<sys-libs/zlib-1.2.11 – possible data corruption

I don’t know if a news will be sent. A possibile data corruption was found on zlib 1.2.10.
Please update your zlib to 1.2.11 and make sure you restart all services that are linked to zlib (a reboot may be an easy way).

Gentoo bug:
https://bugs.gentoo.org/show_bug.cgi?id=605888

Upstream bug:
https://github.com/madler/zlib/issues/198

Upstream commit:
https://github.com/madler/zlib/commit/4c7c90768308587884fab6159d93a4695a5ab1f0</a

Posted in gentoo | Leave a comment

jasper: invalid memory read in jas_matrix_asl (jas_seq.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Another round of fuzzing shows that a crafted image causes an invalid memory read.

The complete ASan output:

# imginfo -f $FILE
==26941==ERROR: AddressSanitizer: SEGV on unknown address 0x62c80000a400 (pc 0x7f28c74e48ee bp 0x7ffcececdb70 sp 0x7ffcececdaf0 T0)
==26941==The signal is caused by a READ memory access.
    #0 0x7f28c74e48ed in jas_matrix_asl /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_seq.c:376:11
    #1 0x7f28c7545f0e in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1107:6
    #2 0x7f28c7536cdf in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:658:7
    #3 0x7f28c75406b3 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:425:10
    #4 0x7f28c75406b3 in jpc_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:262
    #5 0x7f28c74a2b84 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_image.c:444:16
    #6 0x509eed in main /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/appl/imginfo.c:219:16
    #7 0x7f28c65aa61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x419978 in _init (/usr/bin/imginfo+0x419978)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_seq.c:376:11 in jas_matrix_asl
==26941==ABORTING

Affected version:
1.900.27

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00053-jasper-invalidread-jas_matrix_asl

Timeline:
2016-11-20: bug discovered and reported upstream
2017-01-16: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

jasper: invalid memory read in jas_matrix_asl (jas_seq.c)

Posted in advisories, security | Leave a comment

jasper: invalid memory read in jpc_undo_roi (jpc_dec.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Another round of fuzzing shows that a crafted image causes an invalid memory read.

The complete ASan output:

# imginfo -f $FILE
==22872==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8a4a950800 (pc 0x7f8e4a543b93 bp 0x7ffe29bfdcd0 sp 0x7ffe29bfdb80 T0)
==22872==The signal is caused by a READ memory access.
    #0 0x7f8e4a543b92 in jpc_undo_roi /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1925:10
    #1 0x7f8e4a543b92 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1104
    #2 0x7f8e4a534cdf in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:658:7
    #3 0x7f8e4a53e6b3 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:425:10
    #4 0x7f8e4a53e6b3 in jpc_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:262
    #5 0x7f8e4a4a0b84 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_image.c:444:16
    #6 0x509eed in main /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/appl/imginfo.c:219:16
    #7 0x7f8e495a861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x419978 in _init (/usr/bin/imginfo+0x419978)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1925:10 in jpc_undo_roi
==22872==ABORTING

Affected version:
1.900.27

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00054-jasper-invalidread-jpc_undo_roi

Timeline:
2016-11-20: bug discovered and reported upstream
2017-01-16: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

jasper: invalid memory read in jpc_undo_roi (jpc_dec.c)

Posted in advisories, security | Leave a comment

jasper: invalid memory write in dec_clnpass (jpc_t1dec.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Another round of fuzzing shows that a crafted image causes an invalid memory write.

The complete ASan output:

# imginfo -f $FILE
==24746==ERROR: AddressSanitizer: SEGV on unknown address 0x7ef94fe46c88 (pc 0x7efd4faa510d bp 0x7ffde2235af0 sp 0x7ffde2235900 T0)
==24746==The signal is caused by a WRITE memory access.
    #0 0x7efd4faa510c in dec_clnpass /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_t1dec.c:869:4
    #1 0x7efd4faa510c in jpc_dec_decodecblk /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_t1dec.c:283
    #2 0x7efd4fa9ef89 in jpc_dec_decodecblks /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_t1dec.c:177:11
    #3 0x7efd4fa394f1 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1085:6
    #4 0x7efd4fa2acdf in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:658:7
    #5 0x7efd4fa346b3 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:425:10
    #6 0x7efd4fa346b3 in jpc_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:262
    #7 0x7efd4f996b84 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_image.c:444:16
    #8 0x509eed in main /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/appl/imginfo.c:219:16
    #9 0x7efd4ea9e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #10 0x419978 in _init (/usr/bin/imginfo+0x419978)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_t1dec.c:869:4 in dec_clnpass
==24746==ABORTING

Affected version:
1.900.27

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00055-jasper-invalidwrite-dec_clnpass

Timeline:
2016-11-20: bug discovered and reported upstream
2017-01-16: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

jasper: invalid memory write in dec_clnpass (jpc_t1dec.c)

Posted in advisories, security | Leave a comment

jasper: multiple crashes with UBSAN

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

With the undefined behavior sanitizer enabled, jasper crashes showing some left shift and some signed integer overflow.

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00017-jasper-leftshift-jas_math_h
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/include/jasper/jas_math.h:156:11: runtime error: left shift of negative value -185

#################################################

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00018-jasper-signedintoverflow-jpc_dec_c
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1838:9: runtime error: signed integer overflow: -64356352 * 6359082673847140352 cannot be represented in type 'long'

#################################################

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00019-jasper-leftshift-jpc_dec_c
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1819:40: runtime error: shift exponent 117 is too large for 64-bit type 'jpc_fix_t' (aka 'long')

#################################################

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00022-jasper-signedintoverflow-jpc_tsfb_c
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_tsfb.c:233:35: runtime error: signed integer overflow: 2013306369 + 251691968 cannot be represented in type 'int'

#################################################

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00030-jasper-leftshift-jp2_dec_c
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jp2/jp2_dec.c:485:49: runtime error: left shift of negative value -26

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-10-28: bug discovered and reported to upstream
2017-01-16: blog post about the issues

Note:
These bugs were found with American Fuzzy Lop.

Permalink:

jasper: multiple crashes with UBSAN

Posted in advisories, security | Leave a comment

libtiff: NULL pointer dereference in TIFFReadRawData (tiffinfo.c)

Description:
Libtiff is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff file revealed a NULL pointer access.

The complete ASan output:

# tiffinfo -Dijr $FILE

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 384 (0x180) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1093 (0x445) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, Incorrect count for "JpegProc"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag value assumed incorrect, assuming data is YCbCr instead of RGB.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
_TIFFVSetField: Warning, SamplesPerPixel tag value is changing, but SMinSampleValue tag was read with a different value. Cancelling it.
ASAN:DEADLYSIGNAL
=================================================================
==15897==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000050d8ad bp 0x7ffc4a3eaf90 sp 0x7ffc4a3eaec0 T0)
==15897==The signal is caused by a READ memory access.
==15897==Hint: address points to the zero page.
    #0 0x50d8ac in TIFFReadRawData /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:421:29
    #1 0x50b2de in tiffinfo /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:473:4
    #2 0x50a999 in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:152:6
    #3 0x7f6258f0961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #4 0x419f38 in _init (/usr/bin/tiffinfo+0x419f38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:421:29 in TIFFReadRawData
==15897==ABORTING
TIFF Directory at offset 0xc (12)
  Image Width: 128 Image Length: 1
  Bits/Sample: 32189
  Compression Scheme: Old-style JPEG
  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 2, 2
  Samples/Pixel: 3
  Rows/Strip: 2048
  Planar Configuration: single image plane
  DocumentName: 
  Tag 384: 16779264

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/c2f931bb558b9db41cb3516a6df3aa600fd85744

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00056-libtiff-nullptr-TIFFReadRawData

Timeline:
2016-11-22: bug discovered and reported to upstream
2016-12-03: upstream released a patch
2017-01-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libtiff: NULL pointer dereference in TIFFReadRawData (tiffinfo.c)

Posted in advisories, security | Leave a comment

libtiff: assertion failure in readSeparateTilesIntoBuffer (tiffcp.c)

Description:
Libtiff is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff file revealed an assertion failure.

The complete output:

# tiffcp -i $FILE /tmp/foo
tiffcp: /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1390:
int readSeparateTilesIntoBuffer(TIFF *, uint8 *, uint32, uint32, tsample_t):
Assertion `bps % 8 == 0' failed.

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/7ff9652da2eec4c65279dcbc7e55c0418e87bbc8

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00072-libtiff-assert-readSeparateTilesIntoBuffer

Timeline:
2016-11-23: bug discovered and reported to upstream
2016-12-03: upstream released a patch
2017-01-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libtiff: assertion failure in readSeparateTilesIntoBuffer (tiffcp.c)

Posted in advisories, security | Leave a comment

libtiff: stack-based buffer overflow in _TIFFVGetField (tif_dir.c)

Description:
Libtiff is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff file revealed a stack buffer overflow.

The complete ASan output:

# tiffsplit $FILE
TIFFReadDirectory: Warning, Unknown field with tag 317 (0x13d) encountered.
=================================================================
==10362==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f3824f00090 at pc 0x7f3829624fbb bp 0x7fffe0eb1da0 sp 0x7fffe0eb1d98
WRITE of size 4 at 0x7f3824f00090 thread T0
    #0 0x7f3829624fba in _TIFFVGetField /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_dir.c:1077:29
    #1 0x7f382960f202 in TIFFVGetField /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_dir.c:1198:6
    #2 0x7f382960f202 in TIFFGetField /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_dir.c:1182
    #3 0x50a719 in tiffcp /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffsplit.c:183:2
    #4 0x50a719 in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffsplit.c:89
    #5 0x7f382871561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x419a78 in _init (/usr/bin/tiffsplit+0x419a78)

Address 0x7f3824f00090 is located in stack of thread T0 at offset 144 in frame
    #0 0x5099cf in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffsplit.c:59

  This frame has 18 object(s):
    [32, 40) 'bytecounts.i263.i'
    [64, 72) 'bytecounts.i.i'
    [96, 98) 'bitspersample.i'
    [112, 114) 'samplesperpixel.i'
    [128, 130) 'compression.i'
    [144, 146) 'shortv.i' 0x0fe7849d8010: 02 f2[02]f2 00 f2 f2 f2 04 f2 04 f2 04 f2 00 f2
  0x0fe7849d8020: f2 f2 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2
  0x0fe7849d8030: f2 f2 00 f2 f2 f2 02 f3 00 00 00 00 00 00 00 00
  0x0fe7849d8040: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x0fe7849d8050: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x0fe7849d8060: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10362==ABORTING

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-10095

Reproducer:
https://github.com/asarubbo/poc/blob/master/00104-libtiff-stackoverflow-_TIFFVGetField

Timeline:
2016-12-04: bug discovered and reported to upstream
2017-01-01: blog post about the issue
2017-01-01: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libtiff: stack-based buffer overflow in _TIFFVGetField (tif_dir.c)

Posted in advisories, security | Leave a comment

libtiff: memcpy-param-overlap in t2p_tile_collapse_left (tiff2pdf.c)

Description:
Libtiff is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff file revealed a memcpy-param-overlap.

The complete ASan output:

# tiff2pdf $FILE -o foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFAdvanceDirectory: Error fetching directory count.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
Fax3Decode2D: Warning, Premature EOL at line 0 of tile 0 (got 768, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 1 of tile 0 (got 35, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 2 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 3 of tile 0 (got 0, expected 769).
Fax3Decode2D: Uncompressed data (not supported) at line 4 of tile 0 (x 0).
Fax3Decode2D: Warning, Premature EOL at line 4 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 5 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 7 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 8 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 9 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Line length mismatch at line 10 of tile 0 (got 1792, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 11 of tile 0 (got 0, expected 769).
=================================================================
==29687==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7f2dcce0b85d,0x7f2dcce0b8ba) and [0x7f2dcce0b861, 0x7f2dcce0b8be) overlap
    #0 0x4bbee1 in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #1 0x7f2dccb87f0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
    #2 0x52ac36 in t2p_tile_collapse_left /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:3596:3
    #3 0x52ac36 in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:3073
    #4 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #5 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #6 0x7f2dcbb4361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #7 0x41a298 in _init (/usr/bin/tiff2pdf+0x41a298)

0x7f2dcce0b85d is located 93 bytes inside of 968448-byte region [0x7f2dcce0b800,0x7f2dccef7f00)
allocated by thread T0 here:
    #0 0x4d3058 in malloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f2dccb87d7e in _TIFFmalloc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:316:10
    #2 0x5294e8 in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:2933:29
    #3 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #4 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #5 0x7f2dcbb4361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

0x7f2dcce0b861 is located 97 bytes inside of 968448-byte region [0x7f2dcce0b800,0x7f2dccef7f00)
allocated by thread T0 here:
    #0 0x4d3058 in malloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f2dccb87d7e in _TIFFmalloc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:316:10
    #2 0x5294e8 in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:2933:29
    #3 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #4 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #5 0x7f2dcbb4361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: memcpy-param-overlap /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413 in __asan_memcpy
==29687==ABORTING

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/ad2fccbf5c23da10c5859114a6018a37fdd05095

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00110-libtiff-memcpy-param-overlap-_TIFFmemcpy

Timeline:
2016-12-20: bug discovered and reported to upstream
2016-12-20: upstream released a patch
2017-01-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libtiff: memcpy-param-overlap in t2p_tile_collapse_left (tiff2pdf.c)

Posted in advisories, security | Leave a comment

libtiff: invalid memory READ in t2p_writeproc (tiff2pdf.c)

Description:
Libtiff is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff file revealed an invalid memory read.

The complete ASan output:

# tiff2pdf $FILE -o foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFAdvanceDirectory: Error fetching directory count.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
tiff2pdf: Warning, RGB image 111.crashes has 4 samples per pixel, assuming RGBA.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 0; got 0 bytes, expected 23297.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 1; got 0 bytes, expected 513.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 2; got 512 bytes, expected 65285.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 3; got 512 bytes, expected 1535.
ASAN:DEADLYSIGNAL
=================================================================
==19864==ERROR: AddressSanitizer: SEGV on unknown address 0x61b000020000 (pc 0x7fc86d4a320b bp 0x000000000efc sp 0x7fff06650bf8 T0)
==19864==The signal is caused by a READ memory access.
    #0 0x7fc86d4a320a  /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/memcpy.S:270
    #1 0x7fc86d491f79 in _IO_file_xsputn /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/libio/fileops.c:1319
    #2 0x7fc86d487828 in fwrite /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/libio/iofwrite.c:43
    #3 0x50cdff in t2p_writeproc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:405:21
    #4 0x52baea in t2pWriteFile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:379:10
    #5 0x52baea in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:2924
    #6 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #7 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #8 0x7fc86d43e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x41a298 in _init (/usr/bin/tiff2pdf+0x41a298)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/memcpy.S:270 
==19864==ABORTING

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/891b1b908eb92a0e91e9012a8d32ade7088b5a3f

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00111-libtiff-invalidread-t2p_writeproc

Timeline:
2016-12-20: bug discovered and reported to upstream
2016-12-20: upstream released a patch
2017-01-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libtiff: invalid memory READ in t2p_writeproc (tiff2pdf.c)

Posted in advisories, arch testing | Leave a comment