oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2016-3622 libtiff: Divide By Zero in the tiff2rgba tool

From: 王梅 <wangmei () 360 cn>
Date: Thu, 7 Apr 2016 07:43:32 +0000
Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Divide By Zero
Vendor URL: http://www.libtiff.org/
CVE ID: CVE-2016-3622
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============

Division by zero occurs in the fpAcc function in tif_predict.c in tiff2rgba allows attackers to cause a denial of 
service via a crafted TIFF image.



libtiff-master/libtiff/tif_predict.c:381.

377 fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
378 {
379         tmsize_t stride = PredictorState(tif)->stride;
380         uint32 bps = tif->tif_dir.td_bitspersample / 8;
381         tmsize_t wc = cc / bps;
382         tmsize_t count = cc;
383         uint8 *cp = (uint8 *) cp0;
384         uint8 *tmp = (uint8 *)_TIFFmalloc(cc);


gdb tiff2rgba

(gdb) r sample/tiff2rgba_1.tif  1.tif
Starting program: /usr/local/bin/tiff2rgba sample/tiff2rgba_1.tif  1.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
sample/tiff2rgba_1.tif: Warning, Nonstandard tile length 1, convert file.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.

Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7baffe0 in fpAcc (tif=0x604930, cp0=0x6056b0 "", cc=4) at tif_predict.c:381
381             tmsize_t wc = cc / bps;
(gdb) p bps
$1 = 0
(gdb) bt
#0  0x00007ffff7baffe0 in fpAcc (tif=0x604930, cp0=0x6056b0 "", cc=4) at tif_predict.c:381
#1  0x00007ffff7bb0457 in PredictorDecodeTile (tif=0x604930, op0=0x6056b0 "", occ0=4, s=0) at tif_predict.c:453
#2  0x00007ffff7bb4f9f in TIFFReadEncodedTile (tif=0x604930, tile=0, buf=0x6056b0, size=4) at tif_read.c:668
#3  0x00007ffff7bb4e87 in TIFFReadTile (tif=0x604930, buf=0x6056b0, x=0, y=0, z=0, s=0) at tif_read.c:641
#4  0x00007ffff7b972f1 in gtTileContig (img=0x7fffffffdd90, raster=0x605940, w=32, h=32) at tif_getimage.c:661
#5  0x00007ffff7b96ce7 in TIFFRGBAImageGet (img=0x7fffffffdd90, raster=0x605940, w=32, h=32) at tif_getimage.c:500
#6  0x00007ffff7b96ddd in TIFFReadRGBAImageOriented (tif=0x604930, rwidth=32, rheight=32, raster=0x605940, 
orientation=1, stop=0)
    at tif_getimage.c:519
#7  0x000000000040196c in cvt_whole_image (in=0x604930, out=0x604010) at tiff2rgba.c:386
#8  0x0000000000401e6d in tiffcvt (in=0x604930, out=0x604010) at tiff2rgba.c:504
#9  0x00000000004011b5 in main (argc=3, argv=0x7fffffffe418) at tiff2rgba.c:126


References:
[1] http://www.remotesensing.org/libtiff/
[2] http://bugzilla.maptools.org/buglist.cgi?product=libtiff


Thank you!
Best Regards,


Mei
Previous By Date Next
Previous By Thread Next

Current thread: