Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 15 Jun 2016 02:28:58 +0000
From: 张开翔 <>
To: "" <>
Subject: CVE-2016-5314:libtiff 4.0.6 PixarLogDecode() out-of-bound writes


Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: out-of-bound writes
Vendor URL:
CVE ID: CVE-2016-5314
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360


It was always corrupted when I use rgb2ycbcr command followed by a crafted TIFF image. The vulnerability of out-of-bound writes comes from PixarLogDecode() function without checking the buffer length, which cause the head of next heap could be filled with any data, crash occurs when malloc() or free() is called.Attackers could exploit this issue to result in DoS.

Here is the stack info:
gdb –args ./rgb2ycbcr gtTileContig.tif tmpout.tif
--- ---
(gdb) b tif_pixarlog.c:787
Breakpoint 1 at 0xb7f7916c: file tif_pixarlog.c, line 787.
(gdb) r
--- ---
Breakpoint 1, PixarLogDecode (tif=0x804f148, op=0x804f508 "", occ=<optimized out>, s=0) at tif_pixarlog.c:787
787                     int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
(gdb) x/32xw  sp->stream->next_out
0x804f598:       0xb7d917b0     0xb7d917b0     0x9b9a9998     0x9f9e9d9c
0x804f5a8:       0xa3a2a1a0     0xa7a6a5a4     0xabaaa9a8     0xafaeadac
0x804f5b8:       0xb3b2b1b0     0xb7b6b5b4     0xbbbab9b8     0xbfbebdbc
0x804f5c8:       0xc3c2c1c0     0xc7c6c5c4     0xcbcac9c8     0xcfcecdcc
0x804f5d8:       0xd3d2d1d0     0xd7d6d5d4     0xdbdad9d8     0x00000091
0x804f5e8:       0xb7d91838     0xb7d91838     0xebeae9e8     0xefeeedec

(gdb) finish
(gdb) x/32xw  sp->stream->next_out
0x804f598:       0x86868686     0x93920d0c      0xa09e1a18     0xadaa2724
0x804f5a8:       0xbab63430     0xc7c2413c      0xd4ce4e48     0xe1da5b54
0x804f5b8:       0xeee66860     0xfbf2756c      0x08fe8278     0x160a8f84
0x804f5c8:       0x23169c90     0x3022a99c      0x3d2eb6a8     0x4a3ac3b4
0x804f5d8:       0x5746d0c0     0x8686ddcc      0x93920d0c     0x409d1a18
0x804f5e8:       0x4da9c723     0x5ab5d42f      0x67c1e13b     0x74cdee47

(gdb) c
Program received signal SIGSEGV, Segmentation fault.
0xb7c3bd38 in _int_free (av=0xb7d91780 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4015
4015                   unlink(av, nextchunk, bck, fwd);
(gdb) bt
#0  0xb7c3bd38 in _int_free (av=0xb7d91780 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4015
#1  0xb7c3f6e0 in __GI___libc_free (mem=0x804f508) at malloc.c:2969
#2  0xb7faa8f8 in _TIFFfree (p=0x804f508) at tif_unix.c:322
#3  0xb7f29050 in gtTileContig (img=0xbfffe584, raster=0x8068b00, w=34, h=4) at tif_getimage.c:691
#4  0xb7f31517 in TIFFRGBAImageGet (img=0xbfffe584, raster=0x8068b00, w=34, h=4) at tif_getimage.c:500
#5  0xb7f3173c in TIFFReadRGBAImageOriented (tif=0x804f148, rwidth=34, rheight=4, raster=0x8068b00, orientation=4, stop=0) at tif_getimage.c:519
#6  0xb7f317ba in TIFFReadRGBAImage (tif=0x804f148, rwidth=34, rheight=4, raster=0x8068b00, stop=0) at tif_getimage.c:537
#7  0x0804a59f in tiffcvt (in=in@...ry=0x804f148, out=out@...ry=0x804e008) at rgb2ycbcr.c:315
#8  0x080494a1 in main (argc=3, argv=0xbffff3b4) at rgb2ycbcr.c:127

(gdb) x/8xw 0x804f508-8
0x804f500:       0x00000030     0x00000091     0xffffffff    0x42c4ffff
0x804f510:       0x02f70eb8      0xffffffff    0x1bb17d9c     0xffff061b
(gdb) x/8xw 0x804f500+0x90
0x804f590:       0x8b8a8988     0x00000051     0x86868686     0x93920d0c
0x804f5a0:       0xa09e1a18     0xadaa2724     0xbab63430     0xc7c2413c
(gdb) x/8xw 0x804f500+0x90+0x50
0x804f5e0:       0x93920d0c     0x409d1a18     0x4da9c723     0x5ab5d42f
0x804f5f0:       0x67c1e13b     0x74cdee47     0x81d9fb53      0x8ee5085f


Thank you!
Best Regards,

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.