Submission #621797: LibTIFF v4.7.0 Buffer Overflow

Title: LibTIFF v4.7.0 Buffer Overflow
Description: A crafted TIFF file triggers a global buffer overflow in thumbnail due to out-of-bounds access in the setrow() function.

Execute the following command using the crafted PoC file:

    ./tools/thumbnail -c linear -h 274 -w 216 /home/poc /tmp/output.tif

Observe the ASan output, which includes:

    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    _TIFFVSetField: /home/poc: Bad value 65282 for "FillOrder" tag.
    TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
    TIFFReadDirectory: Warning, Invalid data type for tag StripOffsets.
    TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.
    TIFFFetchNormalTag: Defined set_get_field_type of custom tag 37008 (Tag 37008) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFFetchNormalTag: Defined set_get_field_type of custom tag 144 (Tag 144) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFReadDirectory: Warning, Invalid data type for tag StripByteCounts.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 0"; tag ignored.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 3840"; tag ignored.
    rastersize=16512
    Fax4Decode: Warning, Line length mismatch at line 0 of strip 0 (got 4129, expected 4128).
    Fax4Decode: Warning, Line length mismatch at line 2 of strip 0 (got 4129, expected 4128).
    Fax4Decode: Uncompressed data (not supported) at line 4 of strip 0 (x 587).
    Fax4Decode: Warning, Premature EOL at line 4 of strip 0 (got 587, expected 4128).
    Fax4Decode: Uncompressed data (not supported) at line 5 of strip 0 (x 127).
    Fax4Decode: Warning, Premature EOL at line 5 of strip 0 (got 127, expected 4128).
    Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 125, expected 4128).
    bpr=516, sy=0, bpr*sy=0
    bpr=516, sy=0, bpr*sy=0
    bpr=516, sy=0, bpr*sy=0
    bpr=516, sy=0, bpr*sy=0
    bpr=516, sy=0, bpr*sy=0
    bpr=516, sy=0, bpr*sy=0
    bpr=516, sy=0, bpr*sy=0
    bpr=516, sy=0, bpr*sy=0
    bpr=516, sy=0, bpr*sy=0
    bpr=516, sy=1, bpr*sy=516
    =================================================================
    ==179828==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000fe862b at pc 0x0000004d45b2 bp 0x7fffcdd5f5f0 sp 0x7fffcdd5f5e8
    READ of size 1 at 0x000000fe862b thread T0
        #0 0x4d45b1 in setrow /home/libtiff/tools/thumbnail.c:623:18
        #1 0x4d45b1 in setImage1 /home/libtiff/tools/thumbnail.c:663:9
        #2 0x4d45b1 in setImage /home/libtiff/tools/thumbnail.c:672:5
        #3 0x4d45b1 in generateThumbnail /home/libtiff/tools/thumbnail.c:714:5
        #4 0x4d45b1 in main /home/libtiff/tools/thumbnail.c:132:18
        #5 0x7fe869acd082 in __libc_start_main /build/glibc-FcRMwW/glibc-2.31/csu/../csu/libc-start.c:308:16
        #6 0x41e8bd in _start (/home/libtiff/tools/thumbnail+0x41e8bd)

    0x000000fe862b is located 53 bytes to the left of global variable '_TIFFextender' defined in '/home/libtiff/libtiff/tif_dir.c:1673:23' (0xfe8660) of size 8
    0x000000fe862b is located 11 bytes to the right of global variable 'cmap' defined in '/home/libtiff/tools/thumbnail.c:438:16' (0xfe8520) of size 256
    SUMMARY: AddressSanitizer: global-buffer-overflow /home/libtiff/tools/thumbnail.c:623:18 in setrow
    Shadow bytes around the buggy address:
      0x0000801f5070: 04 f9 f9 f9 04 f9 f9 f9 00 00 00 00 00 00 00 00
      0x0000801f5080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801f5090: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9
      0x0000801f50a0: 02 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801f50b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0000801f50c0: 00 00 00 00 f9[f9]f9 f9 f9 f9 f9 f9 00 f9 f9 f9
      0x0000801f50d0: 00 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9 00 00 00 00
      0x0000801f50e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801f50f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000801f5100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9
      0x0000801f5110: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==179828==ABORTING
Source: https://gitlab.com/libtiff/libtiff/-/issues/715
User: arthurx (UID 87796)
Submitted: 24/07/2025 11:01 (9 months ago)
Moderated: 25/07/2025 10:11 (23 hours later)
Status: Accepted
VulDB Entry: 317591 [LibTIFF up to 4.7.0 tools/thumbnail.c setrow buffer overflow]
Points: 20
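As an added illustration of the bug class behind this trace (example code written for this page, not libtiff's thumbnail.c and not the reporter's PoC): a 256-byte global lookup table, named cmap to mirror the trace, indexed by a value computed from untrusted pixel data with no bound check, beside the bounds-checked form. The page does not show how thumbnail.c computes its index or why it exceeds 255; the declared-versus-actual row-count mismatch used as the trigger, the helper names (raw_index, setrow_unchecked, setrow_checked, checked_sample_pixel) and the sample pixel rows are all constructed assumptions. The sample values are chosen so the bad index is 267, the same 11-bytes-past-cmap offset ASan reports above.

```c
/* Added example, not libtiff code and not the reporter's PoC.  It models the
 * bug class in the trace: a 256-byte global table (named cmap here, as in the
 * trace) indexed by untrusted image data with no bound check.  How thumbnail.c
 * derives its index is not on this page; the row-count mismatch is constructed. */
#include <stdint.h>
#include <stdio.h>

#define CMAP_SIZE 256u
static uint8_t cmap[CMAP_SIZE];          /* 256 bytes, like the real 'cmap' */

static void init_cmap(void)              /* identity curve: cmap[i] == i */
{
    for (unsigned i = 0; i < CMAP_SIZE; i++) cmap[i] = (uint8_t)i;
}

static uint32_t popcount8(uint8_t b)
{
    uint32_t n = 0;
    for (; b; b >>= 1) n += b & 1u;
    return n;
}

/* Table index for output column x: count set bits in column x over the rows
 * actually summed, then rescale to 0..255 assuming the count cannot exceed
 * nrows_declared * 8.  If nrows_declared < nrows_actual, the result passes 255. */
static uint32_t raw_index(const uint8_t *const rows[], uint32_t nrows_actual,
                          uint32_t nrows_declared, uint32_t x)
{
    uint64_t acc = 0;
    for (uint32_t r = 0; r < nrows_actual; r++)
        acc += popcount8(rows[r][x]);
    return (uint32_t)(acc * (CMAP_SIZE - 1) / ((uint64_t)nrows_declared * 8u));
}

/* Vulnerable shape: the index goes straight into the global table.  Built
 * with -fsanitize=address, an index >= 256 is reported as a global-buffer-
 * overflow READ of size 1 just past cmap, as in the trace above. */
static void setrow_unchecked(uint8_t *out, uint32_t width,
                             const uint8_t *const rows[],
                             uint32_t nrows_actual, uint32_t nrows_declared)
{
    for (uint32_t x = 0; x < width; x++)
        out[x] = cmap[raw_index(rows, nrows_actual, nrows_declared, x)];
}

/* Hardened shape: reject inconsistent scale inputs once, then bound every
 * index before the lookup.  Returns 0, or -1 if the inputs are rejected. */
static int setrow_checked(uint8_t *out, uint32_t width,
                          const uint8_t *const rows[],
                          uint32_t nrows_actual, uint32_t nrows_declared)
{
    if (nrows_declared == 0 || nrows_declared < nrows_actual)
        return -1;                       /* divide-by-zero or index > 255 */
    for (uint32_t x = 0; x < width; x++) {
        uint32_t idx = raw_index(rows, nrows_actual, nrows_declared, x);
        if (idx >= CMAP_SIZE) idx = CMAP_SIZE - 1;   /* belt and braces; unreachable after the check */
        out[x] = cmap[idx];
    }
    return 0;
}

/* Constructed sample (not from a real TIFF): 6 rows x 4 columns.  Declaring
 * 5 rows makes column 0 (42 set bits) map to index 267, i.e. 11 bytes past a
 * 256-byte cmap, the same offset the trace reports; column 1 lands on 255. */
#define SAMPLE_ROWS  6u
#define SAMPLE_WIDTH 4u
static const uint8_t sample[SAMPLE_ROWS][SAMPLE_WIDTH] = {
    {0xFF, 0xFF, 0x00, 0x0F}, {0xFF, 0xFF, 0x00, 0x0F}, {0xFF, 0xFF, 0x00, 0x0F},
    {0xFF, 0xFF, 0x00, 0x0F}, {0xFF, 0xFF, 0x00, 0x0F}, {0x03, 0x00, 0x00, 0x0F},
};
static const uint8_t *const sample_rows[SAMPLE_ROWS] = {
    sample[0], sample[1], sample[2], sample[3], sample[4], sample[5],
};

/* Hardened path over the sample: mapped value of column x, or -1 if the
 * declared row count was rejected. */
static int checked_sample_pixel(uint32_t declared, uint32_t x)
{
    uint8_t out[SAMPLE_WIDTH];
    init_cmap();
    if (setrow_checked(out, SAMPLE_WIDTH, sample_rows, SAMPLE_ROWS, declared))
        return -1;
    return out[x];
}

int main(int argc, char **argv)
{
    (void)argv;
    for (uint32_t x = 0; x < SAMPLE_WIDTH; x++) {
        uint32_t idx = raw_index(sample_rows, SAMPLE_ROWS, 5, x);
        printf("column %u: index %u%s\n", x, idx, idx >= CMAP_SIZE ? " (past cmap)" : "");
    }
    printf("hardened path: declared=5 -> %d, declared=6 -> %d\n",
           checked_sample_pixel(5, 0), checked_sample_pixel(6, 0));
    if (argc > 1) {                      /* any argument: opt in to the OOB read */
        uint8_t out[SAMPLE_WIDTH];
        init_cmap();
        setrow_unchecked(out, SAMPLE_WIDTH, sample_rows, SAMPLE_ROWS, 5);
    }
    return 0;
}
```

Build with -fsanitize=address -g and run with any argument to perform the unchecked lookup; ASan then reports a global-buffer-overflow READ of size 1 on cmap from setrow_unchecked, the same shape as the trace above. Without an argument the program only prints the computed indices (267, 255, 0, 153 for declared=5) and the hardened path's verdict, which rejects declared=5 outright rather than relying on the clamp.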
