jasper: invalid memory read in jpc_undo_roi (jpc_dec.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Another round of fuzzing shows that a crafted image causes an invalid memory read.

The complete ASan output:

# imginfo -f $FILE
==22872==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8a4a950800 (pc 0x7f8e4a543b93 bp 0x7ffe29bfdcd0 sp 0x7ffe29bfdb80 T0)
==22872==The signal is caused by a READ memory access.
    #0 0x7f8e4a543b92 in jpc_undo_roi /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1925:10
    #1 0x7f8e4a543b92 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1104
    #2 0x7f8e4a534cdf in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:658:7
    #3 0x7f8e4a53e6b3 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:425:10
    #4 0x7f8e4a53e6b3 in jpc_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:262
    #5 0x7f8e4a4a0b84 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_image.c:444:16
    #6 0x509eed in main /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/appl/imginfo.c:219:16
    #7 0x7f8e495a861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x419978 in _init (/usr/bin/imginfo+0x419978)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1925:10 in jpc_undo_roi
==22872==ABORTING

Affected version:
1.900.27

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5504

Reproducer:
https://github.com/asarubbo/poc/blob/master/00054-jasper-invalidread-jpc_undo_roi

Timeline:
2016-11-20: bug discovered and reported upstream
2017-01-16: blog post about the issue
2017-01-17: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


jasper: invalid memory write in dec_clnpass (jpc_t1dec.c)

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

Another round of fuzzing shows that a crafted image causes an invalid memory write.

The complete ASan output:

# imginfo -f $FILE
==24746==ERROR: AddressSanitizer: SEGV on unknown address 0x7ef94fe46c88 (pc 0x7efd4faa510d bp 0x7ffde2235af0 sp 0x7ffde2235900 T0)
==24746==The signal is caused by a WRITE memory access.
    #0 0x7efd4faa510c in dec_clnpass /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_t1dec.c:869:4
    #1 0x7efd4faa510c in jpc_dec_decodecblk /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_t1dec.c:283
    #2 0x7efd4fa9ef89 in jpc_dec_decodecblks /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_t1dec.c:177:11
    #3 0x7efd4fa394f1 in jpc_dec_tiledecode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1085:6
    #4 0x7efd4fa2acdf in jpc_dec_process_sod /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:658:7
    #5 0x7efd4fa346b3 in jpc_dec_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:425:10
    #6 0x7efd4fa346b3 in jpc_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:262
    #7 0x7efd4f996b84 in jas_image_decode /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_image.c:444:16
    #8 0x509eed in main /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/appl/imginfo.c:219:16
    #9 0x7efd4ea9e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #10 0x419978 in _init (/usr/bin/imginfo+0x419978)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_t1dec.c:869:4 in dec_clnpass
==24746==ABORTING

Affected version:
1.900.27

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5503

Reproducer:
https://github.com/asarubbo/poc/blob/master/00055-jasper-invalidwrite-dec_clnpass

Timeline:
2016-11-20: bug discovered and reported upstream
2017-01-16: blog post about the issue
2017-01-17: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


jasper: multiple crashes with UBSAN

Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

With the undefined behavior sanitizer (UBSan) enabled, jasper crashes, reporting several invalid left shifts and signed integer overflows.

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00017-jasper-leftshift-jas_math_h
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/include/jasper/jas_math.h:156:11: runtime error: left shift of negative value -185

CVE:
CVE-2017-5498

#################################################

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00018-jasper-signedintoverflow-jpc_dec_c
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1838:9: runtime error: signed integer overflow: -64356352 * 6359082673847140352 cannot be represented in type 'long'

CVE:
CVE-2017-5499

#################################################

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00019-jasper-leftshift-jpc_dec_c
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_dec.c:1819:40: runtime error: shift exponent 117 is too large for 64-bit type 'jpc_fix_t' (aka 'long')

CVE:
CVE-2017-5500

#################################################

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00022-jasper-signedintoverflow-jpc_tsfb_c
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_tsfb.c:233:35: runtime error: signed integer overflow: 2013306369 + 251691968 cannot be represented in type 'int'

CVE:
CVE-2017-5501

#################################################

Affected version / Tested on:
1.900.17
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00030-jasper-leftshift-jp2_dec_c
Relevant part of the stacktrace:

# imginfo -f $FILE
/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jp2/jp2_dec.c:485:49: runtime error: left shift of negative value -26

CVE:
CVE-2017-5502

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-10-28: bug discovered and reported to upstream
2017-01-16: blog post about the issues
2017-01-17: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.


libtiff: NULL pointer dereference in TIFFReadRawData (tiffinfo.c)

Description:
Libtiff is a software library that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff file revealed a NULL pointer access.

The complete ASan output:

# tiffinfo -Dijr $FILE

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 384 (0x180) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1093 (0x445) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, Incorrect count for "JpegProc"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag value assumed incorrect, assuming data is YCbCr instead of RGB.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3.
_TIFFVSetField: Warning, SamplesPerPixel tag value is changing, but SMinSampleValue tag was read with a different value. Cancelling it.
ASAN:DEADLYSIGNAL
=================================================================
==15897==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000050d8ad bp 0x7ffc4a3eaf90 sp 0x7ffc4a3eaec0 T0)
==15897==The signal is caused by a READ memory access.
==15897==Hint: address points to the zero page.
    #0 0x50d8ac in TIFFReadRawData /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:421:29
    #1 0x50b2de in tiffinfo /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:473:4
    #2 0x50a999 in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:152:6
    #3 0x7f6258f0961f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #4 0x419f38 in _init (/usr/bin/tiffinfo+0x419f38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:421:29 in TIFFReadRawData
==15897==ABORTING
TIFF Directory at offset 0xc (12)
  Image Width: 128 Image Length: 1
  Bits/Sample: 32189
  Compression Scheme: Old-style JPEG
  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 2, 2
  Samples/Pixel: 3
  Rows/Strip: 2048
  Planar Configuration: single image plane
  DocumentName: 
  Tag 384: 16779264

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/c2f931bb558b9db41cb3516a6df3aa600fd85744

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00056-libtiff-nullptr-TIFFReadRawData

Timeline:
2016-11-22: bug discovered and reported to upstream
2016-12-03: upstream released a patch
2017-01-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.


libtiff: assertion failure in readSeparateTilesIntoBuffer (tiffcp.c)

Description:
Libtiff is a software library that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff file revealed an assertion failure.

The complete output:

# tiffcp -i $FILE /tmp/foo
tiffcp: /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1390:
int readSeparateTilesIntoBuffer(TIFF *, uint8 *, uint32, uint32, tsample_t):
Assertion `bps % 8 == 0' failed.

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/7ff9652da2eec4c65279dcbc7e55c0418e87bbc8

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00072-libtiff-assert-readSeparateTilesIntoBuffer

Timeline:
2016-11-23: bug discovered and reported to upstream
2016-12-03: upstream released a patch
2017-01-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.


libtiff: stack-based buffer overflow in _TIFFVGetField (tif_dir.c)

Description:
Libtiff is a software library that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff file revealed a stack buffer overflow.

The complete ASan output:

# tiffsplit $FILE
TIFFReadDirectory: Warning, Unknown field with tag 317 (0x13d) encountered.
=================================================================
==10362==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f3824f00090 at pc 0x7f3829624fbb bp 0x7fffe0eb1da0 sp 0x7fffe0eb1d98
WRITE of size 4 at 0x7f3824f00090 thread T0
    #0 0x7f3829624fba in _TIFFVGetField /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_dir.c:1077:29
    #1 0x7f382960f202 in TIFFVGetField /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_dir.c:1198:6
    #2 0x7f382960f202 in TIFFGetField /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_dir.c:1182
    #3 0x50a719 in tiffcp /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffsplit.c:183:2
    #4 0x50a719 in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffsplit.c:89
    #5 0x7f382871561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x419a78 in _init (/usr/bin/tiffsplit+0x419a78)

Address 0x7f3824f00090 is located in stack of thread T0 at offset 144 in frame
    #0 0x5099cf in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffsplit.c:59

  This frame has 18 object(s):
    [32, 40) 'bytecounts.i263.i'
    [64, 72) 'bytecounts.i.i'
    [96, 98) 'bitspersample.i'
    [112, 114) 'samplesperpixel.i'
    [128, 130) 'compression.i'
    [144, 146) 'shortv.i'
==10362==ABORTING

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-10095

Reproducer:
https://github.com/asarubbo/poc/blob/master/00104-libtiff-stackoverflow-_TIFFVGetField

Timeline:
2016-12-04: bug discovered and reported to upstream
2017-01-01: blog post about the issue
2017-01-01: CVE assigned
2017-06-01: upstream released a fix

Note:
This bug was found with American Fuzzy Lop.


libtiff: memcpy-param-overlap in t2p_tile_collapse_left (tiff2pdf.c)

Description:
Libtiff is a software library that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff file revealed a memcpy-param-overlap.

The complete ASan output:

# tiff2pdf $FILE -o foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFAdvanceDirectory: Error fetching directory count.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
Fax3Decode2D: Warning, Premature EOL at line 0 of tile 0 (got 768, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 1 of tile 0 (got 35, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 2 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 3 of tile 0 (got 0, expected 769).
Fax3Decode2D: Uncompressed data (not supported) at line 4 of tile 0 (x 0).
Fax3Decode2D: Warning, Premature EOL at line 4 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 5 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 7 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 8 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 9 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Line length mismatch at line 10 of tile 0 (got 1792, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 11 of tile 0 (got 0, expected 769).
=================================================================
==29687==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7f2dcce0b85d,0x7f2dcce0b8ba) and [0x7f2dcce0b861, 0x7f2dcce0b8be) overlap
    #0 0x4bbee1 in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #1 0x7f2dccb87f0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
    #2 0x52ac36 in t2p_tile_collapse_left /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:3596:3
    #3 0x52ac36 in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:3073
    #4 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #5 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #6 0x7f2dcbb4361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #7 0x41a298 in _init (/usr/bin/tiff2pdf+0x41a298)

0x7f2dcce0b85d is located 93 bytes inside of 968448-byte region [0x7f2dcce0b800,0x7f2dccef7f00)
allocated by thread T0 here:
    #0 0x4d3058 in malloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f2dccb87d7e in _TIFFmalloc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:316:10
    #2 0x5294e8 in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:2933:29
    #3 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #4 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #5 0x7f2dcbb4361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

0x7f2dcce0b861 is located 97 bytes inside of 968448-byte region [0x7f2dcce0b800,0x7f2dccef7f00)
allocated by thread T0 here:
    #0 0x4d3058 in malloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f2dccb87d7e in _TIFFmalloc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:316:10
    #2 0x5294e8 in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:2933:29
    #3 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #4 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #5 0x7f2dcbb4361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: memcpy-param-overlap /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413 in __asan_memcpy
==29687==ABORTING

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/ad2fccbf5c23da10c5859114a6018a37fdd05095

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00110-libtiff-memcpy-param-overlap-_TIFFmemcpy

Timeline:
2016-12-20: bug discovered and reported to upstream
2016-12-20: upstream released a patch
2017-01-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.


libtiff: invalid memory READ in t2p_writeproc (tiff2pdf.c)

Description:
Libtiff is a software library that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff file revealed an invalid memory read.

The complete ASan output:

# tiff2pdf $FILE -o foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFAdvanceDirectory: Error fetching directory count.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
111.crashes: Warning, Nonstandard tile length 3, convert file.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "Software" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
tiff2pdf: Warning, RGB image 111.crashes has 4 samples per pixel, assuming RGBA.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 0; got 0 bytes, expected 23297.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 1; got 0 bytes, expected 513.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 2; got 512 bytes, expected 65285.
TIFFReadRawTile: Read error at row 4294967295, col 4294967295, tile 3; got 512 bytes, expected 1535.
ASAN:DEADLYSIGNAL
=================================================================
==19864==ERROR: AddressSanitizer: SEGV on unknown address 0x61b000020000 (pc 0x7fc86d4a320b bp 0x000000000efc sp 0x7fff06650bf8 T0)
==19864==The signal is caused by a READ memory access.
    #0 0x7fc86d4a320a  /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/memcpy.S:270
    #1 0x7fc86d491f79 in _IO_file_xsputn /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/libio/fileops.c:1319
    #2 0x7fc86d487828 in fwrite /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/libio/iofwrite.c:43
    #3 0x50cdff in t2p_writeproc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:405:21
    #4 0x52baea in t2pWriteFile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:379:10
    #5 0x52baea in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:2924
    #6 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #7 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #8 0x7fc86d43e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #9 0x41a298 in _init (/usr/bin/tiff2pdf+0x41a298)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/memcpy.S:270 
==19864==ABORTING

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/891b1b908eb92a0e91e9012a8d32ade7088b5a3f

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00111-libtiff-invalidread-t2p_writeproc

Timeline:
2016-12-20: bug discovered and reported to upstream
2016-12-20: upstream released a patch
2017-01-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
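A triage helper for the sanitizer reports quoted in these advisories (the stack-buffer-overflow, SEGV and memcpy-param-overlap ASan reports and the UBSan runtime errors above); this is an added example, not code from the advisories, libtiff or jasper, and its sample inputs are excerpts of the reports above. It takes the first frame outside the sanitizer runtime and glibc as the crash site, groups reports by (kind, function, file:line) so repeated fuzzer hits collapse into one bug, and for a stack-buffer-overflow works out which stack object the faulting offset lands in and by how many bytes the access overruns it (the 4-byte WRITE at offset 144 into the 2-byte 'shortv.i' above overruns it by 2).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Line formats as ASan and UBSan print them (see the reports quoted above).
ASAN_ERROR = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[A-Za-z-]+)")
ASAN_SIGNAL = re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access")
ASAN_ACCESS = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
STACK_OFFSET = re.compile(r"is located in stack of thread T\d+ at offset (?P<off>\d+) in frame")
STACK_OBJECT = re.compile(r"^\s*\[(?P<lo>\d+), (?P<hi>\d+)\) '(?P<name>[^']+)'")
UBSAN_LINE = re.compile(r"^(?P<file>\S+?):(?P<line>\d+):\d+: runtime error: (?P<msg>.+)$")
UBSAN_KINDS = ("left shift of negative value", "signed integer overflow", "shift exponent")
RUNTIME_PATHS = ("/compiler-rt/", "/glibc-")  # ASan interceptors and libc frames are not the crash site


@dataclass
class Crash:
    sanitizer: str                        # "ASan" or "UBSan"
    kind: str                             # "stack-buffer-overflow", "SEGV", "signed integer overflow", ...
    function: str = ""                    # first frame outside the sanitizer runtime and libc
    location: str = ""                    # that frame's file:line
    access: Optional[str] = None          # "READ" / "WRITE" when the report says so
    size: Optional[int] = None            # access size in bytes when the report says so
    stack_object: Optional[str] = None    # stack-buffer-overflow: the object the access lands in
    overflow_bytes: Optional[int] = None  # how many bytes the access runs past that object

    def key(self) -> tuple[str, str, str]:
        """Grouping key: reports with the same kind and crash site are one bug."""
        return (self.kind, self.function, self.location)


def short_loc(loc: str) -> str:
    """'/build/.../tif_dir.c:1077:29' -> 'tif_dir.c:1077' (drop directory and column)."""
    return ":".join(loc.rsplit("/", 1)[-1].split(":")[:2])


def parse_report(text: str) -> Optional[Crash]:
    """Parse one sanitizer report; returns None if no sanitizer error is present."""
    crash: Optional[Crash] = None
    stack_offset: Optional[int] = None
    objects: list[tuple[int, int, str]] = []
    for line in text.splitlines():
        if m := UBSAN_LINE.match(line):  # UBSan: one line per finding, no stack trace needed
            msg = m["msg"]
            kind = next((k for k in UBSAN_KINDS if msg.startswith(k)), msg.split(":")[0])
            return Crash("UBSan", kind, location=short_loc(f"{m['file']}:{m['line']}"))
        if m := ASAN_ERROR.match(line):
            crash = Crash("ASan", m["kind"])
        elif crash is None:
            continue  # tool warnings printed before the sanitizer fires
        elif m := ASAN_SIGNAL.match(line) or ASAN_ACCESS.match(line):
            crash.access = m["access"]
            crash.size = int(m["size"]) if "size" in m.groupdict() else None
        elif (m := FRAME.match(line)) and not crash.function and not any(p in m["loc"] for p in RUNTIME_PATHS):
            crash.function, crash.location = m["func"], short_loc(m["loc"])  # first real frame wins
        elif m := STACK_OFFSET.search(line):
            stack_offset = int(m["off"])
        elif m := STACK_OBJECT.match(line):
            objects.append((int(m["lo"]), int(m["hi"]), m["name"]))
    if crash is not None and stack_offset is not None and crash.size is not None:
        for lo, hi, name in objects:  # which stack object does the faulting offset fall in?
            if lo <= stack_offset < hi:
                crash.stack_object, crash.overflow_bytes = name, max(0, stack_offset + crash.size - hi)
                break
    return crash


def group_crashes(reports: list[str]) -> dict[tuple[str, str, str], list[Crash]]:
    """Deduplicate a batch of fuzzer crashes by (kind, function, file:line)."""
    groups: dict[tuple[str, str, str], list[Crash]] = defaultdict(list)
    for crash in filter(None, map(parse_report, reports)):
        groups[crash.key()].append(crash)
    return dict(groups)


# Sample inputs: excerpts of the reports quoted in the advisories above.
STACK_OVERFLOW_REPORT = """\
==10362==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f3824f00090 at pc 0x7f3829624fbb bp 0x7fffe0eb1da0 sp 0x7fffe0eb1d98
WRITE of size 4 at 0x7f3824f00090 thread T0
    #0 0x7f3829624fba in _TIFFVGetField /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_dir.c:1077:29
Address 0x7f3824f00090 is located in stack of thread T0 at offset 144 in frame
    #0 0x5099cf in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffsplit.c:59
    [128, 130) 'compression.i'
    [144, 146) 'shortv.i'
"""
SEGV_REPORT = """\
==22872==ERROR: AddressSanitizer: SEGV on unknown address 0x7f8a4a950800 (pc 0x7f8e4a543b93 bp 0x7ffe29bfdcd0 sp 0x7ffe29bfdb80 T0)
==22872==The signal is caused by a READ memory access.
    #0 0x7f8e4a543b92 in jpc_undo_roi /tmp/portage/media-libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1925:10
"""
OVERLAP_REPORT = """\
==29687==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7f2dcce0b85d,0x7f2dcce0b8ba) and [0x7f2dcce0b861, 0x7f2dcce0b8be) overlap
    #0 0x4bbee1 in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #1 0x7f2dccb87f0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
"""
UBSAN_REPORT = ("/tmp/portage/media-libs/jasper-1.900.17/work/jasper-1.900.17/src/libjasper/jpc/jpc_tsfb.c:233:35: "
                "runtime error: signed integer overflow: 2013306369 + 251691968 cannot be represented in type 'int'")
```

Feeding a directory of AFL crash reports through group_crashes gives one bucket per distinct (kind, function, file:line), which is the grouping the advisories above use.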


libtiff: multiple heap-based buffer overflow

Description:
Libtiff is a software library that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

Fuzzing with several crafted images revealed multiple heap-based buffer overflows. Given the number of issues, I will post only the relevant part of each stacktrace.

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df
Reproducer:
https://github.com/asarubbo/poc/blob/master/00068-libtiff-heapoverflow-_tiffWriteProc
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==16440==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000e861 at pc 0x0000004531de bp 0x7ffd2aba5c30 sp 0x7ffd2aba53e0
READ of size 78490 at 0x62500000e861 thread T0
    #1 0x7f280456d37b in _tiffWriteProc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:115:23

CVE:
CVE-2016-10268

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df
Reproducer:
https://github.com/asarubbo/poc/blob/master/00066-libtiff-heapoverflow-TIFFReverseBits
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==14332==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000f4f0 at pc 0x7f95e90c11ad bp 0x7ffd74ba5ca0 sp 0x7ffd74ba5c98
READ of size 1 at 0x63000000f4f0 thread T0
    #0 0x7f95e90c11ac in TIFFReverseBits /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_swab.c:289:27

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86
Reproducer:
https://github.com/asarubbo/poc/blob/master/00071-libtiff-heapoverflow-_TIFFmemcpy
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==10398==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef4 at pc 0x0000004bc235 bp 0x7fff3ebfa700 sp 0x7fff3ebf9eb0
READ of size 512 at 0x60200000eef4 thread T0
    #1 0x7fcaf590cf0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2

CVE:
CVE-2016-10269

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018
Reproducer:
https://github.com/asarubbo/poc/blob/master/00074-libtiff-heapoverflow-TIFFFillStrip
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==15106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edd8 at pc 0x7f33918c5de3 bp 0x7ffc5abe6ba0 sp 0x7ffc5abe6b98
READ of size 8 at 0x60200000edd8 thread T0
    #0 0x7f33918c5de2 in TIFFFillStrip /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_read.c:523:22

CVE:
CVE-2016-10270

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
Reproducer:
https://github.com/asarubbo/poc/blob/master/00100-libtiff-heapoverflow-_TIFFFax3fillruns
Relevant part of the stacktrace:

# tiffcrop -i $FILE /tmp/foo
==9181==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd3b2e277f8 at pc 0x7fd3b7a762cc bp 0x7ffffd6e2550 sp 0x7ffffd6e2548
READ of size 1 at 0x7fd3b2e277f8 thread T0
    #0 0x7fd3b7a762cb in _TIFFFax3fillruns /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_fax3.c:413:13

CVE:
CVE-2016-10271

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
Reproducer:
https://github.com/asarubbo/poc/blob/master/00102-libtiff-heapoverflow-_TIFFmemcpy
Relevant part of the stacktrace:

# tiffcrop -i $FILE /tmp/foo
==988==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001ccff at pc 0x0000004bc00c bp 0x7fff920da690 sp 0x7fff920d9e40
WRITE of size 1 at 0x62100001ccff thread T0
    #1 0x7f49edd6af0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2

CVE:
CVE-2016-10092

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/b4b41925115059b49f97432bda0613411df2f686
Reproducer:
https://github.com/asarubbo/poc/blob/master/00067-libtiff-heapoverflow-tiffcp
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==7788==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edd3 at pc 0x0000004629ac bp 0x7ffe4adf8df0 sp 0x7ffe4adf85a0
READ of size 1 at 0x60200000edd3 thread T0
    #1 0x50d6a5 in tiffcp /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:784:57

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
Upstream said that the previous changes fix this too. It needs to be bisected.
UPDATE:
A test on master showed that it isn’t fixed.
Reproducer:
https://github.com/asarubbo/poc/blob/master/00079-libtiff-heapoverflow-cpSeparateBufToContigBuf
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==25645==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f651cc3b800 at pc 0x00000051ef24 bp 0x7ffec0573a70 sp 0x7ffec0573a68
READ of size 16 at 0x7f651cc3b800 thread T0
    #0 0x51ef23 in cpSeparateBufToContigBuf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1209:14

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec
Reproducer:
https://github.com/asarubbo/poc/blob/master/00082-libtiff-heap-overflow-cpStripToTile
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==20438==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fef2adde803 at pc 0x00000051befa bp 0x7ffd3ee26b50 sp 0x7ffd3ee26b48
WRITE of size 16 at 0x7fef2adde803 thread T0
    #0 0x51bef9 in cpStripToTile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1171:11

CVE:
CVE-2016-10093

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
Upstream said that the previous changes fix this too. It needs to be bisected.
From the bisect, the fix is:
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
Reproducer:
https://github.com/asarubbo/poc/blob/master/00103-libtiff-heapoverflow-NeXTDecode
Relevant part of the stacktrace:

# tiffcrop -i $FILE /tmp/foo
==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00000a3fc at pc 0x0000004bc48c bp 0x7ffd6f23c680 sp 0x7ffd6f23be30
WRITE of size 2048 at 0x62d00000a3fc thread T0
    #1 0x7fcac5ac0033 in NeXTDecode /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_next.c:64:9

CVE:
CVE-2016-10272

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
Upstream said that the previous changes fix this too. It needs to be bisected.
From the bisect, the fix is:
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
Reproducer:
https://github.com/asarubbo/poc/blob/master/00102-libtiff-heapoverflow-_TIFFmemcpy
Relevant part of the stacktrace:

# tiffcrop -i $FILE /tmp/foo
==23091==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eed2 at pc 0x0000004629dc bp 0x7fff8d1e2950 sp 0x7fff8d1e2100
READ of size 1 at 0x60200000eed2 thread T0
    #1 0x53277f in writeCroppedImage /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcrop.c:7940:23

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/5ed9fea523316c2f5cec4d393e4d5d671c2dbc33
Reproducer:
https://github.com/asarubbo/poc/blob/master/00108-libtiff-heapoverflow-PSDataBW
Relevant part of the stacktrace:

# tiff2ps $FILE
==32416==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee91 at pc 0x00000051ea78 bp 0x7ffd76b73dd0 sp 0x7ffd76b73dc8
READ of size 1 at 0x60200000ee91 thread T0
    #0 0x51ea77 in PSDataBW /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2ps.c:2703:21

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/5ed9fea523316c2f5cec4d393e4d5d671c2dbc33
Reproducer:
https://github.com/asarubbo/poc/blob/master/00107-libtiff-heapoverflow-PSDataColorContig
Relevant part of the stacktrace:

# tiff2ps $FILE
==31384==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee54 at pc 0x000000518b75 bp 0x7fff437bfdb0 sp 0x7fff437bfda8
READ of size 1 at 0x60200000ee54 thread T0
    #0 0x518b74 in PSDataColorContig /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2ps.c:2470:2

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/bd9d7670d0224412b3bd146e221658211ece876e
Reproducer:
https://github.com/asarubbo/poc/blob/master/00101-libtiff-heapoverflow-combineSeparateSamples16bits
Relevant part of the stacktrace:

# tiffcrop -i $FILE /tmp/foo
==8016==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef1 at pc 0x000000530805 bp 0x7ffeb0d41770 sp 0x7ffeb0d41768
READ of size 1 at 0x60200000eef1 thread T0
    #0 0x530804 in combineSeparateSamples16bits /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcrop.c:3913:20

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76b0969235c
Reproducer:
https://github.com/asarubbo/poc/blob/master/00112-libtiff-heapoverflow-_TIFFmemcpy
Relevant part of the stacktrace:

# tiff2pdf $FILE -o foo
==31315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ea11 at pc 0x0000004bc10c bp 0x7fffd59abc40 sp 0x7fffd59ab3f0
WRITE of size 2 at 0x60200000ea11 thread T0
    #1 0x7fd49c1adf0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2

CVE:
CVE-2016-10094

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00109-libtiff-heapoverflow-putcontig8bitYCbCr44tile
Relevant part of the stacktrace:

# tiff2rgba $FILE /tmp/foo
==20699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000ed12 at pc 0x7f49ab2c134c bp 0x7ffc7e4eda30 sp 0x7ffc7e4eda28
READ of size 1 at 0x62500000ed12 thread T0
    #0 0x7f49ab2c134b in putcontig8bitYCbCr44tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_getimage.c:1885:28

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-11-20: started to post the issues to upstream
2017-01-01: blog post about the issue
2017-01-01: CVE assigned
2017-03-24: bisect done, all issues have a commit fix reference

Note:
These bugs were found with American Fuzzy Lop.


libtiff: multiple divide-by-zero

Description:
Libtiff is a library that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

Some crafted images, found through fuzzing, revealed multiple divisions by zero. Given the number of issues, I will post only the relevant part of each stacktrace.

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1
Reproducer:
https://github.com/asarubbo/poc/blob/master/00064-libtiff-fpe-TIFFReadEncodedStrip
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==12079==ERROR: AddressSanitizer: FPE on unknown address 0x7fd319436251 (pc 0x7fd319436251 bp 0x7fff851e3d80 sp 0x7fff851e3d30 T0)
    #0 0x7fd319436250 in TIFFReadEncodedStrip /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_read.c:351:22

CVE:
CVE-2016-10266

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec
Reproducer:
https://github.com/asarubbo/poc/blob/master/00083-libtiff-fpe-OJPEGDecodeRaw
Relevant part of the stacktrace:

# tiffmedian $FILE /tmp/foo
==28106==ERROR: AddressSanitizer: FPE on unknown address 0x7faeae7f744e (pc 0x7faeae7f744e bp 0x7ffceab45e40 sp 0x7ffceab45ce0 T0)
    #0 0x7faeae7f744d in OJPEGDecodeRaw /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_ojpeg.c:816:8

CVE:
CVE-2016-10267

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/d3c5426395dc53e3345712ac7246c29db9fed8fa
Reproducer:
https://github.com/asarubbo/poc/blob/master/00099-libtiff-fpe-readSeparateStripsIntoBuffer
Relevant part of the stacktrace:

# tiffcrop $FILE /tmp/foo
==19098==ERROR: AddressSanitizer: FPE on unknown address 0x000000523acf (pc 0x000000523acf bp 0x7ffcb22ada30 sp 0x7ffcb22ad780 T0)
    #0 0x523ace in readSeparateStripsIntoBuffer /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcrop.c:4841:36

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/a87eb62049f446204ed62c939f965eb76bd98001
Reproducer:
https://github.com/asarubbo/poc/blob/master/00065-libtiff-fpe-readSeparateTilesIntoBuffer
Relevant part of the stacktrace:

# tiffcp $FILE /tmp/foo
==13262==ERROR: AddressSanitizer: FPE on unknown address 0x00000051c43b (pc 0x00000051c43b bp 0x7ffdc8d81d70 sp 0x7ffdc8d81b20 T0)
    #0 0x51c43a in readSeparateTilesIntoBuffer /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1434:9

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/296803e79542f5523be1009d64574507b9acc239
Reproducer:
https://github.com/asarubbo/poc/blob/master/00073-libtiff-fpe-writeBufferToSeparateTiles
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==3614==ERROR: AddressSanitizer: FPE on unknown address 0x00000051650a (pc 0x00000051650a bp 0x7fff41587d30 sp 0x7fff41587b00 T0)
    #0 0x516509 in writeBufferToSeparateTiles /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1591:13

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-11-20: started to post the issues to upstream
2017-01-01: blog post about the issue

Note:
These bugs were found with American Fuzzy Lop.
