2019.08.19 08:27 "[Tiff] Possible Bug in Libtiff (tiff2pdf) when PLANARCONFIG in the Input is not PLANARCONFIG_CONTIG", by Hendra Gunadi
On my machine when triaging a fuzzing result on ASAN built 32-bit (v. 4.0.9) I encountered this error:
==9771==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf580027f at pc 0x080ea1dd bp 0xffffc948 sp 0xffffc520 READ of size 18 at 0xf580027f thread T0

    #0 0x80ea1dc in fwrite /home/hengunadi/building_llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1105
    #1 0x8178f78 in t2p_writeproc /tiff-4.0.9/tools/tiff2pdf.c:405:21
    #2 0xf7f776d5 in TIFFAppendToStrip /tiff-4.0.9/libtiff/tif_write.c:771:7
    #3 0xf7f75c07 in TIFFWriteEncodedStrip /tiff-4.0.9/libtiff/tif_write.c:273:14
    #4 0x8195e20 in t2p_readwrite_pdf_image_tile /tiff-4.0.9/tools/tiff2pdf.c:3192:17
    #5 0x817b89e in t2p_write_pdf /tiff-4.0.9/tools/tiff2pdf.c:5544:16
    #6 0x8177eaf in main /tiff-4.0.9/tools/tiff2pdf.c:808:2
    #7 0xf7afae80 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e80)
    #8 0x80619a1 in _start (/home/hendrag/llvm_asan/tiff409c710_debug_llvm_norm/debugbuild/bin/tiff2pdf+0x80619a1)

0xf580027f is located 0 bytes to the right of 15-byte region [0xf5800270,0xf580027f)
allocated by thread T0 here:
    #0 0x81320ef in malloc /home/hengunadi/building_llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cc:146
    #1 0xf7f7d17f in _TIFFmalloc /tiff-4.0.9/libtiff/tif_unix.c:316:10
    #2 0x8193a56 in t2p_readwrite_pdf_image_tile /tiff-4.0.9/tools/tiff2pdf.c:2973:30
    #3 0x817b89e in t2p_write_pdf /tiff-4.0.9/tools/tiff2pdf.c:5544:16
    #4 0x8177eaf in main /tiff-4.0.9/tools/tiff2pdf.c:808:2
    #5 0xf7afae80 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18e80)

Upon debugging, I suspect it is due to the fact that the input PLANARCONFIG is not PLANARCONFIG_CONTIG; hence, there is a mismatch in the buffer allocated to be written in t2p_readwrite_pdf_image_tile, leading to a heap buffer over-read.

I'm aware that this is not triggered in the latest build; however, I still see there is a problematic line at tiff2pdf.c:3178.

The problem is that the PLANARCONFIG of the output is set to PLANARCONFIG_CONTIG regardless of the input's.

FYI, by "the latest build" I mean commit ea2e933b17078a6517f1ee888ea4da72fa1104b1.

As such, I want to confirm whether this is a bug.

Let me elaborate on what happened on my machine:

  1. tiff_datasize is assigned the size of the tile (TIFFVTileSize64). As PLANARCONFIG is not PLANARCONFIG_CONTIG, the branch is not hit and the return value is 5.
  2. When allocating the buffer in tiff2pdf.c:3020, it is based on the size of tiff_datasize, which is 15 (derived from (1)).
  3. This buffer is then used as the input to the function TIFFWriteEncodedStrip at tiff2pdf.c:3247.
  4. As an argument to TIFFWriteEncodedStrip, the size of the output strip is calculated (TIFFVStripSize64). As PLANARCONFIG is PLANARCONFIG_CONTIG, the branch is hit and the return value is 6.
  5. The derived size value is 18, which does not match the 15 allocated. Hence, there is a buffer over-read when trying to copy 18 bytes from 15 bytes of input.
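The size mismatch described in steps 1-5, as an added example that is not part of the original report or of libtiff: it uses a simplified model of how TIFFVTileSize64/TIFFVStripSize64 count bytes (constructed 5x3 RGB geometry, no subsampling), and the guard function checked_strip_write_len is hypothetical, not a tiff2pdf API.

```c
#include <stdint.h>
#include <stdio.h>

#define PLANARCONFIG_CONTIG   1   /* same values as libtiff's tiff.h */
#define PLANARCONFIG_SEPARATE 2

/* Simplified model (not libtiff's code) of tile/strip byte counting: a row
 * holds every sample of a pixel under CONTIG but only one sample plane under
 * SEPARATE. Real libtiff also handles YCbCr subsampling and other cases. */
static uint64_t row_bytes(uint32_t width, uint16_t bps, uint16_t spp, uint16_t planar)
{
    uint64_t samples = (planar == PLANARCONFIG_CONTIG) ? (uint64_t)spp : 1u;
    uint64_t bits = (uint64_t)width * bps * samples;
    return (bits + 7) / 8;                 /* round a partial byte up */
}

/* Bytes in one tile or strip of `rows` rows. */
uint64_t planar_size(uint32_t width, uint32_t rows, uint16_t bps, uint16_t spp, uint16_t planar)
{
    return row_bytes(width, bps, spp, planar) * rows;
}

/* Hypothetical guard before the encoded-strip write: the output strip must
 * not be larger than the input tile buffer it is copied from.
 * Returns the byte count to write, or 0 to refuse the write. */
uint64_t checked_strip_write_len(uint64_t tile_buffer_bytes, uint64_t output_strip_bytes)
{
    if (output_strip_bytes > tile_buffer_bytes) {
        fprintf(stderr, "refusing: strip needs %llu bytes, tile buffer holds %llu\n",
                (unsigned long long)output_strip_bytes, (unsigned long long)tile_buffer_bytes);
        return 0;
    }
    return output_strip_bytes;
}

int main(void)
{
    /* Constructed geometry: 5-pixel-wide, 3-row tile, 8 bits/sample, 3 samples. */
    uint32_t w = 5, h = 3;
    uint16_t bps = 8, spp = 3;
    /* Input is SEPARATE, so the tile buffer holds one plane: 15 bytes. */
    uint64_t in_tile = planar_size(w, h, bps, spp, PLANARCONFIG_SEPARATE);
    /* Output is forced to CONTIG, so the strip is sized for all planes: 45 bytes. */
    uint64_t out_strip = planar_size(w, h, bps, spp, PLANARCONFIG_CONTIG);
    printf("tile (SEPARATE) = %llu bytes, strip (CONTIG) = %llu bytes\n",
           (unsigned long long)in_tile, (unsigned long long)out_strip);
    uint64_t n = checked_strip_write_len(in_tile, out_strip);   /* refused: 0 */
    /* With the output planar config matching the input, the sizes agree. */
    uint64_t ok = checked_strip_write_len(in_tile, planar_size(w, h, bps, spp, PLANARCONFIG_SEPARATE));
    return (n == 0 && ok == in_tile) ? 0 : 1;
}
```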