Created an attachment (id=807)

Triggered by "./tiffset $POC7". The output information is as follows:

$ ./tiffset POC7
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65280 (0xff00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 54484 (0xd4d4) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 54272 (0xd400) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 42148 (0xa4a4) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 42144 (0xa4a0) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16 (0x10) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 58506 (0xe48a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32645 (0x7f85) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32639 (0x7f7f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 30692 (0x77e4) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 51914 (0xcaca) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 51248 (0xc830) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 31350 (0x7a76) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59310 (0xe7ae) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 4608 (0x1200) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 34175 (0x857f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 512 (0x200) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2048 (0x800) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 127 (0x7f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 57822 (0xe1de) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8 (0x8) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 60050 (0xea92) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 54273 (0xd401) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 4096 (0x1000) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 2"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 127" value failed; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 8"; tag ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
tiffset: tif_dirwrite.c:824: TIFFWriteDirectorySec: Assertion `na<ndir' failed.
Aborted

The gdb debugging information is listed below:

(gdb) set args POC7
(gdb) r
...
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/company/real/libtiff-cvs/libtiff/install_asan/bin/tiffset POC7
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[the same TIFFReadDirectoryCheckOrder, TIFFReadDirectory and TIFFFetchNormalTag warnings as in the run above]

Breakpoint 1, TIFFWriteDirectorySec (tif=0x61900000fa80, isimage=<optimized out>, imagedone=<optimized out>, pdiroff=<optimized out>) at tif_dirwrite.c:824
824	assert(na<ndir);
(gdb) bt
#0  0x00007ffff67d3267 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff67d4eca in __GI_abort () at abort.c:89
#2  0x00007ffff67cc03d in __assert_fail_base (fmt=0x7ffff692e028 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7ffff6c22b80 "na<ndir", file=file@entry=0x7ffff6c22100 "tif_dirwrite.c", line=line@entry=824, function=function@entry=0x7ffff6c23880 <__PRETTY_FUNCTION__.5118> "TIFFWriteDirectorySec") at assert.c:92
#3  0x00007ffff67cc0f2 in __GI___assert_fail (assertion=assertion@entry=0x7ffff6c22b80 "na<ndir", file=file@entry=0x7ffff6c22100 "tif_dirwrite.c", line=line@entry=824, function=function@entry=0x7ffff6c23880 <__PRETTY_FUNCTION__.5118> "TIFFWriteDirectorySec") at assert.c:101
#4  0x00007ffff6bbaf94 in TIFFWriteDirectorySec (tif=0x61900000fa80, isimage=<optimized out>, imagedone=<optimized out>, pdiroff=<optimized out>) at tif_dirwrite.c:824
#5  0x00007ffff6bbbcb0 in TIFFRewriteDirectory (tif=tif@entry=0x61900000fa80) at tif_dirwrite.c:360
#6  0x000000000040146a in main (argc=2, argv=0x7fffffffe558) at tiffset.c:344
(gdb) n
825	if (nb->tdir_tag==TIFFTAG_SUBIFD)
(gdb) ...
(gdb) n
824	assert(na<ndir);
(gdb)
tiffset: tif_dirwrite.c:824: TIFFWriteDirectorySec: Assertion `na<ndir' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff67d3267 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb)
Program terminated with signal SIGABRT, Aborted.
The program no longer exists.
Triggered in TIFFWriteDirectorySec (tif=0x61900000fa80, isimage=<optimized out>, imagedone=<optimized out>, pdiroff=<optimized out>) at tif_dirwrite.c:824

(gdb) list
819	{
820		uint32 na;
821		TIFFDirEntry* nb;
822		for (na=0, nb=dir; ; na++, nb++)
823		{
824			assert(na<ndir);
825			if (nb->tdir_tag==TIFFTAG_SUBIFD)
826				break;
827		}
828		if (!(tif->tif_flags&TIFF_BIGTIFF))

[note]: tiffset sets the value of a TIFF header to a specified value. It will modify the raw POC file, so you'd better make a backup file every time you are going to run it.

Credits: This vulnerability was detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
Fixed per

2017-08-23 Even Rouault <even.rouault at spatialys.com>

	* libtiff/tif_dirwrite.c: replace assertion related to not finding the SubIFD tag by runtime check.
	Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2727
	Reported by team OWL337

/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1278; previous revision: 1.1277
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v <-- libtiff/tif_dirwrite.c
new revision: 1.88; previous revision: 1.87
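The listing at tif_dirwrite.c:819-827 searches the directory entries for the SubIFD tag with no exit other than finding it or tripping the assert, and the ChangeLog entry above describes replacing that assert with a runtime check. The following is an added example, not libtiff's code: TIFFDirEntry is reduced to its tag field, the helper names find_subifd_assert and find_subifd_checked are hypothetical, and the two sample directories are constructed, one of them lacking the SubIFD entry as the POC directory does.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for libtiff's TIFFDirEntry: only the tag field matters here. */
typedef struct { uint16_t tdir_tag; } TIFFDirEntry;
#define TIFFTAG_SUBIFD 330  /* TIFF tag number of the SubIFD field */

/* Before: the loop shape from tif_dirwrite.c:822-827. Its only bound is the
 * assert, so a directory without a SubIFD entry aborts the process (the report's
 * SIGABRT), and with NDEBUG the assert vanishes and nb reads past the end of dir. */
static uint32_t find_subifd_assert(const TIFFDirEntry *dir, uint32_t ndir)
{
    uint32_t na;
    const TIFFDirEntry *nb;
    for (na = 0, nb = dir; ; na++, nb++) {
        assert(na < ndir);
        if (nb->tdir_tag == TIFFTAG_SUBIFD)
            break;
    }
    return na;
}

/* After: a runtime check in the spirit of the 2017-08-23 ChangeLog entry.
 * Returns 1 and stores the index when found, 0 when the tag is absent, so the
 * caller can report an error and fail the write instead of aborting. */
static int find_subifd_checked(const TIFFDirEntry *dir, uint32_t ndir, uint32_t *index)
{
    uint32_t na;
    for (na = 0; na < ndir; na++) {
        if (dir[na].tdir_tag == TIFFTAG_SUBIFD) {
            *index = na;
            return 1;
        }
    }
    return 0;  /* not found: caller emits an error rather than assert()ing */
}

/* Constructed sample directories (ImageWidth, ImageLength, [SubIFD], StripOffsets). */
static const TIFFDirEntry with_subifd[] = { {256}, {257}, {TIFFTAG_SUBIFD}, {273} };
static const TIFFDirEntry without_subifd[] = { {256}, {257}, {273} };

int main(void)
{
    uint32_t idx;
    printf("assert version: SubIFD at index %u\n", (unsigned)find_subifd_assert(with_subifd, 4));
    if (find_subifd_checked(without_subifd, 3, &idx))
        printf("unexpected: SubIFD at index %u\n", (unsigned)idx);
    else
        printf("checked version: SubIFD missing, reported instead of aborting\n");
    return 0;
}
```

Calling find_subifd_assert on without_subifd reproduces the report's abort, which is why the block only runs it on the directory that has the tag.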