Created an attachment (id=859)
Triggered by ./tiffset POC

Version: 4.0.9

The output information is as follows:

$ ./tiffset POC
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 36 (0x24) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 43433 (0xa9a9) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 36"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
tiffset: tif_dirwrite.c:700: TIFFWriteDirectorySec: Assertion `0' failed.
Aborted (core dumped)

GDB debugging information is as follows:

(gdb) set args POC
(gdb) r
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 36 (0x24) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 43433 (0xa9a9) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 36"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
tiffset: tif_dirwrite.c:700: TIFFWriteDirectorySec: Assertion `0' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff72c6428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff72c6428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff72c802a in __GI_abort () at abort.c:89
#2  0x00007ffff72bebd7 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x5743fd "0", file=file@entry=0x574328 "tif_dirwrite.c", line=line@entry=700, function=function@entry=0x574e90 <__PRETTY_FUNCTION__.4815> "TIFFWriteDirectorySec") at assert.c:92
#3  0x00007ffff72bec82 in __GI___assert_fail (assertion=assertion@entry=0x5743fd "0", file=file@entry=0x574328 "tif_dirwrite.c", line=line@entry=700, function=function@entry=0x574e90 <__PRETTY_FUNCTION__.4815> "TIFFWriteDirectorySec") at assert.c:101
#4  0x000000000048ddc9 in TIFFWriteDirectorySec (tif=tif@entry=0x79d010, isimage=isimage@entry=1, imagedone=imagedone@entry=1, pdiroff=pdiroff@entry=0x0) at tif_dirwrite.c:700
#5  0x000000000049766c in TIFFWriteDirectorySec (pdiroff=<optimized out>, imagedone=<optimized out>, isimage=<optimized out>, tif=<optimized out>) at tif_dirwrite.c:320
#6  TIFFWriteDirectory (tif=<optimized out>) at tif_dirwrite.c:184
#7  TIFFRewriteDirectory (tif=tif@entry=0x79d010) at tif_dirwrite.c:360
#8  0x0000000000403a75 in main (argc=2, argv=<optimized out>) at tiffset.c:344

Breakpoint 1 at 0x48ddb0: file tif_dirwrite.c, line 700.
(gdb) r
Starting program: /home/afl/parse/eval/tiffset/tiffset POC
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 36 (0x24) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 43433 (0xa9a9) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 36"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
Breakpoint 1, TIFFWriteDirectorySec (tif=tif@entry=0x79d010, isimage=isimage@entry=1, imagedone=imagedone@entry=1, pdiroff=pdiroff@entry=0x0) at tif_dirwrite.c:700
700                             assert(0); /* we should never get here */
(gdb) l
695                                     if (!TIFFWriteDirectoryTagUndefinedArray(tif,&ndir,dir,(uint16)o->field_tag,pa,pb))
696                                         goto bad;
697                                 }
698                                 break;
699                             default:
700                                 assert(0); /* we should never get here */
701                                 break;
702                         }
703                     }
704                 }
(gdb) n
tiffset: tif_dirwrite.c:700: TIFFWriteDirectorySec: Assertion `0' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff72c6428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

Actual results: crash

Expected results: crash

Additional info: The crash can be reproduced by the attached file. Tiffset sets the value of a TIFF header to a specified value. It will modify the raw POC file, so it's better to have a backup every time before testing.
This issue was assigned CVE-2018-10963
Fixed per https://gitlab.com/libtiff/libtiff/commit/de144fd228e4be8aa484c3caf3d814b6fa88c6d9
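
The failure mode in this report, as an added example that is not libtiff code and is not taken from the fix commit: a directory writer whose type switch receives a value it has no case for, handled as a write error instead of an assertion. The enum, struct and function names are hypothetical, and the sample directory entries are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical value kinds this writer can serialize. */
enum kind { KIND_ASCII = 1, KIND_UINT16, KIND_UINT32, KIND_UNDEFINED };

/* Constructed model of an entry; `kind` comes from the file: untrusted. */
struct field { uint16_t tag; int kind; };
static int kind_supported(int k) { return k >= KIND_ASCII && k <= KIND_UNDEFINED; }

/* Serialize one entry: 0 on success, -1 if the kind has no writer. */
static int write_field(const struct field *f, size_t *written)
{
    switch (f->kind) {
    case KIND_ASCII: case KIND_UINT16: case KIND_UINT32: case KIND_UNDEFINED:
        (*written)++;              /* a real writer emits the entry here */
        return 0;
    default:
        /* The reported pattern is assert(0) here: it aborts on a crafted
         * file and compiles to nothing under NDEBUG. Fail the write instead. */
        fprintf(stderr, "cannot write tag %u (kind %d)\n", (unsigned)f->tag, f->kind);
        return -1;
    }
}

/* Validate every entry before any output, then write. Returns 0 on success,
 * -1 on an unsupported entry, in which case *written stays 0. */
int write_directory(const struct field *fields, size_t n, size_t *written)
{
    *written = 0;
    for (size_t i = 0; i < n; i++)
        if (!kind_supported(fields[i].kind))
            return write_field(&fields[i], written);  /* logs and returns -1 */
    for (size_t i = 0; i < n; i++)
        if (write_field(&fields[i], written) != 0)
            return -1;
    return 0;
}

int main(void)
{
    /* Constructed input: tags 36 and 43433 echo the warnings; kind 99 is made up. */
    struct field dir[] = { {256, KIND_UINT32}, {36, 99}, {43433, KIND_UNDEFINED} };
    size_t written;
    int rc = write_directory(dir, 3, &written);
    printf("rc=%d written=%zu\n", rc, written);
    return rc == -1 ? 0 : 1;
}
```

Checking all entries before the first write matters for a tool that rewrites its input in place, since a failure midway would otherwise leave a partially written directory.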