Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 7 Apr 2016 07:39:43 +0000
From: 王梅 <wangmei@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2016-3621 libtiff: Out-of-bounds Read in the bmp2tiff tool

Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Out-of-bounds Read
Vendor URL: http://www.libtiff.org/
CVE ID: CVE-2016-3621
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============

LZWEncode function in tif_lzw.c in bmp2tiff allows attackers to cause a denial of service (Out-of-bounds Read) via a crafted bmp image with param -c lzw.


libtiff-master/libtiff/tif_lzw.c:915

910  */
911 PutNextCode(op, CODE_CLEAR);
912 ent = *bp++; cc--; incount++;
913 }
914 while (cc > 0) {
915 c = *bp++; cc--; incount++;
916 fcode = ((long)c << BITS_MAX) + ent;
917 h = (c << HSHIFT) ^ ent; /* xor hashing */


./bmp2tiff  -c lzw  ./sample/bmp2tiff_lzw.bmp 1.tif

=================================================================
==10455== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fbcd06d1c00 at pc 0x4827aa bp 0x7ffef81741d0 sp 0x7ffef81741c0
READ of size 1 at 0x7fbcd06d1c00 thread T0
    #0 0x4827a9 in LZWEncode /home/dazhuang/asan/libtiff-master/libtiff/tif_lzw.c:915
    #1 0x45665e in TIFFWriteScanline /home/dazhuang/asan/libtiff-master/libtiff/tif_write.c:173
    #2 0x40450f in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:775
    #3 0x7fbcccc92af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
    #4 0x4019a8 in _start (/home/dazhuang/asan/libtiff-master/tools/bmp2tiff+0x4019a8)
0x7fbcd06d1c00 is located 0 bytes to the right of 1573888-byte region [0x7fbcd0551800,0x7fbcd06d1c00)
allocated by thread T0 here:
    #0 0x7fbccd563129 (/lib64/libasan.so.0+0x16129)
    #1 0x45b761 in _TIFFmalloc /home/dazhuang/asan/libtiff-master/libtiff/tif_unix.c:316
    #2 0x4037c3 in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:678
    #3 0x7fbcccc92af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dazhuang/asan/libtiff-master/libtiff/tif_lzw.c:915 LZWEncode
Shadow bytes around the buggy address:
  0x0ff81a0d2330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff81a0d2340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff81a0d2350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff81a0d2360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff81a0d2370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff81a0d2380:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d2390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d23a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d23b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d23c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d23d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==10455== ABORTING

References:
[1] http://www.remotesensing.org/libtiff/
[2] http://bugzilla.maptools.org/buglist.cgi?product=libtiff


Thank you!
Best Regards,


Mei

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.