Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-25435: heap-buffer-overflow in extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753 (SIGSEGV) (#518) · Issues · libtiff / libtiff · GitLab

libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753.

CVE
Open in Source
#windows#ubuntu#linux#git#c++#buffer_overflow#ssh

Skip to content

Open Issue created Jan 27, 2023 by Tseng Szu Wei@13579and24680

heap-buffer-overflow in extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753 (SIGSEGV)

Summary

An SIGSEGV caused when using tiffcrop.

AddressSanitizer reports it as heap-buffer-overflow.

Version

$ ./tools/tiffcrop  -v
Library Release: LIBTIFF, Version 4.5.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
           : Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde

$ git log --oneline -1
a63e18ca (HEAD -> master, origin/master, origin/HEAD) Merge branch 'add_windows_DLL_versioninfo' into 'master'

Steps to reproduce****make

git clone https://gitlab.com/libtiff/libtiff.git
cd libtiff
./autogen.sh
./configure
make

run

./tools/tiffcrop -E l -Z 12:50,12:99 -e divided  -R 270  poc  /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 309 (0x135) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16658 (0x4112) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 512 (0x200) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32256 (0x7e00) encountered.
poc: Warning, Nonstandard tile width 1, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFReadDirectory: Warning, Invalid data type for tag StripOffsets.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 16658"; tag ignored.
_TIFFVSetField: poc: Null count for "Tag 32256" (type 1, writecount -3, passcount 1).
TIFFReadDirectory: Warning, Invalid data type for tag StripByteCounts.
TIFFAdvanceDirectory: Error fetching directory count.
Fax4Decode: Bad code word at line 1 of tile 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 1 of tile 0 (got 0, expected 1).
Fax4Decode: Bad code word at line 1 of tile 1 (x 0).
Fax4Decode: Warning, Premature EOL at line 1 of tile 1 (got 0, expected 1).
Fax4Decode: Warning, Premature EOL at line 2 of tile 1 (got 0, expected 1).
Fax4Decode: Uncompressed data (not supported) at line 0 of tile 2 (x 0).
Fax4Decode: Warning, Premature EOL at line 0 of tile 2 (got 0, expected 1).
Fax4Decode: Uncompressed data (not supported) at line 2 of tile 2 (x 0).
Fax4Decode: Warning, Premature EOL at line 2 of tile 2 (got 0, expected 1).
Fax4Decode: Warning, Premature EOL at line 3 of tile 2 (got 0, expected 1).
Fax4Decode: Bad code word at line 1 of tile 3 (x 0).
Fax4Decode: Warning, Premature EOL at line 1 of tile 3 (got 0, expected 1).
Fax4Decode: Warning, Line length mismatch at line 0 of tile 4 (got 2, expected 1).
Fax4Decode: Warning, Premature EOF at line 14 of tile 4 (x 0).
Fax4Decode: Warning, Premature EOL at line 14 of tile 4 (got 0, expected 1).
Fax4Decode: Uncompressed data (not supported) at line 0 of tile 5 (x 0).
Fax4Decode: Warning, Premature EOL at line 0 of tile 5 (got 0, expected 1).
Fax4Decode: Uncompressed data (not supported) at line 2 of tile 5 (x 0).
Fax4Decode: Warning, Premature EOL at line 2 of tile 5 (got 0, expected 1).
Fax4Decode: Uncompressed data (not supported) at line 4 of tile 5 (x 0).
Fax4Decode: Warning, Premature EOL at line 4 of tile 5 (got 0, expected 1).
Fax4Decode: Warning, Premature EOF at line 6 of tile 5 (x 0).
(... too long ignore)

fish: Job 1, './tools/tiffcrop -E l -Z 12:50,…' terminated by signal SIGSEGV (Address boundary error)

Platform

$ uname -a
Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

$ gcc --version
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

ASAN report

=================================================================
==1821995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6330000188ec at pc 0x56501555da96 bp 0x7ffc6a94efd0 sp 0x7ffc6a94efc0
READ of size 1 at 0x6330000188ec thread T0
    #0 0x56501555da95 in extractContigSamplesShifted8bits /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:3753
    #1 0x565015573ffe in extractSeparateRegion /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:7605
    #2 0x565015577fd0 in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8621
    #3 0x56501555a0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
    #4 0x7f9dc504e082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x565015550b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/.libs/tiffcrop+0x9b6d)

0x6330000188ec is located 233 bytes to the right of 98307-byte region [0x633000000800,0x633000018803)
allocated by thread T0 here:
    #0 0x7f9dc5703808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7f9dc558af03 in _TIFFmalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:326
    #2 0x565015550d00 in limitMalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:710
    #3 0x565015571998 in loadImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:7087
    #4 0x565015559f86 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2783
    #5 0x7f9dc504e082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:3753 in extractContigSamplesShifted8bits
Shadow bytes around the buggy address:
  0x0c667fffb0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb100: 03 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c667fffb110: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
  0x0c667fffb120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1821995==ABORTING

poc

poc

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE