oss-sec mailing list archives
CVE-2016-3945 libtiff: Out-of-bounds Write in the tiff2rgba tool
From: 王梅 <wangmei () 360 cn>
Date: Fri, 8 Apr 2016 05:05:42 +0000
Details ======= Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: Out-of-bounds Write Vendor URL: http://www.remotesensing.org/libtiff/ CVE ID: CVE-2016-3945 Credit: Mei Wang of the Cloud Security Team, Qihoo 360 Introduction ============ When libtiff 4.0.6 tiff2rgba handle malicious tif file(width= 8388640, height=31) and set param -b will cause illegal write. The vulnerability exist in function cvt_by_strip (also exist in cvt_by_tile ) without checking the buffer allocate result. An attacker may control the write address and/or value to result in denial-of-service or command execution. gdb tiff2rgba (gdb) r -b sample/test.tif 1.tif Starting program: /usr/local/bin/tiff2rgba -b sample/test.tif 1.tif TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations. TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag ignored. LZWDecode: Not enough data at scanline 0 (short 67108864 bytes). Breakpoint 2, gtStripContig (img=0x7fffffffdd90, raster=0x7ffff7fce010, w=8388640, h=32) at tif_getimage.c:946 946 (*put)(img, raster+y*w, 0, y, w, nrow, fromskew, toskew, buf + pos); (gdb) p *put $5 = {void (TIFFRGBAImage *, uint32 *, uint32, uint32, uint32, uint32, int32, int32, unsigned char *)} 0x7ffff7b98a5e <put2bitcmaptile> (gdb) p *(raster+y*w) Cannot access memory at address 0x800035fcef90 (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7b98ae7 in put2bitcmaptile (img=0x7fffffffdd90, cp=0x800035fcef94, x=0, y=31, w=8388640, h=31, fromskew=0, toskew=-16777280, pp=0x7ffff1288011 '\377' <repeats 11 times>, "\303\300\377\377\377\377\377\377\024?\377\377\377\360\003") at tif_getimage.c:1233 1233 UNROLL4(w, bw = PALmap[*pp++], *cp++ = *bw++); (gdb) bt #0 0x00007ffff7b98ae7 in put2bitcmaptile (img=0x7fffffffdd90, cp=0x800035fcef94, x=0, y=31, w=8388640, h=31, fromskew=0, toskew=-16777280, pp=0x7ffff1288011 '\377' <repeats 11 times>, "\303\300\377\377\377\377\377\377\024?\377\377\377\360\003") at tif_getimage.c:1233 #1 0x00007ffff7b98055 in gtStripContig (img=0x7fffffffdd90, raster=0x7ffff7fce010, w=8388640, h=32) at tif_getimage.c:946 #2 0x00007ffff7b96ce7 in TIFFRGBAImageGet (img=0x7fffffffdd90, raster=0x7ffff7fce010, w=8388640, h=32) at tif_getimage.c:500 #3 0x00007ffff7ba11da in TIFFReadRGBAStrip (tif=0x604930, row=0, raster=0x7ffff7fce010) at tif_getimage.c:2816 #4 0x0000000000401693 in cvt_by_strip (in=0x604930, out=0x604010) at tiff2rgba.c:290 #5 0x0000000000401e58 in tiffcvt (in=0x604930, out=0x604010) at tiff2rgba.c:502 #6 0x00000000004011b5 in main (argc=4, argv=0x7fffffffe408) at tiff2rgba.c:126 References: [1] http://www.remotesensing.org/libtiff/ [2] http://bugzilla.maptools.org/buglist.cgi?product=libtiff Thank you! Best Regards, Mei
Current thread:
- CVE-2016-3945 libtiff: Out-of-bounds Write in the tiff2rgba tool 王梅 (Apr 07)