Bug 2566 - CVE-2016-3625: libtiff: out-of-bounds read in the tiff2bw tool
Status: RESOLVED INVALID
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P1 critical
URL: http://www.openwall.com/lists/oss-sec...
Reported: 2016-06-27 05:29
Modified: 2016-10-10 15:03


Attachments
Out-of-bounds Read occurred in tif_read.c:545 (3.38 KB, image/tiff), 2016-09-14 01:13, Wang Mei
Out-of-bounds Read occurred in tif_read.c:402 (3.36 KB, image/tiff), 2016-09-14 01:13, Wang Mei
Out-of-bounds Read occurred in tif_read.c:560 (3.45 KB, image/tiff), 2016-09-14 01:14, Wang Mei


Description From 2016-06-27 05:29:05
From the original advisory:

Affected Versions: <= 4.0.6
Vulnerability Type: Out-of-bounds Read
CVE ID: CVE-2016-3625
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============

An out-of-bounds read at tif_read.c:545, tif_read.c:402 or tif_read.c:560 in
tiff2bw allows attackers to cause a denial of service via a crafted TIFF image.

gdb tiff2bw

(gdb) r sample/tiff2bw_1.tif 1.tif

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bb4b3a in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:545
545                                 td->td_stripoffset[strip] > (uint64)tif->tif_size - bytecount) {
Missing separate debuginfos, use: debuginfo-install glibc-2.17-78.el7.x86_64
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  0x00007ffff7bb4b3a in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:545
#1  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#2  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x6076d0, row=0, sample=0) at tif_read.c:295
#3  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253
(gdb)


(gdb) r sample/tiff2bw_2.tif 1.tif

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bb46e4 in TIFFReadRawStrip1 (tif=0x604010, strip=0, buf=0x605620, size=10, module=0x7ffff7bcfa81 <module.3917> "TIFFFillStrip") at tif_read.c:402
402                     ma=(tmsize_t)td->td_stripoffset[strip];
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  0x00007ffff7bb46e4 in TIFFReadRawStrip1 (tif=0x604010, strip=0, buf=0x605620, size=10, module=0x7ffff7bcfa81 <module.3917> "TIFFFillStrip") at tif_read.c:402
#1  0x00007ffff7bb4d73 in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:612
#2  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#3  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x6076e0, row=0, sample=0) at tif_read.c:295
#4  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253

(gdb) r sample/tiff2bw_3.tif 1.tif

Program received signal SIGSEGV, Segmentation fault.
TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:560
560                                     TIFFErrorExt(tif->tif_clientdata, module,
(gdb) l
555                                             "got %I64u bytes, expected %I64u",
556                                             (unsigned long) strip,
557                                             (unsigned __int64) tif->tif_size - td->td_stripoffset[strip],
558                                             (unsigned __int64) bytecount);
559     #else
560                                     TIFFErrorExt(tif->tif_clientdata, module,
561
562                                             "Read error on strip %lu; "
563                                             "got %llu bytes, expected %llu",
564                                             (unsigned long) strip,
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:560
#1  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#2  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x607600, row=0, sample=0) at tif_read.c:295
#3  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253
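All three traces fault while indexing td->td_stripoffset[strip] with the strip table at address 0x0. The following triage check is an added example, not code from the report or from libtiff: it walks the first IFD of a TIFF and reports whether the StripOffsets (tag 273) and StripByteCounts (tag 279) entries are declared at all, which is one way a file can leave a reader without a strip table. That cause is an assumption drawn from the trace, and the sample byte arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Tag numbers from the TIFF 6.0 specification. */
#define TAG_STRIP_OFFSETS     273
#define TAG_STRIP_BYTE_COUNTS 279

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[1] | p[0] << 8);
}
static uint32_t rd32(const uint8_t *p, int le) {
    uint32_t b0 = p[0], b1 = p[1], b2 = p[2], b3 = p[3];
    return le ? (b0 | b1 << 8 | b2 << 16 | b3 << 24) : (b3 | b2 << 8 | b1 << 16 | b0 << 24);
}

/* Walk the first IFD. Returns 1 if StripOffsets and StripByteCounts are both
 * declared, 0 if either is missing, -1 if the header/IFD overruns the buffer. */
int tiff_has_strip_tables(const uint8_t *buf, size_t len) {
    int le;
    if (len < 8) return -1;
    if (buf[0] == 'I' && buf[1] == 'I') le = 1;        /* little-endian */
    else if (buf[0] == 'M' && buf[1] == 'M') le = 0;   /* big-endian */
    else return -1;
    if (rd16(buf + 2, le) != 42) return -1;            /* classic TIFF magic */
    uint32_t ifd = rd32(buf + 4, le);
    if (ifd > len || len - ifd < 2) return -1;
    uint16_t n = rd16(buf + ifd, le);
    if ((size_t)n * 12 > len - ifd - 2) return -1;     /* entries run past EOF */
    int have_off = 0, have_cnt = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t tag = rd16(buf + ifd + 2 + 12 * i, le);
        if (tag == TAG_STRIP_OFFSETS) have_off = 1;
        else if (tag == TAG_STRIP_BYTE_COUNTS) have_cnt = 1;
    }
    return have_off && have_cnt;
}

/* Constructed sample: little-endian TIFF whose IFD declares one strip of
 * one byte at offset 38 via both StripOffsets and StripByteCounts.      */
const uint8_t tiff_ok[] = {
    'I', 'I', 42, 0, 8, 0, 0, 0,                 /* header, IFD at offset 8 */
    2, 0,                                        /* two entries */
    0x11, 0x01, 4, 0, 1, 0, 0, 0, 38, 0, 0, 0,   /* StripOffsets    = 38 */
    0x17, 0x01, 4, 0, 1, 0, 0, 0, 1, 0, 0, 0,    /* StripByteCounts = 1  */
    0, 0, 0, 0, 0x00                             /* no next IFD; strip data */
};
/* Constructed sample: the same file with the StripOffsets entry dropped. */
const uint8_t tiff_no_offsets[] = { 'I', 'I', 42, 0, 8, 0, 0, 0, 1, 0,
    0x17, 0x01, 4, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0x00 };
```

A result of 0 or -1 marks a file worth inspecting before it reaches a tool such as tiff2bw; a result of 1 only says the tables are declared, not that their values are sane.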
------- Comment #1 From 2016-07-11 17:05:43 -------
The files to reproduce were not provided in the original report? From the
traces, the issue could be in libtiff itself.
------- Comment #2 From 2016-07-12 14:08:20 -------
I have requested the sample from the original reporter on 2016-07-10.
------- Comment #3 From 2016-09-14 01:13:10 -------
Created an attachment (id=673)
Out-of-bounds Read occurred in tif_read.c:545
------- Comment #4 From 2016-09-14 01:13:54 -------
Created an attachment (id=674)
Out-of-bounds Read occurred in tif_read.c:402
------- Comment #5 From 2016-09-14 01:14:40 -------
Created an attachment (id=675)
Out-of-bounds Read occurred in tif_read.c:560
------- Comment #6 From 2016-10-08 11:52:40 -------
I cannot reproduce any crash or Valgrind error with the latest CVS head, nor with
stock 4.0.6... Tried with 32- and 64-bit builds.
------- Comment #7 From 2016-10-10 15:03:11 -------
Can't reproduce.