Bug 2836 - memory leaks when use pal2rgb
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: 4.0.1
Hardware: PC All
Importance: P2 enhancement
Target Milestone: ---
Reported: 2019-01-04 12:51 by
Modified: 2019-02-02 09:46


Attachments
libtiff-pal2rgb-memory-leak (572 bytes, application/octet-stream)
2019-01-04 12:51, zerokeeper

Description From 2019-01-04 12:51:15
Created an attachment (id=886)
libtiff-pal2rgb-memory-leak

Hi, libtiff team, I found some memory leak points when using pal2rgb.
The vuln is triggered by: ./pal2rgb poc /dev/null

The ASan debug info is below:

```
=================================================================
==18208==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1140 byte(s) in 1 object(s) allocated from:
    #0 0x4e2280 in malloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2280)
    #1 0x57e329 in _TIFFmalloc /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:314:10
    #2 0x57e0ff in TIFFFdOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:209:8
    #3 0x57e0ff in TIFFOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:248

Indirect leak of 1240 byte(s) in 2 object(s) allocated from:
    #0 0x4e2700 in realloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2700)
    #1 0x57e985 in _TIFFCheckRealloc /root/fuzz/tiff-4.0.10/libtiff/tif_aux.c:71:8

Indirect leak of 80 byte(s) in 2 object(s) allocated from:
    #0 0x4e2280 in malloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2280)
    #1 0x57e329 in _TIFFmalloc /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:314:10

Indirect leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x4e2700 in realloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2700)
    #1 0x521b89 in _TIFFVSetField /root/fuzz/tiff-4.0.10/libtiff/tif_dir.c:524:8
    #2 0x51a626 in TIFFVSetField /root/fuzz/tiff-4.0.10/libtiff/tif_dir.c:852:6
    #3 0x51a626 in TIFFSetField /root/fuzz/tiff-4.0.10/libtiff/tif_dir.c:796
    #4 0x54452d in TIFFFetchNormalTag /root/fuzz/tiff-4.0.10/libtiff/tif_dirread.c:5472:8
    #5 0x53937a in TIFFReadDirectory /root/fuzz/tiff-4.0.10/libtiff/tif_dirread.c:3985:12
    #6 0x569e40 in TIFFClientOpen /root/fuzz/tiff-4.0.10/libtiff/tif_open.c:464:8
    #7 0x57e0ff in TIFFFdOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:209:8
    #8 0x57e0ff in TIFFOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:248

Indirect leak of 16 byte(s) in 2 object(s) allocated from:
    #0 0x4e2280 in malloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2280)
    #1 0x57e329 in _TIFFmalloc /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:314:10
    #2 0x559b8e in TIFFFetchStripThing /root/fuzz/tiff-4.0.10/libtiff/tif_dirread.c:5604:6
    #3 0x539642 in TIFFReadDirectory /root/fuzz/tiff-4.0.10/libtiff/tif_dirread.c
    #4 0x569e40 in TIFFClientOpen /root/fuzz/tiff-4.0.10/libtiff/tif_open.c:464:8
    #5 0x57e0ff in TIFFFdOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:209:8
    #6 0x57e0ff in TIFFOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:248

Indirect leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x4e2280 in malloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2280)
    #1 0x57e329 in _TIFFmalloc /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:314:10
    #2 0x51a626 in TIFFVSetField /root/fuzz/tiff-4.0.10/libtiff/tif_dir.c:852:6
    #3 0x51a626 in TIFFSetField /root/fuzz/tiff-4.0.10/libtiff/tif_dir.c:796
    #4 0x539554 in TIFFReadDirectory /root/fuzz/tiff-4.0.10/libtiff/tif_dirread.c:3862:10
    #5 0x569e40 in TIFFClientOpen /root/fuzz/tiff-4.0.10/libtiff/tif_open.c:464:8
    #6 0x57e0ff in TIFFFdOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:209:8
    #7 0x57e0ff in TIFFOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:248

Indirect leak of 6 byte(s) in 2 object(s) allocated from:
    #0 0x4e2700 in realloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2700)
    #1 0x57eab1 in _TIFFCheckRealloc /root/fuzz/tiff-4.0.10/libtiff/tif_aux.c:71:8
    #2 0x57eab1 in _TIFFCheckMalloc /root/fuzz/tiff-4.0.10/libtiff/tif_aux.c:86

Indirect leak of 2 byte(s) in 1 object(s) allocated from:
    #0 0x4e2280 in malloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2280)
    #1 0x57e329 in _TIFFmalloc /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:314:10
    #2 0x51a626 in TIFFVSetField /root/fuzz/tiff-4.0.10/libtiff/tif_dir.c:852:6
    #3 0x51a626 in TIFFSetField /root/fuzz/tiff-4.0.10/libtiff/tif_dir.c:796
    #4 0x543295 in TIFFFetchNormalTag /root/fuzz/tiff-4.0.10/libtiff/tif_dirread.c:5210:9
    #5 0x53937a in TIFFReadDirectory /root/fuzz/tiff-4.0.10/libtiff/tif_dirread.c:3985:12
    #6 0x569e40 in TIFFClientOpen /root/fuzz/tiff-4.0.10/libtiff/tif_open.c:464:8
    #7 0x57e0ff in TIFFFdOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:209:8
    #8 0x57e0ff in TIFFOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:248

SUMMARY: AddressSanitizer: 2540 byte(s) leaked in 12 allocation(s).
```
------- Comment #1 From 2019-01-11 03:36:46 -------
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6128 got assigned for
this issue.
------- Comment #2 From 2019-01-23 15:17:30 -------
I submitted a change request that I believe fixes this issue:
https://gitlab.com/sgayou/libtiff/commit/0c74a9f49b8d7a36b17b54a7428b3526d20f88a8

This doesn't actually seem security relevant -- it's just a simple memory leak
where a developer didn't free in the case of errors. Let me know if I missed
anything.
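The error-path leak described in this comment, as an added illustration that is neither libtiff's code nor the linked commit: tiff_t, tiff_open and tiff_close are assumed stand-ins for TIFF, TIFFOpen and TIFFClose, and a live-handle counter plays the part that LeakSanitizer and valgrind played in the report.

```c
#include <stdio.h>
#include <stdlib.h>
/* tiff_t/tiff_open/tiff_close stand in for TIFF/TIFFOpen/TIFFClose
 * (assumed stand-ins, not libtiff); live_handles is opens minus closes. */
typedef struct { int is_palette; } tiff_t;
static int live_handles = 0;

static tiff_t *tiff_open(int is_palette) {
    tiff_t *t = malloc(sizeof *t);
    if (t != NULL) { t->is_palette = is_palette; live_handles++; }
    return t;
}

static void tiff_close(tiff_t *t) {
    if (t != NULL) { free(t); live_handles--; }
}

/* Before the fix: the early return after "Expecting a palette image."
 * skips tiff_close, so the handle opened in main leaks, which is what
 * LeakSanitizer and valgrind both reported above. */
int convert_leaky(int input_is_palette) {
    tiff_t *in = tiff_open(input_is_palette);
    if (in == NULL) return -1;
    if (!in->is_palette) {
        fprintf(stderr, "Expecting a palette image.\n");
        return -1;                 /* BUG: 'in' is never closed */
    }
    /* ... conversion would happen here ... */
    tiff_close(in);
    return 0;
}

/* After the fix: every exit path runs the same cleanup before returning. */
int convert_fixed(int input_is_palette) {
    int rc = -1;
    tiff_t *in = tiff_open(input_is_palette);
    if (in == NULL) return -1;
    if (!in->is_palette) {
        fprintf(stderr, "Expecting a palette image.\n");
        goto done;
    }
    /* ... conversion would happen here ... */
    rc = 0;
done:
    tiff_close(in);                /* reached on success and on error */
    return rc;
}
/* Handles still open; 0 means nothing leaked. */
int leaked_handles(void) { return live_handles; }
```

Running the leaky version on a non-palette input leaves one handle open, which is the single "definitely lost" block valgrind attributed to TIFFOpen in main.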
------- Comment #3 From 2019-01-23 15:27:10 -------
Here's my valgrind run before and after the fix:

```
valgrind --leak-check=full pal2rgb tiff /dev/null
==10055== Memcheck, a memory error detector
==10055== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==10055== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==10055== Command: pal2rgb tiff /dev/null
==10055== 
TIFFReadDirectory: Warning, Unknown field with tag 2056 (0x808) encountered.
tiff: Expecting a palette image.
==10055== 
==10055== HEAP SUMMARY:
==10055==     in use at exit: 2,485 bytes in 12 blocks
==10055==   total heap usage: 24 allocs, 12 frees, 6,775 bytes allocated
==10055== 
==10055== 2,485 (1,085 direct, 1,400 indirect) bytes in 1 blocks are definitely lost in loss record 11 of 11
==10055==    at 0x483880B: malloc (vg_replace_malloc.c:309)
==10055==    by 0x4880201: TIFFClientOpen (tif_open.c:117)
==10055==    by 0x488D9C4: TIFFFdOpen (tif_unix.c:209)
==10055==    by 0x488DA26: TIFFOpen (tif_unix.c:248)
==10055==    by 0x4013C0: main (pal2rgb.c:114)
==10055== 
==10055== LEAK SUMMARY:
==10055==    definitely lost: 1,085 bytes in 1 blocks
==10055==    indirectly lost: 1,400 bytes in 11 blocks
==10055==      possibly lost: 0 bytes in 0 blocks
==10055==    still reachable: 0 bytes in 0 blocks
==10055==         suppressed: 0 bytes in 0 blocks
==10055== 
==10055== For counts of detected and suppressed errors, rerun with: -v
==10055== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```

After fix:

```
valgrind --leak-check=full pal2rgb tiff /dev/null
==10894== Memcheck, a memory error detector
==10894== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==10894== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==10894== Command: pal2rgb tiff /dev/null
==10894== 
TIFFReadDirectory: Warning, Unknown field with tag 2056 (0x808) encountered.
tiff: Expecting a palette image.
==10894== 
==10894== HEAP SUMMARY:
==10894==     in use at exit: 0 bytes in 0 blocks
==10894==   total heap usage: 24 allocs, 24 frees, 6,775 bytes allocated
==10894== 
==10894== All heap blocks were freed -- no leaks are possible
==10894== 
==10894== For counts of detected and suppressed errors, rerun with: -v
==10894== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
```