Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 25 Dec 2015 13:30:48 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request libtiff: out-of-bounds read in CIE Lab image format

Hi,

Unfortunately, the text/plain version of zzf's message was badly
misformatted.  I've included below the result of processing of the
text/html portion, which is actually readable.

Alexander

zuozhi.fzz@...baba-inc.com wrote:
> If the data of image is packed(e.g., TIFFDirectory.td_samplesperpixel == 1,
> TIFFDirectory.td_bitspersample == 8), a pixel only owns one byte. But in the
> implementation of putcontig8bitCIELab, it eats 3 bytes per pixel. This will
> lead to an out-of-bounds read vulnerability.
> 
> vuln code in tif_getimage.c, libtiff v4.0.6
> 
> 1699 DECLAREContigPutFunc(putcontig8bitCIELab)
> 1700 {
> 1701         float X, Y, Z;
> 1702         uint32 r, g, b;
> 1703         (void) y;
> 1704         fromskew *= 3;
> 1705         while (h-- > 0) {
> 1706                 for (x = w; x-- > 0;) {
> 1707                         TIFFCIELabToXYZ(img->cielab,
> 1708                                         (unsigned char)pp[0],
> 1709                                         (signed char)pp[1],
> 1710                                         (signed char)pp[2],
> 1711                                         &X, &Y, &Z);
> 1712                         TIFFXYZToRGB(img->cielab, X, Y, Z, &r, &g, &b);
> 1713                         *cp++ = PACK(r, g, b);
> 1714                         pp += 3;
> 1715                 }
> 1716                 cp += toskew;
> 1717                 pp += fromskew;
> 1718         }
> 1719 }
> 
> I use the tutorial code from http://www.remotesensing.org/libtiff/libtiff.html
> to test that, and poc is in the attachment.
> 
>     #include "tiffio.h"
>     main(int argc, char* argv[])
>     {
>         TIFF* tif = TIFFOpen(argv[1], "r");
>         if (tif) {
>             TIFFRGBAImage img;
>             char emsg[1024];
> 
>             if (TIFFRGBAImageBegin(&img, tif, 0, emsg)) {
>                 size_t npixels;
>                 uint32* raster;
> 
>                 npixels = img.width * img.height;
>                 raster = (uint32*) _TIFFmalloc(npixels * sizeof (uint32));
>                 if (raster != NULL) {
>                     if (TIFFRGBAImageGet(&img, raster, img.width, img.height)) {
>                         ...process raster data...
>                     }
>                     _TIFFfree(raster);
>                 }
>                 TIFFRGBAImageEnd(&img);
>             } else
>                 TIFFError(argv[1], emsg);
>             TIFFClose(tif);
>         }
>         exit(0);
>     }
> 
> If it would be assigned a CVE, please credit it for: zzf of Alibaba.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ