First Last Prev Next    No search results available
Bug 2565 - CVE-2016-3621: libtiff: Out-of-bounds Read in the bmp2tiff tool
: CVE-2016-3621: libtiff: Out-of-bounds Read in the bmp2tiff tool
Status: RESOLVED WONTFIX
: libtiff
default
: unspecified
: PC Linux
: P1 critical
: ---
Assigned To:
: http://www.openwall.com/lists/oss-sec...
:
:
:
:
  Show dependency treegraph
 
Reported: 2016-06-27 02:25 by
Modified: 2016-08-15 16:11 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)


Note

You need to log in before you can comment on or make changes to this bug.

Description From 2016-06-27 02:25:35 
Original advisory below:

Affected Versions: <= 4.0.6
Vulnerability Type: Out-of-bounds Read
CVE ID: CVE-2016-3621
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============

LZWEncode function in tif_lzw.c in bmp2tiff allows attackers to cause a denial
of service (Out-of-bounds Read) via a crafted bmp image with param -c lzw.


libtiff-master/libtiff/tif_lzw.c:915

910  */
911 PutNextCode(op, CODE_CLEAR);
912 ent = *bp++; cc--; incount++;
913 }
914 while (cc > 0) {
915 c = *bp++; cc--; incount++;
916 fcode = ((long)c << BITS_MAX) + ent;
917 h = (c << HSHIFT) ^ ent; /* xor hashing */


./bmp2tiff  -c lzw  ./sample/bmp2tiff_lzw.bmp 1.tif

=================================================================
==10455== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x7fbcd06d1c00 at pc 0x4827aa bp 0x7ffef81741d0 sp 0x7ffef81741c0
READ of size 1 at 0x7fbcd06d1c00 thread T0
    #0 0x4827a9 in LZWEncode
/home/dazhuang/asan/libtiff-master/libtiff/tif_lzw.c:915
    #1 0x45665e in TIFFWriteScanline
/home/dazhuang/asan/libtiff-master/libtiff/tif_write.c:173
    #2 0x40450f in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:775
    #3 0x7fbcccc92af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
    #4 0x4019a8 in _start
(/home/dazhuang/asan/libtiff-master/tools/bmp2tiff+0x4019a8)
0x7fbcd06d1c00 is located 0 bytes to the right of 1573888-byte region
[0x7fbcd0551800,0x7fbcd06d1c00)
allocated by thread T0 here:
    #0 0x7fbccd563129 (/lib64/libasan.so.0+0x16129)
    #1 0x45b761 in _TIFFmalloc
/home/dazhuang/asan/libtiff-master/libtiff/tif_unix.c:316
    #2 0x4037c3 in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:678
    #3 0x7fbcccc92af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/dazhuang/asan/libtiff-master/libtiff/tif_lzw.c:915 LZWEncode
Shadow bytes around the buggy address:
  0x0ff81a0d2330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff81a0d2340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff81a0d2350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff81a0d2360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff81a0d2370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff81a0d2380:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d2390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d23a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d23b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d23c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff81a0d23d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==10455== ABORTING
------- Comment #1 From 2016-08-15 16:11:48 ------- 
Closing as wontfix since bmp2tiff has been removed from libtiff
First Last Prev Next    No search results available