Bug 2689 - CVE-2017-9403: libtiff:memory leak in TIFFReadDirEntryLong8Array
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P1 critical

Reported: 2017-04-20 12:17
Modified: 2018-08-07 21:29 (History)


Attachments
testcase (1.86 KB, image/tiff), 2017-04-20 12:17, bestshow




Description From 2017-04-20 12:17:43
Created an attachment (id=770)
testcase

on libtiff 4.0.7

The TIFFReadDirEntryLong8Array function in tif_dirread.c:1919 allows remote
attackers to cause a denial of service (memory leak) via a crafted file.

#tiff2ps $FILE
=================================================================
==11378==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f9553673bb8 in __interceptor_malloc
../../../../libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x45f0cd in _TIFFmalloc
/home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:316
    #2 0x436c31 in TIFFReadDirEntryLong8Array
/home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:1919
    #3 0x449962 in TIFFFetchStripThing
/home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:5402
    #4 0x43ee00 in TIFFReadDirectory
/home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:3737
    #5 0x44d461 in TIFFClientOpen
/home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_open.c:466
    #6 0x45ee3d in TIFFFdOpen
/home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:211
    #7 0x45f08c in TIFFOpen
/home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:250
    #8 0x4036ff in main
/home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:465
    #9 0x7f955287fb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)

SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).

testcase:https://github.com/bestshow/p0cs/blob/master/memory-leak-TIFFReadDirEntryLong8Array-tiff2ps-2.tif
------- Comment #1 From 2017-04-27 10:46:34 -------
Fixed per
/cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
new revision: 1.1219; previous revision: 1.1218
/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v  <--  libtiff/tif_dirread.c
new revision: 1.208; previous revision: 1.207
/cvs/maptools/cvsroot/libtiff/tools/tiff2ps.c,v  <--  tools/tiff2ps.c
new revision: 1.56; previous revision: 1.55


2017-04-27
        * libtiff/tif_dirread.c: fix memory leak in non DEFER_STRILE_LOAD
        mode (ie default) when there is both a StripOffsets and
        TileOffsets tag, or a StripByteCounts and TileByteCounts
        Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2689
        * tools/tiff2ps.c: call TIFFClose() in error code paths.
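The ChangeLog entry above describes the leak as a directory that carries both StripOffsets and TileOffsets (or both ByteCounts tags): each tag fetches a fresh array into the same field, so the first array is orphaned. The following is an added, simplified C model of that pattern and of a hardened reader, written for this page; it is not libtiff's tif_dirread.c, and the DirEntry/Directory types, fetch_strile_thing() and live_allocs counter are constructed stand-ins for the real structures and for LeakSanitizer's bookkeeping.

```c
/* Added model of the allocation pattern behind bug 2689 (illustrative, not libtiff code). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Tag numbers from the TIFF 6.0 specification. */
#define TIFFTAG_STRIPOFFSETS 273
#define TIFFTAG_TILEOFFSETS  324

typedef struct { uint16_t tag; uint32_t count; } DirEntry;  /* simplified IFD entry */
typedef struct { uint64_t *stripoffset; } Directory;         /* td_stripoffset analogue */

static int live_allocs = 0;  /* constructed stand-in for LeakSanitizer's accounting */

/* Analogue of TIFFFetchStripThing: always returns a freshly allocated offset array. */
static uint64_t *fetch_strile_thing(const DirEntry *dp) {
    uint64_t *arr = calloc(dp->count ? dp->count : 1, sizeof *arr);
    if (arr) live_allocs++;
    return arr;
}

/* The TIFFFreeDirectory/TIFFClose step: releases whatever the field currently points at. */
static void free_dir(Directory *td) {
    if (td->stripoffset) { free(td->stripoffset); live_allocs--; td->stripoffset = NULL; }
}

/* Pre-fix behaviour: both tags store into the same field, so the first array is lost. */
static int read_directory_leaky(Directory *td, const DirEntry *dir, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (dir[i].tag == TIFFTAG_STRIPOFFSETS || dir[i].tag == TIFFTAG_TILEOFFSETS)
            if (!(td->stripoffset = fetch_strile_thing(&dir[i]))) return 0;
    return 1;
}

/* Hardened form: a second offsets tag is treated as a malformed directory, and the
 * error path frees what was already allocated instead of overwriting the pointer. */
static int read_directory_fixed(Directory *td, const DirEntry *dir, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (dir[i].tag != TIFFTAG_STRIPOFFSETS && dir[i].tag != TIFFTAG_TILEOFFSETS) continue;
        if (td->stripoffset != NULL) {
            fprintf(stderr, "duplicate StripOffsets/TileOffsets tag; rejecting directory\n");
            free_dir(td);
            return 0;
        }
        if (!(td->stripoffset = fetch_strile_thing(&dir[i]))) { free_dir(td); return 0; }
    }
    return 1;
}

/* Runs a reader over a constructed directory holding both tags, then closes it;
 * returns the number of allocations still live (1 reproduces the leak, 0 is clean). */
static int leaked_after(int (*reader)(Directory *, const DirEntry *, size_t)) {
    const DirEntry both[] = { { TIFFTAG_STRIPOFFSETS, 1 }, { TIFFTAG_TILEOFFSETS, 1 } };
    Directory td = { NULL };
    live_allocs = 0;
    (void)reader(&td, both, 2);
    free_dir(&td);
    return live_allocs;
}
```

Running both readers over the same two-tag directory shows why LeakSanitizer reported exactly one orphaned allocation, and why the fix belongs in the reader rather than in TIFFClose().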
------- Comment #2 From 2017-06-01 08:16:03 -------
*** Bug 2680 has been marked as a duplicate of this bug. ***
------- Comment #3 From 2017-06-03 00:41:36 -------
(In reply to comment #0)
> Created an attachment (id=770)
> testcase
> 
> on libtiff 4.0.7
> 
> The TIFFReadDirEntryLong8Array function in tif_dirread.c:1919 allows remote
> attackers to cause a denial of service (memory leak) via a crafted file.
> 
> #tiff2ps $FILE
> =================================================================
> ==11378==ERROR: LeakSanitizer: detected memory leaks
> 
> Direct leak of 8 byte(s) in 1 object(s) allocated from:
>     #0 0x7f9553673bb8 in __interceptor_malloc
> ../../../../libsanitizer/asan/asan_malloc_linux.cc:62
>     #1 0x45f0cd in _TIFFmalloc
> /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:316
>     #2 0x436c31 in TIFFReadDirEntryLong8Array
> /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:1919
>     #3 0x449962 in TIFFFetchStripThing
> /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:5402
>     #4 0x43ee00 in TIFFReadDirectory
> /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_dirread.c:3737
>     #5 0x44d461 in TIFFClientOpen
> /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_open.c:466
>     #6 0x45ee3d in TIFFFdOpen
> /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:211
>     #7 0x45f08c in TIFFOpen
> /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/libtiff/tif_unix.c:250
>     #8 0x4036ff in main
> /home/haojun/Downloads/testopensourcecode/tiff-4.0.7/tools/tiff2ps.c:465
>     #9 0x7f955287fb34 in __libc_start_main (/lib64/libc.so.6+0x21b34)
> 
> SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).
> 
> testcase:https://github.com/bestshow/p0cs/blob/master/memory-leak-TIFFReadDirEntryLong8Array-tiff2ps-2.tif

Credit: ADLab of Venustech
------- Comment #4 From 2017-06-05 17:38:50 -------
*** Bug 2695 has been marked as a duplicate of this bug. ***
------- Comment #5 From 2017-06-13 04:32:00 -------
For reference, this has been assigned CVE-2017-9403.
------- Comment #6 From 2018-08-07 21:29:30 -------
*** Bug 2682 has been marked as a duplicate of this bug. ***