Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 8 Apr 2016 04:58:48 +0000
From: 王梅 <wangmei@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2016-3624 libtiff: Out-of-bounds Write in the rgb2ycbcr tool

Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type:  Out-of-bounds Write
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-3624
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============

Out-of-bounds Write occurred in function cvtClump in rgb2ycbcr allows attackers to cause a denial of service when param v was set to -1.



libtiff-master/libtiff/rgb2ycbcr.c:193

187                             lumaGreen[TIFFGetG(RGB)] +
188                             lumaBlue[TIFFGetB(RGB)];
189                         /* accumulate chrominance */
190                         Cb += (TIFFGetB(RGB) - Y) * D1;
191                         Cr += (TIFFGetR(RGB) - Y) * D2;
192                         /* emit luminence */
193                         *op++ = V2Code(Y,
194                             refBlackWhite[0], refBlackWhite[1], 255);
195                 }



gdb rgb2ycbcr

(gdb) r -c none  -r -1  -h -1  -v -1 sample/rgb2ycbcr_cvtClump.tif 1.tif

Program received signal SIGSEGV, Segmentation fault.
0x0000000000401440 in cvtClump (op=0x1 <Address 0x1 out of bounds>, raster=0x7ffff7249f90, ch=152, cw=65312, w=65312)
    at rgb2ycbcr.c:193
193                             *op++ = V2Code(Y,
(gdb) p op
$6 = (unsigned char *) 0x1 <Address 0x1 out of bounds>
(gdb) p *op
Cannot access memory at address 0x1
(gdb) bt
#0  0x0000000000401440 in cvtClump (op=0x1 <Address 0x1 out of bounds>, raster=0x7ffff7249f90, ch=152, cw=65312, w=65312)
    at rgb2ycbcr.c:193
#1  0x0000000000401757 in cvtStrip (op=0x0, raster=0x7ffff7249f90, nrows=152, width=65312) at rgb2ycbcr.c:245
#2  0x00000000004018b7 in cvtRaster (tif=0x604010, raster=0x7ffff4cab010, width=65312, height=152) at rgb2ycbcr.c:267
#3  0x0000000000401f03 in tiffcvt (in=0x605560, out=0x604010) at rgb2ycbcr.c:352
#4  0x000000000040108a in main (argc=11, argv=0x7fffffffe3b8) at rgb2ycbcr.c:127

References:
[1] http://www.remotesensing.org/libtiff/
[2] http://bugzilla.maptools.org/buglist.cgi?product=libtiff


Thank you!
Best Regards,


Mei

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ