Date: Sun, 01 Jan 2017 16:54:34 +0100 From: Agostino Sarubbo <ago@...too.org> To: oss-security@...ts.openwall.com Subject: libtiff: NULL pointer dereference in TIFFReadRawData (tiffinfo.c) Description: Libtiff is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. A crafted tiff file revealed a NULL pointer access. The complete ASan output: # tiffinfo -Dijr $FILE TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order. TIFFReadDirectory: Warning, Unknown field with tag 384 (0x180) encountered. TIFFReadDirectory: Warning, Unknown field with tag 1093 (0x445) encountered. TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered. TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations. TIFFFetchNormalTag: Warning, Incorrect count for "JpegProc"; tag ignored. TIFFReadDirectory: Warning, Photometric tag value assumed incorrect, assuming data is YCbCr instead of RGB. TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct SamplesPerPixel value of 3. _TIFFVSetField: Warning, SamplesPerPixel tag value is changing, but SMinSampleValue tag was read with a different value. Cancelling it. ASAN:DEADLYSIGNAL ================================================================= ==15897==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000050d8ad bp 0x7ffc4a3eaf90 sp 0x7ffc4a3eaec0 T0) ==15897==The signal is caused by a READ memory access. ==15897==Hint: address points to the zero page. #0 0x50d8ac in TIFFReadRawData /tmp/portage/media- libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:421:29 #1 0x50b2de in tiffinfo /tmp/portage/media- libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:473:4 #2 0x50a999 in main /tmp/portage/media- libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:152:6 #3 0x7f6258f0961f in __libc_start_main /var/tmp/portage/sys- libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #4 0x419f38 in _init (/usr/bin/tiffinfo+0x419f38) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /tmp/portage/media- libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:421:29 in TIFFReadRawData ==15897==ABORTING TIFF Directory at offset 0xc (12) Image Width: 128 Image Length: 1 Bits/Sample: 32189 Compression Scheme: Old-style JPEG Photometric Interpretation: YCbCr YCbCr Subsampling: 2, 2 Samples/Pixel: 3 Rows/Strip: 2048 Planar Configuration: single image plane DocumentName: Tag 384: 16779264 Affected version: 4.0.7 Fixed version: N/A Commit fix: https://github.com/vadz/libtiff/commit/c2f931bb558b9db41cb3516a6df3aa600fd85744 Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00056-libtiff-nullptr-TIFFReadRawData Timeline: 2016-11-22: bug discovered and reported to upstream 2016-12-03: upstream released a patch 2017-01-01: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/01/01/libtiff-null-pointer-dereference-in-tiffreadrawdata-tiffinfo-c -- Agostino Sarubbo Gentoo Linux Developer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.