Created an attachment (id=886): libtiff-pal2rgb-memory-leak

Hi, libtiff team, I found some memory leak points when using pal2rgb. The vuln is triggered by `./pal2rgb poc /dev/null`. The ASan debug info is below:

```
=================================================================
==18208==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1140 byte(s) in 1 object(s) allocated from:
    #0 0x4e2280 in malloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2280)
    #1 0x57e329 in _TIFFmalloc /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:314:10
    #2 0x57e0ff in TIFFFdOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:209:8
    #3 0x57e0ff in TIFFOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:248

Indirect leak of 1240 byte(s) in 2 object(s) allocated from:
    #0 0x4e2700 in realloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2700)
    #1 0x57e985 in _TIFFCheckRealloc /root/fuzz/tiff-4.0.10/libtiff/tif_aux.c:71:8

Indirect leak of 80 byte(s) in 2 object(s) allocated from:
    #0 0x4e2280 in malloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2280)
    #1 0x57e329 in _TIFFmalloc /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:314:10

Indirect leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x4e2700 in realloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2700)
    #1 0x521b89 in _TIFFVSetField /root/fuzz/tiff-4.0.10/libtiff/tif_dir.c:524:8
    #2 0x51a626 in TIFFVSetField /root/fuzz/tiff-4.0.10/libtiff/tif_dir.c:852:6
    #3 0x51a626 in TIFFSetField /root/fuzz/tiff-4.0.10/libtiff/tif_dir.c:796
    #4 0x54452d in TIFFFetchNormalTag /root/fuzz/tiff-4.0.10/libtiff/tif_dirread.c:5472:8
    #5 0x53937a in TIFFReadDirectory /root/fuzz/tiff-4.0.10/libtiff/tif_dirread.c:3985:12
    #6 0x569e40 in TIFFClientOpen /root/fuzz/tiff-4.0.10/libtiff/tif_open.c:464:8
    #7 0x57e0ff in TIFFFdOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:209:8
    #8 0x57e0ff in TIFFOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:248

Indirect leak of 16 byte(s) in 2 object(s) allocated from:
    #0 0x4e2280 in malloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2280)
    #1 0x57e329 in _TIFFmalloc /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:314:10
    #2 0x559b8e in TIFFFetchStripThing /root/fuzz/tiff-4.0.10/libtiff/tif_dirread.c:5604:6
    #3 0x539642 in TIFFReadDirectory /root/fuzz/tiff-4.0.10/libtiff/tif_dirread.c
    #4 0x569e40 in TIFFClientOpen /root/fuzz/tiff-4.0.10/libtiff/tif_open.c:464:8
    #5 0x57e0ff in TIFFFdOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:209:8
    #6 0x57e0ff in TIFFOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:248

Indirect leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x4e2280 in malloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2280)
    #1 0x57e329 in _TIFFmalloc /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:314:10
    #2 0x51a626 in TIFFVSetField /root/fuzz/tiff-4.0.10/libtiff/tif_dir.c:852:6
    #3 0x51a626 in TIFFSetField /root/fuzz/tiff-4.0.10/libtiff/tif_dir.c:796
    #4 0x539554 in TIFFReadDirectory /root/fuzz/tiff-4.0.10/libtiff/tif_dirread.c:3862:10
    #5 0x569e40 in TIFFClientOpen /root/fuzz/tiff-4.0.10/libtiff/tif_open.c:464:8
    #6 0x57e0ff in TIFFFdOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:209:8
    #7 0x57e0ff in TIFFOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:248

Indirect leak of 6 byte(s) in 2 object(s) allocated from:
    #0 0x4e2700 in realloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2700)
    #1 0x57eab1 in _TIFFCheckRealloc /root/fuzz/tiff-4.0.10/libtiff/tif_aux.c:71:8
    #2 0x57eab1 in _TIFFCheckMalloc /root/fuzz/tiff-4.0.10/libtiff/tif_aux.c:86

Indirect leak of 2 byte(s) in 1 object(s) allocated from:
    #0 0x4e2280 in malloc (/root/fuzz/tiff-4.0.10/tools/pal2rgb+0x4e2280)
    #1 0x57e329 in _TIFFmalloc /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:314:10
    #2 0x51a626 in TIFFVSetField /root/fuzz/tiff-4.0.10/libtiff/tif_dir.c:852:6
    #3 0x51a626 in TIFFSetField /root/fuzz/tiff-4.0.10/libtiff/tif_dir.c:796
    #4 0x543295 in TIFFFetchNormalTag /root/fuzz/tiff-4.0.10/libtiff/tif_dirread.c:5210:9
    #5 0x53937a in TIFFReadDirectory /root/fuzz/tiff-4.0.10/libtiff/tif_dirread.c:3985:12
    #6 0x569e40 in TIFFClientOpen /root/fuzz/tiff-4.0.10/libtiff/tif_open.c:464:8
    #7 0x57e0ff in TIFFFdOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:209:8
    #8 0x57e0ff in TIFFOpen /root/fuzz/tiff-4.0.10/libtiff/tif_unix.c:248

SUMMARY: AddressSanitizer: 2540 byte(s) leaked in 12 allocation(s).
```
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6128 got assigned for this issue.
I submitted a change request that I believe fixes this issue: https://gitlab.com/sgayou/libtiff/commit/0c74a9f49b8d7a36b17b54a7428b3526d20f88a8 This doesn't actually seem security relevant -- it's just a simple memory leak where a developer didn't free in the case of errors. Let me know if I missed anything.
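As an added illustration of the error-path pattern described in the previous comment (this is not libtiff's code and not part of the bug thread): a small C model of a pal2rgb-like converter that returns on "Expecting a palette image" without closing its input handle, beside the version that closes it on every path, with a tracking allocator that counts live blocks the way LeakSanitizer does at exit. The `image_t` handle, `image_open`/`image_close`, the `PHOTOMETRIC_*` values and the allocator are assumptions standing in for libtiff's `TIFFOpen`/`TIFFClose`; the palette and the two-pixel input row are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Tiny leak tracker: counts heap blocks still live, which is what
 * LeakSanitizer and valgrind report at process exit. */
static int live_blocks = 0;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p) live_blocks++;
    return p;
}

static void tracked_free(void *p) {
    if (p) { live_blocks--; free(p); }
}

/* Hypothetical stand-in for libtiff's TIFF handle (assumption): one direct
 * allocation (the handle) owning one indirect allocation (the colormap),
 * the same shape as the direct/indirect leaks in the ASan report above. */
typedef struct {
    int photometric;
    unsigned short *colormap;   /* 3 * 256 16-bit entries: R[256], G[256], B[256] */
} image_t;

enum { PHOTOMETRIC_RGB = 2, PHOTOMETRIC_PALETTE = 3 };

static image_t *image_open(int photometric) {
    image_t *img = tracked_malloc(sizeof *img);
    if (!img) return NULL;
    img->photometric = photometric;
    img->colormap = tracked_malloc(3 * 256 * sizeof *img->colormap);
    if (!img->colormap) { tracked_free(img); return NULL; }
    /* Constructed palette: R ramps up, G is zero, B ramps down (16-bit). */
    for (int i = 0; i < 256; i++) {
        img->colormap[i]       = (unsigned short)(i << 8);
        img->colormap[256 + i] = 0;
        img->colormap[512 + i] = (unsigned short)((255 - i) << 8);
    }
    return img;
}

static void image_close(image_t *img) {
    if (!img) return;
    tracked_free(img->colormap);
    tracked_free(img);
}

/* Palette expansion: one index per pixel becomes 8-bit RGB through the
 * 16-bit colormap (TIFF colormaps are 16-bit, hence the >> 8). */
static void expand_row(const image_t *img, const unsigned char *idx, size_t n,
                       unsigned char *rgb) {
    for (size_t i = 0; i < n; i++) {
        rgb[3 * i]     = (unsigned char)(img->colormap[idx[i]] >> 8);
        rgb[3 * i + 1] = (unsigned char)(img->colormap[256 + idx[i]] >> 8);
        rgb[3 * i + 2] = (unsigned char)(img->colormap[512 + idx[i]] >> 8);
    }
}

static const unsigned char sample_row[2] = { 0x00, 0xFF };   /* constructed input */

/* Leaky version: on a non-palette input it returns without closing the
 * handle. Returns 0 on success, -1 on error. */
static int convert_leaky(int photometric, unsigned char rgb_out[6]) {
    image_t *in = image_open(photometric);
    if (!in) return -1;
    if (in->photometric != PHOTOMETRIC_PALETTE) {
        fprintf(stderr, "Expecting a palette image.\n");
        return -1;                 /* BUG: 'in' and its colormap are never freed */
    }
    expand_row(in, sample_row, 2, rgb_out);
    image_close(in);
    return 0;
}

/* Fixed version: one exit path closes the handle whatever happened. */
static int convert_fixed(int photometric, unsigned char rgb_out[6]) {
    int rc = -1;
    image_t *in = image_open(photometric);
    if (!in) return -1;
    if (in->photometric != PHOTOMETRIC_PALETTE) {
        fprintf(stderr, "Expecting a palette image.\n");
        goto out;
    }
    expand_row(in, sample_row, 2, rgb_out);
    rc = 0;
out:
    image_close(in);
    return rc;
}

/* Run a converter on a non-palette input and report the blocks still live
 * afterwards; 0 means the error path released everything it opened. */
static int leaked_blocks_on_error(int (*convert)(int, unsigned char *)) {
    unsigned char rgb[6];
    live_blocks = 0;
    (void)convert(PHOTOMETRIC_RGB, rgb);
    return live_blocks;
}

int main(void) {
    printf("leaky converter: %d block(s) live after the error path\n",
           leaked_blocks_on_error(convert_leaky));
    printf("fixed converter: %d block(s) live after the error path\n",
           leaked_blocks_on_error(convert_fixed));
    return 0;
}
```

Building this with `-fsanitize=address` makes LeakSanitizer flag the two blocks the leaky converter leaves behind, one direct (the handle) and one indirect (the colormap it owns), which is the same direct/indirect split seen in the report above; the `goto out` form keeps the close in one place so that adding further error checks later cannot reintroduce the leak.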
Here's my valgrind run before and after the fix:

```
valgrind --leak-check=full pal2rgb tiff /dev/null
==10055== Memcheck, a memory error detector
==10055== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==10055== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==10055== Command: pal2rgb tiff /dev/null
==10055==
TIFFReadDirectory: Warning, Unknown field with tag 2056 (0x808) encountered.
tiff: Expecting a palette image.
==10055==
==10055== HEAP SUMMARY:
==10055==     in use at exit: 2,485 bytes in 12 blocks
==10055==   total heap usage: 24 allocs, 12 frees, 6,775 bytes allocated
==10055==
==10055== 2,485 (1,085 direct, 1,400 indirect) bytes in 1 blocks are definitely lost in loss record 11 of 11
==10055==    at 0x483880B: malloc (vg_replace_malloc.c:309)
==10055==    by 0x4880201: TIFFClientOpen (tif_open.c:117)
==10055==    by 0x488D9C4: TIFFFdOpen (tif_unix.c:209)
==10055==    by 0x488DA26: TIFFOpen (tif_unix.c:248)
==10055==    by 0x4013C0: main (pal2rgb.c:114)
==10055==
==10055== LEAK SUMMARY:
==10055==    definitely lost: 1,085 bytes in 1 blocks
==10055==    indirectly lost: 1,400 bytes in 11 blocks
==10055==      possibly lost: 0 bytes in 0 blocks
==10055==    still reachable: 0 bytes in 0 blocks
==10055==         suppressed: 0 bytes in 0 blocks
==10055==
==10055== For counts of detected and suppressed errors, rerun with: -v
==10055== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```

After fix:

```
valgrind --leak-check=full pal2rgb tiff /dev/null
==10894== Memcheck, a memory error detector
==10894== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==10894== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==10894== Command: pal2rgb tiff /dev/null
==10894==
TIFFReadDirectory: Warning, Unknown field with tag 2056 (0x808) encountered.
tiff: Expecting a palette image.
==10894==
==10894== HEAP SUMMARY:
==10894==     in use at exit: 0 bytes in 0 blocks
==10894==   total heap usage: 24 allocs, 24 frees, 6,775 bytes allocated
==10894==
==10894== All heap blocks were freed -- no leaks are possible
==10894==
==10894== For counts of detected and suppressed errors, rerun with: -v
==10894== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
```
Fixed per https://gitlab.com/libtiff/libtiff/commit/ae0bed1fe530a82faf2e9ea1775109dbf301a971