Bug 2579 - CVE-2016-9453: out-of-bounds Write Caused by memcpy and no bound check in tiff2pdf
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P1 enhancement
Reported: 2016-09-28 23:44 by
Modified: 2016-11-19 04:19


Attachments
poc (160 bytes, image/tiff)
2016-09-28 23:45, chenqin@topsec.com.cn
Details




Description From 2016-09-28 23:44:57
Hello,

"""
Affected Versions: latest
Vulnerability Type:  Out-of-bounds Write Caused by memcpy and no bound check.
Credit: Aibot, Alpha lab, Topsec

When the latest libtiff tiff2pdf handles a malicious tiff file, it will cause
an illegal write. An attacker may control the write address and/or value
to result in denial-of-service or command execution.

        if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
                if (count > 0) {
                        /* tiff2pdf.c:2890 - count is never checked against the size of buffer */
                        _TIFFmemcpy(buffer, jpt, count);
                        /* count == 1 makes this step negative, so the reads below leave the buffer */
                        bufferoffset += count - 2;
                        table_end[0] = buffer[bufferoffset-2];
                        table_end[1] = buffer[bufferoffset-1];
                }
                if (count > 0) {


Different case than: http://bugzilla.maptools.org/show_bug.cgi?id=2545#c0

An out-of-bounds write vulnerability in the tiff2pdf tool has been reported in:
http://www.openwall.com/lists/oss-security/2016/09/29/

"""
------- Comment #1 From 2016-09-28 23:45:24 -------
Created an attachment (id=678) [details]
poc
------- Comment #2 From 2016-09-28 23:46:15 -------
(In reply to comment #1)
> Created an attachment (id=678) [details]
> poc

in file tiff2pdf.c line 2890
------- Comment #3 From 2016-10-08 11:39:47 -------
Just fixed per

2016-10-08 Even Rouault <even.rouault at spatialys.com>

        * tools/tiff2pdf.c: fix read -largely- outsize of buffer in
        t2p_readwrite_pdf_image_tile(), causing crash, when reading a
        JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
        Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
        the MSRC Vulnerabilities & Mitigations team.

/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v  <--  tools/tiff2pdf.c
new revision: 1.93; previous revision: 1.92
------- Comment #4 From 2016-11-18 09:57:32 -------
CVE request: http://www.openwall.com/lists/oss-security/2016/11/18/4
------- Comment #5 From 2016-11-19 04:19:59 -------
CVE assigned: http://www.openwall.com/lists/oss-security/2016/11/19/1