Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 01 Jan 2017 16:54:34 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Subject: libtiff: NULL pointer dereference in TIFFReadRawData (tiffinfo.c)

Description:
Libtiff is a software that provides support for the Tag Image File Format 
(TIFF), a widely used format for storing image data.

A crafted tiff file revealed a NULL pointer access.

The complete ASan output:

# tiffinfo -Dijr $FILE

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not 
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 384 (0x180) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1093 (0x445) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null 
byte in value; value incorrectly truncated during reading due to 
implementation limitations.
TIFFFetchNormalTag: Warning, Incorrect count for "JpegProc"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag value assumed incorrect, assuming 
data is YCbCr instead of RGB.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct 
SamplesPerPixel value of 3.
_TIFFVSetField: Warning, SamplesPerPixel tag value is changing, but 
SMinSampleValue tag was read with a different value. Cancelling it.
ASAN:DEADLYSIGNAL
=================================================================
==15897==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 
0x00000050d8ad bp 0x7ffc4a3eaf90 sp 0x7ffc4a3eaec0 T0)
==15897==The signal is caused by a READ memory access.
==15897==Hint: address points to the zero page.
    #0 0x50d8ac in TIFFReadRawData /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:421:29
    #1 0x50b2de in tiffinfo /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:473:4
    #2 0x50a999 in main /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:152:6
    #3 0x7f6258f0961f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #4 0x419f38 in _init (/usr/bin/tiffinfo+0x419f38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:421:29 in TIFFReadRawData
==15897==ABORTING
TIFF Directory at offset 0xc (12)
  Image Width: 128 Image Length: 1
  Bits/Sample: 32189
  Compression Scheme: Old-style JPEG
  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 2, 2
  Samples/Pixel: 3
  Rows/Strip: 2048
  Planar Configuration: single image plane
  DocumentName: 
  Tag 384: 16779264

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/c2f931bb558b9db41cb3516a6df3aa600fd85744

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00056-libtiff-nullptr-TIFFReadRawData

Timeline:
2016-11-22: bug discovered and reported to upstream
2016-12-03: upstream released a patch
2017-01-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/01/01/libtiff-null-pointer-dereference-in-tiffreadrawdata-tiffinfo-c

-- 
Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ