Submission #630507: libtiff tiffcmp 4.7.0+ (latest master branch) Memory Leak

Title: libtiff tiffcmp 4.7.0+ (latest master branch) Memory Leak
Description:

## Summary

During fuzzing of the TIFFCMP utility from LibTIFF, a memory leak vulnerability has been discovered that leads to program termination with SIGBUS (abort). The vulnerability occurs during TIFF file processing with malformed directory structures, causing significantly larger memory leaks than the illegal instruction variant.

## Technical Details

- **Vulnerability Type**: Memory Leak leading to Abort
- **Affected Function**: Multiple functions in TIFF processing chain including strip array allocation
- **Primary Functions**: `_TIFFmallocExt`, `allocChoppedUpStripArrays`, `_TIFFCreateAnonField`, `_TIFFCheckRealloc`
- **Signal**: SIGBUS (7) / Abort
- **Affected Program**: tiffcmp

## Vulnerability Mechanism and Root Cause

This memory leak vulnerability is caused by improper resource management during TIFF file processing with malformed directory structures and invalid tag configurations. The root issue lies in the strip array allocation and anonymous field creation processes, where large memory blocks are allocated but not properly freed when encountering parsing errors.

The vulnerability occurs when:

1. The tiffcmp program processes a malformed TIFF file with invalid directory structure
2. TIFF parsing encounters various validation warnings:
   - "Invalid TIFF directory; tags are not sorted in ascending order"
   - "Bad value for ResolutionUnit tag"
   - "Bogus StripByteCounts field"
   - "ASCII value contains null byte"
3. Large memory allocations occur during processing:
   - Strip array allocation via `allocChoppedUpStripArrays` (up to 19008 bytes × 2)
   - Anonymous field creation via `_TIFFCreateAnonField` (240 bytes)
   - Main TIFF structure allocation (1567 bytes)
4. Error handling paths fail to properly deallocate these large resources
5. AddressSanitizer detects significant memory leaks during program termination
6. The process terminates with SIGBUS due to the memory management violations

## Complete AddressSanitizer Report

```
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, IO error during reading of "ImageDescription"; tag ignored.
TIFFFetchNormalTag: Defined set_get_field_type of custom tag 5632 (Tag 5632) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_get_field_type of custom tag 5888 (Tag 5888) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_get_field_type of custom tag 6656 (Tag 6656) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_get_field_type of custom tag 6912 (Tag 6912) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_get_field_type of custom tag 7168 (Tag 7168) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_get_field_type of custom tag 10240 (Tag 10240) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
/dev/null: Cannot read TIFF header.

=================================================================
==1637016==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1567 byte(s) in 1 object(s) allocated from:
    #0 0x558720e627be in __interceptor_malloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x558720f0874c in _TIFFmallocExt /libtiff/tif_open.c:197:12
    #2 0x558720f0874c in TIFFClientOpenExt /libtiff/tif_open.c:366:19
    #3 0x558720f21f78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #4 0x558720f21f78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #5 0x558720e9d635 in main /tools/tiffcmp.c:103:12
    #6 0x7f21ba319d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 19008 byte(s) in 1 object(s) allocated from:
    #0 0x558720e62be5 in __interceptor_realloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd9be5) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x558720f22d96 in _TIFFCheckRealloc /libtiff/tif_aux.c:107:14
    #2 0x558720f22d96 in _TIFFCheckMalloc /libtiff/tif_aux.c:125:12
    #3 0x558720f025c4 in allocChoppedUpStripArrays /libtiff/tif_dirread.c:7813:21
    #4 0x558720ecdc85 in TIFFReadDirectory /libtiff/tif_dirread.c:5146:9
    #5 0x558720f0a183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #6 0x558720f21f78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #7 0x558720f21f78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #8 0x558720e9d635 in main /tools/tiffcmp.c:103:12
    #9 0x7f21ba319d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 19008 byte(s) in 1 object(s) allocated from:
    #0 0x558720e62be5 in __interceptor_realloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd9be5) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x558720f22d96 in _TIFFCheckRealloc /libtiff/tif_aux.c:107:14
    #2 0x558720f22d96 in _TIFFCheckMalloc /libtiff/tif_aux.c:125:12
    #3 0x558720f025e2 in allocChoppedUpStripArrays /libtiff/tif_dirread.c:7815:30
    #4 0x558720ecdc85 in TIFFReadDirectory /libtiff/tif_dirread.c:5146:9
    #5 0x558720f0a183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #6 0x558720f21f78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #7 0x558720f21f78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #8 0x558720e9d635 in main /tools/tiffcmp.c:103:12
    #9 0x7f21ba319d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 1272 byte(s) in 1 object(s) allocated from:
    #0 0x558720e62be5 in __interceptor_realloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd9be5) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x558720f22bf6 in _TIFFCheckRealloc /libtiff/tif_aux.c:107:14
    #2 0x558720ec4309 in _TIFFMergeFields /libtiff/tif_dirinfo.c:584:41
    #3 0x558720eca1a2 in TIFFReadDirectory /libtiff/tif_dirread.c:4419:37
    #4 0x558720f0a183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #5 0x558720f21f78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #6 0x558720f21f78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #7 0x558720e9d635 in main /tools/tiffcmp.c:103:12
    #8 0x7f21ba319d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 510 byte(s) in 1 object(s) allocated from:
    #0 0x558720e627be in __interceptor_malloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x558720ea88ee in setByteArray /libtiff/tif_dir.c:55:28
    #2 0x558720ea88ee in _TIFFsetShortArrayExt /libtiff/tif_dir.c:81:5
    #3 0x558720ecd77a in TIFFReadDirectory /libtiff/tif_dirread.c:4994:9
    #4 0x558720f0a183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #5 0x558720f21f78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #6 0x558720f21f78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #7 0x558720e9d635 in main /tools/tiffcmp.c:103:12
    #8 0x7f21ba319d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 424 byte(s) in 1 object(s) allocated from:
    #0 0x558720e629a8 in __interceptor_calloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd99a8) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x558720f049d9 in TIFFHashSetNew /libtiff/tif_hash_set.c:149:34
    #2 0x558720ecfa95 in _TIFFCheckDirNumberAndOffset /libtiff/tif_dirread.c:5685:45
    #3 0x558720ec8ff5 in TIFFReadDirectory /libtiff/tif_dirread.c:4262:10
    #4 0x558720f0a183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #5 0x558720f21f78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #6 0x558720f21f78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #7 0x558720e9d635 in main /tools/tiffcmp.c:103:12
    #8 0x7f21ba319d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 424 byte(s) in 1 object(s) allocated from:
    #0 0x558720e629a8 in __interceptor_calloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd99a8) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x558720f049d9 in TIFFHashSetNew /libtiff/tif_hash_set.c:149:34
    #2 0x558720ecf9d1 in _TIFFCheckDirNumberAndOffset /libtiff/tif_dirread.c:5671:45
    #3 0x558720ec8ff5 in TIFFReadDirectory /libtiff/tif_dirread.c:4262:10
    #4 0x558720f0a183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #5 0x558720f21f78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #6 0x558720f21f78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #7 0x558720e9d635 in main /tools/tiffcmp.c:103:12
    #8 0x7f21ba319d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 272 byte(s) in 1 object(s) allocated from:
    #0 0x558720e627be in __interceptor_malloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x558720ec9551 in TIFFReadDirectory /libtiff/tif_dirread.c:4327:37
    #2 0x558720f0a183 in TIFFClientOpenExt /libtiff/tif_open.c:769:17
    #3 0x558720f21f78 in TIFFFdOpenExt /libtiff/tif_unix.c:221:11
    #4 0x558720f21f78 in TIFFOpenExt /libtiff/tif_unix.c:267:11
    #5 0x558720e9d635 in main /tools/tiffcmp.c:103:12
    #6 0x7f21ba319d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 240 byte(s) in 6 object(s) allocated from:
    #0 0x558720e627be in __interceptor_malloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be) (BuildId: 04ac6561bc9fdd8bf2962f31ac1c1af41d5c40bb)
    #1 0x558720ec703f in _TIFFCreateAnonFiel
```
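Added example (not code from the submission or from LibTIFF): a small parser for LeakSanitizer output in the format quoted above, run over a constructed excerpt of those stacks, that reports the library call behind each leaked block and whether every stack funnels through one caller.

```python
import re
from collections import Counter

LEAK_RE = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)(?: (\S+))?")

# Constructed input: three stacks from the report quoted above, trimmed to a few frames each.
SAMPLE_REPORT = """\
Direct leak of 1567 byte(s) in 1 object(s) allocated from:
    #0 0x558720e627be in __interceptor_malloc (/fuzzdir/fz-tiffcmp/tiffcmp+0xd97be)
    #1 0x558720f0874c in _TIFFmallocExt /libtiff/tif_open.c:197:12
    #5 0x558720e9d635 in main /tools/tiffcmp.c:103:12
Indirect leak of 19008 byte(s) in 1 object(s) allocated from:
    #1 0x558720f22d96 in _TIFFCheckRealloc /libtiff/tif_aux.c:107:14
    #3 0x558720f025c4 in allocChoppedUpStripArrays /libtiff/tif_dirread.c:7813:21
    #8 0x558720e9d635 in main /tools/tiffcmp.c:103:12
Indirect leak of 1272 byte(s) in 1 object(s) allocated from:
    #2 0x558720ec4309 in _TIFFMergeFields /libtiff/tif_dirinfo.c:584:41
    #7 0x558720e9d635 in main /tools/tiffcmp.c:103:12
"""

def parse_lsan(text):
    """One dict per leak: kind, bytes, objects and (function, location) frames, innermost first."""
    leaks = []
    for line in text.splitlines():
        m = LEAK_RE.match(line.strip())
        if m:
            leaks.append({"kind": m[1], "bytes": int(m[2]), "objects": int(m[3]), "frames": []})
        elif (m := FRAME_RE.match(line)) and leaks:
            leaks[-1]["frames"].append((m[1], m[2] or ""))
    return leaks

def allocation_site(leak, prefix="/libtiff/"):
    """Innermost frame inside the library tree, skipping the sanitizer interceptor frame."""
    for func, loc in leak["frames"]:
        if loc.startswith(prefix):
            return f"{func} ({loc})"
    return "<outside project>"

def owning_caller(leaks, func="main"):
    # Location of `func` if every stack reaches it at the same line, else None.
    sites = [next((loc for f, loc in leak["frames"] if f == func), None) for leak in leaks]
    return sites[0] if sites and sites[0] and len(set(sites)) == 1 else None

def bytes_by_kind_and_site(leaks):
    """Leaked bytes split Direct/Indirect, and aggregated per allocation site (largest first)."""
    kinds, sites = Counter(), Counter()
    for leak in leaks:
        kinds[leak["kind"]] += leak["bytes"]
        sites[allocation_site(leak)] += leak["bytes"]
    return dict(kinds), sites.most_common()
```

LeakSanitizer labels a block Indirect when it is reachable only through another leaked block, so a single Direct leak with `main /tools/tiffcmp.c:103:12` in every stack means one unfreed owner, the TIFF handle returned by TIFFOpenExt, is holding all the rest; that is the first thing to check before treating each allocation site as a separate bug.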
Source: https://gitlab.com/libtiff/libtiff/-/issues/729
User: HeureuxBuilding (UID 88810)
Submitted: 07/08/2025 21:29 (10 months ago)
Moderated: 19/08/2025 15:24 (12 days later)
Status: Duplicate
VulDB Entry: 320543 [LibTIFF 4.7.0 tiffcmp tools/tiffcmp.c denial of service]
Points: 0
