gdal: Crash in inflateSync

2017-07-02T12:48:28

Description

Project: https://github.com/OSGeo/gdal.git Detailed report: https://oss-fuzz.com/testcase?key=5670186587783168 Project: gdal Fuzzer: libFuzzer_gdal_gtiff_fuzzer Fuzz target binary: gtiff_fuzzer Job Type: libfuzzer_asan_gdal Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x622000010000 Crash State: inflateSync ZIPDecode TIFFReadEncodedTile Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_gdal&range=201706300456:201707020459 Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=5670186587783168 Issue filed automatically. See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information. This bug is subject to a 90 day disclosure deadline. If 90 days elapse without an upstream patch, then the bug report will automatically become visible to the public. When you fix this bug, please * mention the fix revision(s). * state whether the bug was a short-lived regression or an old bug in any stable releases. * add any other useful information. This information can help downstream consumers. If you have questions for the OSS-Fuzz team, please file an issue at https://github.com/google/oss-fuzz/issues.

Affected Software

CPE Name	Name	Version
	gdal	unknown

{"id": "OSSFUZZ-2454", "type": "ossfuzz", "bulletinFamily": "software", "title": "gdal: Crash in inflateSync", "description": "Project:\nhttps://github.com/OSGeo/gdal.git\n\nDetailed report: https://oss-fuzz.com/testcase?key=5670186587783168\n\nProject: gdal\nFuzzer: libFuzzer_gdal_gtiff_fuzzer\nFuzz target binary: gtiff_fuzzer\nJob Type: libfuzzer_asan_gdal\nPlatform Id: linux\n\nCrash Type: UNKNOWN READ\nCrash Address: 0x622000010000\nCrash State:\n inflateSync\n ZIPDecode\n TIFFReadEncodedTile\n \nSanitizer: address (ASAN)\n\nRecommended Security Severity: Medium\n\nRegressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_gdal&range=201706300456:201707020459\n\nReproducer Testcase: https://oss-fuzz.com/download?testcase_id=5670186587783168\n\n\nIssue filed automatically.\n\nSee https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.\n\nThis bug is subject to a 90 day disclosure deadline. If 90 days elapse\nwithout an upstream patch, then the bug report will automatically\nbecome visible to the public.\n\nWhen you fix this bug, please\n * mention the fix revision(s).\n * state whether the bug was a short-lived regression or an old bug in any stable releases.\n * add any other useful information.\nThis information can help downstream consumers.\n\nIf you have questions for the OSS-Fuzz team, please file an issue at https://github.com/google/oss-fuzz/issues.", "published": "2017-07-02T12:48:28", "modified": "2017-08-02T13:05:01", "cvss": {}, "href": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2454", "reporter": "Google", "references": [], "cvelist": [], "lastseen": "2020-04-03T14:04:38", "viewCount": 4, "enchantments": {"dependencies": {}, "score": {"value": -0.8, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.8}, "ossfuzz": {"issue": 2454, "status": "Verified", "project": "gdal", "ref": "https://oss-fuzz.com/revisions?job=libfuzzer_asan_gdal&range=201707020459:201707030503", "crashType": "UNKNOWN READ", "revisions": ["5bb37f084ee5cb3d2a04e835bfea3dddc905eabe:90473be9d7dfd4197558421cfd692a53b44a9df5"], "project_repos": ["https://github.com/OSGeo/gdal.git"], "error": "no_commits"}, "affectedSoftware": [{"name": "gdal", "version": "unknown", "operator": "eq"}], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645452131, "score": 1659818015, "affected_software_major_version": 1677286885, "epss": 1678893030}, "_internal": {"score_hash": "0a740c6ae9bbc7aeea7b8bdfa4ff175b"}}