A heap-buffer-overflow in function LZWDecodeCompat at tif_lzw.c:763 when using tiff2ps tool in the latest libtiff 4.0.9 by a created tiff file.

tiffcp -i $FILE /tmp/foo

The ASan report is:
=================================================================
==16709==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000af at pc 0x000000607a23 bp 0x7ffdee2dde50 sp 0x7ffdee2dde48
WRITE of size 1 at 0x6020000000af thread T0
    #0 0x607a22 in LZWDecodeCompat /home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/libtiff/tif_lzw.c:763:11
    #1 0x594aaa in TIFFReadScanline /home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/libtiff/tif_read.c:450:7
    #2 0x538620 in PSDataColorSeparate /home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/tools/tiff2ps.c:2526:8
    #3 0x530900 in PSpage /home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/tools/tiff2ps.c
    #4 0x52c7a6 in TIFF2PS /home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/tools/tiff2ps.c
    #5 0x52ab7e in main /home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/tools/tiff2ps.c:479:9
    #6 0x7f7c5cf7ff44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #7 0x41ca0b in _start (/home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff2ps-test/tiff2ps4.0.9+0x41ca0b)

0x6020000000af is located 1 bytes to the left of 8-byte region [0x6020000000b0,0x6020000000b8)
allocated by thread T0 here:
    #0 0x4f5716 in __interceptor_malloc /home/xiaosatianyu/workspace/git/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x5a69d7 in _TIFFmalloc /home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/libtiff/tif_unix.c:316:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/xiaosatianyu/workspace/git/fuzz/for-cve/libtiff-test/tiff-4.0.9/libtiff/tif_lzw.c:763:11 in LZWDecodeCompat
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa 00 fa fa fa 00 fa
=>0x0c047fff8010: fa fa 00 07 fa[fa]00 fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16709==ABORTING
Created an attachment (id=845): poc
(In reply to comment #0)
> A heap-buffer-overflow in function LZWDecodeCompat at tif_lzw.c:763 when using tiff2ps tool in the latest libtiff 4.0.9 by a created tiff file.
>
> tiffcp $FILE
>
> The asan report is :
> [...]
The command is tiff2ps $File
This issue was assigned CVE-2018-8905
The source lines seem to have changed slightly since this bug was filed:

==11956==
==11956== HEAP SUMMARY:
==11956==     in use at exit: 0 bytes in 0 blocks
==11956==   total heap usage: 51 allocs, 51 frees, 114,243 bytes allocated
==11956==
==11956== All heap blocks were freed -- no leaks are possible
==11956==
==11956== ERROR SUMMARY: 220 errors from 1 contexts (suppressed: 0 from 0)
==11956==
==11956== 220 errors in context 1 of 1:
==11956== Invalid write of size 1
==11956==    at 0x4E8069F: LZWDecodeCompat (tif_lzw.c:761)
==11956==    by 0x4E94C91: TIFFReadScanline (tif_read.c:448)
==11956==    by 0x1114E4: PSDataColorSeparate (tiff2ps.c:2524)
==11956==    by 0x110A44: PSpage (tiff2ps.c:2354)
==11956==    by 0x10E7C0: TIFF2PS (tiff2ps.c:1610)
==11956==    by 0x10AB35: main (tiff2ps.c:477)
==11956==  Address 0x6319b7f is 1 bytes before a block of size 8 alloc'd
==11956==    at 0x4C2CEDF: malloc (vg_replace_malloc.c:299)
==11956==    by 0x4E9DA72: _TIFFmalloc (tif_unix.c:314)
==11956==    by 0x111476: PSDataColorSeparate (tiff2ps.c:2516)
==11956==    by 0x110A44: PSpage (tiff2ps.c:2354)
==11956==    by 0x10E7C0: TIFF2PS (tiff2ps.c:1610)
==11956==    by 0x10AB35: main (tiff2ps.c:477)
==11956==
==11956== ERROR SUMMARY: 220 errors from 1 contexts (suppressed: 0 from 0)

I took a look at the code and it's pretty hideous. Best of luck to whoever wants to take a crack at it.
I'm currently working on a patch, please take a look at the Debian bug tracker for more info [0].

[0] https://bugs.debian.org/893806
Fixed per https://gitlab.com/libtiff/libtiff/commit/58a898cb4459055bb488ca815c23b880c242a27d
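Both sanitizer reports above show a 1-byte write immediately left of an 8-byte heap block while LZWDecodeCompat copies a decoded string back to front. The C model below is added here as an illustration and is neither libtiff's code nor the fix in the linked commit: it assumes a hypothetical `entry` type with `next`, `length` and `value` fields and a constructed four-entry table, shows how a cached length shorter than the real chain would make an unchecked back-to-front copy step below the buffer, and contrasts a copy that stops at the buffer start and rejects the inconsistent entry.

```c
#include <string.h>

/* Hypothetical model of an LZW code-table entry (not libtiff's code_t): a string
 * is a reversed chain ending at a root, and the head caches a length field. */
typedef struct entry {
    struct entry *next;    /* entry holding the preceding byte, NULL at the root */
    size_t        length;  /* cached length the decoder relies on */
    unsigned char value;   /* last byte of this entry's string */
} entry;

/* Constructed table for "abcd": the head claims length 3, so a copy that reserves
 * length bytes and walks the whole chain back to front writes 1 byte before out[0]. */
static entry tbl[4] = {
    { NULL,    1, 'a' }, { &tbl[0], 2, 'b' },
    { &tbl[1], 3, 'c' }, { &tbl[2], 3, 'd' },
};

/* Bytes an unchecked reverse copy would write before the buffer start. */
size_t underflow_bytes(const entry *head)
{
    size_t n = 0;
    for (const entry *p = head; p != NULL; p = p->next) n++;
    return n > head->length ? n - head->length : 0;
}

/* Hardened copy: never step below out[0] and reject a chain whose real length
 * differs from the cached one. Returns bytes written, or -1 on corrupt input. */
int decode_string_checked(const entry *head, unsigned char *out, size_t cap)
{
    size_t n = head->length;
    if (n == 0 || n > cap) return -1;
    unsigned char *tp = out + n;
    for (const entry *p = head; p != NULL; p = p->next) {
        if (tp == out) return -1;       /* chain longer than cached length */
        *--tp = p->value;
    }
    return tp == out ? (int)n : -1;     /* chain shorter than cached length */
}

/* Returns 1 when the hardened copy accepts tbl[i] and yields expect, else 0. */
int decodes_to(int i, const char *expect)
{
    unsigned char buf[8] = {0};
    int r = decode_string_checked(&tbl[i], buf, sizeof buf);
    return r > 0 && (size_t)r == strlen(expect) && memcmp(buf, expect, (size_t)r) == 0;
}
```

For the consistent entries the checked copy returns the full string; for the head whose cached length understates the chain it returns -1 instead of writing below the buffer.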