Description:
Libtiff is a library that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.
A crafted TIFF file revealed a memcpy-param-overlap in the tiff2pdf tool: the source and destination ranges passed to memcpy overlap, which memcpy's contract forbids.
The complete ASan output:
# tiff2pdf $FILE -o foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFAdvanceDirectory: Error fetching directory count.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
Fax3Decode2D: Warning, Premature EOL at line 0 of tile 0 (got 768, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 1 of tile 0 (got 35, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 2 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 3 of tile 0 (got 0, expected 769).
Fax3Decode2D: Uncompressed data (not supported) at line 4 of tile 0 (x 0).
Fax3Decode2D: Warning, Premature EOL at line 4 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 5 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 7 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 8 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 9 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Line length mismatch at line 10 of tile 0 (got 1792, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 11 of tile 0 (got 0, expected 769).
=================================================================
==29687==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7f2dcce0b85d,0x7f2dcce0b8ba) and [0x7f2dcce0b861, 0x7f2dcce0b8be) overlap
    #0 0x4bbee1 in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #1 0x7f2dccb87f0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
    #2 0x52ac36 in t2p_tile_collapse_left /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:3596:3
    #3 0x52ac36 in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:3073
    #4 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #5 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #6 0x7f2dcbb4361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #7 0x41a298 in _init (/usr/bin/tiff2pdf+0x41a298)

0x7f2dcce0b85d is located 93 bytes inside of 968448-byte region [0x7f2dcce0b800,0x7f2dccef7f00)
allocated by thread T0 here:
    #0 0x4d3058 in malloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f2dccb87d7e in _TIFFmalloc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:316:10
    #2 0x5294e8 in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:2933:29
    #3 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #4 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #5 0x7f2dcbb4361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

0x7f2dcce0b861 is located 97 bytes inside of 968448-byte region [0x7f2dcce0b800,0x7f2dccef7f00)
allocated by thread T0 here:
    #0 0x4d3058 in malloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f2dccb87d7e in _TIFFmalloc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:316:10
    #2 0x5294e8 in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:2933:29
    #3 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #4 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #5 0x7f2dcbb4361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: memcpy-param-overlap /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413 in __asan_memcpy
==29687==ABORTING
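To make the report concrete, here is an added C example (not libtiff's code) that models the in-place row collapse the stack trace points at. The hypothetical collapse_left packs each row of a tile buffer down to a narrower width; with the constructed values scanwidth 97 and edgescanwidth 93, which the report's offsets 93 and 97 and its 93-byte length imply (97 = ceil(769/8) for the 1-bit, 769-pixel-wide tile in the warnings), it shows which rows hand memcpy overlapping ranges and why memmove is the correct call there.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Do the byte ranges [dst_off, dst_off+n) and [src_off, src_off+n) of one
 * buffer intersect?  This is the condition ASan reports as
 * memcpy-param-overlap; memcpy's contract forbids it, memmove allows it. */
static bool offsets_overlap(size_t dst_off, size_t src_off, size_t n)
{
    return n != 0 && dst_off < src_off + n && src_off < dst_off + n;
}

/* Hypothetical in-place "collapse left" (modelled on the pattern in the
 * stack trace, not libtiff's code): row i of a tile, `scanwidth` bytes
 * wide, is packed down to `edgescanwidth` bytes at offset edgescanwidth*i.
 * The ranges overlap whenever (scanwidth - edgescanwidth) * i < edgescanwidth,
 * so memmove is required.  Returns how many rows would have overlapped. */
static size_t collapse_left(unsigned char *buf, size_t scanwidth,
                            size_t edgescanwidth, size_t rows)
{
    size_t overlapping = 0;
    for (size_t i = 0; i < rows; i++) {
        size_t dst = edgescanwidth * i, src = scanwidth * i;
        if (offsets_overlap(dst, src, edgescanwidth))
            overlapping++;
        memmove(buf + dst, buf + src, edgescanwidth); /* safe for overlap */
    }
    return overlapping;
}

/* Constructed input: 30 rows of 97 bytes (97 = ceil(769/8), the 1-bit tile
 * width from the report), row i filled with byte i, collapsed to 93-byte rows
 * as the report's offsets 93/97 and length 93 imply.  Returns the number of
 * overlapping rows, or -1 if any row's data was corrupted by the move. */
static int demo_collapse(void)
{
    enum { SCAN = 97, EDGE = 93, ROWS = 30 };
    static unsigned char buf[SCAN * ROWS];
    for (size_t i = 0; i < ROWS; i++)
        memset(buf + SCAN * i, (int)i, SCAN);
    size_t overlapping = collapse_left(buf, SCAN, EDGE, ROWS);
    for (size_t i = 0; i < ROWS; i++)
        for (size_t j = 0; j < EDGE; j++)
            if (buf[EDGE * i + j] != (unsigned char)i)
                return -1;
    return (int)overlapping;   /* 24: rows 0..23 satisfy 4*i < 93 */
}
```

Row 1 is exactly the case ASan flagged (destination offset 93, source offset 97, length 93); a memcpy there is undefined behaviour even when a given libc happens to copy it correctly.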
Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/ad2fccbf5c23da10c5859114a6018a37fdd05095
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00110-libtiff-memcpy-param-overlap-_TIFFmemcpy
Timeline:
2016-12-20: bug discovered and reported to upstream
2016-12-20: upstream released a patch
2017-01-01: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
libtiff: memcpy-param-overlap in t2p_tile_collapse_left (tiff2pdf.c)