[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 7 Apr 2016 07:39:43 +0000
From: 王梅 <wangmei@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2016-3621 libtiff: Out-of-bounds Read in the bmp2tiff tool
Details
=======
Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Out-of-bounds Read
Vendor URL: http://www.libtiff.org/
CVE ID: CVE-2016-3621
Credit: Mei Wang of the Cloud Security Team, Qihoo 360
Introduction
============
LZWEncode function in tif_lzw.c in bmp2tiff allows attackers to cause a denial of service (Out-of-bounds Read) via a crafted bmp image with param -c lzw.
libtiff-master/libtiff/tif_lzw.c:915
910 */
911 PutNextCode(op, CODE_CLEAR);
912 ent = *bp++; cc--; incount++;
913 }
914 while (cc > 0) {
915 c = *bp++; cc--; incount++;
916 fcode = ((long)c << BITS_MAX) + ent;
917 h = (c << HSHIFT) ^ ent; /* xor hashing */
./bmp2tiff -c lzw ./sample/bmp2tiff_lzw.bmp 1.tif
=================================================================
==10455== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fbcd06d1c00 at pc 0x4827aa bp 0x7ffef81741d0 sp 0x7ffef81741c0
READ of size 1 at 0x7fbcd06d1c00 thread T0
#0 0x4827a9 in LZWEncode /home/dazhuang/asan/libtiff-master/libtiff/tif_lzw.c:915
#1 0x45665e in TIFFWriteScanline /home/dazhuang/asan/libtiff-master/libtiff/tif_write.c:173
#2 0x40450f in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:775
#3 0x7fbcccc92af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
#4 0x4019a8 in _start (/home/dazhuang/asan/libtiff-master/tools/bmp2tiff+0x4019a8)
0x7fbcd06d1c00 is located 0 bytes to the right of 1573888-byte region [0x7fbcd0551800,0x7fbcd06d1c00)
allocated by thread T0 here:
#0 0x7fbccd563129 (/lib64/libasan.so.0+0x16129)
#1 0x45b761 in _TIFFmalloc /home/dazhuang/asan/libtiff-master/libtiff/tif_unix.c:316
#2 0x4037c3 in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:678
#3 0x7fbcccc92af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dazhuang/asan/libtiff-master/libtiff/tif_lzw.c:915 LZWEncode
Shadow bytes around the buggy address:
0x0ff81a0d2330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff81a0d2340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff81a0d2350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff81a0d2360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff81a0d2370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff81a0d2380:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff81a0d2390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff81a0d23a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff81a0d23b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff81a0d23c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff81a0d23d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==10455== ABORTING
References:
[1] http://www.remotesensing.org/libtiff/
[2] http://bugzilla.maptools.org/buglist.cgi?product=libtiff
Thank you!
Best Regards,
Mei
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
