Bug 2494 - Out-of-bounds memory read in bmp2tiff
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P2 critical
Target Milestone: ---
Assigned To:
Reported: 2014-12-09 08:01
Modified: 2014-12-21 12:16


Attachments
bmp crash file (1.20 KB, image/bmp)
2014-12-09 08:02, Paris Zoumpouloglou
Details
gdb output (623 bytes, application/octet-stream)
2014-12-09 08:03, Paris Zoumpouloglou
Details
valgrind output (1.87 KB, application/octet-stream)
2014-12-09 08:04, Paris Zoumpouloglou
Details



Description From 2014-12-09 08:01:07
Hello again,

Another issue found in bmp2tiff. It is an out-of-bounds memory read which occurs
in tif_packbits.c

84            b = *bp++, cc--, n = 1;

This is caused by the value of length variable which is set in bmp2tiff:405.
The function TIFFWriteScanline continues to read values after the end of the
BMP file until it reaches out of bounds memory.

I attach both gdb and valgrind output.

The issue was found using 4.0.3 source code.
------- Comment #1 From 2014-12-09 08:02:36 -------
Created an attachment (id=578) [details]
bmp crash file
------- Comment #2 From 2014-12-09 08:03:19 -------
Created an attachment (id=579) [details]
gdb output
------- Comment #3 From 2014-12-09 08:04:11 -------
Created an attachment (id=580) [details]
valgrind output
------- Comment #4 From 2014-12-21 12:16:23 -------
Fixed by

2014-12-21  Even Rouault  <even.rouault@spatialys.com>

    Fix various crasher bugs on fuzzed images.
    * libtiff/tif_dir.c: TIFFSetField(): refuse to set negative values for
    TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION that cause asserts when writing
    the directory
    * libtiff/tif_dirread.c: TIFFReadDirectory(): refuse to read ColorMap or
    TransferFunction if BitsPerSample has not yet been read, otherwise reading
    it later will cause user code to crash if BitsPerSample > 1
    * libtiff/tif_getimage.c: TIFFRGBAImageOK(): return FALSE if LOGLUV with
    SamplesPerPixel != 3, or if CIELAB with SamplesPerPixel != 3 or
    BitsPerSample != 8
    * libtiff/tif_next.c: in the "run mode", use tilewidth for tiled images
    instead of imagewidth to avoid crash
    * tools/bmp2tiff.c: fix crash due to int overflow related to input BMP
    dimensions
    * tools/tiff2pdf.c: fix crash due to invalid tile count (should likely be
    checked by libtiff too). Detect invalid settings of BitsPerSample/SamplesPerPixel
    for CIELAB / ITULAB
    * tools/tiffcrop.c: fix crash due to invalid TileWidth/TileHeight
    * tools/tiffdump.c: fix crash due to overflow of entry count.
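The description above reports that the `length` derived from the BMP header sends the PackBits encoder past the end of the input, and the fix note in comment #4 attributes the crash to an int overflow on the input BMP dimensions. The following is an added example, not code from libtiff, from bmp2tiff or from the fix itself: it shows the overflow class with a naive 32-bit length computation that wraps for fuzzed dimensions, and a checked version that validates the header fields, does the arithmetic in 64 bits, and bounds the pixel-array length by the bytes actually present in the file. The header offsets are the standard BITMAPFILEHEADER + BITMAPINFOHEADER layout (54 bytes); the naive expression, the `check_case` helper and the sample headers it builds are constructed for illustration and are not the exact code at bmp2tiff:405.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libtiff's bmp2tiff code. Shows a BMP pixel-array length
 * that wraps when computed in 32-bit arithmetic, and a checked computation
 * that validates the header fields and bounds the length by the file size. */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Naive length (constructed illustration): stride and total computed in
 * uint32_t, which wraps silently for large dimensions. The signed-int
 * equivalent is undefined behaviour rather than merely a wrong value. */
uint32_t bmp_length_naive(uint32_t width, uint32_t height, uint16_t bpp)
{
    uint32_t stride = ((width * bpp + 31u) / 32u) * 4u;  /* rows are padded to 4 bytes */
    return stride * height;                                /* wraps for large images */
}

/* Checked length: returns 0 with *out set, or -1 if the dimensions or depth
 * are invalid or the pixel data would extend past the end of the file. */
int bmp_length_checked(int32_t width, int32_t height, uint16_t bpp,
                       uint32_t data_offset, size_t file_size, size_t *out)
{
    if (width <= 0 || height == 0)
        return -1;
    /* a negative height means top-down rows; only the magnitude matters */
    uint64_t rows = (height < 0) ? (uint64_t)(-(int64_t)height) : (uint64_t)height;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return -1;
    /* 64-bit arithmetic: width (< 2^31) * bpp (<= 32) * rows (<= 2^31) cannot
     * wrap, so the result can be compared honestly against the file size */
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4;
    uint64_t total  = stride * rows;
    if (data_offset > file_size || total > (uint64_t)(file_size - data_offset))
        return -1;
    *out = (size_t)total;
    return 0;
}

/* Parse the header fields of an in-memory BMP file and validate them. */
int bmp_validate(const uint8_t *file, size_t file_size, size_t *out)
{
    if (file_size < 54 || file[0] != 'B' || file[1] != 'M')
        return -1;
    uint32_t data_offset = rd_le32(file + 10);          /* bfOffBits */
    int32_t  width       = (int32_t)rd_le32(file + 18); /* biWidth */
    int32_t  height      = (int32_t)rd_le32(file + 22); /* biHeight */
    uint16_t bpp         = rd_le16(file + 28);          /* biBitCount */
    return bmp_length_checked(width, height, bpp, data_offset, file_size, out);
}

/* Write a minimal 54-byte header (pixel data at offset 54) into hdr. */
void make_bmp_header(uint8_t hdr[54], int32_t width, int32_t height,
                     uint16_t bpp, uint32_t file_size)
{
    memset(hdr, 0, 54);
    hdr[0] = 'B'; hdr[1] = 'M';
    wr_le32(hdr + 2, file_size);          /* bfSize */
    wr_le32(hdr + 10, 54);                /* bfOffBits */
    wr_le32(hdr + 14, 40);                /* biSize (BITMAPINFOHEADER) */
    wr_le32(hdr + 18, (uint32_t)width);   /* biWidth */
    wr_le32(hdr + 22, (uint32_t)height);  /* biHeight */
    wr_le16(hdr + 26, 1);                 /* biPlanes */
    wr_le16(hdr + 28, bpp);               /* biBitCount */
}

/* Constructed test case: build a file of file_size bytes (54..256) with the
 * given header fields and validate it. Returns the accepted pixel-array
 * length, or -1 if the input is rejected. */
long long check_case(int32_t width, int32_t height, uint16_t bpp, size_t file_size)
{
    uint8_t file[256] = {0};
    size_t n = 0;
    if (file_size < 54 || file_size > sizeof file)
        return -1;
    make_bmp_header(file, width, height, bpp, (uint32_t)file_size);
    return bmp_validate(file, file_size, &n) == 0 ? (long long)n : -1;
}

int main(void)
{
    printf("1x1 24bpp in a 58-byte file: %lld\n", check_case(1, 1, 24, 58));
    printf("65536x65536 8bpp, naive 32-bit length: %u\n", bmp_length_naive(65536, 65536, 8));
    printf("65536x65536 8bpp in a 58-byte file, checked: %lld\n", check_case(65536, 65536, 8, 58));
    return 0;
}
```

The naive computation turns a 65536x65536 8-bit image into a length of 0, and a 0x40000000-wide 8-bit image likewise into 0, so any buffer sized from that value is far smaller than the loop that later walks width*height pixels; the checked version rejects the same headers because the true length exceeds what the file holds.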