Submission #621796: LibTIFF v4.7.0 Use After Free

Title: LibTIFF v4.7.0 Use After Free
Description: A heap-use-after-free vulnerability was discovered in tiffmedian (part of libtiff tools), triggered when processing a malformed TIFF file.

Execute the following command using the crafted PoC file:

./tools/tiffmedian -C 256 -c lzw:2 -f poc /tmp/output.tif

Observe the ASan output, which includes:

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Incorrect count for "ColorMap"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
DumpModeDecode: Not enough data for scanline 1, expected a request for at most 24 bytes, got a request for 192 bytes.
=================================================================
==1477694==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00000b480 at pc 0x0000004d75d1 bp 0x7ffc11bdded0 sp 0x7ffc11bddec8
READ of size 4 at 0x61d00000b480 thread T0
    #0 0x4d75d0 in quant_fsdither /home/libtiff/tools/tiffmedian.c
    #1 0x4d75d0 in main /home/libtiff/tools/tiffmedian.c:311:9
    #2 0x7f319db05082 in __libc_start_main /build/glibc-FcRMwW/glibc-2.31/csu/../csu/libc-start.c:308:16
    #3 0x41e89d in _start (/home/libtiff/tools/tiffmedian+0x41e89d)

0x61d00000b480 is located 0 bytes inside of 2052-byte region [0x61d00000b480,0x61d00000bc84)
freed by thread T0 here:
    #0 0x49ade2 in __interceptor_free (/home/libtiff/tools/tiffmedian+0x49ade2)
    #1 0x4d458f in map_colortable /home/libtiff/tools/tiffmedian.c:831:5
    #2 0x4d458f in main /home/libtiff/tools/tiffmedian.c:266:5
    #3 0x7f319db05082 in __libc_start_main /build/glibc-FcRMwW/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x49b04d in malloc (/home/libtiff/tools/tiffmedian+0x49b04d)
    #1 0x4d8ec1 in create_colorcell /home/libtiff/tools/tiffmedian.c:707:21

SUMMARY: AddressSanitizer: heap-use-after-free /home/libtiff/tools/tiffmedian.c in quant_fsdither
==1477694==ABORTING
Source: https://gitlab.com/libtiff/libtiff/-/issues/707
User: arthurx (UID 87796)
Submitted: 24/07/2025 10:57 (9 months ago)
Moderated: 25/07/2025 10:11 (23 hours later)
Status: Accepted
VulDB entry: 317590 [LibTIFF up to 4.7.0 tools/tiffmedian.c get_histogram buffer overflow]
Points: 20
