Date: Fri, 8 Apr 2016 07:14:55 +0000
From: 张开翔 <>
To: "" <>
Subject: CVE-2016-3634 - libtiff illegal read

Product: libtiff

Affected Versions: <= 4.0.6

Vulnerability Type: Illegal read

Vendor URL:

CVE ID: CVE-2016-3634

Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360


An illegal read occurs in the tagCompare function in tif_dirinfo.c when using the thumbnail command, which allows attackers to exploit this issue to cause a denial of service.

/libtiff/tif_dirinfo.c: 341

tagCompare(const void* a, const void* b)
338          const TIFFField* ta = *(const TIFFField**) a;
339          const TIFFField* tb = *(const TIFFField**) b;
340          /* NB: be careful of return values for 16-bit platforms */
341          if (ta->field_tag != tb->field_tag)
342                         return (int)ta->field_tag - (int)tb->field_tag;
343          else
344                         return (ta->field_type == TIFF_ANY) ?
345                                         0 : ((int)tb->field_type - (int)ta->field_type);


gdb  --args  thumbnail  tagCompare.tif  tmpout.tif
Program received signal SIGSEGV, Segmentation fault.
tagCompare (b=0x8164a84, a=<synthetic pointer>) at tif_dirinfo.c:341
341        if (ta->field_tag != tb->field_tag)
(gdb) bt
#0  tagCompare (b=0x8164a84, a=<synthetic pointer>) at tif_dirinfo.c:341
#1  bsearch (__compar=0x8067330 <tagCompare>, __size=4, __nmemb=153, __base=0x8164a60, __key=<synthetic pointer>) at /usr/include/i386-linux-gnu/bits/stdlib-bsearch.h:33
#2  TIFFFindField (tif=0x8164530, tag=262, dt=TIFF_NOTYPE) at tif_dirinfo.c:518
#3  0x08060e06 in TIFFVGetField (ap=0xbffff238 "\032\065\026\b\377\377\377\377_\314\376\267\350\372\", tag=262, tif=0x8164530) at tif_dir.c:1172
#4  TIFFGetField (tif=0x8164530, tag=262) at tif_dir.c:1158
#5  0x0804ae2f in generateThumbnail (out=<optimized out>, in=<optimized out>) at thumbnail.c:631
#6  main (argc=3, argv=0xbffff374) at thumbnail.c:122
(gdb) p tb
$5 = (const TIFFField *) 0xffffffff


Thank you!

Best Regards,
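The backtrace above shows bsearch() handing tagCompare() a table slot whose value is the wild pointer 0xffffffff, which the comparator dereferences without any check. The following C program is an added illustration of that failure mode and a defensive lookup pattern; it is not code from the report or from libtiff. It models TIFFField with only the two members tagCompare() reads, keeps tagCompare()'s ordering but uses a three-way comparison instead of subtraction (the overflow the original's "16-bit platforms" comment warns about), and uses a NULL slot as a stand-in for the corrupted entry, since a wild non-NULL pointer cannot be detected from its value alone. The find_field() and table_is_sane() helpers, the tag values 256 and 257, and the sample table are all constructed for this example; the page does not establish how the bad slot got into the real table, and this code does not claim to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for libtiff's TIFFField (constructed for this example;
 * only the two members tagCompare() reads are modelled). */
typedef enum { TIFF_ANY = 0, TIFF_SHORT = 3, TIFF_LONG = 4 } TIFFDataType;
typedef struct {
    uint32_t     field_tag;
    TIFFDataType field_type;
} TIFFField;

/* Three-way compare: returns -1, 0 or 1 and cannot overflow, unlike
 * "(int)a - (int)b" on values that differ by more than INT_MAX. */
static int cmp3(long long x, long long y) { return (x > y) - (x < y); }

/* Same ordering as libtiff's tagCompare(): by tag first, then by type,
 * with TIFF_ANY in the key matching any type of that tag. */
static int tagCompare(const void *a, const void *b) {
    const TIFFField *ta = *(const TIFFField **)a;
    const TIFFField *tb = *(const TIFFField **)b;
    if (ta->field_tag != tb->field_tag)
        return cmp3(ta->field_tag, tb->field_tag);
    return (ta->field_type == TIFF_ANY) ? 0 : cmp3(tb->field_type, ta->field_type);
}

/* Returns 1 if the table can be safely handed to bsearch(): no NULL slots
 * and strictly increasing under tagCompare(). Returns 0 otherwise.
 * A wild non-NULL pointer (like 0xffffffff in the report) is NOT caught
 * here; the only real defence against that is never building such a table. */
static int table_is_sane(const TIFFField *const *fields, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (fields[i] == NULL)
            return 0;
    for (size_t i = 1; i < n; i++)
        if (tagCompare(&fields[i - 1], &fields[i]) >= 0)
            return 0;
    return 1;
}

/* Lookup modelled on the shape of TIFFFindField() (hypothetical helper):
 * validate the table first so a corrupted slot yields NULL instead of a
 * crash inside the comparator. */
static const TIFFField *find_field(const TIFFField *const *fields, size_t n,
                                   uint32_t tag, TIFFDataType dt) {
    TIFFField key = { tag, dt };
    const TIFFField *pkey = &key;
    const TIFFField **hit;

    if (!table_is_sane(fields, n)) {
        fprintf(stderr, "field table is corrupted; refusing lookup of tag %u\n",
                (unsigned)tag);
        return NULL;
    }
    hit = bsearch(&pkey, fields, n, sizeof(TIFFField *), tagCompare);
    return hit ? *hit : NULL;
}

/* Constructed sample table, sorted by tag as bsearch() requires.
 * 256 = ImageWidth, 257 = ImageLength, 262 = PhotometricInterpretation
 * (262 is the tag being looked up in the report's backtrace). */
static const TIFFField f_width  = { 256, TIFF_LONG };
static const TIFFField f_length = { 257, TIFF_LONG };
static const TIFFField f_photo  = { 262, TIFF_SHORT };

static const TIFFField *good_table[] = { &f_width, &f_length, &f_photo };
/* Same table with one slot corrupted (NULL standing in for the wild
 * pointer seen in the report). */
static const TIFFField *bad_table[]  = { &f_width, NULL, &f_photo };

/* Return the tag found, or 0 when the lookup is refused or misses. */
uint32_t lookup_tag_good(void) {
    const TIFFField *f = find_field(good_table, 3, 262, TIFF_ANY);
    return f ? f->field_tag : 0;
}
uint32_t lookup_tag_bad(void) {
    const TIFFField *f = find_field(bad_table, 3, 262, TIFF_ANY);
    return f ? f->field_tag : 0;
}

int main(void) {
    printf("good table: found tag %u\n", (unsigned)lookup_tag_good());
    printf("bad table:  found tag %u (0 = refused)\n", (unsigned)lookup_tag_bad());
    return 0;
}
```

Compile with `cc -Wall -o fieldcheck fieldcheck.c` and run; the first lookup returns 262 and the second is refused before bsearch() ever calls the comparator. The check costs O(n) per lookup, so in a real library it belongs at the point where the field table is (re)built, not on every TIFFGetField() call.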
