Hi!
While doing fuzzing with AFL++ & Sydr, I found a heap buffer overflow in read_iptc_profile:
==376632==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000091 at pc 0x000000730e1d bp 0x7fffffffda90 sp 0x7fffffffda88
READ of size 1 at 0x602000000091 thread T0
[Detaching after fork from child process 376675]
#0 0x730e1c in read_iptc_profile /freeimage-svn/FreeImage/trunk/Source/Metadata/IPTC.cpp:74:7
#1 0x654cae in tiff_read_iptc_profile(tiff*, FIBITMAP*) /freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginTIFF.cpp:790:10
#2 0x654cae in ReadMetadata(FreeImageIO*, void*, tiff*, FIBITMAP*) /freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginTIFF.cpp:871:2
#3 0x64e5a2 in Load(FreeImageIO*, void*, int, int, void*) /freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginTIFF.cpp:2320:3
#4 0x508deb in FreeImage_LoadFromHandle /freeimage-svn/FreeImage/trunk/Source/FreeImage/Plugin.cpp:386:24
#5 0x4ff0bb in FreeImage_LoadFromMemory /freeimage-svn/FreeImage/trunk/Source/FreeImage/MemoryIO.cpp:88:10
#6 0x4e0505 in LLVMFuzzerTestOneInput /load_from_memory_tiff_fuzzer.cc:35:26
#7 0x4e00c4 in main /afl.cc:36:9
#8 0x7ffff7a730b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#9 0x425fbd in _start (/load_from_memory_tiff_afl+0x425fbd)
In file /freeimage-svn/FreeImage/trunk/Source/Metadata/IPTC.cpp:74:
71 // find start of the BIM portion of the binary data
72 size_t offset = 0;
73 while(offset < length - 1) {
--->74 if((profile[offset] == 0x1C) && (profile[offset+1] == 0x02))
75 break;
76 offset++;
77 }
78
79 // for each tag
80 while (offset < length) {
81
82 // identifies start of a tag
How to reproduce:
1. Build and run docker container from here https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/freeimage
2. Run fuzzer: /load_from_memory_tiff_afl < crash-7582b9a9b1f37e4af199f2a98c4bb287e0a811ce
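As an added example (my own code, not FreeImage's), here is a bounds-checked form of the marker scan quoted above. It assumes `length` is a `size_t` as in the excerpt, and returns "not found" for any profile shorter than two bytes, so the unsigned `length - 1` in the original loop condition is never evaluated and `profile[offset + 1]` is only read when it lies inside the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Scan for the 0x1C 0x02 marker that opens the BIM portion of an IPTC
 * profile. Returns the marker offset, or -1 when the buffer is NULL,
 * shorter than two bytes, or contains no complete marker.
 *
 * Unlike `while (offset < length - 1)` on a size_t, this never computes
 * `length - 1`, so an empty profile (length == 0) cannot wrap the bound
 * to SIZE_MAX, and the second byte is only read when offset + 1 < length. */
ptrdiff_t iptc_find_bim_start(const uint8_t *profile, size_t length) {
    if (profile == NULL || length < 2) {
        return -1;
    }
    for (size_t offset = 0; offset + 1 < length; offset++) {
        if (profile[offset] == 0x1C && profile[offset + 1] == 0x02) {
            return (ptrdiff_t)offset;
        }
    }
    return -1; /* reached the end without a complete marker */
}

int main(void) {
    /* Constructed sample profiles; not taken from the crashing input. */
    const uint8_t with_marker[] = {0x00, 0x1C, 0x02, 0x05, 0x00, 0x03, 'a', 'b', 'c'};
    const uint8_t truncated[]   = {0x00, 0x1C};   /* marker cut off at the end */
    const uint8_t single[]      = {0x1C};

    printf("with_marker -> %td\n", iptc_find_bim_start(with_marker, sizeof with_marker));
    printf("truncated   -> %td\n", iptc_find_bim_start(truncated, sizeof truncated));
    printf("single      -> %td\n", iptc_find_bim_start(single, sizeof single));
    printf("empty       -> %td\n", iptc_find_bim_start(single, 0));
    return 0;
}
```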
CVE-2024-9029 has been assigned to this issue.
The fix for this issue should also address #356 at the same time.