Headline
CVE-2023-25434: heap-buffer-overflow in extractContigSamplesBytes() at /libtiff/tools/tiffcrop.c:3215 (SIGSEGV) (#519) · Issues · libtiff / libtiff · GitLab
libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesBytes() at /libtiff/tools/tiffcrop.c:3215.
Skip to content
Open Issue created Jan 27, 2023 by Tseng Szu Wei@13579and24680
heap-buffer-overflow in extractContigSamplesBytes() at /libtiff/tools/tiffcrop.c:3215 (SIGSEGV)
Summary
An SIGSEGV caused when using tiffcrop.
AddressSanitizer reports it as heap-buffer-overflow.
Version
$ ./tools/tiffcrop -v
Library Release: LIBTIFF, Version 4.5.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
: Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
$ git log --oneline -1
a63e18ca (HEAD -> master, origin/master, origin/HEAD) Merge branch 'add_windows_DLL_versioninfo' into 'master'
Steps to reproduce****make
git clone https://gitlab.com/libtiff/libtiff.git
cd libtiff
./autogen.sh
./configure
make
run
$ ./tools/tiffcrop -E l -Z 12:50,12:99 -e divided -R 90 poc /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFAdvanceDirectory: Error fetching directory count.
OJPEGSetupDecode: Warning, Deprecated and troublesome old-style JPEG compression mode, please convert to new-style JPEG compression and notify vendor of writing software.
LibJpeg: Warning, Corrupt JPEG data: bad Huffman code.
fish: Job 1, './tools/tiffcrop -E l -Z 12:50,…' terminated by signal SIGSEGV (Address boundary error)
Platform
$ uname -a
Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ gcc --version
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
ASAN report
../libtiff_asan/libtiff/tools/tiffcrop -E l -Z 12:50,12:99 -e divided -R 90 poc /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per sample.
TIFFAdvanceDirectory: Error fetching directory count.
OJPEGSetupDecode: Warning, Deprecated and troublesome old-style JPEG compression mode, please convert to new-style JPEG compression and notify vendor of writing software.
LibJpeg: Warning, Corrupt JPEG data: bad Huffman code.
=================================================================
==2323018==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x627000006160 at pc 0x7fa1008f3490 bp 0x7ffcb8bf9ab0 sp 0x7ffcb8bf9258
READ of size 1 at 0x627000006160 thread T0
#0 0x7fa1008f348f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
#1 0x7fa1007ecfe9 in _TIFFmemcpy /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:345
#2 0x556b1b674244 in extractContigSamplesBytes /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:3215
#3 0x556b1b68bf83 in extractSeparateRegion /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:7593
#4 0x556b1b68ffd0 in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8621
#5 0x556b1b6720e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
#6 0x7fa1002b0082 in __libc_start_main ../csu/libc-start.c:308
#7 0x556b1b668b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/.libs/tiffcrop+0x9b6d)
Address 0x627000006160 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0c4e7fff8bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fff8be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fff8bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fff8c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fff8c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4e7fff8c20: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
0x0c4e7fff8c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fff8c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2323018==ABORTING
poc
poc