oss-sec mailing list archives

libtiff: Missing return value check in ppm2tiff leading to heap-buffer overflow when reading a tiff file


From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Fri, 02 Nov 2012 15:53:07 +0530

Hi All,

A flaw was found in the way ppm2tiff, a tool to create a TIFF file from
PPM, PGM and PBM image files, did not check the return value of
the TIFFScanlineSize() function. When TIFFScanlineSize() encountered an
integer overflow and returned zero, this value was not checked. A
remote attacker could provide a specially crafted PPM image format
file that, when processed by ppm2tiff, would lead to a crash of the
ppm2tiff executable or, potentially, arbitrary code execution with the
privileges of the user running the ppm2tiff binary.

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=871700


--
Huzaifa Sidhpurwala / Red Hat Security Response Team
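The following is an added illustration of the missing check described in the report above; it is example code written for this archive entry, not code from libtiff, ppm2tiff or the reporter. scanline_size() is a simplified stand-in for TIFFScanlineSize() that returns 0 when the row size does not fit (its 32-bit result is an assumption for the example), and image_hdr, convert_rows(), the demo functions and the sample pixel bytes are all constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the header values ppm2tiff derives from a
 * PPM/PGM/PBM file (not libtiff's or ppm2tiff's own types). */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint16_t samples_per_pixel;  /* 1 for PGM/PBM, 3 for PPM */
    uint16_t bits_per_sample;    /* 1, 8 or 16 */
} image_hdr;

/* Simplified model of TIFFScanlineSize(): bytes needed for one row, or 0
 * when the size does not fit (the report describes libtiff returning zero
 * on integer overflow). Assumption: a 32-bit result, as in older libtiff. */
uint32_t scanline_size(const image_hdr *h)
{
    /* 32 + 16 + 16 bits of operand fit in the 64-bit product, so the
     * multiplication itself cannot wrap here. */
    uint64_t bits  = (uint64_t)h->width * h->samples_per_pixel * h->bits_per_sample;
    uint64_t bytes = (bits + 7) / 8;
    if (bytes == 0 || bytes > UINT32_MAX)
        return 0;                /* the caller must treat 0 as an error */
    return (uint32_t)bytes;
}

/* Copies `height` rows of raw samples from `in` to `out` through a row
 * buffer sized by scanline_size(), mirroring the allocate-then-read loop
 * of a PPM-to-TIFF converter. Returns 0 on success, -1 on any size error.
 * The check on `sls == 0` is the one the advisory says ppm2tiff lacked:
 * without it, malloc(0) would be followed by row-sized writes into that
 * zero-length block, i.e. a heap buffer overflow. */
int convert_rows(const image_hdr *h, const uint8_t *in, size_t in_len,
                 uint8_t *out, size_t out_len)
{
    uint32_t sls = scanline_size(h);
    if (sls == 0) {
        fprintf(stderr, "scanline size overflow for %ux%u, refusing to convert\n",
                h->width, h->height);
        return -1;
    }
    uint64_t total = (uint64_t)sls * h->height;
    if (total > in_len || total > out_len)
        return -1;               /* header claims more data than we have */

    uint8_t *buf = malloc(sls);
    if (buf == NULL)
        return -1;
    for (uint32_t row = 0; row < h->height; row++) {
        memcpy(buf, in + (size_t)row * sls, sls);   /* read one input row */
        memcpy(out + (size_t)row * sls, buf, sls);  /* emit it as a scanline */
    }
    free(buf);
    return 0;
}

/* Runs a well-formed 4x2 RGB image through convert_rows(); returns 1 when
 * the output matches the input exactly. Sample bytes are constructed. */
int demo_sane_image(void)
{
    image_hdr hdr = { 4, 2, 3, 8 };      /* 4 pixels wide, 2 rows, RGB8 */
    uint8_t in[24], out[24];
    for (size_t i = 0; i < sizeof in; i++)
        in[i] = (uint8_t)i;
    memset(out, 0xAA, sizeof out);
    if (convert_rows(&hdr, in, sizeof in, out, sizeof out) != 0)
        return 0;
    return memcmp(in, out, sizeof in) == 0;
}

/* Feeds a header whose width makes the row size exceed 32 bits; returns 1
 * when convert_rows() rejects it without touching the output buffer. */
int demo_crafted_header(void)
{
    image_hdr hdr = { 0xFFFFFFFFu, 1, 3, 8 };
    uint8_t in[24] = { 0 }, out[24];
    memset(out, 0xAA, sizeof out);
    if (convert_rows(&hdr, in, sizeof in, out, sizeof out) != -1)
        return 0;
    return out[0] == 0xAA;              /* output untouched */
}

int main(void)
{
    printf("sane image round-trips: %s\n", demo_sane_image() ? "yes" : "no");
    printf("crafted header rejected: %s\n", demo_crafted_header() ? "yes" : "no");
    return 0;
}
```

The point of the example is the order of operations: the size returned by the library call is validated before it reaches malloc(), and the amount of data the header claims is compared against what is actually available before any row is copied. Both checks fail closed, so a crafted header is rejected at the first step rather than turning into an undersized allocation.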

