             TIFFTagValue *tv = td->td_customValues + i;
1071                    
1072             if (tv->info->field_tag != tag)
1073                     continue;

As tv increased in 1070, Out of bound read happened in 1072 when the pointer tv
was referenced.
------- Comment #3 From 2017-05-15 01:46:33 -------
PoC:

Detailed information of the bug can be reproduced using the valgrind tool:

# valgrind tiffsplit $File(the testcase in the attachment)

Error Message:
==23520== Invalid read of size 4
==23520==    at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
==23520==    by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
==23520==    by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
==23520==    by 0x404CCF: tiffcp (tiffsplit.c:220)
==23520==    by 0x404CCF: main (tiffsplit.c:89)
==23520==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==23520== 
==23520== 
==23520== Process terminating with default action of signal 11 (SIGSEGV)
==23520==  Access not within mapped region at address 0x0
==23520==    at 0x40CD1A: _TIFFVGetField (tif_dir.c:1072)
==23520==    by 0x41B2C5: TIFFVGetField (tif_dir.c:1198)
==23520==    by 0x41B2C5: TIFFGetField (tif_dir.c:1182)
==23520==    by 0x404CCF: tiffcp (tiffsplit.c:220)
==23520==    by 0x404CCF: main (tiffsplit.c:89)
==23520==  If you believe this happened as a result of a stack
==23520==  overflow in your program's main thread (unlikely but
==23520==  possible), you can try to increase the size of the
==23520==  main thread stack using the --main-stacksize= flag.
==23520==  The main thread stack size used in this run was 8388608.
==23520== 
==23520== HEAP SUMMARY:
==23520==     in use at exit: 17,821 bytes in 42 blocks
==23520==   total heap usage: 96 allocs, 54 frees, 59,223 bytes allocated
==23520== 
==23520== LEAK SUMMARY:
==23520==    definitely lost: 0 bytes in 0 blocks
==23520==    indirectly lost: 0 bytes in 0 blocks
==23520==      possibly lost: 0 bytes in 0 blocks
==23520==    still reachable: 17,821 bytes in 42 blocks
==23520==         suppressed: 0 bytes in 0 blocks
==23520== Rerun with --leak-check=full to see details of leaked memory
==23520== 
==23520== For counts of detected and suppressed errors, rerun with: -v
==23520== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
------- Comment #4 From 2017-05-31 14:17:14 -------
Another occurence of http://bugzilla.maptools.org/show_bug.cgi?id=2580
------- Comment #5 From 2017-05-31 14:17:38 -------
Another occurence of http://bugzilla.maptools.org/show_bug.cgi?id=2580
------- Comment #6 From 2017-06-01 07:45:40 -------
Fixed per http://bugzilla.maptools.org/show_bug.cgi?id=2580