[Bug 1017691] New: VUL-0: libtiff: memcpy-param-overlap in t2p_tile_collapse_left (tiff2pdf.c)
http://bugzilla.opensuse.org/show_bug.cgi?id=1017691

Bug ID: 1017691
Summary: VUL-0: libtiff: memcpy-param-overlap in t2p_tile_collapse_left (tiff2pdf.c)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/5
============================================
Description:
Libtiff is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff file revealed a memcpy-param-overlap.

The complete ASan output:

# tiff2pdf $FILE -o foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFAdvanceDirectory: Error fetching directory count.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
1006.crashes: Warning, Nonstandard tile width 769, convert file.
TIFFReadDirectory: Warning, Unknown field with tag 7710 (0x1e1e) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
Fax3Decode2D: Warning, Premature EOL at line 0 of tile 0 (got 768, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 1 of tile 0 (got 35, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 2 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 3 of tile 0 (got 0, expected 769).
Fax3Decode2D: Uncompressed data (not supported) at line 4 of tile 0 (x 0).
Fax3Decode2D: Warning, Premature EOL at line 4 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 5 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 7 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 8 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 9 of tile 0 (got 0, expected 769).
Fax3Decode2D: Warning, Line length mismatch at line 10 of tile 0 (got 1792, expected 769).
Fax3Decode2D: Warning, Premature EOL at line 11 of tile 0 (got 0, expected 769).
=================================================================
==29687==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7f2dcce0b85d,0x7f2dcce0b8ba) and [0x7f2dcce0b861, 0x7f2dcce0b8be) overlap
    #0 0x4bbee1 in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #1 0x7f2dccb87f0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
    #2 0x52ac36 in t2p_tile_collapse_left /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:3596:3
    #3 0x52ac36 in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:3073
    #4 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #5 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #6 0x7f2dcbb4361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #7 0x41a298 in _init (/usr/bin/tiff2pdf+0x41a298)

0x7f2dcce0b85d is located 93 bytes inside of 968448-byte region [0x7f2dcce0b800,0x7f2dccef7f00)
allocated by thread T0 here:
    #0 0x4d3058 in malloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f2dccb87d7e in _TIFFmalloc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:316:10
    #2 0x5294e8 in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:2933:29
    #3 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #4 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #5 0x7f2dcbb4361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

0x7f2dcce0b861 is located 97 bytes inside of 968448-byte region [0x7f2dcce0b800,0x7f2dccef7f00)
allocated by thread T0 here:
    #0 0x4d3058 in malloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f2dccb87d7e in _TIFFmalloc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:316:10
    #2 0x5294e8 in t2p_readwrite_pdf_image_tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:2933:29
    #3 0x50f1dc in t2p_write_pdf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:5526:16
    #4 0x50bfee in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2pdf.c:808:2
    #5 0x7f2dcbb4361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: memcpy-param-overlap /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413 in __asan_memcpy
==29687==ABORTING

Affected version: 4.0.7

Fixed version: N/A

Commit fix: https://github.com/vadz/libtiff/commit/ad2fccbf5c23da10c5859114a6018a37fdd05...

Credit: This bug was discovered by Agostino Sarubbo of Gentoo.

CVE: N/A

Reproducer: https://github.com/asarubbo/poc/blob/master/00110-libtiff-memcpy-param-overl...

Timeline:
2016-12-20: bug discovered and reported to upstream
2016-12-20: upstream released a patch
2017-01-01: blog post about the issue

Note: This bug was found with American Fuzzy Lop.

Permalink: https://blogs.gentoo.org/ago/2017/01/01/libtiff-memcpy-param-overlap-in-_tif...

--
Agostino Sarubbo
Gentoo Linux Developer
============================================

https://software.opensuse.org/package/libtiff5

TW: 4.0.7
42.2: 4.0.6
42.1: 4.0.6
13.2: 4.0.7

--
You are receiving this mail because:
You are on the CC list for the bug.
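Added example, not part of the original report and not libtiff's code: a simplified model of an in-place "collapse left" that packs the first edgewidth bytes of each row to the front of one buffer, showing why memcpy() receives overlapping ranges and that memmove() gives a correct result. The function names are hypothetical; the widths 97 and 93 are taken from the two offsets in the ASan report above (destination 93 bytes in, source 97 bytes in, 93 bytes copied), and the row count and fill pattern are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True when [dst, dst+n) and [src, src+n) share bytes without being the same
 * range: the condition reported as memcpy-param-overlap. */
static int offsets_overlap(size_t dst, size_t src, size_t n)
{
    return dst != src && dst < src + n && src < dst + n;
}

/* Rows of a collapse for which memcpy() would get overlapping arguments. */
static size_t overlapping_rows(size_t scanwidth, size_t edgewidth, size_t rows)
{
    size_t hits = 0;
    for (size_t i = 0; i < rows; i++)
        hits += (size_t)offsets_overlap(edgewidth * i, scanwidth * i, edgewidth);
    return hits;
}

/* Pack the first edgewidth bytes of every row to the front of buf, in place.
 * Requires edgewidth <= scanwidth. memmove() is defined for overlapping
 * ranges; memcpy() is not. */
static void collapse_left(unsigned char *buf, size_t scanwidth, size_t edgewidth, size_t rows)
{
    for (size_t i = 0; i < rows; i++)
        memmove(buf + edgewidth * i, buf + scanwidth * i, edgewidth);
}

/* Collapse a constructed buffer and compare each packed row with a pristine copy. */
static int collapse_matches_reference(size_t scanwidth, size_t edgewidth, size_t rows)
{
    size_t total = scanwidth * rows;
    int ok = 1;
    unsigned char *buf = malloc(total), *ref = malloc(total);
    if (!buf || !ref) { free(buf); free(ref); return 0; }
    for (size_t i = 0; i < total; i++)
        buf[i] = ref[i] = (unsigned char)(i * 31u + 7u); /* constructed pattern */
    collapse_left(buf, scanwidth, edgewidth, rows);
    for (size_t i = 0; i < rows && ok; i++)
        ok = memcmp(buf + edgewidth * i, ref + scanwidth * i, edgewidth) == 0;
    free(buf); free(ref);
    return ok;
}

int main(void)
{
    printf("overlapping rows: %zu\n", overlapping_rows(97, 93, 12));
    printf("memmove collapse correct: %d\n", collapse_matches_reference(97, 93, 12));
    return 0;
}
```

Row 0 copies a range onto itself and is not counted; every later row whose source lies less than edgewidth bytes after its destination overlaps.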