Description of problem:

Heap Buffer Overflow in TIFFWriteScanline of tif_write.c

How reproducible:

$ ./bmp2tiff POC.mbp /dev/null
=================================================================
==65877==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f4fde2ab7dc at pc 0x00000043735b bp 0x7ffce2c7afc0 sp 0x7ffce2c7afb0
READ of size 4 at 0x7f4fde2ab7dc thread T0
    #0 0x43735a in TIFFWriteScanline /home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:127
    #1 0x4034e3 in main /home/puppet/test_object_pic/tiff-3.8.2/tools/bmp2tiff.c:569
    #2 0x7f4fdc68582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #3 0x4022c8 in _start (/usr/local/bin/bmp2tiff+0x4022c8)

0x7f4fde2ab7dc is located 0 bytes to the right of 262108-byte region [0x7f4fde26b800,0x7f4fde2ab7dc)
allocated by thread T0 here:
    #0 0x7f4fdd243602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4362df in _TIFFmalloc /home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_unix.c:241
    #2 0x4398fd in TIFFSetupStrips /home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:465
    #3 0x439eef in TIFFWriteCheck /home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:533
    #4 0x436af3 in TIFFWriteScanline /home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:56
    #5 0x4034e3 in main /home/puppet/test_object_pic/tiff-3.8.2/tools/bmp2tiff.c:569
    #6 0x7f4fdc68582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/puppet/test_object_pic/tiff-3.8.2/libtiff/tif_write.c:127 TIFFWriteScanline
Shadow bytes around the buggy address:
  0x0fea7bc4d6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea7bc4d6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea7bc4d6c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea7bc4d6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea7bc4d6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fea7bc4d6f0: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
  0x0fea7bc4d700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea7bc4d710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea7bc4d720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea7bc4d730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fea7bc4d740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==65877==ABORTING

This vulnerability was triggered in TIFFWriteScanline() at libtiff/tif_write.c:127:

    if( td->td_stripbytecount[strip] > 0 )
    {
        /* if we are writing over existing tiles, zero length */
        td->td_stripbytecount[strip] = 0;

        /* this forces TIFFAppendToStrip() to do a seek */
        tif->tif_curoff = 0;
    }

Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by NESA Lab (nesa.zju.edu.cn), with our custom seed generate system, SmartSeed. Please contact puppet@zju.edu.cn and albertzjf@163.com if you need more info about the team, the tool or the vulnerability.
Created an attachment (id=852): poc file
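The ASan report above says the 4-byte read lands 0 bytes to the right of a 262108-byte region allocated in TIFFSetupStrips, i.e. the strip index equals the number of 4-byte entries in the table. The following is an added example (not libtiff or bmp2tiff code) that models that table, derives the faulting index from the sanitizer's numbers, and shows the index check that would reject the access before it is dereferenced; the names strip_table, asan_faulting_index and checked_strip_bytecount are hypothetical.

```c
/* Added example, not libtiff code: model of the per-strip bytecount table
 * that TIFFSetupStrips allocates and of the bounds check the crash site lacks. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model of td_stripbytecount: nstrips entries of 4 bytes each. */
typedef struct {
    uint32_t *bytecount;
    uint32_t  nstrips;
} strip_table;

/* Size the table exactly like the region in the report (262108 bytes). */
static bool strip_table_init(strip_table *t, size_t region_bytes) {
    t->nstrips = (uint32_t)(region_bytes / sizeof(uint32_t));
    t->bytecount = calloc(t->nstrips, sizeof(uint32_t));
    return t->bytecount != NULL;
}

/* From "located N bytes to the right of a M-byte region", compute which
 * 4-byte element the faulting read addressed. 0 bytes right of a
 * 262108-byte region is element 65527, one past the last valid index. */
static uint32_t asan_faulting_index(size_t region_bytes, size_t bytes_right) {
    return (uint32_t)((region_bytes + bytes_right) / sizeof(uint32_t));
}

/* Hardened accessor: any strip index at or beyond nstrips is refused
 * instead of being dereferenced. Returns false when out of range. */
static bool checked_strip_bytecount(const strip_table *t, uint32_t strip,
                                    uint32_t *out) {
    if (strip >= t->nstrips)
        return false;
    *out = t->bytecount[strip];
    return true;
}

/* Replay the scenario from the report: last valid strip is accepted,
 * the strip ASan flagged is rejected. Returns 0 on success. */
static int replay_report(void) {
    strip_table t;
    uint32_t v;
    int rc = 0;
    if (!strip_table_init(&t, 262108))
        return -1;
    uint32_t bad = asan_faulting_index(262108, 0);
    if (bad != t.nstrips) rc |= 1;                              /* index == count */
    if (!checked_strip_bytecount(&t, t.nstrips - 1, &v)) rc |= 2; /* in range */
    if (checked_strip_bytecount(&t, bad, &v)) rc |= 4;          /* must be refused */
    free(t.bytecount);
    return rc;
}
```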
This issue was assigned CVE-2018-10779.
bmp2tiff has been retired from libtiff in libtiff 4.0.7
Likely related fix https://gitlab.com/libtiff/libtiff/commit/981e43ecae83935625c86c9118c0778c942c7048