2019.08.19 08:27 "[Tiff] Possible Bug in Libtiff (tiff2pdf) when PLANARCONFIG in the Input is not PLANARCONFIG_CONTIG", by Hendra Gunadi
On my machine, when triaging a fuzzing result on a 32-bit ASAN build (v. 4.0.9), I encountered this error:
==9771==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf580027f at pc 0x080ea1dd bp 0xffffc948 sp 0xffffc520 READ of size 18 at 0xf580027f thread T0
#0 0x80ea1dc in fwrite /home/hengunadi/building_llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1105
#1 0x8178f78 in t2p_writeproc /tiff-4.0.9/tools/tiff2pdf.c:405:21
#2 0xf7f776d5 in TIFFAppendToStrip /tiff-4.0.9/libtiff/tif_write.c:771:7
#3 0xf7f75c07 in TIFFWriteEncodedStrip /tiff-4.0.9/libtiff/tif_write.c:273:14
#4 0x8195e20 in t2p_readwrite_pdf_image_tile /tiff-4.0.9/tools/tiff2pdf.c:3192:17
#5 0x817b89e in t2p_write_pdf /tiff-4.0.9/tools/tiff2pdf.c:5544:16
#6 0x8177eaf in main /tiff-4.0.9/tools/tiff2pdf.c:808:2
#7 0xf7afae80 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e80)
#8 0x80619a1 in _start (/home/hendrag/llvm_asan/tiff409c710_debug_llvm_norm/debugbuild/bin/tiff2pdf+0x80619a1)
0xf580027f is located 0 bytes to the right of 15-byte region [0xf5800270,0xf580027f)
allocated by thread T0 here:
#0 0x81320ef in malloc /home/hengunadi/building_llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:146
#1 0xf7f7d17f in _TIFFmalloc /tiff-4.0.9/libtiff/tif_unix.c:316:10
#2 0x8193a56 in t2p_readwrite_pdf_image_tile /tiff-4.0.9/tools/tiff2pdf.c:2973:30
#3 0x817b89e in t2p_write_pdf /tiff-4.0.9/tools/tiff2pdf.c:5544:16
#4 0x8177eaf in main /tiff-4.0.9/tools/tiff2pdf.c:808:2
#5 0xf7afae80 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e80)
Upon debugging, I suspect it is due to the fact that the input PLANARCONFIG is not PLANARCONFIG_CONTIG;
hence, there is a mismatch in the buffer allocated to be written in t2p_readwrite_pdf_image_tile, leading to a heap-buffer over-read.
I'm aware that this is not triggered in the latest build; however, I still see a problematic line at tiff2pdf.c:3178.
The problem is that the PLANARCONFIG of the output is set to PLANARCONFIG_CONTIG regardless of the input's.
FYI, by the latest build I mean commit ea2e933b17078a6517f1ee888ea4da72fa1104b1.
As such, I want to confirm whether this is a bug.
Let me elaborate what happened on my machine:
- tiff_datasize is assigned the size of the tile (TIFFVTileSize64). As PLANARCONFIG is not PLANARCONFIG_CONTIG, the branch is not hit and the return value is 5.
- When allocating the buffer in tiff2pdf.c:3020, the size is based on tiff_datasize, which is 15 (derived from the first step).
- This buffer is then used as the input to TIFFWriteEncodedStrip at tiff2pdf.c:3247.
- As an argument to TIFFWriteEncodedStrip, it calculates the size of the output strip (TIFFVStripSize64). As PLANARCONFIG is PLANARCONFIG_CONTIG, the branch is hit and the return value is 6.
- The derived size value is 18, which does not match the 15 allocated. Hence, a buffer over-read occurs when trying to copy 18 bytes from 15 bytes of input.
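The following is an added illustration of the size mismatch described above; it is not code from the report, from tiff2pdf or from libtiff. It models libtiff's row-size arithmetic (width * bitspersample bits, multiplied by samplesperpixel only for PLANARCONFIG_CONTIG, rounded up to bytes, then multiplied by the row count; the YCbCr subsampling special case is left out) and the tile and strip geometry is constructed for the example, so it does not reproduce the exact 15/18 byte values of the fuzzed file. The function names (model_row_size, model_buffer_size, contig_strip_fits, write_strip_checked) are this example's own:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag values libtiff uses for PlanarConfiguration. */
#define PLANARCONFIG_CONTIG   1
#define PLANARCONFIG_SEPARATE 2

/* Round a bit count up to whole bytes (like libtiff's TIFFhowmany8). */
static uint64_t howmany8(uint64_t bits) { return (bits + 7) / 8; }

/* Simplified model of TIFFTileRowSize64 / TIFFScanlineSize64: a row holds
 * width*bps bits, times samplesperpixel only when planes are interleaved
 * (CONTIG). A SEPARATE image stores one sample per plane, so its row is
 * spp times smaller. The YCbCr subsampling branch is omitted here. */
uint64_t model_row_size(uint32_t width, uint16_t bps, uint16_t spp, uint16_t planar)
{
    uint64_t bits = (uint64_t)width * bps;
    if (planar == PLANARCONFIG_CONTIG)
        bits *= spp;
    return howmany8(bits);
}

/* rows * row size: the model's TIFFVTileSize64 / TIFFVStripSize64. */
uint64_t model_buffer_size(uint32_t width, uint32_t rows, uint16_t bps,
                           uint16_t spp, uint16_t planar)
{
    return (uint64_t)rows * model_row_size(width, bps, spp, planar);
}

/* The check the converter is missing: does a CONTIG output strip of this
 * geometry fit in a buffer that was sized from the input's (possibly
 * SEPARATE) geometry? Returns 1 when it fits, 0 when the writer would
 * read past the allocation. */
int contig_strip_fits(uint64_t allocated, uint32_t width, uint32_t rows,
                      uint16_t bps, uint16_t spp)
{
    return model_buffer_size(width, rows, bps, spp, PLANARCONFIG_CONTIG) <= allocated;
}

/* Model of the write path: copy `claimed` bytes from a source that only
 * holds `src_len` valid bytes. Returns bytes copied, or -1 instead of
 * over-reading the source (which is what fwrite did in the ASAN trace). */
int64_t write_strip_checked(uint8_t *dst, size_t dst_len,
                            const uint8_t *src, size_t src_len, size_t claimed)
{
    if (claimed > src_len || claimed > dst_len)
        return -1;
    memcpy(dst, src, claimed);
    return (int64_t)claimed;
}

int main(void)
{
    /* Constructed geometry: a 4x3 tile, 8 bits per sample, 3 samples per pixel. */
    uint32_t width = 4, rows = 3;
    uint16_t bps = 8, spp = 3;
    uint64_t in_size  = model_buffer_size(width, rows, bps, spp, PLANARCONFIG_SEPARATE);
    uint64_t out_size = model_buffer_size(width, rows, bps, spp, PLANARCONFIG_CONTIG);
    uint8_t in_buf[64] = {0}, out_buf[64];

    printf("input tile (SEPARATE):  %llu bytes allocated\n", (unsigned long long)in_size);
    printf("output strip (CONTIG): %llu bytes expected by the writer\n", (unsigned long long)out_size);
    if (!contig_strip_fits(in_size, width, rows, bps, spp))
        printf("mismatch: writer would read %llu bytes past the buffer\n",
               (unsigned long long)(out_size - in_size));

    int64_t n = write_strip_checked(out_buf, sizeof out_buf, in_buf, (size_t)in_size, (size_t)out_size);
    printf("checked write returned %lld (-1 means refused)\n", (long long)n);
    return 0;
}
```

With these constructed parameters the SEPARATE tile is 12 bytes while the CONTIG strip the writer expects is 36 bytes, so the unchecked copy would read 24 bytes past the allocation; the guard refuses the write instead. The same comparison, done before handing the buffer to the encoded-strip writer, is the check a fix for the reported path would need.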