CVE-2016-5316: libtiff 4.0.6 tif_pixarlog.c: PixarLogCleanup() Segmentation fault

[张开翔 <zhangkaixiang () 360 cn>]

Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: illegel read
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-5316
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

Introduction
=======

Segmentation fault ocurrs in PixarLogCleanup() in tif_pixarlog.c when using rgb2ycbcr tool followed a crafted TIFF 
image. Attackers cound exploit this issue to cause denial-of-service.


Here is the stack info:
gdb –args ./rgb2ycbcr PixarLogCleanup.tif tmpout.tif
--- ---
Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x75757575) at malloc.c:2952
2952           if (chunk_is_mmapped (p))                       /* release mmapped memory. */
Missing separate debuginfos, use: dnf debuginfo-install libjpeg-turbo-1.4.1-2.fc23.i686 zlib-1.2.8-9.fc23.i686
(gdb) bt
#0  __GI___libc_free (mem=0x75757575) at malloc.c:2952
#1  0xb7df0a4c in zcfree () from /usr/lib/libz.so.1
#2  0xb7dedd3e in inflateEnd () from /usr/lib/libz.so.1
#3  0xb7f72044 in PixarLogCleanup (tif=0x804f148) at tif_pixarlog.c:1264
#4  0xb7ec29ae in TIFFReadDirectory (tif=0x804f148) at tif_dirread.c:3412
#5  0x0804942d in main (argc=3, argv=0xbffff3a4) at rgb2ycbcr.c:132


References:
[1] http://www.remotesensing.org/libtiff/

Thank you!
Best Regards,