Buffer overflow in libtiff in Imagemagick

[zgmzgm () mail ustc edu cn]

--Credits:
zgmzgm[at]mail.ustc.edu.cn

-- Disclosure Timeline:
3-17-2011

-- Affected Vendor:
Imagemagick 6.6.8-5
Libtiff 6.9.4

-- Problem Description:
A buffer overflow is triggered by displaying a malformed tiff image by the Imagemagick.The error information is 
followed:

display: malformed.tif: Wrong "StripByteCounts" field, ignoring and calculating from imagelength. `TIFFReadDirectory' @ 
warning/tiff.c/TIFFWarnings/706.
display: malformed.tif: Read error on strip 0; got 46128 bytes, expected 80624532. `TIFFFillStrip' @ 
error/tiff.c/TIFFErrors/496.
Segmentation fault

We use flayer to trace the malformed tiff image and the flayer gives the following suggestions:

==1812== Warning: client syscall shmdt tried to modify addresses 0xFFFFFFFF-0xFFFFFFFF
==1812== Warning: set address range perms: large range 325120064 (defined)
==1812== Stack overflow in thread 1: can't grow stack to 0xBE394FAC
==1812== 
==1812== Process terminating with default action of signal 11 (SIGSEGV)
==1812==  Access not within mapped region at address 0xBE394FAC
==1812==    at 0x484D407: (within /usr/lib/libX11.so.6.3.0)
==1812== Stack overflow in thread 1: can't grow stack to 0xBE394FA8
==1812== 
==1812== Process terminating with default action of signal 11 (SIGSEGV)
==1812==  Access not within mapped region at address 0xBE394FA8
==1812==    at 0x401F2C1: _vgnU_freeres (vg_preloaded.c:56)

The flayer suggest that a stack overflow occurred in thread 1.This may allow remote attackers to execute arbitrary code.

You can download the malformed tiff image which lead to the application collapse: 
http://home.ustc.edu.cn/~zgmzgm/malformed.tif