oss-sec mailing list archives
CVE-2016-3625 libtiff: Out-of-bounds Read in the tiff2bw tool
From: 王梅 <wangmei () 360 cn>
Date: Fri, 8 Apr 2016 05:02:06 +0000
Details
=======
Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Out-of-bounds Read
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-3625
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============
An out-of-bounds read at tif_read.c:545, tif_read.c:402 or tif_read.c:560, reached through the tiff2bw tool, allows attackers to cause a denial of service via a crafted TIFF image. In all three gdb sessions below the faulting access is td->td_stripoffset[strip], which gdb cannot read at address 0x0.

gdb tiff2bw
(gdb) r sample/tiff2bw_1.tif 1.tif
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bb4b3a in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:545
545         td->td_stripoffset[strip] > (uint64)tif->tif_size - bytecount) {
Missing separate debuginfos, use: debuginfo-install glibc-2.17-78.el7.x86_64
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  0x00007ffff7bb4b3a in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:545
#1  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#2  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x6076d0, row=0, sample=0) at tif_read.c:295
#3  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253
(gdb)

(gdb) r sample/tiff2bw_2.tif 1.tif
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bb46e4 in TIFFReadRawStrip1 (tif=0x604010, strip=0, buf=0x605620, size=10, module=0x7ffff7bcfa81 <module.3917> "TIFFFillStrip") at tif_read.c:402
402         ma=(tmsize_t)td->td_stripoffset[strip];
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  0x00007ffff7bb46e4 in TIFFReadRawStrip1 (tif=0x604010, strip=0, buf=0x605620, size=10, module=0x7ffff7bcfa81 <module.3917> "TIFFFillStrip") at tif_read.c:402
#1  0x00007ffff7bb4d73 in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:612
#2  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#3  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x6076e0, row=0, sample=0) at tif_read.c:295
#4  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253

(gdb) r sample/tiff2bw_3.tif 1.tif
Program received signal SIGSEGV, Segmentation fault.
TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:560
560                 TIFFErrorExt(tif->tif_clientdata, module,
(gdb) l
555                     "got %I64u bytes, expected %I64u",
556                     (unsigned long) strip,
557                     (unsigned __int64) tif->tif_size - td->td_stripoffset[strip],
558                     (unsigned __int64) bytecount);
559     #else
560                 TIFFErrorExt(tif->tif_clientdata, module,
561
562                     "Read error on strip %lu; "
563                     "got %llu bytes, expected %llu",
564                     (unsigned long) strip,
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:560
#1  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#2  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x607600, row=0, sample=0) at tif_read.c:295
#3  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253

References:
[1] http://www.remotesensing.org/libtiff/
[2] http://bugzilla.maptools.org/buglist.cgi?product=libtiff

Thank you!
Best Regards,
Mei
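All three crash sites sit in the strip-reading path of tif_read.c, and the check at tif_read.c:545 compares a strip's offset against the file size minus its byte count. The example below is added here and is not libtiff code or code from the advisory: it shows the kind of pre-flight validation a caller such as tiff2bw could run on an input before any strip is read. It walks the first IFD of a little-endian ("II") TIFF, refuses a file whose directory carries no StripOffsets (tag 273) or StripByteCounts (tag 279) table, and applies the same offset/size test as line 545 with the subtraction guarded so it cannot wrap. The sample TIFFs are constructed inside the block; the enum, the function names and the little-endian, single-IFD scope are assumptions of this example, not part of the original report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of the pre-flight strip-table check (names are this example's own). */
enum strip_check {
    STRIPS_OK = 0,
    STRIPS_MALFORMED,       /* header or IFD does not fit inside the file */
    STRIPS_NO_OFFSETS,      /* tag 273 StripOffsets is absent */
    STRIPS_NO_BYTECOUNTS,   /* tag 279 StripByteCounts is absent */
    STRIPS_OUT_OF_BOUNDS    /* a strip's offset + bytecount exceeds the file size */
};

/* Little-endian readers/writers; "MM" (big-endian) files are rejected as out of scope. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)((v >> (8 * i)) & 0xff); }

/* Element i of a 12-byte IFD entry of type SHORT (3) or LONG (4). Values are
 * inline when they fit in 4 bytes; otherwise the value field is a file offset
 * and the out-of-line array must itself lie inside the file. */
static int entry_value(const uint8_t *buf, size_t len, const uint8_t *e, uint32_t i, uint64_t *out) {
    uint16_t type = rd16(e + 2);
    uint32_t count = rd32(e + 4);
    size_t esz = (type == 3) ? 2 : (type == 4) ? 4 : 0;
    if (esz == 0 || i >= count) return 0;
    uint64_t total = (uint64_t)count * esz;
    const uint8_t *base = e + 8;
    if (total > 4) {
        uint32_t off = rd32(e + 8);
        if (off > len || total > len - off) return 0;
        base = buf + off;
    }
    const uint8_t *p = base + (size_t)i * esz;
    *out = (esz == 2) ? rd16(p) : rd32(p);
    return 1;
}

/* Walk the first IFD and validate every strip before any read is attempted. */
enum strip_check check_strips(const uint8_t *buf, size_t len) {
    if (len < 8 || memcmp(buf, "II", 2) != 0 || rd16(buf + 2) != 42) return STRIPS_MALFORMED;
    uint32_t ifd = rd32(buf + 4);
    if (ifd > len || len - ifd < 2) return STRIPS_MALFORMED;
    uint16_t n = rd16(buf + ifd);
    if ((uint64_t)n * 12 > len - ifd - 2) return STRIPS_MALFORMED;
    const uint8_t *offs = NULL, *cnts = NULL;
    for (uint16_t k = 0; k < n; k++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)k * 12;
        uint16_t tag = rd16(e);
        if (tag == 273) offs = e;        /* StripOffsets */
        else if (tag == 279) cnts = e;   /* StripByteCounts */
    }
    if (!offs) return STRIPS_NO_OFFSETS;
    if (!cnts) return STRIPS_NO_BYTECOUNTS;
    uint32_t nstrips = rd32(offs + 4);
    if (nstrips == 0 || rd32(cnts + 4) != nstrips) return STRIPS_MALFORMED;
    for (uint32_t s = 0; s < nstrips; s++) {
        uint64_t off, cnt;
        if (!entry_value(buf, len, offs, s, &off) || !entry_value(buf, len, cnts, s, &cnt))
            return STRIPS_MALFORMED;
        /* The test from tif_read.c:545, with the subtraction guarded so it cannot wrap. */
        if (cnt > len || off > (uint64_t)len - cnt) return STRIPS_OUT_OF_BOUNDS;
    }
    return STRIPS_OK;
}

/* ---- constructed sample input (not one of the advisory's sample files) ---- */
static uint8_t *put_entry(uint8_t *p, uint16_t tag, uint16_t type, uint32_t count, uint32_t value) {
    put16(p, tag); put16(p + 2, type); put32(p + 4, count); put32(p + 8, value);
    return p + 12;
}

/* Minimal 64-byte 1x1 TIFF: ImageWidth, ImageLength, then optionally one-strip
 * StripOffsets/StripByteCounts entries; the tail of the buffer is pixel data. */
static size_t build_tiff(uint8_t out[64], uint32_t strip_off, uint32_t strip_len, int with_offsets, int with_counts) {
    uint8_t *p = out;
    memcpy(p, "II", 2); p += 2;
    put16(p, 42); p += 2;
    put32(p, 8); p += 4;                        /* first IFD directly after the header */
    put16(p, (uint16_t)(2 + with_offsets + with_counts)); p += 2;
    p = put_entry(p, 256, 3, 1, 1);             /* ImageWidth  = 1 */
    p = put_entry(p, 257, 3, 1, 1);             /* ImageLength = 1 */
    if (with_offsets) p = put_entry(p, 273, 4, 1, strip_off);
    if (with_counts)  p = put_entry(p, 279, 4, 1, strip_len);
    put32(p, 0); p += 4;                        /* no further IFDs */
    while (p - out < 64) *p++ = 0;              /* zero pixel data / padding */
    return (size_t)(p - out);
}

enum strip_check check_good(void)            { uint8_t f[64]; return check_strips(f, build_tiff(f, 62, 2, 1, 1)); }
enum strip_check check_missing_offsets(void) { uint8_t f[64]; return check_strips(f, build_tiff(f, 62, 2, 0, 1)); }
enum strip_check check_strip_too_long(void)  { uint8_t f[64]; return check_strips(f, build_tiff(f, 62, 10, 1, 1)); }
enum strip_check check_offset_past_eof(void) { uint8_t f[64]; return check_strips(f, build_tiff(f, 0xFFFFFFF0u, 2, 1, 1)); }

int main(void) {
    printf("well-formed:     %d\n", check_good());             /* 0 = STRIPS_OK */
    printf("no StripOffsets: %d\n", check_missing_offsets());  /* 2 = STRIPS_NO_OFFSETS */
    printf("strip past EOF:  %d\n", check_strip_too_long());   /* 4 = STRIPS_OUT_OF_BOUNDS */
    printf("offset past EOF: %d\n", check_offset_past_eof());  /* 4 = STRIPS_OUT_OF_BOUNDS */
    return 0;
}
```

The check deliberately runs over the raw bytes rather than through the library, so a file that fails it never reaches TIFFReadScanline; it also rejects an out-of-line offset table that points outside the file, which the inline single-strip samples do not exercise.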