Message-ID: <04F55884-564E-4A3E-8D22-AF3E17DA229E@360.cn>
Date: Thu, 7 Apr 2016 07:43:32 +0000
From: 王梅 <wangmei@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2016-3622 libtiff: Divide By Zero in the tiff2rgba tool

Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Divide By Zero
Vendor URL: http://www.libtiff.org/
CVE ID: CVE-2016-3622
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============

A division by zero in the fpAcc function in tif_predict.c, reached through tiff2rgba, allows attackers to cause a denial of service via a crafted TIFF image.

libtiff-master/libtiff/tif_predict.c:381.

377 fpAcc(TIFF* tif, uint8* cp0, tmsize_t cc)
378 {
379     tmsize_t stride = PredictorState(tif)->stride;
380     uint32 bps = tif->tif_dir.td_bitspersample / 8;
381     tmsize_t wc = cc / bps;
382     tmsize_t count = cc;
383     uint8 *cp = (uint8 *) cp0;
384     uint8 *tmp = (uint8 *)_TIFFmalloc(cc);

gdb tiff2rgba
(gdb) r sample/tiff2rgba_1.tif 1.tif
Starting program: /usr/local/bin/tiff2rgba sample/tiff2rgba_1.tif 1.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
sample/tiff2rgba_1.tif: Warning, Nonstandard tile length 1, convert file.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "Orientation"; tag ignored.

Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7baffe0 in fpAcc (tif=0x604930, cp0=0x6056b0 "", cc=4) at tif_predict.c:381
381     tmsize_t wc = cc / bps;
(gdb) p bps
$1 = 0
(gdb) bt
#0  0x00007ffff7baffe0 in fpAcc (tif=0x604930, cp0=0x6056b0 "", cc=4) at tif_predict.c:381
#1  0x00007ffff7bb0457 in PredictorDecodeTile (tif=0x604930, op0=0x6056b0 "", occ0=4, s=0) at tif_predict.c:453
#2  0x00007ffff7bb4f9f in TIFFReadEncodedTile (tif=0x604930, tile=0, buf=0x6056b0, size=4) at tif_read.c:668
#3  0x00007ffff7bb4e87 in TIFFReadTile (tif=0x604930, buf=0x6056b0, x=0, y=0, z=0, s=0) at tif_read.c:641
#4  0x00007ffff7b972f1 in gtTileContig (img=0x7fffffffdd90, raster=0x605940, w=32, h=32) at tif_getimage.c:661
#5  0x00007ffff7b96ce7 in TIFFRGBAImageGet (img=0x7fffffffdd90, raster=0x605940, w=32, h=32) at tif_getimage.c:500
#6  0x00007ffff7b96ddd in TIFFReadRGBAImageOriented (tif=0x604930, rwidth=32, rheight=32, raster=0x605940, orientation=1, stop=0) at tif_getimage.c:519
#7  0x000000000040196c in cvt_whole_image (in=0x604930, out=0x604010) at tiff2rgba.c:386
#8  0x0000000000401e6d in tiffcvt (in=0x604930, out=0x604010) at tiff2rgba.c:504
#9  0x00000000004011b5 in main (argc=3, argv=0x7fffffffe418) at tiff2rgba.c:126

References:
[1] http://www.remotesensing.org/libtiff/
[2] http://bugzilla.maptools.org/buglist.cgi?product=libtiff

Thank you!

Best Regards,
Mei
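Added example, not part of the original message and not libtiff code: a simplified, self-contained C model of the accumulate step at tif_predict.c:377-384, with the parameter validation whose absence lets line 381 divide by zero. The fp_params struct, the function names, the little-endian byte regrouping and the sample tag values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two values fpAcc reads from TIFF state. */
typedef struct { uint16_t bitspersample; size_t stride; } fp_params;

/* Returns 1 only if every division below is well defined for cc bytes. */
int fp_params_ok(const fp_params *p, size_t cc)
{
    size_t bps = p->bitspersample / 8;
    if (bps == 0 || p->bitspersample % 8 != 0)
        return 0;                 /* bps truncated to 0, or a sample splits a byte */
    if (p->stride == 0 || p->stride > SIZE_MAX / bps)
        return 0;                 /* zero or overflowing group size */
    return cc % (bps * p->stride) == 0;   /* whole sample groups only */
}

/* Simplified model of the accumulate step; 0 on success, -1 on rejection. */
int fp_acc_checked(const fp_params *p, uint8_t *cp, size_t cc)
{
    size_t bps, wc, i, b;
    if (!fp_params_ok(p, cc))
        return -1;                /* refuse instead of raising SIGFPE */
    if (cc == 0)
        return 0;
    bps = p->bitspersample / 8;   /* >= 1 after the check above */
    wc = cc / bps;                /* the division that faulted at line 381 */
    for (i = p->stride; i < cc; i++)          /* undo byte-wise differencing */
        cp[i] = (uint8_t)(cp[i] + cp[i - p->stride]);
    uint8_t *tmp = malloc(cc);
    if (tmp == NULL)
        return -1;
    memcpy(tmp, cp, cc);
    for (i = 0; i < wc; i++)                  /* regroup byte planes into samples */
        for (b = 0; b < bps; b++)             /* little-endian host order assumed */
            cp[bps * i + b] = tmp[(bps - b - 1) * wc + i];
    free(tmp);
    return 0;
}

int main(void)
{
    /* Constructed input: cc = 4 as in the backtrace; BitsPerSample = 1 gives bps == 0. */
    fp_params bad = { 1, 1 };
    uint8_t buf[4] = { 0, 0, 0, 0 };
    printf("crafted parameters -> %d\n", fp_acc_checked(&bad, buf, sizeof buf));
    return 0;
}
```

Rejecting the parameters once, before any tile is decoded, keeps the check out of the per-tile path and covers every caller that reaches the predictor.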