Date: Sun, 21 Jun 2009 17:14:24 -0700
From: Kees Cook <kees@...ntu.com>
To: oss-security@...ts.openwall.com
Subject: libtiff buffer underflow in LZWDecodeCompat
A crafted TIFF can crash libtiff in LZWDecodeCompat via underflow (different
from CVE-2008-2327).
Based on discussions[1] and a quick analysis[2], I don't think this is
exploitable, but it does lead to crashes in any application using libtiff.
I've reported it upstream[3], with the attached patch.
Has anyone else looked this over?
-Kees
[1] http://www.lan.st/showthread.php?t=1856&page=3
[2] https://bugs.launchpad.net/bugs/380149
[3] http://bugzilla.maptools.org/show_bug.cgi?id=2065
--
Kees Cook
Ubuntu Security Team
Description: fix underflow loop in LZWDecodeCompat
Author: Kees Cook <kees@...ntu.com>
Ubuntu: https://bugs.edge.launchpad.net/bugs/380149
--- tiff-3.8.2~/libtiff/tif_lzw.c 2009-06-21 16:10:05.000000000 -0700
+++ tiff-3.8.2/libtiff/tif_lzw.c 2009-06-21 16:09:38.000000000 -0700
@@ -670,6 +670,7 @@
}
oldcodep = codep;
if (code >= 256) {
+ char *op_orig = op;
/*
* Code maps to a string, copy string
* value to output (written in reverse).
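Review bot: the new `char *op_orig = op;` at the top of the `if (code >= 256)` block records the output position before this string is written, and it only serves as the lower bound for the reverse copy later in the block, but nothing at the declaration says so. Suggest a one-line comment next to it (for example "/* lower bound for the reverse copy below */") so a reader does not have to find the matching `tp > op_orig` test to understand why the pointer is saved. Declaring it at the start of the block is fine for the C89 style the rest of the file uses.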
@@ -704,7 +705,7 @@
tp = op;
do {
*--tp = codep->value;
- } while( (codep = codep->next) != NULL);
+ } while( (codep = codep->next) != NULL && tp > op_orig);
} else
*op++ = code, occ--;
}
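Review bot: the loop is a do/while, so `*--tp = codep->value;` executes once before `tp > op_orig` is ever evaluated; the bound therefore only holds if `op` is strictly greater than `op_orig` when the loop is entered, and a zero-length string would still write one byte below `op_orig`. If that precondition is not guaranteed by the length accounting above this hunk, either test before the first write (a `while` loop, or `if (tp > op_orig)` ahead of the do/while) or assert it. Also worth noting that when the `tp > op_orig` test is what ends the loop, `codep` is still non-NULL, meaning the code chain was longer than its recorded length; that is corrupt input rather than a normal case, so a comment saying the truncation is deliberate, or an error return, would make the intent clearer than silently continuing.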