| Title | libtiff tiffcrop 4.7.0 (the newest master) Segmentation Fault |
|---|
| Description | # TIFFCROP Segmentation Fault Vulnerability in main Function
## Vulnerability Summary
During fuzzing of the TIFFCROP utility from LibTIFF, a critical segmentation fault vulnerability has been discovered in the main function. The vulnerability occurs in the `main` function within `tiffcrop.c` at line 2931, where the program attempts to access invalid memory addresses during the free operation, leading to immediate program termination with SIGSEGV.
## Technical Details
- **Vulnerability Type**: Segmentation Fault (Invalid Memory Access)
- **Affected Function**: `main`
- **Source File**: `tiffcrop.c`
- **Line Number**: 2931
- **Signal**: SIGSEGV (11)
- **Affected Crashes**: 76 out of 135 total crashes (56.3%)
## Vulnerability Mechanism and Root Cause
This segmentation fault vulnerability is caused by accessing invalid or corrupted memory addresses during memory deallocation operations. The root issue lies in the cleanup logic of the main function where the program attempts to free memory that has been corrupted or points to an invalid memory region.
The vulnerability occurs when:
1. The tiffcrop program processes a malformed TIFF image with invalid parameters (e.g., unsupported bit depth 84)
2. Error handling and cleanup operations are triggered after image processing failures
3. The program reaches line 2931 in main function and calls `__GI___libc_free` with a corrupted memory pointer (0x7ffff799c010)
4. The memory management system detects the invalid memory access and triggers SIGSEGV
This creates a direct memory access violation where the program attempts to free memory that either:
- Points to an unmapped memory region
- Contains corrupted heap metadata
- Has already been freed (use-after-free condition)
## GDB Debugging Report
```
=== PROGRAM_EXECUTION_START ===
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7acd3fe in __GI___libc_free (mem=0x7ffff799c010) at ./malloc/malloc.c:3368
=== PROGRAM_EXECUTION_END ===
=== PRIMARY_CRASH_DETECTION ===
Program status from 'info program':
Using the running image of child Thread 0x7ffff7a27240 (LWP 1751968).
Program stopped at 0x7ffff7acd3fe.
It stopped with signal SIGSEGV, Segmentation fault.
=== SIGNAL_CRASH_DETECTED ===
Program terminated by signal - this is a genuine crash
=== FRAME_ANALYSIS ===
Valid frame found - program stopped at signal
=== BACKTRACE_ANALYSIS ===
#0 0x00007ffff7acd3fe in __GI___libc_free (mem=0x7ffff799c010) at ./malloc/malloc.c:3368
#1 0x000055555556cedc in main (argc=<optimized out>, argv=0x7fffffffe3f8) at tiffcrop.c:2931
=== FINAL_STATUS_DETERMINATION ===
CONCLUSION: Program crashed due to signal
This is a genuine crash requiring investigation
```
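The backtrace above is the kind of record a fuzzing campaign has to deduplicate (the report's "76 out of 135 crashes" figure is one such bucket). As an added example that is not part of the report, of libtiff or of VulDB, the following Python parses a gdb report of this shape, skips glibc-internal frames, and keys each crash on the first frame that lies in the target's own source. The sample inputs are constructed here: the first reproduces the report's backtrace, the second is a hypothetical crash in a hypothetical `demo.c`. The glibc-frame heuristic (`__GI_`/`__libc_`/`_int_` symbol prefixes and `./malloc/`-style source paths) is an assumption about how glibc debug builds appear in gdb, not something the report states.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample 1: the gdb lines quoted in the report above.
SAMPLE_GDB_OUTPUT = """\
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7acd3fe in __GI___libc_free (mem=0x7ffff799c010) at ./malloc/malloc.c:3368
#0  0x00007ffff7acd3fe in __GI___libc_free (mem=0x7ffff799c010) at ./malloc/malloc.c:3368
#1  0x000055555556cedc in main (argc=<optimized out>, argv=0x7fffffffe3f8) at tiffcrop.c:2931
"""

# Constructed sample 2: a hypothetical crash in a hypothetical file, to show a second bucket.
OTHER_GDB_OUTPUT = """\
Program received signal SIGSEGV, Segmentation fault.
#0  0x00007ffff7acd3fe in __GI___libc_free (mem=0x1) at ./malloc/malloc.c:3368
#1  0x0000555555560000 in cleanup_buffers (ctx=0x0) at demo.c:17
#2  0x0000555555561000 in main (argc=3, argv=0x7fffffffe3f8) at demo.c:90
"""

SIGNAL_RE = re.compile(r"Program received signal (\w+)")
# One gdb backtrace frame: "#N  0xADDR in func (args) at file:line"; the "at file:line"
# tail is optional because stripped libraries print no source location.
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>[\w.$@]+)\s*\((?P<args>.*)\)"
    r"(?:\s+at\s+(?P<file>\S+?):(?P<line>\d+))?"
)

# Assumed glibc conventions: internal symbols carry these prefixes and debuginfo
# source paths are relative to the glibc tree (./malloc/malloc.c, ./libio/...).
LIBC_SYMBOL_PREFIXES = ("__GI_", "__libc_", "_int_")
LIBC_SOURCE_DIRS = ("./malloc/", "./libio/", "./stdlib/", "./string/")


@dataclass(frozen=True)
class Frame:
    index: int
    function: str
    file: Optional[str]
    line: Optional[int]


def is_libc_frame(frame: Frame) -> bool:
    """True for frames that belong to glibc rather than to the program under test."""
    return frame.function.startswith(LIBC_SYMBOL_PREFIXES) or (
        frame.file or ""
    ).startswith(LIBC_SOURCE_DIRS)


def parse_gdb_report(text: str) -> tuple[Optional[str], list[Frame]]:
    """Extract the signal name and the backtrace frames from raw gdb output."""
    signal: Optional[str] = None
    frames: list[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        sig = SIGNAL_RE.search(line)
        if sig and signal is None:
            signal = sig.group(1)
        m = FRAME_RE.match(line)
        if m:
            frames.append(
                Frame(
                    index=int(m["idx"]),
                    function=m["func"],
                    file=m["file"],
                    line=int(m["line"]) if m["line"] else None,
                )
            )
    return signal, frames


def crash_signature(text: str) -> Optional[tuple[str, str, str, int]]:
    """Bucket key: (signal, function, file, line) of the first non-glibc frame.

    Two crashes with the same key are treated as the same bug for triage; this is
    what turns "135 crashes" into a short list of distinct locations to investigate.
    """
    signal, frames = parse_gdb_report(text)
    if signal is None:
        return None
    for frame in frames:
        if not is_libc_frame(frame) and frame.file and frame.line is not None:
            return (signal, frame.function, frame.file, frame.line)
    return None


def bucket_crashes(reports: Iterable[str]) -> dict[tuple, int]:
    """Count reports per crash signature; unparseable reports land in an UNKNOWN bucket."""
    counts: Counter[tuple] = Counter()
    for report in reports:
        counts[crash_signature(report) or ("UNKNOWN",)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in bucket_crashes([SAMPLE_GDB_OUTPUT, SAMPLE_GDB_OUTPUT, OTHER_GDB_OUTPUT]).items():
        print(n, key)
```

Keying on the first frame outside glibc rather than on frame #0 matters here: every crash that ends in `__GI___libc_free` would otherwise collapse into one bucket, hiding which caller handed libc the bad pointer. The `<optimized out>` argument in the report's frame #1 is why a rebuild with `-O0` or with AddressSanitizer is the usual next step once a bucket is chosen.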
## Program Output Before Crash
```
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchNormalTag: Warning, Incorrect count for "ResolutionUnit"; tag ignored.
OJPEGSetupDecode: Warning, Deprecated and troublesome old-style JPEG compression mode, please convert to new-style JPEG compression and notify vendor of writing software.
OJPEGSubsamplingCorrect: Warning, Subsampling tag not appropriate for this Photometric and/or SamplesPerPixel.
LibJpeg: Warning, Application transferred too many scanlines.
readContigTilesIntoBuffer: Unsupported bit depth 84.
rotateImage: Unsupported bit depth 84.
createCroppedImage: Failed to rotate image or cropped selection by 270 degrees.
main: Unable to create output image.
Segmentation fault (core dumped)
```
## Proof of Concept
The proof of concept file is available at: [POC_tiffcrop_segmentation_fault_main_line_2931](https://drive.google.com/file/d/15L4q2eD8GX3Aj3z6SWC3_FbqaM1ChUx2/view?usp=sharing)
## Reproduction Steps
1. Compile LibTIFF with debugging symbols
2. Execute the following command with the provided POC file:
```bash
./tiffcrop -R 270 POC_tiffcrop_segmentation_fault_main_line_2931 /dev/null
```
3. The program will crash with SIGSEGV at tiffcrop.c:2931
## Affected Versions
- **LibTIFF Version**: 4.7.0 (the newest master)
- **Build Configuration**: Standard build with debugging symbols
- **Platform**: Linux x86_64
## Credit
**Discovered by**: Xudong Cao (UCAS), Yuqing Zhang (UCAS, Zhongguancun Laboratory) |
|---|
| Source | https://gitlab.com/libtiff/libtiff/-/issues/721 |
|---|
| User | ucas-xd (UID 88505) |
|---|
| Submission | 08/03/2025 21:20 (8 months ago) |
|---|
| Moderation | 08/13/2025 18:01 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 319955 [LibTIFF 4.7.0 tiffcrop tiffcrop.c main memory corruption] |
|---|
| Points | 20 |
|---|