Headline
CVE-2023-1916: tiffcrop: heap-buffer-overflow in file tiffcrop.c, line 7874 (#537) · Issues · libtiff / libtiff · GitLab
A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.
Skip to content
Open Issue created Mar 18, 2023 by xiaoxiaoafeifei@xiaoxiaoafeifeiContributor
tiffcrop: heap-buffer-overflow in file tiffcrop.c, line 7874
Summary I found heap-buffer-overflow in file tiffcrop.c, line 7874
ASAN:
==3365046==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000000583 at pc 0x000000507b20 bp 0x7ffdca4c66a0 sp 0x7ffdca4c6698
READ of size 1 at 0x616000000583 thread T0
#0 0x507b1f in extractImageSection /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:7874:33
#1 0x4e8f7c in writeImageSections /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:8124:13
#2 0x4cee30 in main /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:2868:21
#3 0x7fc2381e2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x41d6ad in _start (/usr/local/bin/tiffcrop+0x41d6ad)
0x616000000583 is located 0 bytes to the right of 515-byte region [0x616000000380,0x616000000583)
allocated by thread T0 here:
#0 0x495ded in malloc (/usr/local/bin/tiffcrop+0x495ded)
#1 0x5f0086 in _TIFFmalloc /root/gitlab/commit/libtiff_test/libtiff/tif_unix.c:326:13
#2 0x4ed440 in limitMalloc /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:709:12
#3 0x4d4b50 in loadImage /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:7113:26
#4 0x4ce28d in main /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:2782:17
#5 0x7fc2381e2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/gitlab/commit/libtiff_test/tools/tiffcrop.c:7874:33 in extractImageSection
Shadow bytes around the buggy address:
0x0c2c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c7fff80b0:[03]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3365046==ABORTING
Version: LIBTIFF, Version 4.5
Steps to reproduce
CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-g -O0 -fsanitize=address,leak -fno-omit-frame-pointer" CXXFLAGS="-g -O0 -fsanitize=address,leak -fno-omit-frame-pointer" ./configure --disable-shared
make & make install
/usr/local/bin/tiffcrop -R 270 -S 8:4 -O landscape -E b -e divided -F hor -w 10 -U cm -m 1,2,3,4 -i poc /tmp/foo
Platform ubuntu20, x86
POC: poc0
Edited Mar 18, 2023 by xiaoxiaoafeifei
Related news
Ubuntu Security Notice 6428-1 - It was discovered that LibTIFF could be made to read out of bounds when processing certain malformed image files with the tiffcrop utility. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service.