oss-sec mailing list archives
CVE-2016-3620 libtiff: Out-of-bounds Read in the bmp2tiff tool
From: 王梅 <wangmei () 360 cn>
Date: Thu, 7 Apr 2016 07:36:20 +0000
Details ======= Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: Out-of-bounds Read Vendor URL: http://www.libtiff.org/ CVE ID: CVE-2016-3620 Credit: Mei Wang of the Cloud Security Team, Qihoo 360 Introduction ============ ZIPEncode function in tif_zip.c in bmp2tiff allows attackers to cause a denial of service (Out-of-bounds Read) via a crafted bmp image with param -c zip. ./bmp2tiff -c zip ./sample/bmp2tiff_zip.bmp 1.tif ================================================================= ==14228== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f563bf05800 at pc 0x7f5638d8eb3f bp 0x7fffca413bb0 sp 0x7fffca413358 READ of size 32768 at 0x7f563bf05800 thread T0 #0 0x7f5638d8eb3e (/lib64/libasan.so.0+0xeb3e) #1 0x7f5638b6a136 in fill_window (/lib64/libz.so.1+0x3136) #2 0x7f5638b6abbf in deflate_slow (/lib64/libz.so.1+0x3bbf) #3 0x7f5638b6bc6f in deflate (/lib64/libz.so.1+0x4c6f) #4 0x49cfed in ZIPEncode /home/dazhuang/asan/libtiff-master/libtiff/tif_zip.c:277 #5 0x45665e in TIFFWriteScanline /home/dazhuang/asan/libtiff-master/libtiff/tif_write.c:173 #6 0x40450f in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:775 #7 0x7f56384c5af4 in __libc_start_main (/lib64/libc.so.6+0x21af4) #8 0x4019a8 in _start (/home/dazhuang/asan/libtiff-master/tools/bmp2tiff+0x4019a8) 0x7f563bf05800 is located 0 bytes to the right of 1114112-byte region [0x7f563bdf5800,0x7f563bf05800) allocated by thread T0 here: #0 0x7f5638d96129 (/lib64/libasan.so.0+0x16129) #1 0x45b761 in _TIFFmalloc /home/dazhuang/asan/libtiff-master/libtiff/tif_unix.c:316 #2 0x4037c3 in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:678 #3 0x7f56384c5af4 in __libc_start_main (/lib64/libc.so.6+0x21af4) SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ?? Shadow bytes around the buggy address: 0x0feb477d8ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0feb477d8ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0feb477d8ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0feb477d8ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0feb477d8af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0feb477d8b00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0feb477d8b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0feb477d8b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0feb477d8b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0feb477d8b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0feb477d8b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap righ redzone: fb Freed Heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==14228== ABORTING References: [1] http://www.remotesensing.org/libtiff/ [2] http://bugzilla.maptools.org/buglist.cgi?product=libtiff Thank you! Best Regards, Mei
Current thread:
- CVE-2016-3620 libtiff: Out-of-bounds Read in the bmp2tiff tool 王梅 (Apr 07)