oss-sec mailing list archives
CVE-2016-3622 libtiff: Divide By Zero in the tiff2rgba tool
From: 张开翔 <zhangkaixiang () 360 cn>
Date: Thu, 7 Apr 2016 10:16:58 +0000
Details ======= Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: Illegel read Vendor URL: http://www.libtiff.org/ CVE ID: CVE-2016-3631 Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360 Introduction Illegal read occurs in the cpStrips and cpTiles function in thumbnail.c in thumbnail allows attackers to exploit this issue to cause denial-of-service. libtiff/tools/thumbnail.c:314. 313 for (s = 0; s < ns; s++) { 314 if (bytecounts[s] > (uint64) bufsize) { 315 buf = (unsigned char *)_TIFFrealloc(buf, (tmsize_t)bytecounts[s]); 316 if (!buf) 317 goto bad; 318 bufsize = (tmsize_t)bytecounts[s]; 319 } 320 if (TIFFReadRawStrip(in, s, buf, (tmsize_t)bytecounts[s]) < 0 || 321 TIFFWriteRawStrip(out, s, buf, (tmsize_t)bytecounts[s]) < 0) { 322 _TIFFfree(buf); 323 return 0; 324 } 325 } gdb --args thumbnail cpStrips.tif tmpout.tif …… Program received signal SIGSEGV, Segmentation fault. 0x0804c7bf in cpStrips (out=<optimized out>, in=0x8164530) at thumbnail.c:314 314 if (bytecounts[s] > (uint64) bufsize) { (gdb) bt #0 0x0804c7bf in cpStrips (out=<optimized out>, in=0x8164530) at thumbnail.c:314 #1 cpIFD (out=<optimized out>, in=<optimized out>) at thumbnail.c:378 #2 main (argc=3, argv=0xbffff384) at thumbnail.c:124 (gdb) p *bytecounts Cannot access memory at address 0x42900001 References: [1] http://www.remotesensing.org/libtiff/ [2] http://bugzilla.maptools.org/buglist.cgi?product=libtiff Thank you! Best Regards,
Current thread:
- CVE-2016-3622 libtiff: Divide By Zero in the tiff2rgba tool 王梅 (Apr 07)
- <Possible follow-ups>
- CVE-2016-3622 libtiff: Divide By Zero in the tiff2rgba tool 张开翔 (Apr 07)