| Title | LibTIFF TIFFCROP 4.7.0 (the newest master) Heap Corruption |
|---|
| Description | # TIFFCROP Heap Corruption Vulnerability During Block Consolidation
## Vulnerability Summary
During fuzzing of the TIFFCROP utility from LibTIFF, a critical heap corruption vulnerability was discovered that is triggered during heap block consolidation. It manifests as an inconsistency between the current block's size and the previous block's size field, which trips the glibc memory allocator's corruption detection with the error "corrupted size vs. prev_size while consolidating".
## Technical Details
- **Vulnerability Type**: Heap Corruption / Block Consolidation Error
- **Affected Function**: `main` (cleanup path)
- **Source File**: `tiffcrop.c`
- **Line Number**: 2931
- **Signal**: SIGABRT (6)
- **Detection Point**: `_int_free` at `malloc.c:4606`
- **Affected Crashes**: 7 out of 135 total crashes (5.2%)
## Vulnerability Mechanism and Root Cause
This heap corruption vulnerability is caused by inconsistent heap metadata during the block consolidation process in glibc's memory allocator. The root issue lies in the corruption of heap block size information, where the current block's size field does not match the previous block's prev_size field, indicating heap metadata corruption.
The vulnerability occurs when:
1. The tiffcrop program processes a malformed TIFF image with color inversion parameters
2. Image inversion fails due to an unsupported multi-sample pixel format
3. Memory allocation and deallocation operations corrupt heap metadata
4. During cleanup, `_int_free` attempts to consolidate adjacent free blocks (malloc.c:4606)
5. The consolidation check finds that the size fields are inconsistent and aborts the process
6. This indicates either buffer overflow corruption or use-after-free corruption of heap metadata
The heap consolidation process in glibc merges adjacent free blocks to reduce fragmentation. Before merging, it verifies that:
- The current block's size matches the next block's prev_size field
- The previous block's size matches the current block's prev_size field
When either consistency check fails, glibc treats it as heap corruption.
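The following C model, added here as an illustration and not taken from the libtiff issue, glibc, or this report, reproduces the prev_size consistency check described above on a constructed two-chunk arena and shows how an overrun from the first chunk's payload into the second chunk's header makes that check fail; the `lo` bound in `check_prev_size` and the arena layout are assumptions of the example.

```c
#include <stddef.h>
#include <string.h>

/* Added model of the glibc malloc chunk header and of the check behind
 * "corrupted size vs. prev_size while consolidating"; not libtiff/glibc code. */

#define PREV_INUSE 0x1u
#define SIZE_BITS  0x7u                 /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define HDR_BYTES  (2 * sizeof(size_t))

typedef struct {
    size_t prev_size;   /* size of the previous chunk; meaningful only when it is free */
    size_t size;        /* this chunk's size; the low 3 bits are flag bits */
} chunk_hdr;

static size_t chunksize(const chunk_hdr *p) { return p->size & ~(size_t)SIZE_BITS; }
static int prev_inuse(const chunk_hdr *p) { return (p->size & PREV_INUSE) != 0; }

/* Backward-consolidation check as done in _int_free: when the chunk before p
 * is free, the size in that chunk's own header must equal the prev_size
 * recorded in p. Returns 1 if consistent, 0 if glibc would abort, -1 if the
 * previous chunk is in use. `lo` bounds the model arena (glibc has no such guard). */
int check_prev_size(const chunk_hdr *p, const unsigned char *lo) {
    if (prev_inuse(p))
        return -1;
    size_t prevsize = p->prev_size;
    if (prevsize > (size_t)((const unsigned char *)p - lo))
        return 0;
    const chunk_hdr *prev = (const chunk_hdr *)((const unsigned char *)p - prevsize);
    return chunksize(prev) == prevsize;
}

/* Constructed arena holding two adjacent chunks, A (free, 0x40 bytes) then B.
 * `overrun` bytes written past A's user area land in B's header, beginning
 * with prev_size, which is exactly what the check above detects on free(B). */
int simulate_free_of_b(size_t overrun) {
    _Alignas(16) unsigned char arena[0x80];
    memset(arena, 0, sizeof arena);
    chunk_hdr *a = (chunk_hdr *)arena;
    chunk_hdr *b = (chunk_hdr *)(arena + 0x40);
    a->size = 0x40;                     /* A is free, so B must record 0x40 */
    b->prev_size = 0x40;
    b->size = 0x40;                     /* PREV_INUSE clear: A is free */
    size_t user_len = 0x40 - HDR_BYTES; /* A's payload ends where B's header begins */
    if (overrun > HDR_BYTES)
        overrun = HDR_BYTES;            /* keep the write inside the model arena */
    memset(arena + HDR_BYTES, 0x41, user_len + overrun);
    return check_prev_size(b, arena);
}
```

With no overrun the check passes; a single byte written past A's payload already changes B's prev_size and the check fails, which is the condition glibc reports in the backtrace above.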
## GDB Debugging Report
```
=== PROGRAM_EXECUTION_START ===
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737348006464) at ./nptl/pthread_kill.c:44
=== PROGRAM_EXECUTION_END ===
=== PRIMARY_CRASH_DETECTION ===
Program status from 'info program':
Using the running image of child Thread 0x7ffff7a27240 (LWP 1756669).
Program stopped at 0x7ffff7abe9fc.
It stopped with signal SIGABRT, Aborted.
=== SIGNAL_CRASH_DETECTED ===
Program terminated by signal - this is a genuine crash
=== FRAME_ANALYSIS ===
Valid frame found - program stopped at signal
=== BACKTRACE_ANALYSIS ===
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737348006464) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140737348006464) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140737348006464, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff7a6a476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff7a507f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007ffff7ab1677 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7c03b77 "%s\n") at ../sysdeps/posix/libc_fatal.c:156
#6 0x00007ffff7ac8cfc in malloc_printerr (str=str@entry=0x7ffff7c06800 "corrupted size vs. prev_size while consolidating") at ./malloc/malloc.c:5664
#7 0x00007ffff7acaf22 in _int_free (av=0x7ffff7c42c80 <main_arena>, p=0x555555788950, have_lock=<optimized out>) at ./malloc/malloc.c:4606
#8 0x00007ffff7acd453 in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3391
#9 0x000055555556cedc in main (argc=<optimized out>, argv=0x7fffffffe3f8) at tiffcrop.c:2931
=== FINAL_STATUS_DETERMINATION ===
CONCLUSION: Program crashed due to signal
This is a genuine crash requiring investigation
```
## Program Output Before Crash
```
invertImage: Image inversion not supported for more than one sample per pixel.
createCroppedImage: Failed to invert colorspace for image or cropped selection.
main: Unable to create output image.
corrupted size vs. prev_size while consolidating
Aborted (core dumped)
```
## Proof of Concept
The proof of concept file is available at: [POC_tiffcrop_heap_corruption_consolidating](https://drive.google.com/file/d/1dh_PRjaAJfwbxKYJCSoNd9HgrUrfAQSt/view?usp=sharing)
## Reproduction Steps
1. Compile LibTIFF with debugging symbols
2. Execute the following command with the provided POC file:
```bash
./tiffcrop -I both POC_tiffcrop_heap_corruption_consolidating /dev/null
```
3. The program will crash with SIGABRT due to heap corruption detection at malloc.c:4606
## Affected Versions
- **LibTIFF Version**: 4.7.0 (the newest master)
- **Build Configuration**: Standard build with debugging symbols
- **Platform**: Linux x86_64
## Credit
**Discovered by**: Xudong Cao (UCAS), Yuqing Zhang (UCAS, Zhongguancun Laboratory) |
|---|
| Source | https://gitlab.com/libtiff/libtiff/-/issues/725 |
|---|
| User | HeureuxBuilding (UID 88810) |
|---|
| Submission | 07/08/2025 21:26 (10 months ago) |
|---|
| Moderation | 23/08/2025 17:12 (16 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB Entry | 319955 [LibTIFF 4.7.0 tiffcrop tiffcrop.c main buffer overflow] |
|---|
| Points | 0 |
|---|