Created attachment 1416303 [details]
The vulnerability is triggered by ./tiff2pdf $FILE

Description of problem:
In LibTIFF 4.0.9, there is a Use-After-Free (UAF) bug in the t2p_writeproc function in tools/tiff2pdf.c. This UAF bug can lead to harmful damages. For example, a crafted TIFF document can trigger an out-of-bounds write in t2pWriteFile, an invalid free in TIFFFreeDirectory, memory corruption in t2p_writeproc. It probably could cause arbitrary code execution.

Version-Release number of selected component (if applicable):
LibTIFF 4.0.9

How reproducible:
The vulnerability is triggered by ./tiff2pdf $FILE

Steps to Reproduce:
1. Build the LibTIFF 4.0.9 source code with ASAN (AddressSanitizer)
2. Run tiff2pdf file with the attached POC file
3. Crashed :^(

Actual results:
==48156==ERROR: AddressSanitizer: heap-use-after-free on address 0xf47024d0 at pc 0x080e3ebd bp 0xffa85548 sp 0xffa85120
READ of size 32 at 0xf47024d0 thread T0
    #0 0x80e3ebc in fwrite (/home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf+0x80e3ebc)
    #1 0x8165c8c in t2p_writeproc /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:405:21
    #2 0x8167fd3 in t2pWriteFile /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:379:10
    #3 0x8167fd3 in t2p_write_pdf_stream /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:3989
    #4 0x8167fd3 in t2p_write_pdf_transfer_stream /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:5017
    #5 0x8167fd3 in t2p_write_pdf /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:5497
    #6 0x81639fb in main /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:808:2
    #7 0xf74ab636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #8 0x8062d57 in _start (/home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf+0x8062d57)

0xf47024d0 is located 0 bytes inside of 32-byte region [0xf47024d0,0xf47024f0)
freed by thread T0 here:
    #0 0x812627c in __interceptor_cfree.localalias.1 (/home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf+0x812627c)
    #1 0x81b0dad in TIFFFreeDirectory /home/zdi/dataset/libtiff-Release-v4-0-9/libtiff/tif_dir.c:1266:2
    #2 0x81cc9ba in TIFFSetDirectory /home/zdi/dataset/libtiff-Release-v4-0-9/libtiff/tif_dir.c:1622:10
    #3 0x816f7a3 in t2p_read_tiff_data /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:1274:2
    #4 0x8166dd0 in t2p_write_pdf /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:5463:3
    #5 0x81639fb in main /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:808:2

previously allocated by thread T0 here:
    #0 0x8126444 in malloc (/home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf+0x8126444)
    #1 0x81b7eca in setByteArray /home/zdi/dataset/libtiff-Release-v4-0-9/libtiff/tif_dir.c:54:19
    #2 0x81b7eca in _TIFFsetShortArray /home/zdi/dataset/libtiff-Release-v4-0-9/libtiff/tif_dir.c:66
    #3 0x81b7eca in _TIFFVSetField /home/zdi/dataset/libtiff-Release-v4-0-9/libtiff/tif_dir.c:457
    #4 0x81aee29 in TIFFVSetField /home/zdi/dataset/libtiff-Release-v4-0-9/libtiff/tif_dir.c:854:6
    #5 0x81aee29 in TIFFSetField /home/zdi/dataset/libtiff-Release-v4-0-9/libtiff/tif_dir.c:798
    #6 0x81d917c in TIFFReadDirectory /home/zdi/dataset/libtiff-Release-v4-0-9/libtiff/tif_dirread.c:3931:7
    #7 0x81cc9ba in TIFFSetDirectory /home/zdi/dataset/libtiff-Release-v4-0-9/libtiff/tif_dir.c:1622:10
    #8 0x816d204 in t2p_read_tiff_init /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:1131:3
    #9 0x81661ec in t2p_write_pdf /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:5431:2
    #10 0x81639fb in main /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:808:2

SUMMARY: AddressSanitizer: heap-use-after-free (/home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf+0x80e3ebc) in fwrite
Shadow bytes around the buggy address:
  0x3e8e0440: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x3e8e0450: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fa fa
  0x3e8e0460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e8e0470: fa fa fa fa fa fa 00 00 00 00 fa fa fd fd fd fa
  0x3e8e0480: fa fa 00 00 00 00 fa fa 00 00 00 07 fa fa fd fd
=>0x3e8e0490: fd fa fa fa fd fd fd fd fa fa[fd]fd fd fd fa fa
  0x3e8e04a0: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
  0x3e8e04b0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x3e8e04c0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x3e8e04d0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x3e8e04e0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==48156==ABORTING

Expected results:
Arbitrary Code Execution

Additional info:
This vulnerability is detected by team SFT@ADD, with our custom fuzzer hybridAFL. Please contact develacker if you need more info about the vulnerability. :^)
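Added example, not libtiff's or the reporter's code: a small C model of the ownership pattern the ASan trace in this report points at, where the 32-byte region is allocated by _TIFFsetShortArray inside TIFFReadDirectory, freed by TIFFFreeDirectory when t2p_read_tiff_data calls TIFFSetDirectory, and then read by fwrite from t2p_write_pdf_transfer_stream. That the region is a transfer-function array is my inference from those frames and from the 16-entry, 32-byte /TR function objects in the PDF output later in the thread; the FakeTIFF type, the fake_* functions, the ramp data and the snapshot type are all constructed here to show the cached-pointer pattern next to the copy-at-read-time fix.

```c
/* Model of the ownership bug: the library owns per-directory tag arrays and frees
 * them on a directory switch; a caller that cached the raw pointers TIFFGetField()
 * handed out is left holding dangling pointers. Constructed, not libtiff code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BITSPERSAMPLE 4
#define TF_ENTRIES (1 << BITSPERSAMPLE)   /* 16 entries x 2 bytes = the 32-byte region */

/* Stand-in for libtiff's current-directory state (like td_transferfunction). */
typedef struct { uint16_t *transferfunction[3]; } FakeDirectory;

typedef struct {
    FakeDirectory dir;
    uintptr_t freed_log[64];              /* addresses released so far (ASan-style quarantine) */
    size_t nfreed;
} FakeTIFF;

/* _TIFFsetShortArray stand-in: the library keeps its own heap copy of tag data. */
static uint16_t *set_short_array(const uint16_t *src, size_t n)
{
    uint16_t *p = malloc(n * sizeof *p);
    if (p) memcpy(p, src, n * sizeof *p);
    return p;
}

/* TIFFFreeDirectory stand-in. The log matters because malloc may hand the same
 * address back for the next directory, which is why this bug stays silent without ASan. */
static void fake_free_directory(FakeTIFF *tif)
{
    for (int c = 0; c < 3; c++) {
        if (tif->dir.transferfunction[c] && tif->nfreed < 64)
            tif->freed_log[tif->nfreed++] = (uintptr_t)tif->dir.transferfunction[c];
        free(tif->dir.transferfunction[c]);
        tif->dir.transferfunction[c] = NULL;
    }
}

/* Constructed transfer function for directory `dirnum`: a 16-bit ramp, scaled per directory. */
static uint16_t expected_entry(int dirnum, int i)
{
    return (uint16_t)((i * 4369) / (dirnum + 1));   /* 4369 = 65535 / 15 */
}

/* TIFFSetDirectory stand-in: frees the old directory, then "reads" the new one. */
static int fake_set_directory(FakeTIFF *tif, int dirnum)
{
    uint16_t ramp[TF_ENTRIES];
    fake_free_directory(tif);
    for (int i = 0; i < TF_ENTRIES; i++) ramp[i] = expected_entry(dirnum, i);
    for (int c = 0; c < 3; c++) {
        tif->dir.transferfunction[c] = set_short_array(ramp, TF_ENTRIES);
        if (!tif->dir.transferfunction[c]) return 0;
    }
    return 1;
}

/* Address-only check, so the dangling pointer is never dereferenced. */
static int points_into_freed(const FakeTIFF *tif, const void *p)
{
    for (size_t k = 0; k < tif->nfreed; k++)
        if (tif->freed_log[k] == (uintptr_t)p) return 1;
    return 0;
}

/* Vulnerable pattern: keep the library's pointer across the directory switch.
 * Returns 1 when the cached pointer dangles. */
static int demo_cached_pointer_dangles(void)
{
    FakeTIFF tif = {0};
    if (!fake_set_directory(&tif, 0)) return -1;
    uint16_t *cached = tif.dir.transferfunction[0];   /* what t2p->tiff_transferfunction[0] held */
    if (!fake_set_directory(&tif, 1)) return -1;      /* t2p_read_tiff_data moving to the next IFD */
    int dangling = points_into_freed(&tif, cached);
    fake_free_directory(&tif);
    return dangling;
}

/* Hardened pattern: copy the entries into caller-owned storage at read time, so the
 * PDF writer later reads memory the converter owns rather than the library's. */
typedef struct { uint16_t tf[3][TF_ENTRIES]; } TransferSnapshot;

static void snapshot_transfer_function(const FakeTIFF *tif, TransferSnapshot *snap)
{
    for (int c = 0; c < 3; c++)
        memcpy(snap->tf[c], tif->dir.transferfunction[c], sizeof snap->tf[c]);
}

/* Returns 1 when the snapshot still holds directory 0's data after the switch. */
static int demo_snapshot_survives_switch(void)
{
    FakeTIFF tif = {0};
    TransferSnapshot snap;
    int ok = 1;
    if (!fake_set_directory(&tif, 0)) return -1;
    snapshot_transfer_function(&tif, &snap);
    if (!fake_set_directory(&tif, 1)) return -1;      /* frees directory 0's arrays */
    for (int c = 0; c < 3; c++)
        for (int i = 0; i < TF_ENTRIES; i++)
            if (snap.tf[c][i] != expected_entry(0, i)) ok = 0;
    fake_free_directory(&tif);
    return ok;
}
```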
Hi Hwiwon, I'm unable to reproduce this with ASAN nor afl. Could you please provide more info on how to reproduce this. Thanks
Hello Laura,

I tested on Ubuntu 16.04 64bit Server
Download URL : https://download.osgeo.org/libtiff/tiff-4.0.9.tar.gz

(in tiff source code dir)
$ export CC=~/afl/afl-clang
$ export CXX=~/afl/afl-clang++
$ export CFLAGS="-fsanitize=address -g"      (also -m32 option is possible)
$ export CXXFLAGS="-fsanitize=address -g"    (also -m32 option is possible)
$ ./configure
$ make -j$(nproc) clean all
$ ./tools/tiff2pdf POC1
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 387 (0x183) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" does not end in null byte.
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
TIFFAdvanceDirectory: Error fetching directory count.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 387 (0x183) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" does not end in null byte.
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 98 (0x62) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 17420 (0x440c) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8832 (0x2280) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 24655 (0x604f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 62085 (0xf285) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 51248 (0xc830) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 31350 (0x7a76) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59310 (0xe7ae) encountered.
TIFFReadDirectory: Warning, Incorrect count for "ColorMap"; tag ignored.
POC1: AdobeDeflate compression support is not configured.
%PDF-1.2
%㤏
1 0 obj
<<
/Type /Catalog
/Pages 3 0 R
>>
endobj
2 0 obj
<<
/CreationDate (D:20180407053609)
/ModDate (D:20180407053609)
/Producer (libtiff / tiff2pdf - 20171118)
/Title (ll\007\304Q0\310>L|O\210mM\210)
>>
endobj
3 0 obj
<<
/Type /Pages
/Kids [ 4 0 R 11 0 R 18 0 R ]
/Count 3
>>
endobj
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 387 (0x183) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" does not end in null byte.
TIFFReadDirectory: Warning, Bogus "StripByteCounts" field, ignoring and calculating from imagelength.
4 0 obj
<<
/Type /Page
/Parent 3 0 R
/MediaBox [0.0000 0.0000 0.6552 0.0001]
/Contents 5 0 R
/Resources <<
/XObject << /Im1 9 0 R >>
/ExtGState <</GS1 7 0 R >>
/ProcSet [ /ImageC ]
>>
>>
endobj
5 0 obj
<<
/Length 6 0 R
>>
stream
q /GS1 gs 0.6552 0.0000 0.0000 0.0001 0.0000 0.0000 cm /Im1 Do Q
endstream
endobj
6 0 obj
66
endobj
7 0 obj
<<
/Type /ExtGState
/TR [ 8 0 R 9 0 R 10 0 R /Identity ]
>>
endobj
8 0 obj
<<
/FunctionType 0
/Domain [0.0 1.0]
/Range [0.0 1.0]
/Size [16]
/BitsPerSample 16
/Length 32
>>
stream
YP罁X
endstream
endobj
9 0 obj
<<
/FunctionType 0
/Domain [0.0 1.0]
/Range [0.0 1.0]
/Size [16]
/BitsPerSample 16
/Length 32
>>
stream
=================================================================
==89041==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000002c80 at pc 0x00000049e6ec bp 0x7fff50caab40 sp 0x7fff50caa2f0
READ of size 32 at 0x603000002c80 thread T0
    #0 0x49e6eb in fwrite (/home/zdi/poc/tiff-4.0.9/tools/.libs/lt-tiff2pdf+0x49e6eb)
    #1 0x515f64 in t2p_writeproc /home/zdi/poc/tiff-4.0.9/tools/tiff2pdf.c:405:21
    #2 0x518236 in t2pWriteFile /home/zdi/poc/tiff-4.0.9/tools/tiff2pdf.c:379:10
    #3 0x518236 in t2p_write_pdf_stream /home/zdi/poc/tiff-4.0.9/tools/tiff2pdf.c:3989
    #4 0x518236 in t2p_write_pdf_transfer_stream /home/zdi/poc/tiff-4.0.9/tools/tiff2pdf.c:5017
    #5 0x518236 in t2p_write_pdf /home/zdi/poc/tiff-4.0.9/tools/tiff2pdf.c:5497
    #6 0x513da6 in main /home/zdi/poc/tiff-4.0.9/tools/tiff2pdf.c:808:2
    #7 0x7fe6c3e8f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x41a788 in _start (/home/zdi/poc/tiff-4.0.9/tools/.libs/lt-tiff2pdf+0x41a788)

0x603000002c80 is located 0 bytes inside of 32-byte region [0x603000002c80,0x603000002ca0)
freed by thread T0 here:
    #0 0x4db0c0 in __interceptor_cfree.localalias.0 (/home/zdi/poc/tiff-4.0.9/tools/.libs/lt-tiff2pdf+0x4db0c0)
    #1 0x7fe6c4dc01c8 in TIFFFreeDirectory /home/zdi/poc/tiff-4.0.9/libtiff/tif_dir.c:1266:2

previously allocated by thread T0 here:
    #0 0x4db288 in __interceptor_malloc (/home/zdi/poc/tiff-4.0.9/tools/.libs/lt-tiff2pdf+0x4db288)
    #1 0x7fe6c4dc421e in setByteArray /home/zdi/poc/tiff-4.0.9/libtiff/tif_dir.c:54:19
    #2 0x7fe6c4dc421e in _TIFFsetShortArray /home/zdi/poc/tiff-4.0.9/libtiff/tif_dir.c:66
    #3 0x7fe6c4dc421e in _TIFFVSetField /home/zdi/poc/tiff-4.0.9/libtiff/tif_dir.c:457
    #4 0x7fe6c4dbe414 in TIFFVSetField /home/zdi/poc/tiff-4.0.9/libtiff/tif_dir.c:854:6
    #5 0x7fe6c4dbe414 in TIFFSetField /home/zdi/poc/tiff-4.0.9/libtiff/tif_dir.c:798
    #6 0x7fe6c4defe1f in TIFFReadDirectory /home/zdi/poc/tiff-4.0.9/libtiff/tif_dirread.c:3931:7
    #7 0x7fe6c4de41ba in TIFFSetDirectory /home/zdi/poc/tiff-4.0.9/libtiff/tif_dir.c:1622:10
    #8 0x51cda6 in t2p_read_tiff_init /home/zdi/poc/tiff-4.0.9/tools/tiff2pdf.c:1131:3
    #9 0x516380 in t2p_write_pdf /home/zdi/poc/tiff-4.0.9/tools/tiff2pdf.c:5431:2
    #10 0x513da6 in main /home/zdi/poc/tiff-4.0.9/tools/tiff2pdf.c:808:2

SUMMARY: AddressSanitizer: heap-use-after-free (/home/zdi/poc/tiff-4.0.9/tools/.libs/lt-tiff2pdf+0x49e6eb) in fwrite
Shadow bytes around the buggy address:
  0x0c067fff8540: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8550: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8560: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8570: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8580: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
=>0x0c067fff8590:[fd]fd fd fd fa fa fd fd fd fd fa fa 00 00 04 fa
  0x0c067fff85a0: fa fa 00 00 04 fa fa fa 00 00 04 fa fa fa 00 00
  0x0c067fff85b0: 04 fa fa fa 00 00 04 fa fa fa 00 00 00 00 fa fa
  0x0c067fff85c0: fd fd fd fa fa fa 00 00 00 00 fa fa fa fa fa fa
  0x0c067fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==89041==ABORTING

Thank you :^)
I omitted the info of AFL and Clang :^)

afl version : 2.52
clang version : 5.0.0-3~16.04.1
llvm-config : 5.0.0
llvm-symbolizer : 5.0.0
URL : http://lcamtuf.coredump.cx/afl/releases/afl-2.52b.tgz

(in afl source code dir)
$ make
$ make -C llvm_mode
Thanks Hwiwon! I was able to reproduce this with your instructions. Our team will analyze this and define the next steps.

Regards!
Hi Hwiwon, Have you reported this upstream to libTIFF? Thank you.
Hello Scott, I don't understand what reporting this upstream to libTIFF means exactly. Would you explain in more detail please? Thank you.
Hi Hwiwon, Sure. Have you sent the details of your findings to the maintainers of libtiff? You can find more information here: http://www.simplesystems.org/libtiff/bugs.html. Thank you.
Hello Scott, Thank you for your kind explanation :) I just reported this upstream to libTIFF and the URL is the following:
http://bugzilla.maptools.org/show_bug.cgi?id=2796
Thanks :^)
*** This bug has been marked as a duplicate of bug 1565166 ***