oss-sec mailing list archives
Re: CVE request libtiff: out-of-bounds read in CIE Lab image format
From: Solar Designer <solar () openwall com>
Date: Fri, 25 Dec 2015 13:30:48 +0300
Hi,

Unfortunately, the text/plain version of zzf's message was badly misformatted. I've included below the result of processing the text/html portion, which is actually readable.

Alexander

zuozhi.fzz () alibaba-inc com wrote:
If the image data is packed (e.g., TIFFDirectory.td_samplesperpixel == 1, TIFFDirectory.td_bitspersample == 8), a pixel only owns one byte. But in the implementation of putcontig8bitCIELab, it eats 3 bytes per pixel. This will lead to an out-of-bounds read vulnerability.

Vulnerable code in tif_getimage.c, libtiff v4.0.6 (lines 1699-1719):

DECLAREContigPutFunc(putcontig8bitCIELab)
{
    float X, Y, Z;
    uint32 r, g, b;
    (void) y;
    fromskew *= 3;
    while (h-- > 0) {
        for (x = w; x-- > 0;) {
            TIFFCIELabToXYZ(img->cielab,
                            (unsigned char)pp[0],
                            (signed char)pp[1],
                            (signed char)pp[2],
                            &X, &Y, &Z);
            TIFFXYZToRGB(img->cielab, X, Y, Z, &r, &g, &b);
            *cp++ = PACK(r, g, b);
            pp += 3;
        }
        cp += toskew;
        pp += fromskew;
    }
}

I used the tutorial code from http://www.remotesensing.org/libtiff/libtiff.html to test that; the PoC is in the attachment.

#include <stdlib.h>
#include "tiffio.h"

int main(int argc, char* argv[])
{
    if (argc < 2)
        return 1;
    TIFF* tif = TIFFOpen(argv[1], "r");
    if (tif) {
        TIFFRGBAImage img;
        char emsg[1024];
        if (TIFFRGBAImageBegin(&img, tif, 0, emsg)) {
            size_t npixels;
            uint32* raster;
            npixels = img.width * img.height;
            raster = (uint32*) _TIFFmalloc(npixels * sizeof (uint32));
            if (raster != NULL) {
                if (TIFFRGBAImageGet(&img, raster, img.width, img.height)) {
                    /* ...process raster data... */
                }
                _TIFFfree(raster);
            }
            TIFFRGBAImageEnd(&img);
        } else
            TIFFError(argv[1], emsg);
        TIFFClose(tif);
    }
    exit(0);
}

If a CVE is assigned, please credit: zzf of Alibaba.
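As an added illustration (not part of either message and not libtiff code), the C below models the read pattern of putcontig8bitCIELab against the bytes a packed strip actually holds, without touching any real buffer. The helper names are hypothetical, and the guard in cielab8_layout_ok is an assumption about what a dispatch-time check should require (3 samples of 8 bits) before the 8-bit CIE Lab routine is selected.

```c
#include <stddef.h>
#include <stdint.h>

/* Bytes of sample data one packed scanline really holds (hypothetical
   helper; a sub-byte sample count is rounded up to whole bytes). */
size_t scanline_bytes(uint32_t w, uint16_t spp, uint16_t bps)
{
    return ((size_t)w * spp * bps + 7) / 8;
}

/* Model of the read pattern in the quoted putcontig8bitCIELab: pp[0..2]
   per pixel, then fromskew*3 bytes to the next row. Returns the number of
   input bytes the loop would consume; nothing is dereferenced. */
size_t cielab8_bytes_needed(uint32_t w, uint32_t h, uint32_t fromskew)
{
    size_t pp = 0, need = 0;
    fromskew *= 3;
    while (h-- > 0) {
        uint32_t x;
        for (x = w; x-- > 0;) {
            need = pp + 3;      /* last byte touched is pp[2] */
            pp += 3;
        }
        pp += fromskew;
    }
    return need;
}

/* 1 if the 8-bit CIE Lab path would read past a strip laid out with
   spp samples of bps bits per pixel, 0 otherwise. */
int cielab8_overreads(uint32_t w, uint32_t h, uint16_t spp, uint16_t bps)
{
    size_t have = scanline_bytes(w, spp, bps) * h;
    return cielab8_bytes_needed(w, h, 0) > have;
}

/* Dispatch-time guard (assumption about the fix, not libtiff's own code):
   only choose the 8-bit CIE Lab put routine when the strip really holds
   three 8-bit samples per pixel, so every pp[0..2] read is in bounds. */
int cielab8_layout_ok(uint16_t spp, uint16_t bps)
{
    return spp == 3 && bps == 8;
}
```

For the case in the report (one 8-bit sample per pixel), a 4-pixel scanline holds 4 bytes while the routine consumes 12, so the guard rejects that layout before the put function is ever chosen.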
Current thread:
- CVE request libtiff: out-of-bounds read in CIE Lab image format 范祚至(库特) (Dec 25)
- Re: CVE request libtiff: out-of-bounds read in CIE Lab image format Solar Designer (Dec 25)
- Re: CVE request libtiff: out-of-bounds read in CIE Lab image format cve-assign (Dec 25)