Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

readTiff Index Out Of Bounds #38

Closed
raminfp opened this issue Jul 4, 2021 · 2 comments
Closed

readTiff Index Out Of Bounds #38

raminfp opened this issue Jul 4, 2021 · 2 comments
Labels
bug Something isn't working

Comments

@raminfp
Copy link

raminfp commented Jul 4, 2021

Hi,

There is bug in the TiffReader.readTiff(input);

Version Information:

  • TIFF Java Version: 2.0.3

Output:

 Exception in thread "main" java.lang.IndexOutOfBoundsException
	at java.nio.ByteBuffer.wrap(ByteBuffer.java:375)
	at mil.nga.tiff.io.ByteReader.readShort(ByteReader.java:266)
	at mil.nga.tiff.io.ByteReader.readUnsignedShort(ByteReader.java:290)
	at mil.nga.tiff.io.ByteReader.readUnsignedShort(ByteReader.java:277)
	at mil.nga.tiff.TiffReader.parseTIFFImage(TiffReader.java:199)
	at mil.nga.tiff.TiffReader.readTiff(TiffReader.java:167)
	at mil.nga.tiff.TiffReader.readTiff(TiffReader.java:109)
	at mil.nga.tiff.TiffReader.readTiff(TiffReader.java:95)
	at com.example.demo.DemoApplication.main(DemoApplication.java:17)

Steps to Reproduce:

  • Discover with jazzer fuzzer
        String base64Bytes = "TU0AKoAAAAAAAAAAAAAAAQAAKgAAGABNAA==";

        byte[] input = java.util.Base64.getDecoder().decode(base64Bytes);
        try {

            TiffReader.readTiff(input);
        } catch (IllegalStateException | TiffException ignored) {
        }

Additional Information:

INFO: Analyzed target //examples:TiffFuzzer (0 packages loaded, 0 targets configured).
INFO: Found 1 target...
Target //examples:TiffFuzzer up-to-date:
  bazel-bin/examples/TiffFuzzer
INFO: Elapsed time: 0.146s, Critical Path: 0.00s
INFO: 1 process: 1 internal.
INFO: Build completed successfully, 1 total action
INFO: Build completed successfully, 1 total action
exec ${PAGER:-/usr/bin/less} "$0" || exit 1
Executing tests from //examples:TiffFuzzer
-----------------------------------------------------------------------------
Java HotSpot(TM) 64-Bit Server VM warning: Sharing is only supported for boot loader classes because bootstrap classpath has been appended
INFO: Loaded 8 hooks from com.code_intelligence.jazzer.sanitizers.Deserialization
INFO: Loaded 1 hooks from com.code_intelligence.jazzer.sanitizers.ReflectiveCall
INFO: Loaded 8649 no-throw method signatures
INFO: Instrumented com.example.TiffFuzzer (took 43 ms, size +48%)
INFO: Instrumented mil.nga.tiff.util.TiffException (took 3 ms, size +36%)
INFO: libFuzzer ignores flags that start with '--'
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2735196724
INFO: Loaded 1 modules   (512 inline 8-bit counters): 512 [0x7f67be7a6010, 0x7f67be7a6210), 
INFO: Loaded 1 PC tables (512 PCs): 512 [0x7f67bd3a4010,0x7f67bd3a6010), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: Instrumented mil.nga.tiff.TiffReader (took 16 ms, size +56%)
INFO: Instrumented mil.nga.tiff.io.ByteReader (took 6 ms, size +43%)
INFO: A corpus is not provided, starting from an empty corpus
#2      INITED cov: 8 ft: 8 corp: 1/1b exec/s: 0 rss: 109Mb
#3      NEW    cov: 21 ft: 21 corp: 2/3b lim: 4 exec/s: 0 rss: 109Mb L: 2/2 MS: 1 CopyPart-
INFO: Instrumented mil.nga.tiff.TIFFImage (took 5 ms, size +36%)
#6573   NEW    cov: 36 ft: 37 corp: 3/36b lim: 68 exec/s: 0 rss: 117Mb L: 33/33 MS: 5 ChangeByte-ChangeByte-InsertRepeatedBytes-EraseBytes-InsertRepeatedBytes-
#6586   REDUCE cov: 36 ft: 37 corp: 3/32b lim: 68 exec/s: 0 rss: 117Mb L: 29/29 MS: 3 ChangeBinInt-ChangeBinInt-EraseBytes-
#6609   REDUCE cov: 36 ft: 37 corp: 3/26b lim: 68 exec/s: 0 rss: 117Mb L: 23/23 MS: 3 ShuffleBytes-ChangeByte-EraseBytes-
#6635   REDUCE cov: 36 ft: 37 corp: 3/20b lim: 68 exec/s: 0 rss: 117Mb L: 17/17 MS: 1 EraseBytes-
#6731   REDUCE cov: 36 ft: 37 corp: 3/17b lim: 68 exec/s: 0 rss: 117Mb L: 14/14 MS: 1 EraseBytes-
#6779   REDUCE cov: 36 ft: 37 corp: 3/14b lim: 68 exec/s: 0 rss: 117Mb L: 11/11 MS: 3 ChangeBit-InsertByte-EraseBytes-
#6806   REDUCE cov: 36 ft: 37 corp: 3/13b lim: 68 exec/s: 0 rss: 117Mb L: 10/10 MS: 2 ChangeBinInt-EraseBytes-
#6892   REDUCE cov: 36 ft: 37 corp: 3/12b lim: 68 exec/s: 0 rss: 117Mb L: 9/9 MS: 1 EraseBytes-
#6968   REDUCE cov: 36 ft: 37 corp: 3/11b lim: 68 exec/s: 0 rss: 117Mb L: 8/8 MS: 1 EraseBytes-
#7204   REDUCE cov: 36 ft: 37 corp: 3/7b lim: 68 exec/s: 0 rss: 117Mb L: 4/4 MS: 1 EraseBytes-
#13441  NEW    cov: 38 ft: 39 corp: 4/59b lim: 128 exec/s: 0 rss: 117Mb L: 52/52 MS: 2 CopyPart-InsertRepeatedBytes-
#13463  REDUCE cov: 38 ft: 39 corp: 4/46b lim: 128 exec/s: 0 rss: 117Mb L: 39/39 MS: 2 CrossOver-EraseBytes-
#13476  REDUCE cov: 38 ft: 39 corp: 4/34b lim: 128 exec/s: 0 rss: 117Mb L: 27/27 MS: 3 ShuffleBytes-CopyPart-EraseBytes-
#13494  REDUCE cov: 38 ft: 39 corp: 4/31b lim: 128 exec/s: 0 rss: 117Mb L: 24/24 MS: 3 ChangeByte-ChangeBit-EraseBytes-
#13540  REDUCE cov: 38 ft: 39 corp: 4/20b lim: 128 exec/s: 0 rss: 117Mb L: 13/13 MS: 1 EraseBytes-
#13566  REDUCE cov: 38 ft: 39 corp: 4/14b lim: 128 exec/s: 0 rss: 117Mb L: 7/7 MS: 1 CrossOver-
#13584  REDUCE cov: 38 ft: 39 corp: 4/12b lim: 128 exec/s: 0 rss: 117Mb L: 5/5 MS: 3 ChangeBit-ShuffleBytes-EraseBytes-
#14070  REDUCE cov: 38 ft: 39 corp: 4/10b lim: 128 exec/s: 0 rss: 117Mb L: 3/4 MS: 1 EraseBytes-
#14141  REDUCE cov: 38 ft: 39 corp: 4/9b lim: 128 exec/s: 0 rss: 117Mb L: 2/4 MS: 1 EraseBytes-
#18758  NEW    cov: 39 ft: 40 corp: 5/11b lim: 170 exec/s: 0 rss: 119Mb L: 2/4 MS: 2 ChangeBit-ChangeBit-
#136232 NEW    cov: 40 ft: 41 corp: 6/16b lim: 1330 exec/s: 0 rss: 124Mb L: 5/5 MS: 4 EraseBytes-InsertByte-CopyPart-InsertByte-
#136389 REDUCE cov: 40 ft: 41 corp: 6/14b lim: 1330 exec/s: 0 rss: 124Mb L: 3/4 MS: 2 ChangeBit-EraseBytes-
#139806 REDUCE cov: 40 ft: 41 corp: 6/13b lim: 1360 exec/s: 0 rss: 124Mb L: 2/4 MS: 2 CrossOver-EraseBytes-
#206414 REDUCE cov: 54 ft: 56 corp: 7/23b lim: 2020 exec/s: 0 rss: 128Mb L: 10/10 MS: 3 CopyPart-CrossOver-ShuffleBytes-
#206750 REDUCE cov: 54 ft: 56 corp: 7/21b lim: 2020 exec/s: 0 rss: 128Mb L: 8/8 MS: 1 EraseBytes-
#209061 REDUCE cov: 63 ft: 65 corp: 8/121b lim: 2040 exec/s: 0 rss: 130Mb L: 100/100 MS: 1 InsertRepeatedBytes-
#209180 REDUCE cov: 63 ft: 65 corp: 8/101b lim: 2040 exec/s: 0 rss: 130Mb L: 80/80 MS: 4 ChangeBit-CrossOver-InsertRepeatedBytes-EraseBytes-
#209415 REDUCE cov: 63 ft: 65 corp: 8/83b lim: 2040 exec/s: 0 rss: 130Mb L: 62/62 MS: 5 ChangeByte-ShuffleBytes-ChangeByte-ChangeBit-EraseBytes-
#209417 REDUCE cov: 63 ft: 65 corp: 8/75b lim: 2040 exec/s: 0 rss: 130Mb L: 54/54 MS: 2 ChangeASCIIInt-EraseBytes-
#209464 REDUCE cov: 63 ft: 65 corp: 8/61b lim: 2040 exec/s: 0 rss: 130Mb L: 40/40 MS: 2 ChangeBinInt-EraseBytes-
#209592 REDUCE cov: 63 ft: 65 corp: 8/48b lim: 2040 exec/s: 0 rss: 130Mb L: 27/27 MS: 3 ChangeBit-ChangeBit-EraseBytes-
#209828 REDUCE cov: 63 ft: 65 corp: 8/44b lim: 2040 exec/s: 0 rss: 130Mb L: 23/23 MS: 1 EraseBytes-

== Java Exception: java.lang.IndexOutOfBoundsException
        at java.base/java.nio.ByteBuffer.wrap(ByteBuffer.java:408)
        at mil.nga.tiff.io.ByteReader.readShort(ByteReader.java:266)
        at mil.nga.tiff.io.ByteReader.readUnsignedShort(ByteReader.java:290)
        at mil.nga.tiff.io.ByteReader.readUnsignedShort(ByteReader.java:277)
        at mil.nga.tiff.TiffReader.parseTIFFImage(TiffReader.java:199)
        at mil.nga.tiff.TiffReader.readTiff(TiffReader.java:167)
        at mil.nga.tiff.TiffReader.readTiff(TiffReader.java:109)
        at mil.nga.tiff.TiffReader.readTiff(TiffReader.java:95)
        at com.example.TiffFuzzer.fuzzerTestOneInput(TiffFuzzer.java:26)
DEDUP_TOKEN: 048fbe8202221b42
== libFuzzer crashing input ==
MS: 4 InsertByte-ChangeBinInt-CrossOver-ChangeByte-; base unit: f5a7ae8d7048e5febb25530c8ed3c945e6a26a6c
0x4d,0x4d,0x0,0x2a,0x80,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x2a,0x0,0x0,0x18,0x0,0x4d,0x0,
MM\x00*\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00*\x00\x00\x18\x00M\x00
artifact_prefix='/root/.cache/bazel/_bazel_root/c82b104c68f93e19e57160becd18f8f0/execroot/jazzer/bazel-out/k8-opt/testlogs/examples/TiffFuzzer/test.outputs/'; Test unit written to /root/.cache/bazel/_bazel_root/c82b104c68f93e19e57160becd18f8f0/execroot/jazzer/bazel-out/k8-opt/testlogs/examples/TiffFuzzer/test.outputs/crash-50f8becafa5d99f91a81e1002f5883ac0947916d
Base64: TU0AKoAAAAAAAAAAAAAAAQAAKgAAGABNAA==
reproducer_path='/root/.cache/bazel/_bazel_root/c82b104c68f93e19e57160becd18f8f0/execroot/jazzer/bazel-out/k8-opt/testlogs/examples/TiffFuzzer/test.outputs'; Java reproducer written to /root/.cache/bazel/_bazel_root/c82b104c68f93e19e57160becd18f8f0/execroot/jazzer/bazel-out/k8-opt/testlogs/examples/TiffFuzzer/test.outputs/Crash_50f8becafa5d99f91a81e1002f5883ac0947916d.java

Thanks,
Ramin
@raminfp raminfp added the bug Something isn't working label Jul 4, 2021
@bosborn
Copy link
Contributor

bosborn commented Jul 6, 2021

Your tiff "file" bytes are invalid. Specifies a -2147483648 offset in bytes of the first image file directory.

gdalinfo's error

ERROR 1: TIFFFetchDirectory:test.tiff: Can not read TIFF directory count
ERROR 1: TIFFReadDirectory:Failed to read directory at offset 2147483648

The index out of bounds exception occurs trying to read the specified bytes outside of the total provided bytes. Not really a "security" issue.

@bosborn bosborn closed this as completed Jul 6, 2021
@bosborn
Copy link
Contributor

bosborn commented Jul 6, 2021

These changes on the develop branch will give you a better error message.

mil.nga.tiff.util.TiffException: Byte offset out of range. Total Bytes: 25, Byte offset: 2147483648

@raminfp raminfp changed the title SECURITY: readTiff Index Out Of Bounds readTiff Index Out Of Bounds Jul 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@raminfp @bosborn