oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE request libtiff: out-of-bounds read in CIE Lab image format

From: Solar Designer <solar () openwall com>
Date: Fri, 25 Dec 2015 13:30:48 +0300
Hi,

Unfortunately, the text/plain version of zzf's message was badly
misformatted.  I've included below the result of processing of the
text/html portion, which is actually readable.

Alexander

zuozhi.fzz () alibaba-inc com wrote:

If the data of image is packed(e.g., TIFFDirectory.td_samplesperpixel == 1,
TIFFDirectory.td_bitspersample == 8), a pixel only owns one byte. But in the
implementation of putcontig8bitCIELab, it eats 3 bytes per pixel. This will
lead to an out-of-bounds read vulnerability.

vuln code in tif_getimage.c, libtiff v4.0.6

1699 DECLAREContigPutFunc(putcontig8bitCIELab)
1700 {
1701         float X, Y, Z;
1702         uint32 r, g, b;
1703         (void) y;
1704         fromskew *= 3;
1705         while (h-- > 0) {
1706                 for (x = w; x-- > 0;) {
1707                         TIFFCIELabToXYZ(img->cielab,
1708                                         (unsigned char)pp[0],
1709                                         (signed char)pp[1],
1710                                         (signed char)pp[2],
1711                                         &X, &Y, &Z);
1712                         TIFFXYZToRGB(img->cielab, X, Y, Z, &r, &g, &b);
1713                         *cp++ = PACK(r, g, b);
1714                         pp += 3;
1715                 }
1716                 cp += toskew;
1717                 pp += fromskew;
1718         }
1719 }

I use the tutorial code from http://www.remotesensing.org/libtiff/libtiff.html
to test that, and poc is in the attachment.

    #include "tiffio.h"
    main(int argc, char* argv[])
    {
        TIFF* tif = TIFFOpen(argv[1], "r");
        if (tif) {
            TIFFRGBAImage img;
            char emsg[1024];

            if (TIFFRGBAImageBegin(&img, tif, 0, emsg)) {
                size_t npixels;
                uint32* raster;

                npixels = img.width * img.height;
                raster = (uint32*) _TIFFmalloc(npixels * sizeof (uint32));
                if (raster != NULL) {
                    if (TIFFRGBAImageGet(&img, raster, img.width, img.height)) {
                        ...process raster data...
                    }
                    _TIFFfree(raster);
                }
                TIFFRGBAImageEnd(&img);
            } else
                TIFFError(argv[1], emsg);
            TIFFClose(tif);
        }
        exit(0);
    }

If it would be assigned a CVE, please credit it for: zzf of Alibaba.
Previous By Date Next
Previous By Thread Next

Current thread: