Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 25 Dec 2015 18:02:39 +0800
From: "范祚至(库特)" <zuozhi.fzz@...baba-inc.com>
To: "oss-security" <oss-security@...ts.openwall.com>
Subject: CVE request libtiff: out-of-bounds read in CIE Lab image format

If the data of image is packed(e.g., TIFFDirectory.td_samplesperpixel == 1,TIFFDirectory.td_bitspersample == 8), a pixel only owns one byte. But in theimplementation of putcontig8bitCIELab, it eats 3 bytes per pixel. This willlead to an out-of-bounds read vulnerability.vuln code in tif_getimage.c, libtiff v4.0.61699 DECLAREContigPutFunc(putcontig8bitCIELab)1700 {1701         float X, Y, Z;1702         uint32 r, g, b;1703         (void) y;1704         fromskew *= 3;1705         while (h-- > 0) {1706                 for (x = w; x-- > 0;) {1707                         TIFFCIELabToXYZ(img->cielab,1708                                         (unsigned char)pp[0],1709                                         (signed char)pp[1],1710                                         (signed char)pp[2],1711                                         &X, &Y, &Z);1712                         TIFFXYZToRGB(img->cielab, X, Y, Z, &r, &g, &b);1713                         *cp++ = PACK(r, g, b);1714                         pp += 3;1715                 }1716                 cp += toskew;1717                 pp += fromskew;1718         }1719 }I use the tutorial code from http://www.remotesensing.org/libtiff/libtiff.htmlto test that, and poc is in the attachment.    #include "tiffio.h"    main(int argc, char* argv[])    {        TIFF* tif = TIFFOpen(argv[1], "r");        if (tif) {            TIFFRGBAImage img;            char emsg[1024];                        if (TIFFRGBAImageBegin(&img, tif, 0, emsg)) {                size_t npixels;                uint32* raster;                                npixels = img.width * img.height;                raster = (uint32*) _TIFFmalloc(npixels * sizeof (uint32));                if (raster != NULL) {                    if (TIFFRGBAImageGet(&img, raster, img.width, img.height)) {                        ...process raster data...                    }                    _TIFFfree(raster);                }                TIFFRGBAImageEnd(&img);            } else                TIFFError(argv[1], emsg);            TIFFClose(tif);        }        exit(0);    }If it would be assigned a CVE, please credit it for: zzf of Alibaba.
Content of type "text/html" skipped

Download attachment "poc029.zip" of type "application/octet-stream" (455 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ