Cool, yet another one crash with radamsa.

thestig@, could you please help to find an owner?

So we have a bunch of libtiff bugs in general. Do we have a contact in the libtiff organization that we can talk to to get some of these bugs upstream?

For this bug in particular, the attached patch fixes it for me. Toggling debug mode (I forget which direction) also avoids the bug. The problem being libtiff is assigning large uint32 values to int32 variables. The variables are then used as offsets, and they underflow a buffer.

My patch changes everything to uint32s and that seems to work for this test case. Maybe libtiff should put some limit checks on the input values instead? I don't really understand TIFF, so I have no idea.

Deleted: bug_656621.diff 3.3 KB

bug_656621.diff 3.3 KB Download

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

TIFF is XFA only.

Punting PDF security-ish bugs.

ClusterFuzz has detected this issue as fixed in range 442985:443138.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4963248468393984

Fuzzer: libfuzzer_radamsa_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7f6333eb7813
Crash State:
  put1bitbwtile
  gtTileContig
  TIFFReadRGBAImageOriented
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=422880:422991
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=442985:443138

Minimized Testcase (0.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956RJ18r64nwREqZVJGzff9R9b4utAb7B1Bcjs_ST6YV5-6Fj-IAaYKs4TEBeCyOpV20YUok05oIuuKzpq991jIBMXqmOgV2i9aALrfYzmkpjpir6LUN1VMFgiPZZXIaSF3-xt-8vsOzgeZXlymcRs06NltWQ?testcase_id=4963248468393984

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4963248468393984 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot