**Description:** A vulnerability exists in tiffcrop in libtiff v4.5.1, where improper handling of negative return values from TIFFReadEncodedStrip and missing validation of margin calculations can lead to incorrect memory access or logic errors. Specifically, failing to check for negative values returned by the strip read, together with improper clamping of margins, may allow a crafted TIFF file to trigger a denial of service through memory mismanagement or application crashes.
Reproduction command:

```sh
./tools/tiffcrop -D 'debug:1,format:txt,level:2,input:/tmp/a.txt' poc /tmp/output.tif
```
AddressSanitizer output:

```
==856169==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff862bf4a0 at pc 0x0000004f94d1 bp 0x7fff862bf050 sp 0x7fff862bf048
READ of size 8 at 0x7fff862bf4a0 thread T0
    #0 0x4f94d0 in combineSeparateSamplesBytes /src/tools/tiffcrop.c:4375:29
    #1 0x4f94d0 in readSeparateStripsIntoBuffer /src/tools/tiffcrop.c:5596:17
    #2 0x4f94d0 in loadImage /src/tools/tiffcrop.c:7147:23
    #3 0x4f94d0 in main /src/tools/tiffcrop.c:2785:17
    #4 0x7fe0c70e0082 in __libc_start_main /build/glibc-FcRMwW/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41e8dd in _start (/src/sspocgen_workspace/cffd285/build_carpetfuzz/tools/tiffcrop+0x41e8dd)

Address 0x7fff862bf4a0 is located in stack of thread T0 at offset 1088 in frame
    #0 0x4d1d0f in main /src/tools/tiffcrop.c:2593

  This frame has 125 object(s):
    [32, 36) ''
    [48, 56) ''
    [80, 84) 'rps.i851' (line 4310)
    [96, 104) 'data.addr.i350.i.i' (line 3124)
    [128, 208) 'dump_array.i351.i.i' (line 3092)
    [240, 248) 'data.addr.i314.i.i' (line 3124)
    [272, 352) 'dump_array.i315.i.i' (line 3092)
    [384, 392) 'data.addr.i.i449.i' (line 3124)
    [416, 496) 'dump_array.i.i450.i' (line 3092)
    [528, 536) 'action.i451.i' (line 4782)
    [560, 564) 'data.addr.i335.i.i' (line 3087)
    [576, 616) 'dump_array.i336.i.i' (line 3056)
    [656, 660) 'data.addr.i301.i.i' (line 3087)
    [672, 712) 'dump_array.i302.i.i' (line 3056)
    [752, 756) 'data.addr.i.i.i' (line 3087)
    [768, 808) 'dump_array.i.i.i' (line 3056)
    [848, 856) 'action.i426.i' (line 4645)
    [880, 888) 'action.i368.i' (line 4527)
    [912, 944) 'action.i.i' (line 4419)
    [976, 978) 'bps.i761' (line 5481)
    [992, 994) 'planar.i762' (line 5481)
    [1008, 1012) 'rps.i' (line 5484)
    [1024, 1088) 'srcbuffs.i763' (line 5490) <== Memory access at offset 1088 overflows this variable
    [1120, 1184) 'srcbuffs.i' (line 1158)
    [1216, 1220) 'longv.i.i' (line 1745)
    [1232, 1234) 'shortv.i508.i' (line 1723)
    [1248, 1256) 'stringv.i500.i' (line 1763)
    [1280, 1288) 'stringv.i485.i' (line 1763)
    [1312, 1320) 'stringv.i470.i' (line 1763)
    [1344, 1352) 'stringv.i455.i' (line 1763)
    [1376, 1378) 'shortv.i429.i' (line 1723)
    [1392, 1394) 'shortv.i410.i' (line 1723)
    [1408, 1412) 'floatv.i399.i' (line 1752)
    [1424, 1428) 'floatv.i383.i' (line 1752)
    [1440, 1448) 'stringv.i370.i' (line 1763)
    [1472, 1476) 'floatv.i352.i' (line 1752)
    [1488, 1492) 'floatv.i.i' (line 1752)
    [1504, 1506) 'shortv.i319.i' (line 1723)
    [1520, 1528) 'stringv.i311.i' (line 1763)
    [1552, 1560) 'stringv.i297.i' (line 1763)
    [1584, 1592) 'stringv.i283.i' (line 1763)
    [1616, 1624) 'stringv.i269.i' (line 1763)
    [1648, 1656) 'floatav.i254.i' (line 1757)
    [1680, 1688) 'floatav.i240.i' (line 1757)
    [1712, 1714) 'shortv1.i218.i' (line 1728)
    [1728, 1730) 'shortv2.i219.i' (line 1728)
    [1744, 1746) 'shortv.i199.i' (line 1723)
    [1760, 1762) 'shortv1.i182.i' (line 1728)
    [1776, 1778) 'shortv2.i183.i' (line 1728)
    [1792, 1800) 'stringv.i.i' (line 1763)
    [1824, 1826) 'shortv.i155.i' (line 1723)
    [1840, 1848) 'floatav.i147.i' (line 1757)
    [1872, 1874) 'shortv1.i.i' (line 1728)
    [1888, 1890) 'shortv2.i.i' (line 1728)
    [1904, 1906) 'shortv.i.i' (line 1723)
    [1920, 1928) 'floatav.i.i' (line 1757)
    [1952, 1954) 'shortv137.i.i' (line 1738)
    [1968, 1976) 'shortav.i.i' (line 1739)
    [2000, 2008) 'doublev.i103.i' (line 1770)
    [2032, 2040) 'doublev.i96.i' (line 1770)
    [2064, 2072) 'doublev.i.i' (line 1770)
    [2096, 2100) 'rowsperstrip.i.i.i' (line 1304)
    [2112, 2120) 'stringv.i.i.i' (line 1763)
    [2144, 2148) 'longv.i507.i.i' (line 1745)
    [2160, 2164) 'longv.i496.i.i' (line 1745)
    [2176, 2180) 'longv.i485.i.i' (line 1745)
    [2192, 2196) 'longv.i474.i.i' (line 1745)
    [2208, 2212) 'longv.i463.i.i' (line 1745)
    [2224, 2228) 'longv.i.i.i' (line 1745)
    [2240, 2248) 'tr.i443.i.i' (line 1733)
    [2272, 2280) 'tg.i444.i.i' (line 1733)
    [2304, 2312) 'tb.i445.i.i' (line 1733)
    [2336, 2344) 'ta.i446.i.i' (line 1733)
    [2368, 2376) 'tr.i.i.i' (line 1733)
    [2400, 2408) 'tg.i.i.i' (line 1733)
    [2432, 2440) 'tb.i.i.i' (line 1733)
    [2464, 2472) 'ta.i.i.i' (line 1733)
    [2496, 2498) 'shortv.i.i.i' (line 1723)
    [2512, 2514) 'input_planar.i.i' (line 8181)
    [2528, 2532) 'len32.i.i' (line 8404)
    [2544, 2552) 'data.i.i' (line 8405)
    [2576, 2578) 'ninks.i.i' (line 8410)
    [2592, 2600) 'inknames.i.i' (line 8411)
    [2624, 2626) 'pg0.i.i' (line 8434)
    [2640, 2642) 'pg1.i.i' (line 8434)
    [2656, 2664) 'crop_buff.i' (line 8540)
    [2688, 2696) 'rot_buf_size.i' (line 8649)
    [2720, 2728) 'rot_buf_size201.i' (line 8775)
    [2752, 2756) 'width46.i' (line 7251)
    [2768, 2772) 'length48.i' (line 7252)
    [2784, 2788) 'xres.i' (line 6763)
    [2800, 2804) 'yres.i' (line 6763)
    [2816, 2818) 'planar.i' (line 6765)
    [2832, 2834) 'bps.i406' (line 6766)
    [2848, 2850) 'spp.i' (line 6766)
    [2864, 2866) 'res_unit.i407' (line 6766)
    [2880, 2882) 'orientation.i' (line 6767)
    [2896, 2898) 'input_compression.i' (line 6768)
    [2912, 2914) 'input_photometric.i' (line 6768)
    [2928, 2930) 'subsampling_horiz.i' (line 6769)
    [2944, 2946) 'subsampling_vert.i' (line 6769)
    [2960, 2964) 'width.i408' (line 6770)
    [2976, 2980) 'length.i' (line 6770)
    [2992, 2996) 'tw.i' (line 6773)
    [3008, 3012) 'tl.i' (line 6773)
    [3024, 3026) 'defconfig' (line 2598)
    [3040, 3042) 'deffillorder' (line 2599)
    [3056, 3060) 'deftilewidth' (line 2600)
    [3072, 3076) 'deftilelength' (line 2601)
    [3088, 3092) 'defrowsperstrip' (line 2602)
    [3104, 3108) 'dirnum' (line 2603)
    [3120, 3128) 'out' (line 2606)
    [3152, 3162) 'mode' (line 2607)
    [3184, 3216) 'image' (line 2611)
    [3248, 3888) 'crop' (line 2612)
    [4016, 4104) 'page' (line 2613)
    [4144, 5040) 'sections' (line 2614)
    [5168, 5680) 'seg_buffs' (line 2615)
    [5744, 13976) 'dump' (line 2617)
    [14240, 14248) 'read_buff' (line 2618)
    [14272, 14280) 'crop_buff' (line 2619)
    [14304, 22500) 'imagelist' (line 2622)
    [22768, 22772) 'image_count' (line 2623)
    [22784, 22788) 'next_page' (line 2626)
    [22800, 26912) 'temp_filename' (line 2632)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /src/tools/tiffcrop.c:4375:29 in combineSeparateSamplesBytes
Shadow bytes around the buggy address:
  0x100070c4fe40: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f2
  0x100070c4fe50: f2 f2 f8 f2 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f8 f2
  0x100070c4fe60: f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f8 f2 f8 f8 f8 f8
  0x100070c4fe70: f8 f2 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f8
  0x100070c4fe80: f8 f8 f2 f2 f2 f2 02 f2 02 f2 04 f2 00 00 00 00
=>0x100070c4fe90: 00 00 00 00[f2]f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
  0x100070c4fea0: f2 f2 f2 f2 f8 f2 f8 f2 f8 f2 f2 f2 f8 f2 f2 f2
  0x100070c4feb0: f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f8 f2 f8 f2 f8 f2
  0x100070c4fec0: f8 f2 f2 f2 f8 f2 f8 f2 f8 f2 f8 f2 f2 f2 f8 f2
  0x100070c4fed0: f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2
  0x100070c4fee0: f2 f2 f8 f2 f8 f2 f8 f2 f8 f2 f8 f2 f8 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==856169==ABORTING
```
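The description names two defects: a strip-read return value used without checking for a negative error result, and crop margins accepted without being clamped against the image dimensions. The following C program is an added example (not libtiff or tiffcrop code) that models both and shows the hardened form. `sim_read_strip` is a constructed stand-in for `TIFFReadEncodedStrip`, whose real signature returns a signed `tmsize_t` with -1 on error; the four-strip image, the "corrupt" strip index and all function names here are assumptions made for the example.

```c
/* Added example, not libtiff/tiffcrop code. Models the two defects described
   above with a simulated strip reader and a margin validator. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int64_t tmsize_t;          /* libtiff's signed size type; -1 signals error */

#define SIM_STRIPS      4          /* constructed image: 4 strips of 16 bytes */
#define SIM_STRIP_BYTES 16
static const uint32_t sim_corrupt_strip = 2;   /* this strip "fails to decode" */

/* Stand-in for TIFFReadEncodedStrip: copies up to cap bytes of strip into buf,
   returns the byte count, or -1 when the strip cannot be decoded. */
static tmsize_t sim_read_strip(uint32_t strip, uint8_t *buf, tmsize_t cap)
{
    if (strip >= SIM_STRIPS || strip == sim_corrupt_strip)
        return -1;
    tmsize_t n = cap < SIM_STRIP_BYTES ? cap : SIM_STRIP_BYTES;
    memset(buf, (int)(0x10 * strip), (size_t)n);
    return n;
}

/* The unchecked pattern: storing the signed result in an unsigned length without
   testing its sign turns -1 into SIZE_MAX, so any later offset or copy length
   derived from it points far outside the destination buffer. */
size_t unchecked_length(tmsize_t rc)
{
    size_t bytes = (size_t)rc;     /* the bug: no "rc < 0" check before conversion */
    return bytes;
}

/* Hardened strip loop: stop on the first negative result and never let the running
   total pass the destination capacity. Returns bytes copied, or -1 on failure. */
tmsize_t read_strips_checked(uint32_t nstrips, uint8_t *dst, size_t dst_cap)
{
    size_t total = 0;
    for (uint32_t s = 0; s < nstrips; s++) {
        if (total >= dst_cap)
            return -1;             /* buffer already full: refuse another strip */
        tmsize_t rc = sim_read_strip(s, dst + total, (tmsize_t)(dst_cap - total));
        if (rc < 0)
            return -1;             /* propagate the decode error, never use rc as a size */
        total += (size_t)rc;
    }
    return (tmsize_t)total;
}

/* Margin validation: every margin must be non-negative and the two margins on an
   axis must leave at least one pixel. Writes the crop size and returns 0 on
   success; returns -1 instead of letting the subtraction wrap around. */
int crop_size_from_margins(uint32_t width, uint32_t length,
                           int64_t left, int64_t right, int64_t top, int64_t bottom,
                           uint32_t *crop_w, uint32_t *crop_l)
{
    if (left < 0 || right < 0 || top < 0 || bottom < 0)
        return -1;
    if (left + right >= (int64_t)width || top + bottom >= (int64_t)length)
        return -1;                 /* margins consume the whole image */
    *crop_w = (uint32_t)((int64_t)width - left - right);
    *crop_l = (uint32_t)((int64_t)length - top - bottom);
    return 0;
}

int main(void)
{
    uint8_t buf[SIM_STRIPS * SIM_STRIP_BYTES];
    uint32_t w = 0, l = 0;
    printf("unchecked length for rc=-1: %zu\n", unchecked_length(-1));
    printf("checked read, strips 0-1: %lld\n",
           (long long)read_strips_checked(2, buf, sizeof buf));
    printf("checked read, strips 0-3 (strip 2 corrupt): %lld\n",
           (long long)read_strips_checked(4, buf, sizeof buf));
    printf("margins 10/10 x 5/5 on 100x50: rc=%d crop=%ux%u\n",
           crop_size_from_margins(100, 50, 10, 10, 5, 5, &w, &l), w, l);
    printf("margins 60/60 x 5/5 on 100x50: rc=%d\n",
           crop_size_from_margins(100, 50, 60, 60, 5, 5, &w, &l));
    return 0;
}
```

The point of `unchecked_length` is only to make the conversion visible: with the sign check missing, one corrupt strip yields a length that no buffer can hold, which is the kind of mismanagement the description refers to. The checked loop and the margin validator fail closed on the same inputs.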