Bug 2688 - CVE-2017-9404: libtiff:memory leak in OJPEGReadHeaderInfoSecTablesQTable
Status: RESOLVED FIXED
: libtiff
default
: unspecified
: PC Linux
: P1 critical
: ---
Reported: 2017-04-20 12:16 by
Modified: 2017-06-13 04:32


Attachments
testcase (4.93 KB, image/tiff)
2017-04-20 12:16, bestshow

Description From 2017-04-20 12:16:20
Created an attachment (id=769)
testcase

on libtiff 4.0.7

The OJPEGReadHeaderInfoSecTablesQTable function in tif_ojpeg.c:1770 allows
remote attackers to cause a denial of service (memory leak) via a crafted file.

#tiff2ps $FILE

=================================================================
==11260==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 73 byte(s) in 1 object(s) allocated from:
    #0 0x7f44f6f78bb8 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x45f0cd in _TIFFmalloc /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:316
    #2 0x4af1c7 in OJPEGReadHeaderInfoSecTablesQTable /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_ojpeg.c:1770
    #3 0x4abe74 in OJPEGReadHeaderInfoSec /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_ojpeg.c:1360
    #4 0x4a8c93 in OJPEGReadHeaderInfo /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_ojpeg.c:1086
    #5 0x4a4fca in OJPEGPreDecode /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_ojpeg.c:674
    #6 0x452d6e in TIFFStartStrip /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_read.c:1023
    #7 0x450b02 in TIFFFillStrip /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_read.c:647
    #8 0x44ec16 in TIFFSeek /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_read.c:233
    #9 0x44efe1 in TIFFReadScanline /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_read.c:300
    #10 0x40bf41 in PSDataColorContig /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:2449
    #11 0x40ba1d in PSpage /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:2347
    #12 0x4087ce in TIFF2PS /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:1606
    #13 0x40379a in main /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:473
    #14 0x7f44f6184b34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

SUMMARY: AddressSanitizer: 73 byte(s) leaked in 1 allocation(s).

testcase: https://github.com/bestshow/p0cs/blob/master/memory-leak-OJPEGReadHeaderInfoSecTablesQTable-tiff2ps-1.tif
------- Comment #1 From 2017-04-27 10:21:36 -------
I can reproduce with 4.0.7, but no longer with CVS HEAD.
------- Comment #2 From 2017-06-03 00:42:58 -------
(In reply to comment #0)

Credit: ADLab of Venustech
------- Comment #3 From 2017-06-13 04:32:50 -------
For reference, this has been assigned CVE-2017-9404.
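
Added example (not part of the original report or of libtiff): a small triage helper for LeakSanitizer output like the report in the description. It names the first non-allocator frame as the function to inspect and accepts frames whose source location is on the same line or wrapped onto the next. The WRAPPERS list and all function names in the script are assumptions of this example.

```python
import re

# Frames #0-#2 of the report in the description, each source location on its own line.
SAMPLE = """\
==11260==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 73 byte(s) in 1 object(s) allocated from:
    #0 0x7f44f6f78bb8 in __interceptor_malloc
../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x45f0cd in _TIFFmalloc
/home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:316
    #2 0x4af1c7 in OJPEGReadHeaderInfoSecTablesQTable
/home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_ojpeg.c:1770

SUMMARY: AddressSanitizer: 73 byte(s) leaked in 1 allocation(s).
"""

LEAK = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)(?: (\S+))?")
# Allocator wrappers skipped when naming the responsible function (assumed list).
WRAPPERS = {"__interceptor_malloc", "__interceptor_calloc", "_TIFFmalloc"}

def parse_leaks(report):
    """Return one dict per leak record: kind, bytes, objects, frames [[func, loc]]."""
    leaks, cur = [], None
    for line in report.splitlines():
        if (m := LEAK.match(line)):
            cur = {"kind": m[1], "bytes": int(m[2]), "objects": int(m[3]), "frames": []}
            leaks.append(cur)
        elif cur is None or not line.strip():
            cur = None                            # outside a record, or blank line ends it
        elif (f := FRAME.match(line)):
            cur["frames"].append([f[1], f[2]])    # loc is None when wrapped
        elif cur["frames"] and cur["frames"][-1][1] is None:
            cur["frames"][-1][1] = line.strip()   # wrapped location of previous frame
    return leaks

def blame(leak):
    """First frame that is not an allocator wrapper, as (function, location)."""
    return next((tuple(fr) for fr in leak["frames"] if fr[0] not in WRAPPERS), None)

def triage(report):
    """Total leaked bytes per responsible function, for de-duplicating findings."""
    totals = {}
    for leak in parse_leaks(report):
        fn = (blame(leak) or ("<unknown>", None))[0]
        totals[fn] = totals.get(fn, 0) + leak["bytes"]
    return totals
```

Calling triage() on the output of each crashing input groups reports that share one allocation site, such as this one and any others pointing at tif_ojpeg.c:1770.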