Created an attachment (id=883)
testcase

version: libtiff 4.0.10 (commit 56a1976e9214d7f38249cc133dfcbf851683a498)
OS: Ubuntu 16.04 x86_64

To reproduce,

$ tiffcp -i crash /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
crash: Warning, Nonstandard tile width 65534, convert file.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag ignored.
TIFFReadDirectory: Warning, Incorrect count for "ColorMap"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
JPEGLib: Not a JPEG file: starts with 0x78 0xda.
ASAN:SIGSEGV
=================================================================
==12319==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbf596772ae (pc 0x000000406990 bp 0x7ffd526204a0 sp 0x7ffd52620460 T0)
    #0 0x40698f in cpSeparateBufToContigBuf ./libtiff/tools/tiffcp.c:1245
    #1 0x4076a9 in readSeparateTilesIntoBuffer ./libtiff/tools/tiffcp.c:1467
    #2 0x406acc in cpImage ./libtiff/tools/tiffcp.c:1270
    #3 0x408a9d in cpSeparateTiles2SeparateTiles ./libtiff/tools/tiffcp.c:1764
    #4 0x404f79 in tiffcp ./libtiff/tools/tiffcp.c:831
    #5 0x402dd2 in main ./libtiff/tools/tiffcp.c:301
    #6 0x7fbf5d5d582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x401b88 in _start (./libtiff/install-asan/bin/tiffcp+0x401b88)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./libtiff/tools/tiffcp.c:1245 cpSeparateBufToContigBuf
==12319==ABORTING
I tracked the segfault down to the TIFFWriteDirectoryTagTransferfunction() function.

https://gitlab.com/libtiff/libtiff/merge_requests/54

tif->tif_dir.td_transferfunction[2] and tif->tif_dir.td_transferfunction[1] were NULL pointers.
The fix is in master now, so it will be included in 4.0.11
fixed per https://gitlab.com/libtiff/libtiff/commit/802d3cbf3043be5dce5317e140ccb1c17a6a2d39
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7663 was assigned for this issue.
Created an attachment (id=887)
the real testcase

Sorry. I just found I had put a wrong poc here, which is the poc of http://bugzilla.maptools.org/show_bug.cgi?id=2820. The real poc is here and it still works in the latest version.
I still do not reproduce with your "real" test case and the master https://gitlab.com/libtiff/libtiff/commit/ae0bed1fe530a82faf2e9ea1775109dbf301a971

$ tools/tiffcp -i poc/bug2833_000432 /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
poc/bug2833_000432: Warning, Nonstandard tile width 65534, convert file.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag ignored.
TIFFReadDirectory: Warning, Incorrect count for "ColorMap"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
JPEGLib: Not a JPEG file: starts with 0x78 0xda.
TIFFFillTile: 0: Invalid tile byte count, tile 1.
TIFFFillTile: 0: Invalid tile byte count, tile 2.
TIFFFillTile: 0: Invalid tile byte count, tile 3.
TIFFFillTile: 0: Invalid tile byte count, tile 4.
[...]
TIFFFillTile: 0: Invalid tile byte count, tile 49149.
TIFFFillTile: 0: Invalid tile byte count, tile 49150.
TIFFFillTile: 0: Invalid tile byte count, tile 49151.
TIFFFillTile: 0: Invalid tile byte count, tile 49152.
TIFFFillTile: 0: Invalid tile byte count, tile 49153.
TIFFFillTile: 0: Invalid tile byte count, tile 49154.
JPEGPreEncode: Strip/tile too large for JPEG.
/tmp/foo: Error, can't write tile at 0 0 sample 0.
I can reproduce it in the master branch.

$ tiffcp -i $POC /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
crash: Warning, Nonstandard tile width 65534, convert file.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag ignored.
TIFFReadDirectory: Warning, Incorrect count for "ColorMap"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
JPEGLib: Not a JPEG file: starts with 0x78 0xda.
ASAN:SIGSEGV
=================================================================
==4686== ERROR: AddressSanitizer: SEGV on unknown address 0x7fca2687b2ae (pc 0x000000405f25 sp 0x7ffd96860460 bp 0x7ffd968604a0 T0)
AddressSanitizer can not provide additional info.
    #0 0x405f24 in cpSeparateBufToContigBuf /home/wdw/experiment/libtiff/tools/tiffcp.c:1245
    #1 0x406b55 in readSeparateTilesIntoBuffer /home/wdw/experiment/libtiff/tools/tiffcp.c:1467
    #2 0x406061 in cpImage /home/wdw/experiment/libtiff/tools/tiffcp.c:1270
    #3 0x407bee in cpSeparateTiles2SeparateTiles /home/wdw/experiment/libtiff/tools/tiffcp.c:1764
    #4 0x4047dc in tiffcp /home/wdw/experiment/libtiff/tools/tiffcp.c:831
    #5 0x4028a4 in main /home/wdw/experiment/libtiff/tools/tiffcp.c:301
    #6 0x7fca28359f44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287
    #7 0x401958 in _start (/home/wdw/experiment/libtiff/install-asan-new/bin/tiffcp+0x401958)
SUMMARY: AddressSanitizer: SEGV /home/wdw/experiment/libtiff/tools/tiffcp.c:1245 cpSeparateBufToContigBuf
==4686== ABORTING

And

$ git log | head -n1
commit ae0bed1fe530a82faf2e9ea1775109dbf301a971
OK, I think I have understood the cause of the bug.

In tiffcp.c, function readSeparateTilesIntoBuffer():

int iskew = imagew - tilew*spp;

https://gitlab.com/libtiff/libtiff/blob/master/tools/tiffcp.c#L1411

In your POC image:

Image Width: 32
Image Length: 3
Tile Width: 65534
Tile Length: 32
Samples/Pixel: 49155

so the value tilew*spp=65534*49155 overflows the 32-bit signed int maximum value. We should add a check:

if (0x7fffffff / tilew < spp) { ERROR }
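As an added illustration of the overflow described in the comment above (example code written for this page, not libtiff's own), the following C program reproduces the arithmetic with the POC's tile width (65534) and SamplesPerPixel (49155), shows the wrapped value a 32-bit `int iskew` would end up holding, and applies the guard the comment proposes. The image width of 32 is taken from the comment; the "sane" comparison geometry is a constructed value.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not libtiff code. Models `int iskew = imagew - tilew*spp;`
 * from tiffcp.c with the POC geometry quoted in the comment above.
 * tilew and spp are taken from the comment; imagew = 32 is assumed to be
 * the "Image Width: 32" line; the sane geometry in main() is constructed. */

/* The guard proposed in the comment: nonzero when tilew*spp fits in a
 * 32-bit signed int. Dividing first means the overflowing multiply is
 * never performed. */
int tile_product_fits_int(int64_t tilew, int64_t spp)
{
    if (tilew <= 0 || spp <= 0)
        return 0;                      /* nonsense sizes: reject, never multiply */
    return !(INT32_MAX / tilew < spp); /* same test as 0x7fffffff / tilew < spp */
}

/* What the unguarded assignment yields: the exact 64-bit difference reduced
 * modulo 2^32, i.e. the value a 32-bit `int iskew` holds on the usual
 * two's-complement targets. For the POC this is a large positive number,
 * which is why the copy loop later walks far past its buffer. */
int32_t iskew_unchecked(int64_t imagew, int64_t tilew, int64_t spp)
{
    int64_t skew = imagew - tilew * spp;          /* exact in 64 bits */
    uint32_t wrapped = (uint32_t)(uint64_t)skew;  /* well-defined mod 2^32 */
    return (int32_t)wrapped;
}

/* Guarded version: returns 1 and stores the skew when it is representable,
 * 0 (caller should report an error and stop) otherwise. */
int iskew_checked(int64_t imagew, int64_t tilew, int64_t spp, int32_t *out)
{
    if (!tile_product_fits_int(tilew, spp))
        return 0;
    int64_t skew = imagew - tilew * spp;
    if (skew < INT32_MIN || skew > INT32_MAX)
        return 0;
    *out = (int32_t)skew;
    return 1;
}

int main(void)
{
    int32_t skew;

    /* POC geometry from the comment above */
    printf("POC: product fits int? %d\n", tile_product_fits_int(65534, 49155));
    printf("POC: unchecked iskew  = %d\n", iskew_unchecked(32, 65534, 49155));
    printf("POC: checked accepted? %d\n", iskew_checked(32, 65534, 49155, &skew));

    /* Constructed sane geometry: 1024-byte tile rows, 3 samples, 3072-byte image rows */
    if (iskew_checked(3072, 1024, 3, &skew))
        printf("sane: iskew = %d\n", skew);
    return 0;
}
```

For the POC values the unchecked computation yields 1073643558 rather than the true negative difference, while the guard rejects the geometry before any multiply takes place.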
https://gitlab.com/libtiff/libtiff/merge_requests/60
fixed per https://gitlab.com/libtiff/libtiff/merge_requests/60