Bug 2552 - CVE-2016-5102: gif2tiff tool buffer overflow in readgifimage()
Status: RESOLVED WONTFIX
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P2 enhancement
Target Milestone: ---
Assigned To:
URL: http://bugs.fi/media/afl/libtiff/gif2...
Reported: 2016-05-30 05:10 by
Modified: 2016-09-05 09:43


Attachments
CVE-2016-5102.gif (519 bytes, image/gif)
2016-09-05 09:43, Henri Salo




Description From 2016-05-30 05:10:34
While analyzing libtiff security issues I noticed that there is an additional
buffer overflow in the gif2tiff tool (a different issue than CVE-2016-3186), tested
with version 4.0.6.

http://bugs.fi/media/afl/libtiff/gif2tiff-bufferoverflow.gif
file: GIF image data, version 87a, 12336 x 12336
SHA1: 6a90ff2a087b5a351ee0652097064942764d51d4

(gdb) run
Starting program: ./bin/gif2tiff gif2tiff-bufferoverflow.gif /tmp/test.tiff
warning: wrong rastersize: 2 bytes
         instead of 592128 bytes
warning: wrong rastersize: 4 bytes
         instead of 592128 bytes
warning: wrong rastersize: 2 bytes
         instead of 592128 bytes
warning: wrong rastersize: 4 bytes
         instead of 592128 bytes
warning: wrong rastersize: 2 bytes
         instead of 592128 bytes
warning: wrong rastersize: 4 bytes
         instead of 592128 bytes
raster full before eoi code
warning: wrong rastersize: 6332624 bytes
         instead of 592128 bytes

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x181) at malloc.c:2929
2929    malloc.c: No such file or directory.
(gdb) bt
#0  __GI___libc_free (mem=0x181) at malloc.c:2929
#1  0x0000000000401fb1 in readgifimage (mode=mode@entry=0x402299 "a") at
gif2tiff.c:331
#2  0x00000000004021a8 in convert () at gif2tiff.c:214
#3  0x00000000004010d8 in main (argc=<optimized out>, argv=0x7fffffffe138) at
gif2tiff.c:174

Breakpoint 1, readgifimage (mode=mode@entry=0x402362 "w") at gif2tiff.c:331
331         _TIFFfree(raster);
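As an added illustration (not code from libtiff, from gif2tiff, or from the reporter), the following Python check is the kind of structural pre-validation a consumer can run on a GIF before handing it to a decoder. The report above does not identify the root cause inside readgifimage(); the check only enforces what a raster-writing decoder has to rely on, namely that every image descriptor fits inside the raster sized from the logical screen and that the raster it would allocate stays within a budget. The function names, the budget constant and the two sample files are constructed for this example.

```python
"""Structural pre-check for GIF input before it reaches a decoder.

Added example, not libtiff's gif2tiff code. Everything here (names, the
budget, the sample files) is constructed for illustration.
"""
import struct

# Illustrative allocation budget for a 1-byte-per-pixel raster; an assumption,
# not a limit taken from libtiff or gif2tiff.
MAX_RASTER_BYTES = 64 * 1024 * 1024


class GifStructureError(ValueError):
    """Raised when the file's block structure cannot be trusted."""


def _color_table_len(packed):
    # Bit 7: colour table present; bits 0-2: size exponent (2^(n+1) RGB entries).
    if packed & 0x80:
        return 3 * (1 << ((packed & 0x07) + 1))
    return 0


def _skip_sub_blocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks ending in a 0 byte."""
    while True:
        if pos >= len(data):
            raise GifStructureError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        if pos + n > len(data):
            raise GifStructureError("sub-block runs past end of file")
        pos += n


def check_gif(data, max_raster_bytes=MAX_RASTER_BYTES):
    """Return (screen_width, screen_height, image_count) or raise GifStructureError."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise GifStructureError("not a GIF87a/GIF89a header")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    if width == 0 or height == 0:
        raise GifStructureError("zero-sized logical screen")
    raster = width * height  # one byte per pixel for an indexed raster
    if raster > max_raster_bytes:
        raise GifStructureError(f"raster of {raster} bytes exceeds budget")
    pos = 13 + _color_table_len(packed)  # header(6) + LSD(7) + global colour table
    images = 0
    while True:
        if pos >= len(data):
            raise GifStructureError("missing trailer")
        block = data[pos]
        pos += 1
        if block == 0x3B:  # trailer
            break
        if block == 0x21:  # extension: one label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
            continue
        if block != 0x2C:
            raise GifStructureError(f"unknown block id 0x{block:02x}")
        if pos + 9 > len(data):
            raise GifStructureError("truncated image descriptor")
        left, top, iw, ih, ipacked = struct.unpack_from("<HHHHB", data, pos)
        pos += 9
        # The sub-image must lie inside the raster allocated for the logical screen;
        # a decoder that trusts the descriptor would otherwise write past that raster.
        if iw == 0 or ih == 0 or left + iw > width or top + ih > height:
            raise GifStructureError(
                f"image {iw}x{ih} at ({left},{top}) exceeds screen {width}x{height}")
        pos += _color_table_len(ipacked)  # local colour table, if any
        pos += 1                          # LZW minimum code size byte
        pos = _skip_sub_blocks(data, pos)  # compressed pixel data (not decoded here)
        images += 1
    if images == 0:
        raise GifStructureError("no image descriptor")
    return width, height, images


def is_well_formed(data, max_raster_bytes=MAX_RASTER_BYTES):
    """Boolean wrapper around check_gif for use as a gate in a pipeline."""
    try:
        check_gif(data, max_raster_bytes)
        return True
    except GifStructureError:
        return False


def _make_gif(sw, sh, iw, ih):
    """Constructed sample: header, LSD with a 2-entry global table, one image, trailer."""
    lsd = struct.pack("<HHBBB", sw, sh, 0x80, 0, 0)  # GCT present, exponent 0 -> 2 entries
    gct = b"\x00\x00\x00\xff\xff\xff"
    img = b"\x2c" + struct.pack("<HHHHB", 0, 0, iw, ih, 0)
    lzw = b"\x02\x02\x44\x01\x00"  # min code size 2, one 2-byte sub-block, terminator
    return b"GIF87a" + lsd + gct + img + lzw + b"\x3b"


GOOD_GIF = _make_gif(2, 2, 2, 2)              # constructed: image fits the screen
OVERSIZED_IMAGE_GIF = _make_gif(2, 2, 4, 4)   # constructed: image larger than the screen raster

if __name__ == "__main__":
    print("good:", is_well_formed(GOOD_GIF))
    print("oversized image:", is_well_formed(OVERSIZED_IMAGE_GIF))
```

The check deliberately does not decode the LZW stream: it only walks the block structure, so a file that passes still needs a decoder that stops at the end of its raster. The 12336 x 12336 header from the report would be rejected by the budget alone long before any pixel is written.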
------- Comment #1 From 2016-06-02 01:13:19 -------
CVE-2016-5102 has been assigned to this issue.
------- Comment #2 From 2016-06-02 03:11:08 -------
This issue was found using the american fuzzy lop fuzzer.
------- Comment #3 From 2016-06-05 16:36:45 -------
The gif2tiff utility is now removed from the libtiff package (as will appear in
4.0.7).
------- Comment #4 From 2016-07-19 12:13:12 -------
(In reply to comment #3)
> The gif2tiff utility is now removed from the libtiff package (as will appear in
> 4.0.7).

That's just crazy... Was the utility so useless?

Henri, the URL you set for this ticket returns a 404. Examining the directory
(http://bugs.fi/media/afl/libtiff/ ), I can see the CVE-2016-5102.gif, but get
a 403, when I attempt to download it... Could you make it readable, please?
Maybe, I can craft a patch to save the utility from oblivion? Thanks!
------- Comment #5 From 2016-07-19 14:06:21 -------
Mikhail, you should be able to download it now. Sorry for the trouble. FYI, they
have made a similar removal comment about the thumbnail tool.
------- Comment #6 From 2016-09-05 09:43:42 -------
Created an attachment (id=670)
CVE-2016-5102.gif