Bug 2788 - Heap Buffer Overflow in TIFFWriteScanline of tif_write.c (CVE-2018-10779)
Status: RESOLVED WONTFIX
Product: libtiff
Component: default
Version: 3.8.2
Hardware: PC Linux
Importance: P2 enhancement
Target Milestone: ---
Reported: 2018-05-04 21:11 by
Modified: 2018-08-15 09:35


Attachments
poc file (32 bytes, image/bmp)
2018-05-04 21:13, albertzjf@163.com


Description From 2018-05-04 21:11:59
Description of problem:

Heap Buffer Overflow in TIFFWriteScanline of tif_write.c

How reproducible:

$ ./bmp2tiff POC.mbp /dev/null

=================================================================
==65877==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f4fde2ab7dc at pc 0x00000043735b bp 0x7ffce2c7afc0 sp 0x7ffce2c7afb0
READ of size 4 at 0x7f4fde2ab7dc thread T0
    #0 0x43735a in TIFFWriteScanline /home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:127
    #1 0x4034e3 in main /home/puppet/test_object_pic/tiff-3.8.2/tools/bmp2tiff.c:569
    #2 0x7f4fdc68582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #3 0x4022c8 in _start (/usr/local/bin/bmp2tiff+0x4022c8)

0x7f4fde2ab7dc is located 0 bytes to the right of 262108-byte region [0x7f4fde26b800,0x7f4fde2ab7dc)
allocated by thread T0 here:
    #0 0x7f4fdd243602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4362df in _TIFFmalloc /home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_unix.c:241
    #2 0x4398fd in TIFFSetupStrips /home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:465
    #3 0x439eef in TIFFWriteCheck /home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:533
    #4 0x436af3 in TIFFWriteScanline /home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:56
    #5 0x4034e3 in main /home/puppet/test_object_pic/tiff-3.8.2/tools/bmp2tiff.c:569
    #6 0x7f4fdc68582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:127 TIFFWriteScanline
Shadow bytes around the buggy address:
  0x0fea7bc4d6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea7bc4d6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea7bc4d6c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea7bc4d6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea7bc4d6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fea7bc4d6f0: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
  0x0fea7bc4d700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea7bc4d710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea7bc4d720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea7bc4d730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea7bc4d740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==65877==ABORTING


This vulnerability was triggered in TIFFWriteScanline() at
libtiff/tif_write.c:127

if( td->td_stripbytecount[strip] > 0 )
{
    /* if we are writing over existing tiles, zero length */
    td->td_stripbytecount[strip] = 0;

    /* this forces TIFFAppendToStrip() to do a seek */
    tif->tif_curoff = 0;
}


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by NESA Lab (nesa.zju.edu.cn) with our custom
seed generation system, SmartSeed. Please contact puppet@zju.edu.cn and
albertzjf@163.com if you need more information about the team, the tool or the
vulnerability.
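The following is an added illustrative model in C, not libtiff code, of the array access ASan flags above: the per-strip byte-count table holds one 4-byte entry per strip (the 262108-byte region in the report is 65527 such entries, so the faulting read is index 65527, one past the end), and the defensive step a writer needs is a bounds check on the strip index before indexing that table. The struct and function names below are invented for the example.

```c
/*
 * Illustrative model (not libtiff code) of the strip-array access flagged
 * at tif_write.c:127. The byte-count table has one uint32 per strip, so any
 * strip index >= nstrips reads past the allocation; the report shows a READ
 * of size 4 located 0 bytes right of a 262108-byte region, i.e. index 65527
 * into a table of 65527 entries.
 */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

struct strip_table {            /* hypothetical stand-in for the TIFF directory */
    uint32_t  nstrips;          /* number of entries in stripbytecount */
    uint32_t *stripbytecount;   /* one uint32 per strip */
};

/* Row -> strip index for a strip-oriented image without separate planes. */
static uint32_t compute_strip(uint32_t row, uint32_t rowsperstrip)
{
    return rowsperstrip ? row / rowsperstrip : 0;
}

/* Returns 1 when 'strip' may index the table, 0 otherwise. Without this
 * check, strip == nstrips touches the first byte past the allocation,
 * which is exactly the out-of-bounds read in the report. */
static int strip_index_ok(const struct strip_table *t, uint32_t strip)
{
    return strip < t->nstrips;
}

/* Mimics the write path: zero the byte count of a strip being rewritten,
 * but only after the bounds check. Returns 0 on success, -1 if rejected. */
static int write_row_checked(struct strip_table *t, uint32_t row, uint32_t rowsperstrip)
{
    uint32_t strip = compute_strip(row, rowsperstrip);
    if (!strip_index_ok(t, strip))
        return -1;                       /* this index would have read OOB */
    if (t->stripbytecount[strip] > 0)
        t->stripbytecount[strip] = 0;
    return 0;
}

int main(void)
{
    /* Constructed table sized like the one in the report: 262108 bytes / 4. */
    struct strip_table t = { 65527, calloc(65527, sizeof(uint32_t)) };
    if (!t.stripbytecount) return 1;
    printf("row 0: %d\n", write_row_checked(&t, 0, 1));          /* 0  */
    printf("row 65527: %d\n", write_row_checked(&t, 65527, 1));  /* -1 */
    free(t.stripbytecount);
    return 0;
}
```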
------- Comment #1 From 2018-05-04 21:13:30 -------
Created an attachment (id=852)
poc file
------- Comment #2 From 2018-05-07 13:38:28 -------
This issue was assigned CVE-2018-10779.
------- Comment #3 From 2018-05-12 07:47:09 -------
bmp2tiff has been retired from libtiff in libtiff 4.0.7
------- Comment #4 From 2018-08-15 09:35:12 -------
Likely related fix
https://gitlab.com/libtiff/libtiff/commit/981e43ecae83935625c86c9118c0778c942c7048