Message-ID: <A9050F7D-C369-4835-9B4B-022B3631E17E@360.cn>
Date: Fri, 8 Apr 2016 05:02:06 +0000
From: 王梅 <wangmei@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2016-3625 libtiff: Out-of-bounds Read in the tiff2bw tool

Details
=======
Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Out-of-bounds Read
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-3625
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============
An out-of-bounds read in tif_read.c:545, tif_read.c:402, or tif_read.c:560 in tiff2bw allows attackers to cause a denial of service via a crafted TIFF image.

gdb tiff2bw
(gdb) r sample/tiff2bw_1.tif 1.tif

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bb4b3a in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:545
545	    td->td_stripoffset[strip] > (uint64)tif->tif_size - bytecount) {
Missing separate debuginfos, use: debuginfo-install glibc-2.17-78.el7.x86_64
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  0x00007ffff7bb4b3a in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:545
#1  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#2  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x6076d0, row=0, sample=0) at tif_read.c:295
#3  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253
(gdb)

(gdb) r sample/tiff2bw_2.tif 1.tif

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bb46e4 in TIFFReadRawStrip1 (tif=0x604010, strip=0, buf=0x605620, size=10, module=0x7ffff7bcfa81 <module.3917> "TIFFFillStrip") at tif_read.c:402
402	    ma=(tmsize_t)td->td_stripoffset[strip];
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  0x00007ffff7bb46e4 in TIFFReadRawStrip1 (tif=0x604010, strip=0, buf=0x605620, size=10, module=0x7ffff7bcfa81 <module.3917> "TIFFFillStrip") at tif_read.c:402
#1  0x00007ffff7bb4d73 in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:612
#2  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#3  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x6076e0, row=0, sample=0) at tif_read.c:295
#4  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253

(gdb) r sample/tiff2bw_3.tif 1.tif

Program received signal SIGSEGV, Segmentation fault.
TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:560
560	    TIFFErrorExt(tif->tif_clientdata, module,
(gdb) l
555	        "got %I64u bytes, expected %I64u",
556	        (unsigned long) strip,
557	        (unsigned __int64) tif->tif_size - td->td_stripoffset[strip],
558	        (unsigned __int64) bytecount);
559	#else
560	    TIFFErrorExt(tif->tif_clientdata, module,
561
562	        "Read error on strip %lu; "
563	        "got %llu bytes, expected %llu",
564	        (unsigned long) strip,
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:560
#1  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#2  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x607600, row=0, sample=0) at tif_read.c:295
#3  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253

References:
[1] http://www.remotesensing.org/libtiff/
[2] http://bugzilla.maptools.org/buglist.cgi?product=libtiff

Thank you!

Best Regards,
Mei
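All three backtraces above fault when TIFFFillStrip dereferences td->td_stripoffset[strip] and gdb reports "Cannot access memory at address 0x0", i.e. the strip-offset array pointer is NULL when strip 0 is read. The advisory does not say why the array is absent; the validator below is an added example (not part of the advisory and not libtiff code) written from the assumption that a first IFD lacking the StripOffsets (273) or StripByteCounts (279) tags, or declaring a strip that runs past the end of the file, is the kind of input a pre-parse check should reject before an image is handed to a strip-based reader such as tiff2bw. It parses only the TIFF header and the first IFD, reports missing strip tags, and for single-strip files re-implements the size comparison that tif_read.c:545 performs (offset + byte count must fit inside the file). The three sample files are constructed inline and are not the tiff2bw_N.tif files from the report.

```python
import struct

# TIFF tag numbers from the TIFF 6.0 specification
TAG_IMAGE_WIDTH = 256
TAG_IMAGE_LENGTH = 257
TAG_STRIP_OFFSETS = 273
TAG_ROWS_PER_STRIP = 278
TAG_STRIP_BYTE_COUNTS = 279
TYPE_SHORT = 3
TYPE_LONG = 4


def parse_first_ifd(data):
    """Parse the 8-byte header and the first IFD; return (endianness, {tag: (type, count, raw4)})."""
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    end = {b"II": "<", b"MM": ">"}.get(data[:2])
    if end is None:
        raise ValueError("bad byte-order mark")
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    if ifd_off + 2 > len(data):
        raise ValueError("first IFD offset lies outside the file")
    (count,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    tags, pos = {}, ifd_off + 2
    for _ in range(count):
        if pos + 12 > len(data):
            raise ValueError("IFD entry lies outside the file")
        tag, typ, cnt = struct.unpack(end + "HHI", data[pos:pos + 8])
        tags[tag] = (typ, cnt, data[pos + 8:pos + 12])  # keep the raw value field
        pos += 12
    return end, tags


def inline_value(end, typ, raw):
    """Decode a count==1 SHORT/LONG stored inline in the 4-byte value field."""
    if typ == TYPE_SHORT:
        return struct.unpack(end + "H", raw[:2])[0]  # SHORT is left-justified in the field
    if typ == TYPE_LONG:
        return struct.unpack(end + "I", raw)[0]
    return None


def check_strip_tags(data):
    """Return a list of findings; an empty list means the strip tags look sane."""
    end, tags = parse_first_ifd(data)
    findings = []
    if TAG_STRIP_OFFSETS not in tags:
        findings.append("missing StripOffsets (273)")
    if TAG_STRIP_BYTE_COUNTS not in tags:
        findings.append("missing StripByteCounts (279)")
    if not findings:
        t_off, n_off, raw_off = tags[TAG_STRIP_OFFSETS]
        t_cnt, n_cnt, raw_cnt = tags[TAG_STRIP_BYTE_COUNTS]
        if n_off == 1 and n_cnt == 1:  # single strip: values are inline, so we can check them here
            off, cnt = inline_value(end, t_off, raw_off), inline_value(end, t_cnt, raw_cnt)
            if off is not None and cnt is not None and off + cnt > len(data):
                findings.append(f"strip 0 at offset {off} with {cnt} bytes exceeds file size {len(data)}")
    return findings


# --- constructed little-endian sample files (not the reporter's samples) ---
def _short(v):
    return struct.pack("<H", v) + b"\x00\x00"


def _long(v):
    return struct.pack("<I", v)


def build_tiff(entries, payload):
    """Assemble header + one IFD (entries sorted by tag) + payload; returns bytes."""
    entries = sorted(entries)
    out = bytearray(b"II" + struct.pack("<HI", 42, 8))
    out += struct.pack("<H", len(entries))
    for tag, typ, cnt, raw in entries:
        out += struct.pack("<HHI", tag, typ, cnt) + raw
    out += struct.pack("<I", 0)  # no next IFD
    return bytes(out + payload)


def payload_offset(n_entries):
    return 8 + 2 + 12 * n_entries + 4


def sample_good():
    poff = payload_offset(5)  # 74
    return build_tiff([(TAG_IMAGE_WIDTH, TYPE_SHORT, 1, _short(1)),
                       (TAG_IMAGE_LENGTH, TYPE_SHORT, 1, _short(1)),
                       (TAG_STRIP_OFFSETS, TYPE_LONG, 1, _long(poff)),
                       (TAG_ROWS_PER_STRIP, TYPE_SHORT, 1, _short(1)),
                       (TAG_STRIP_BYTE_COUNTS, TYPE_LONG, 1, _long(1))], b"\x00")


def sample_missing_offsets():
    return build_tiff([(TAG_IMAGE_WIDTH, TYPE_SHORT, 1, _short(1)),
                       (TAG_IMAGE_LENGTH, TYPE_SHORT, 1, _short(1)),
                       (TAG_ROWS_PER_STRIP, TYPE_SHORT, 1, _short(1)),
                       (TAG_STRIP_BYTE_COUNTS, TYPE_LONG, 1, _long(1))], b"\x00")


def sample_oversized_count():
    poff = payload_offset(5)
    return build_tiff([(TAG_IMAGE_WIDTH, TYPE_SHORT, 1, _short(1)),
                       (TAG_IMAGE_LENGTH, TYPE_SHORT, 1, _short(1)),
                       (TAG_STRIP_OFFSETS, TYPE_LONG, 1, _long(poff)),
                       (TAG_ROWS_PER_STRIP, TYPE_SHORT, 1, _short(1)),
                       (TAG_STRIP_BYTE_COUNTS, TYPE_LONG, 1, _long(1000))], b"\x00")


if __name__ == "__main__":
    for name, fn in [("good", sample_good), ("missing-offsets", sample_missing_offsets),
                     ("oversized-count", sample_oversized_count)]:
        print(name, check_strip_tags(fn()) or "ok")
```

The check is deliberately shallow: it reads only the first IFD and only handles the single-strip inline case for the size comparison, which is enough to reject the two malformed shapes above before libtiff allocates anything. Multi-strip files store the offset and byte-count arrays out of line, so a production validator would follow those pointers with the same bounds discipline.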