Bug 2587 - CVE-2016-9273: heap-buffer-overflow in cpStrips (tiffsplit.c:246)
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Platform: PC Linux
Importance: P1 critical
Target Milestone: ---

Reported: 2016-11-07 15:39
Modified: 2016-11-11 16:09 (History)


Attachments
malformed tif (74 bytes, application/x-gzip), 2016-11-07 15:39, geeknik


------- Description From 2016-11-07 15:39:06 -------
Created an attachment (id=687)
malformed tif

Triggered in libtiff 4.0.6 with AFL and ASAN.

./tiffsplit test049

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
=================================================================
==18669==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef78 at pc 0x407549 bp 0x7ffeeb10bc00 sp 0x7ffeeb10bbf8
READ of size 8 at 0x60200000ef78 thread T0
    #0 0x407548 in cpStrips /root/libtiff/tools/tiffsplit.c:246
    #1 0x407548 in tiffcp /root/libtiff/tools/tiffsplit.c:227
    #2 0x407548 in main /root/libtiff/tools/tiffsplit.c:89
    #3 0x7face2437b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #4 0x40836c (/root/libtiff/tools/tiffsplit+0x40836c)

0x60200000ef78 is located 0 bytes to the right of 8-byte region [0x60200000ef70,0x60200000ef78)
allocated by thread T0 here:
    #0 0x7face2b169f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
    #1 0x4a9ea0 in _TIFFCheckRealloc /root/libtiff/libtiff/tif_aux.c:73
    #2 0x4a9ea0 in _TIFFCheckMalloc /root/libtiff/libtiff/tif_aux.c:88

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libtiff/tools/tiffsplit.c:246 cpStrips
Shadow bytes around the buggy address:
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9de0: fa fa fa fa fa fa fd fd fa fa 00 fa fa fa 00[fa]
  0x0c047fff9df0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==18669==ABORTING
------- Comment #1 From 2016-11-09 12:03:40 -------
Can't reproduce this with the latest codebase from CVS. I have no idea what
commit fixed this issue and I do not plan to investigate this further. I also
tested with ASan build.
------- Comment #2 From 2016-11-09 18:01:11 -------
Fixed per

2016-11-10 Even Rouault <even.rouault at spatialys.com>

        * libtiff/tif_strip.c: make TIFFNumberOfStrips() return the td->td_nstrips
        value when it is non-zero, instead of recomputing it. This is needed in
        TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outside of
        array in tiffsplit (or other utilities using TIFFNumberOfStrips()).
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2587

/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1151; previous revision: 1.1150
/cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v  <--  libtiff/tif_strip.c
new revision: 1.37; previous revision: 1.36
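The mechanism behind the ASan report, as an added self-contained C model (this is example code, not libtiff's and not part of the bug thread). The ChangeLog says TIFF_STRIPCHOP mode modifies td_nstrips while the old TIFFNumberOfStrips() recomputed the count from image geometry; cpStrips in tiffsplit used that recomputed count as the loop bound over a StripByteCounts array that was sized by td_nstrips. The 8-byte region in the report is the size of one uint64 StripByteCounts entry. The struct, the strip-chop arithmetic (new count derived from the single strip's declared byte count, rowsperstrip lowered) and the 1000-row/10-byte directory below are constructed assumptions chosen to make the two counts diverge; only the "return td_nstrips when it is non-zero" rule is taken from the fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the TIFFDirectory fields involved. Field names
   mirror libtiff's; the struct and every helper here are this example's own. */
typedef struct {
    uint32_t  td_imagelength;
    uint32_t  td_rowsperstrip;
    uint32_t  td_nstrips;          /* entries actually allocated in the array below */
    uint64_t *td_stripbytecount;   /* td_nstrips entries; what cpStrips indexes */
} Dir;

static uint32_t howmany32(uint32_t x, uint32_t y) { return (x + y - 1) / y; }

/* Pre-fix TIFFNumberOfStrips(): always derive the count from image geometry. */
static uint32_t number_of_strips_prefix(const Dir *td) {
    return td->td_rowsperstrip == (uint32_t)-1 ? 1
         : howmany32(td->td_imagelength, td->td_rowsperstrip);
}

/* Post-fix behaviour per the ChangeLog: a non-zero td_nstrips wins. */
static uint32_t number_of_strips_fixed(const Dir *td) {
    return td->td_nstrips ? td->td_nstrips : number_of_strips_prefix(td);
}

/* Simplified strip chop (assumption: models TIFF_STRIPCHOP, not libtiff's code).
   The single strip is cut into pieces of `stripbytes` bytes; the new strip count
   comes from the strip's declared byte count, and rowsperstrip is lowered.
   The byte-count array is reallocated to exactly that many entries. */
static void chop_single_strip(Dir *td, uint32_t stripbytes, uint32_t rowsperstrip) {
    uint64_t bytecount = td->td_stripbytecount[0];
    uint32_t nstrips = (uint32_t)((bytecount + stripbytes - 1) / stripbytes);
    if (nstrips == 0 || rowsperstrip >= td->td_rowsperstrip) return;
    uint64_t *bc = realloc(td->td_stripbytecount, nstrips * sizeof *bc);
    if (!bc) return;
    for (uint32_t s = 0; s < nstrips; s++) {
        uint64_t left = bytecount - (uint64_t)s * stripbytes;
        bc[s] = left < stripbytes ? left : stripbytes;
    }
    td->td_stripbytecount = bc;
    td->td_nstrips = nstrips;
    td->td_rowsperstrip = rowsperstrip;
}

/* cpStrips-style walk over the byte counts, with the guard cpStrips lacked:
   returns the total bytes it would copy, or -1 when the requested loop bound
   exceeds the array (the read that ASan flagged at tiffsplit.c:246). */
static int64_t walk_strips(const Dir *td, uint32_t ns) {
    if (ns > td->td_nstrips) return -1;
    int64_t total = 0;
    for (uint32_t s = 0; s < ns; s++) total += (int64_t)td->td_stripbytecount[s];
    return total;
}

/* Constructed malformed directory: 1000 rows declared as one uncompressed
   strip whose StripByteCounts entry claims only 10 bytes. */
static Dir make_malformed_dir(void) {
    Dir d = { 1000, 1000, 1, NULL };
    d.td_stripbytecount = malloc(sizeof(uint64_t));
    d.td_stripbytecount[0] = 10;
    return d;
}

int main(void) {
    Dir d = make_malformed_dir();
    chop_single_strip(&d, 8200, 82);             /* constructed chop parameters */
    uint32_t pre  = number_of_strips_prefix(&d); /* howmany(1000, 82) = 13 */
    uint32_t post = number_of_strips_fixed(&d);  /* td_nstrips = 1 */
    printf("td_nstrips=%u pre-fix=%u post-fix=%u\n", d.td_nstrips, pre, post);
    printf("walk with pre-fix bound:  %lld\n", (long long)walk_strips(&d, pre));
    printf("walk with post-fix bound: %lld\n", (long long)walk_strips(&d, post));
    free(d.td_stripbytecount);
    return 0;
}
```

After the chop the array holds one entry but the geometry-derived count is 13, so a cpStrips-style loop bounded by the old TIFFNumberOfStrips() walks 12 entries past the allocation; bounding by td_nstrips keeps it inside. The lesson for callers of any parsing library is the one walk_strips applies: a loop bound must come from the same place that sized the array, or be clamped to it.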
------- Comment #3 From 2016-11-11 16:07:03 -------
For reference this has been assigned CVE-2016-9273.