Bug 2590 - CVE-2016-9297: segfault in _TIFFPrintField (tif_print.c:127)
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Platform: PC Linux
Importance: P2 critical
Reported: 2016-11-07 16:41 by
Modified: 2016-11-14 13:40


Attachments
poc (67 bytes, application/x-gzip)
2016-11-07 16:41, geeknik


Description From 2016-11-07 16:41:18
Created an attachment (id=690)
poc

Triggered in libtiff 4.0.6 with AFL and ASAN. Only crashes if I LD_PRELOAD
AFL's libdislocator (more info:
https://github.com/mirrorer/afl/tree/master/libdislocator).

LD_PRELOAD=/root/afl-2.35b/libdislocator/libdislocator.so ./tiffinfo -i test000

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12291 (0x3003) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required
"StripByteCounts" field, calculating from imagelength.
TIFF Directory at offset 0x62 (98)
  Image Width: 12336 Image Length: 12336
  Compression Scheme: None
  Planar Configuration: single image plane
ASAN:SIGSEGV
=================================================================
==6884==ERROR: AddressSanitizer: SEGV on unknown address 0x7faf9b2d2000 (pc
0x7faf999ecd10 sp 0x7ffe26e325b8 bp 0x7faf9b2d1fff T0)
    #0 0x7faf999ecd0f in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x81d0f)
    #1 0x7faf999d52ee in _IO_fputs (/lib/x86_64-linux-gnu/libc.so.6+0x6a2ee)
    #2 0x490376 in _TIFFPrintField /root/libtiff/libtiff/tif_print.c:127
    #3 0x490376 in TIFFPrintDirectory /root/libtiff/libtiff/tif_print.c:647
    #4 0x405545 in tiffinfo /root/libtiff/tools/tiffinfo.c:463
    #5 0x405545 in main /root/libtiff/tools/tiffinfo.c:152
    #6 0x7faf9998cb44 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #7 0x40648c (/root/libtiff/tools/tiffinfo+0x40648c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 strlen
==6884==ABORTING
------- Comment #1 From 2016-11-07 16:42:44 -------
Without the LD_PRELOAD we see this:

./tiffinfo -i test000

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12291 (0x3003) encountered.
TIFFReadDirectory: Warning, TIFF directory is missing required
"StripByteCounts" field, calculating from imagelength.
TIFF Directory at offset 0x62 (98)
  Image Width: 12336 Image Length: 12336
  Compression Scheme: None
  Planar Configuration: single image plane
  Tag 12291: 0
------- Comment #2 From 2016-11-11 15:22:17 -------
Fixed per

2016-11-11 Even Rouault <even.rouault at spatialys.com>

        * libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
        values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
        access are null terminated, to avoid potential read outside buffer
        in _TIFFPrintField().
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2590


/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1154; previous revision: 1.1153
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v  <--  libtiff/tif_dirread.c
new revision: 1.203; previous revision: 1.202
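An added example (not libtiff's own code) of the defect class and of the defensive fetch the ChangeLog entry describes: a count-bounded ASCII tag value is copied into a buffer that is guaranteed to be NUL-terminated before it ever reaches fputs, so strlen can no longer walk past the tag data. raw_tag_t, unsafe_strlen_of, fetch_ascii_tag and print_ascii_tag are hypothetical names, and the sample byte arrays are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Raw ASCII tag value as read from a directory entry: 'count' bytes the
 * file claims form a string, with no guarantee of a NUL terminator. */
typedef struct { const uint8_t *data; uint32_t count; } raw_tag_t;

/* Unsafe pattern: hand the raw bytes to a string function. Returns what strlen
 * would find, or -1 if it would read past the buffer (the fputs -> strlen crash). */
static long unsafe_strlen_of(const raw_tag_t *t) {
    for (uint32_t i = 0; i < t->count; i++)
        if (t->data[i] == '\0') return (long)i;
    return -1;
}

/* Hardened fetch in the spirit of the fix: copy the value and guarantee a NUL,
 * growing the copy by one byte when the file omitted it. Caller frees. */
static char *fetch_ascii_tag(const raw_tag_t *t, int *was_fixed) {
    uint32_t n = t->count;
    int missing = (n == 0) || (t->data[n - 1] != '\0');  /* constructed check */
    char *buf = malloc((size_t)n + (missing ? 1u : 0u));
    if (!buf) return NULL;
    memcpy(buf, t->data, n);
    if (missing) buf[n] = '\0';
    if (was_fixed) *was_fixed = missing;
    return buf;
}

/* Safe counterpart of the print path: fetch, then fputs. Returns 1 when a
 * terminator had to be added, 0 when the value was already fine, -1 on OOM. */
static int print_ascii_tag(FILE *out, const char *name, const raw_tag_t *t) {
    int fixed = 0;
    char *s = fetch_ascii_tag(t, &fixed);
    if (!s) return -1;
    fprintf(out, "  %s: ", name);
    fputs(s, out); /* strlen stops at our NUL, never past the copy */
    fputc('\n', out);
    free(s);
    return fixed;
}

/* Constructed samples: an unterminated 4-byte value and a terminated one. */
static const uint8_t sample_unterminated[] = { 'a', 'b', 'c', 'd' };
static const uint8_t sample_terminated[] = { 'o', 'k', '\0' };

int main(void) { /* demo: print the unterminated sample without over-reading */
    return print_ascii_tag(stdout, "Tag 12291", &(raw_tag_t){ sample_unterminated, 4 }) == 1 ? 0 : 1;
}
```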
------- Comment #3 From 2016-11-14 13:40:44 -------
For reference this flaw has been assigned CVE-2016-9297.