Submit #630499: LibTIFF TIFFCROP 4.7.0 (the newest master) Double Free

Title: LibTIFF TIFFCROP 4.7.0 (the newest master) Double Free
Description:

# TIFFCROP Double Free Vulnerability with Previous Block Corruption

## Vulnerability Summary

During fuzzing of the TIFFCROP utility from LibTIFF, a critical double free vulnerability has been discovered that causes heap corruption with previous block pointer corruption. The vulnerability occurs when the program attempts to free memory that has already been freed, triggering the glibc memory allocator's corruption detection mechanism with the error "double free or corruption (!prev)".

## Technical Details

- **Vulnerability Type**: Double Free / Heap Corruption
- **Affected Function**: `main` (cleanup path)
- **Source File**: `tiffcrop.c`
- **Line Number**: 2931
- **Signal**: SIGABRT (6)
- **Detection Point**: `_int_free` at `malloc.c:4591`
- **Affected Crashes**: 14 out of 135 total crashes (10.4%)

## Vulnerability Mechanism and Root Cause

This double free vulnerability is caused by improper memory lifecycle management in the error handling paths of tiffcrop. The root issue lies in the cleanup logic where the same memory region gets freed multiple times, leading to heap metadata corruption.

The vulnerability occurs when:

1. The tiffcrop program processes a malformed TIFF image with color inversion parameters
2. Image inversion fails due to unsupported multi-sample pixel format
3. Error handling triggers cleanup operations that attempt to free the same memory multiple times
4. The glibc memory allocator detects the double free condition at `_int_free` line 4591
5. The corruption specifically affects the previous block pointer ("!prev"), indicating backward link corruption

The memory allocator's integrity checks detect that:

- Memory block 0x55555578a120 has been freed previously
- The previous block pointer in the heap metadata has been corrupted
- This triggers malloc_printerr() with "double free or corruption (!prev)" message

## GDB Debugging Report

```
=== PROGRAM_EXECUTION_START ===
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737348006464) at ./nptl/pthread_kill.c:44
=== PROGRAM_EXECUTION_END ===
=== PRIMARY_CRASH_DETECTION ===
Program status from 'info program':
	Using the running image of child Thread 0x7ffff7a27240 (LWP 1752325).
Program stopped at 0x7ffff7abe9fc.
It stopped with signal SIGABRT, Aborted.
=== SIGNAL_CRASH_DETECTED ===
Program terminated by signal - this is a genuine crash
=== FRAME_ANALYSIS ===
Valid frame found - program stopped at signal
=== BACKTRACE_ANALYSIS ===
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737348006464) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737348006464) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737348006464, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7a6a476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7a507f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7ab1677 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7c03b77 "%s\n") at ../sysdeps/posix/libc_fatal.c:156
#6  0x00007ffff7ac8cfc in malloc_printerr (str=str@entry=0x7ffff7c067b0 "double free or corruption (!prev)") at ./malloc/malloc.c:5664
#7  0x00007ffff7acae7c in _int_free (av=0x7ffff7c42c80 <main_arena>, p=0x55555578a120, have_lock=<optimized out>) at ./malloc/malloc.c:4591
#8  0x00007ffff7acd453 in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3391
#9  0x000055555556cedc in main (argc=<optimized out>, argv=0x7fffffffe3f8) at tiffcrop.c:2931
=== FINAL_STATUS_DETERMINATION ===
CONCLUSION: Program crashed due to signal
This is a genuine crash requiring investigation
```

## Program Output Before Crash

```
invertImage: Image inversion not supported for more than one sample per pixel.
createCroppedImage: Failed to invert colorspace for image or cropped selection.
main: Unable to create output image.
double free or corruption (!prev)
Aborted (core dumped)
```

## Proof of Concept

The proof of concept file is available at: [POC_tiffcrop_double_free_corruption_prev](https://drive.google.com/file/d/19OMrM7pQ1nggJiLV1zGAM4mqfe9NHZqT/view?usp=sharing)

## Reproduction Steps

1. Compile LibTIFF with debugging symbols
2. Execute the following command with the provided POC file:

```bash
./tiffcrop -I both POC_tiffcrop_double_free_corruption_prev /dev/null
```

3. The program will crash with SIGABRT due to double free detection at malloc.c:4591

## Affected Versions

- **LibTIFF Version**: 4.7.0 (the newest master)
- **Build Configuration**: Standard build with debugging symbols
- **Platform**: Linux x86_64

## Credit

**Discovered by**: Xudong Cao (UCAS), Yuqing Zhang (UCAS, Zhongguancun Laboratory)
Source: https://gitlab.com/libtiff/libtiff/-/issues/722
User: HeureuxBuilding (UID 88810)
Submission: 08/07/2025 21:24 (8 months ago)
Moderation: 08/23/2025 17:11 (16 days later)
Status: Duplicate
VulDB entry: 319955 [LibTIFF 4.7.0 tiffcrop tiffcrop.c main memory corruption]
Points: 0
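The pattern the submission describes (a callee frees a buffer on its failure path, then the caller's generic cleanup frees the same pointer again) is illustrated below with an added, self-contained C example. It is not LibTIFF or tiffcrop code and does not reproduce the reported bug; the functions `invert_image`, `create_cropped_image_buggy`, `create_cropped_image_fixed` and `run_pipeline` are hypothetical models of the call chain named in the backtrace. A small tracking allocator records which pointers are live so the second free is counted rather than letting glibc abort, which lets the buggy and hardened variants be compared in one run.

```c
// Added example, not LibTIFF code: models an error-path double free (callee
// frees on failure, caller's cleanup frees again) and a hardened variant that
// makes ownership explicit via a free-and-null helper. A tracking allocator
// detects the double free instead of letting glibc abort the process.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 64

static void *live[MAX_TRACKED];     /* pointers currently owned by someone */
static size_t n_live;
static size_t double_free_count;    /* frees of pointers not in the live set */

static void tracker_reset(void) { n_live = 0; double_free_count = 0; }

static void *tracked_malloc(size_t sz) {
    void *p = malloc(sz);
    if (p && n_live < MAX_TRACKED) live[n_live++] = p;
    return p;
}

/* Returns 1 if p was live and is now released (or p is NULL), 0 on double free.
   On a double free the real free() is NOT called, so the process survives. */
static int tracked_free(void *p) {
    if (!p) return 1;                        /* free(NULL) is always legal */
    for (size_t i = 0; i < n_live; i++) {
        if (live[i] == p) {
            live[i] = live[--n_live];        /* swap-remove from live set */
            free(p);
            return 1;
        }
    }
    double_free_count++;                     /* glibc would report "double free or corruption" here */
    return 0;
}

typedef struct {
    unsigned char *pixels;
    size_t len;
    unsigned spp;                            /* samples per pixel (hypothetical field) */
} image_t;

/* Hypothetical inversion step; like invertImage in the report's output, it
   rejects images with more than one sample per pixel. */
static int invert_image(image_t *img) {
    if (img->spp != 1) {
        fprintf(stderr, "invert_image: not supported for spp=%u\n", img->spp);
        return -1;
    }
    for (size_t i = 0; i < img->len; i++) img->pixels[i] = (unsigned char)~img->pixels[i];
    return 0;
}

/* Buggy: on inversion failure the callee frees the pixel buffer but leaves the
   dangling pointer in *img, so the caller's generic cleanup frees it a second time. */
static int create_cropped_image_buggy(image_t *img) {
    img->pixels = tracked_malloc(img->len);
    if (!img->pixels) return -1;
    memset(img->pixels, 0xAB, img->len);     /* constructed sample pixel data */
    if (invert_image(img) != 0) {
        tracked_free(img->pixels);           /* first free; img->pixels now dangles */
        return -1;
    }
    return 0;
}

/* Hardened: every release goes through a free-and-null helper, so whichever
   cleanup runs second sees NULL and the free becomes a no-op. */
static void release(unsigned char **pp) {
    tracked_free(*pp);
    *pp = NULL;
}

static int create_cropped_image_fixed(image_t *img) {
    img->pixels = tracked_malloc(img->len);
    if (!img->pixels) return -1;
    memset(img->pixels, 0xAB, img->len);
    if (invert_image(img) != 0) {
        release(&img->pixels);               /* frees and nulls the owning pointer */
        return -1;
    }
    return 0;
}

/* Driver modelled on a main() cleanup path: run the pipeline, then the generic
   cleanup. Returns the number of double frees the tracker detected. */
static size_t run_pipeline(unsigned spp, int (*create)(image_t *)) {
    tracker_reset();
    image_t img = { NULL, 16, spp };
    if (create(&img) != 0)
        fprintf(stderr, "main: unable to create output image\n");
    tracked_free(img.pixels);                /* generic cleanup at end of main */
    return double_free_count;
}

int main(void) {
    printf("buggy, spp=3: double frees = %zu\n", run_pipeline(3, create_cropped_image_buggy));
    printf("fixed, spp=3: double frees = %zu\n", run_pipeline(3, create_cropped_image_fixed));
    printf("fixed, spp=1: double frees = %zu\n", run_pipeline(1, create_cropped_image_fixed));
    return 0;
}
```

The practitioner's check here is the ownership rule, not the tracker: a buffer should have exactly one owner responsible for freeing it, and any early-exit path that releases it must also clear the pointer the owner will later inspect. Under ASan or glibc's own checks the buggy variant aborts on the second free; the tracker only exists so both variants can run to completion side by side.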
