Bug 2833 - There is a Segmentation fault at tiffcp.c:1245 in cpSeparateBufToContigBuf (CVE-2019-7663)
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Platform: PC Linux
Importance: P2 critical
Reported: 2018-12-18 03:59 by
Modified: 2019-02-19 09:39 (History)


Attachments
testcase (431 bytes, application/x-zip-compressed)
2018-12-18 03:59, Augustus Wang
Details
the real testcase (352 bytes, application/octet-stream)
2019-02-10 11:28, Augustus Wang
Details




Description From 2018-12-18 03:59:36
Created an attachment (id=883)
testcase

version: libtiff 4.0.10 (commit 56a1976e9214d7f38249cc133dfcbf851683a498)
OS: Ubuntu 16.04 x86_64

To reproduce,

$ tiffcp -i crash /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
crash: Warning, Nonstandard tile width 65534, convert file.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag
ignored.
TIFFReadDirectory: Warning, Incorrect count for "ColorMap"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and
ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as
ExtraSamples..
JPEGLib: Not a JPEG file: starts with 0x78 0xda.
ASAN:SIGSEGV
=================================================================
==12319==ERROR: AddressSanitizer: SEGV on unknown address 0x7fbf596772ae (pc
0x000000406990 bp 0x7ffd526204a0 sp 0x7ffd52620460 T0)
    #0 0x40698f in cpSeparateBufToContigBuf ./libtiff/tools/tiffcp.c:1245
    #1 0x4076a9 in readSeparateTilesIntoBuffer ./libtiff/tools/tiffcp.c:1467
    #2 0x406acc in cpImage ./libtiff/tools/tiffcp.c:1270
    #3 0x408a9d in cpSeparateTiles2SeparateTiles ./libtiff/tools/tiffcp.c:1764
    #4 0x404f79 in tiffcp ./libtiff/tools/tiffcp.c:831
    #5 0x402dd2 in main ./libtiff/tools/tiffcp.c:301
    #6 0x7fbf5d5d582f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x401b88 in _start (./libtiff/install-asan/bin/tiffcp+0x401b88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ./libtiff/tools/tiffcp.c:1245
cpSeparateBufToContigBuf
==12319==ABORTING
------- Comment #1 From 2019-01-29 05:26:03 -------
I tracked the segfault down to TIFFWriteDirectoryTagTransferfunction()
function.
https://gitlab.com/libtiff/libtiff/merge_requests/54

tif->tif_dir.td_transferfunction[2] and tif->tif_dir.td_transferfunction[1]
were NULL pointers.
------- Comment #2 From 2019-02-02 07:08:32 -------
The fix is in master now, so it will be included in 4.0.11
------- Comment #4 From 2019-02-09 15:39:59 -------
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7663 was assigned for
this issue.
------- Comment #5 From 2019-02-10 11:28:03 -------
Created an attachment (id=887)
the real testcase

Sorry, I just found that I had put the wrong PoC here, which is the PoC for
http://bugzilla.maptools.org/show_bug.cgi?id=2820. The real PoC is attached here
and it still works in the latest version.
------- Comment #6 From 2019-02-10 18:02:24 -------
I still cannot reproduce it with your "real" test case and master at
https://gitlab.com/libtiff/libtiff/commit/ae0bed1fe530a82faf2e9ea1775109dbf301a971


$ tools/tiffcp -i poc/bug2833_000432  /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
poc/bug2833_000432: Warning, Nonstandard tile width 65534, convert file.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag
ignored.
TIFFReadDirectory: Warning, Incorrect count for "ColorMap"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and
ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as
ExtraSamples..
JPEGLib: Not a JPEG file: starts with 0x78 0xda.
TIFFFillTile: 0: Invalid tile byte count, tile 1.
TIFFFillTile: 0: Invalid tile byte count, tile 2.
TIFFFillTile: 0: Invalid tile byte count, tile 3.
TIFFFillTile: 0: Invalid tile byte count, tile 4.
[...]
TIFFFillTile: 0: Invalid tile byte count, tile 49149.
TIFFFillTile: 0: Invalid tile byte count, tile 49150.
TIFFFillTile: 0: Invalid tile byte count, tile 49151.
TIFFFillTile: 0: Invalid tile byte count, tile 49152.
TIFFFillTile: 0: Invalid tile byte count, tile 49153.
TIFFFillTile: 0: Invalid tile byte count, tile 49154.
JPEGPreEncode: Strip/tile too large for JPEG.
/tmp/foo: Error, can't write tile at 0 0 sample 0.
------- Comment #7 From 2019-02-10 23:44:09 -------
I can reproduce it in the master branch.

$ tiffcp -i $POC /tmp/foo 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
crash: Warning, Nonstandard tile width 65534, convert file.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag
ignored.
TIFFReadDirectory: Warning, Incorrect count for "ColorMap"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and
ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as
ExtraSamples..
JPEGLib: Not a JPEG file: starts with 0x78 0xda.
ASAN:SIGSEGV
=================================================================
==4686== ERROR: AddressSanitizer: SEGV on unknown address 0x7fca2687b2ae (pc
0x000000405f25 sp 0x7ffd96860460 bp 0x7ffd968604a0 T0)
AddressSanitizer can not provide additional info.
    #0 0x405f24 in cpSeparateBufToContigBuf
/home/wdw/experiment/libtiff/tools/tiffcp.c:1245
    #1 0x406b55 in readSeparateTilesIntoBuffer
/home/wdw/experiment/libtiff/tools/tiffcp.c:1467
    #2 0x406061 in cpImage /home/wdw/experiment/libtiff/tools/tiffcp.c:1270
    #3 0x407bee in cpSeparateTiles2SeparateTiles
/home/wdw/experiment/libtiff/tools/tiffcp.c:1764
    #4 0x4047dc in tiffcp /home/wdw/experiment/libtiff/tools/tiffcp.c:831
    #5 0x4028a4 in main /home/wdw/experiment/libtiff/tools/tiffcp.c:301
    #6 0x7fca28359f44 in __libc_start_main
/build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287
    #7 0x401958 in _start
(/home/wdw/experiment/libtiff/install-asan-new/bin/tiffcp+0x401958)
SUMMARY: AddressSanitizer: SEGV
/home/wdw/experiment/libtiff/tools/tiffcp.c:1245 cpSeparateBufToContigBuf
==4686== ABORTING

And 

$ git log | head -n1
commit ae0bed1fe530a82faf2e9ea1775109dbf301a971
------- Comment #8 From 2019-02-11 03:57:02 -------
OK, I think I have understood the cause of the bug.

In tiffcp.c, function readSeparateTilesIntoBuffer():
int iskew  = imagew - tilew*spp;
https://gitlab.com/libtiff/libtiff/blob/master/tools/tiffcp.c#L1411

In your PoC image:
  Image Width: 32 Image Length: 3
  Tile Width: 65534 Tile Length: 32
  Samples/Pixel: 49155

So the value tilew*spp = 65534*49155 overflows the 32-bit signed int maximum value.

We should add a check:

if (0x7fffffff / tilew < spp)
{
    /* ERROR */
}
------- Comment #9 From 2019-02-11 04:07:20 -------
https://gitlab.com/libtiff/libtiff/merge_requests/60
------- Comment #10 From 2019-02-19 09:39:41 -------
fixed per https://gitlab.com/libtiff/libtiff/merge_requests/60