Bug 1985 - Buffer underflow in LZW decoding routines
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: 3.8.2
Hardware/OS: All All
Priority/Severity: P2 major
Reported: 2009-01-13 10:37
Modified: 2009-06-30 04:16


Attachments
Patch for tif_lzw.c (721 bytes, patch)
2009-01-13 10:37, Jeffrey Pfau

Description From 2009-01-13 10:37:22
Created an attachment (id=279)
Patch for tif_lzw.c

In August, a vulnerability was discovered in the LZW decoding routines that
would allow for a buffer underflow. While a patch was submitted, this patch
does not take into account some circumstances which would still cause a buffer
underflow. I have discovered a method of inserting an arbitrary byte repeatedly
via this buffer underflow, which works in all versions of LibTIFF I have tested
it with. The provided patch is for the CVS version, but similar patches can be
easily made given that only two lines must be changed. However, the previous
patch does appear to prevent a payload of more than one distinct byte, making
this effectively useless as a code injection vector. Nonetheless, it still is
effective at crashing applications that use LibTIFF.
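An added illustration of the class of check a chained-table LZW decoder needs when it writes a code's string backwards into its output buffer: the table's recorded string length must fit in the space left, and the walk back through the chain must stop at both ends of that space even when a corrupt stream makes the chain and the recorded length disagree. This is example code, not libtiff's tif_lzw.c or the reporter's patch; the table layout, the names and the sample entries are constructed for it.

```c
#include <stddef.h>

/* Constructed table entry: a code is its predecessor's string plus one byte. */
typedef struct code {
    struct code *next;      /* predecessor code, NULL for a literal byte */
    unsigned short length;  /* string length as recorded in the table */
    unsigned char value;    /* last byte of the string */
} code_t;

/* Write code c's string at out[*pos], backwards from its end. Returns bytes
 * written, or -1 if the length does not fit or the chain disagrees with it. */
int emit_code(const code_t *c, unsigned char *out, size_t out_len, size_t *pos)
{
    size_t len = c->length;
    if (len == 0 || len > out_len - *pos)   /* must fit in remaining output */
        return -1;
    unsigned char *tp = out + *pos + len;   /* one past the string's end */
    size_t n = 0;
    for (const code_t *p = c; p; p = p->next) {
        if (tp == out + *pos)               /* chain longer than recorded: stop */
            return -1;
        *--tp = p->value;
        n++;
    }
    if (n != len)                           /* chain shorter than recorded */
        return -1;
    *pos += len;
    return (int)len;
}

/* Constructed table A, AB, ABC plus two entries whose recorded length
 * disagrees with their chain. Returns how many of the 4 checks behaved. */
int demo_checks(void)
{
    code_t a   = { NULL, 1, 'A' };
    code_t ab  = { &a,   2, 'B' };
    code_t abc = { &ab,  3, 'C' };
    code_t too_long  = { &ab, 4, 'C' };   /* claims 4 bytes, chain has 3 */
    code_t too_short = { &ab, 2, 'C' };   /* claims 2 bytes, chain has 3 */
    unsigned char out[4] = {0};
    size_t pos = 0;
    int ok = 0;
    ok += emit_code(&abc, out, sizeof out, &pos) == 3 && pos == 3;
    ok += emit_code(&ab, out, sizeof out, &pos) == -1;   /* needs 2, 1 left */
    pos = 0;
    ok += emit_code(&too_long, out, sizeof out, &pos) == -1;
    ok += emit_code(&too_short, out, sizeof out, &pos) == -1;
    return ok;
}
```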
------- Comment #1 From 2009-06-30 04:16:32 -------
Applied patch in CVS head.  A slightly less good patch was applied in 3.9
branch (see ticket #2065) but I am not excited enough to back it out there in
favor of this better patch.