|
|
Date: Sun, 21 Jun 2009 17:14:24 -0700
From: Kees Cook <kees@...ntu.com>
To: oss-security@...ts.openwall.com
Subject: libtiff buffer underflow in LZWDecodeCompat
A crafted TIFF can crash libtiff in LZWDecodeCompat via underflow (different
from CVE-2008-2327).
Based on discussions[1] and a quick analysis[2], I don't think this is
exploitable, but it does lead to crashes in any application using libtiff.
I've reported it upstream[3], with the attached patch.
Has anyone else looked this over?
-Kees
[1] http://www.lan.st/showthread.php?t=1856&page=3
[2] https://bugs.launchpad.net/bugs/380149
[3] http://bugzilla.maptools.org/show_bug.cgi?id=2065
--
Kees Cook
Ubuntu Security Team
Description: fix underflow loop in LZWDecodeCompat
Author: Kees Cook <kees@...ntu.com>
Ubuntu: https://bugs.edge.launchpad.net/bugs/380149
--- tiff-3.8.2~/libtiff/tif_lzw.c 2009-06-21 16:10:05.000000000 -0700
+++ tiff-3.8.2/libtiff/tif_lzw.c 2009-06-21 16:09:38.000000000 -0700
@@ -670,6 +670,7 @@
}
oldcodep = codep;
if (code >= 256) {
+ char *op_orig = op;
/*
* Code maps to a string, copy string
* value to output (written in reverse).
@@ -704,7 +705,7 @@
tp = op;
do {
*--tp = codep->value;
- } while( (codep = codep->next) != NULL);
+ } while( (codep = codep->next) != NULL && tp > op_orig);
} else
*op++ = code, occ--;
}
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.