Date: Thu, 23 Feb 2017 21:18:17 -0600 (CST)
From: Bob Friesenhahn <bfriesen@...ple.dallas.tx.us>
To: oss-security@...ts.openwall.com
Subject: GraphicsMagick heap out of bounds write issue

GraphicsMagick versions up to 1.3.25 encounter a write beyond an 
allocated heap buffer when reading CMYKA TIFF files which claim to 
offer fewer samples per pixel than required.

This is the tiffinfo description of the problematic TIFF file:

TIFF Directory at offset 0x808 (2056)
   Image Width: 34 Image Length: 48
   Bits/Sample: 8
   Sample Format: unsigned integer
   Compression Scheme: None
   Photometric Interpretation: separated
   Extra Samples: 1<unassoc-alpha>
   Orientation: row 0 top, col 0 lhs
   Samples/Pixel: 2
   Rows/Strip: 32
   Planar Configuration: single image plane

The fix for this is Mercurial changeset 14998:6156b4c2992d which may 
be viewed at SourceForge via this link:

https://sourceforge.net/p/graphicsmagick/code/ci/6156b4c2992d855ece6079653b3b93c3229fc4b8/

A minimal patch to correct the problem is attached.

This issue was reported to us on February 15, 2017 by Valon Chu.

Bob
-- 
Bob Friesenhahn
bfriesen@...ple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
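
The inconsistency described in the message (a "separated" TIFF whose Samples/Pixel is lower than its CMYK and extra channels need) can be checked on a file before it reaches a decoder. This is an added example, not part of the original post or of GraphicsMagick; the function names are hypothetical, it reads only the first IFD, and it assumes the default four-ink CMYK ink set.

```python
import struct

PHOTOMETRIC, SAMPLES_PER_PIXEL, EXTRA_SAMPLES = 262, 277, 338  # TIFF tag ids
SEPARATED = 5   # PhotometricInterpretation value tiffinfo prints as "separated"
SHORT = 3       # TIFF field type: 16-bit unsigned

def read_first_ifd(data):
    """Return (endian, {tag: (type, count, 4-byte value field)}) for the first IFD."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF")
    e = "<" if data[:2] == b"II" else ">"
    magic, off = struct.unpack_from(e + "HI", data, 2)
    if magic != 42 or off + 2 > len(data):
        raise ValueError("bad TIFF header")
    (n,) = struct.unpack_from(e + "H", data, off)
    if off + 2 + 12 * n > len(data):
        raise ValueError("truncated IFD")
    tags = {}
    for i in range(n):
        pos = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack_from(e + "HHI", data, pos)
        tags[tag] = (typ, cnt, data[pos + 8:pos + 12])
    return e, tags

def short_value(e, entry, default):
    """First inline SHORT of an IFD entry, or default if absent or not a SHORT."""
    if entry is None or entry[0] != SHORT or entry[1] < 1:
        return default
    return struct.unpack(e + "H", entry[2][:2])[0]

def check_separated(data):
    """Return a finding if a separated image declares too few samples, else None."""
    e, tags = read_first_ifd(data)
    if short_value(e, tags.get(PHOTOMETRIC), None) != SEPARATED:
        return None
    spp = short_value(e, tags.get(SAMPLES_PER_PIXEL), 1)   # TIFF default is 1
    extra = tags.get(EXTRA_SAMPLES, (SHORT, 0, b""))[1]    # count of extra samples
    needed = 4 + extra   # assumption: default CMYK ink set (4 inks)
    if spp < needed:
        return f"separated image declares {spp} samples/pixel, needs {needed}"
    return None

def build_ifd(spp, extra_count):
    """Constructed sample: header and tag directory only, no image data."""
    entries = [(PHOTOMETRIC, 1, SEPARATED), (SAMPLES_PER_PIXEL, 1, spp)]
    if extra_count:
        entries.append((EXTRA_SAMPLES, extra_count, 2))
    body = b"".join(struct.pack("<HHIHH", t, SHORT, c, v, 0) for t, c, v in entries)
    return b"II" + struct.pack("<HIH", 42, 8, len(entries)) + body + b"\0" * 4
```

`check_separated(build_ifd(2, 1))` mirrors the tag values in the tiffinfo listing above and returns a finding; a directory declaring 5 samples with one extra sample returns `None`.
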
diff -r 0392c4305a43 -r 6156b4c2992d coders/tiff.c
--- a/coders/tiff.c	Sun Jan 29 10:04:57 2017 -0600
+++ b/coders/tiff.c	Thu Feb 23 21:06:50 2017 -0600
@@ -1230,8 +1230,8 @@
                   case 0:
                     if (samples_per_pixel == 1)
                       *quantum_type=GrayQuantum;
-                      else
-                        *quantum_type=RedQuantum;
+                    else
+                      *quantum_type=RedQuantum;
                     break;
                   case 1:
                     *quantum_type=GreenQuantum;
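
Review bot: The `else` / `*quantum_type=RedQuantum;` lines under `case 0:` change only in indentation, which is unrelated to the bounds fix. For a patch described as minimal, and one that others may want to backport, drop this hunk or commit the re-indent separately so the only change to read is the security one.
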
@@ -1411,12 +1411,12 @@
               }
             else
               {
-                if (image->matte)
+                if (image->matte && samples_per_pixel >= 5)
                   {
                     *quantum_type=CMYKAQuantum;
                     *quantum_samples=5;
                   }
-                else
+                else if (samples_per_pixel >= 4)
                   {
                     *quantum_type=CMYKQuantum;
                     *quantum_samples=4;
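
Review bot: The new `else if (samples_per_pixel >= 4)` leaves no visible branch for a separated image with fewer than 4 samples per pixel (the reported file has Samples/Pixel: 2), so in that case this chain assigns neither `*quantum_type` nor `*quantum_samples`. The visible lines do not show what the caller receives then; confirm that both outputs are initialised before this point to values the caller rejects, or add a final `else` that fails explicitly. Separately, `image->matte` with exactly 4 samples now takes the `CMYKQuantum` path, so the alpha flag is silently ignored; a comment stating that this is intended would help.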
