Bug 2819 - There is a NULL pointer dereference at function LZWDecode in libtiff 4.0.9 (CVE-2018-18661)
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P2 enhancement
Target Milestone: ---
Assigned To:
URL: https://github.com/TeamSeri0us/pocs/b...
Reported: 2018-10-25 05:21 by
Modified: 2018-10-30 12:50 (History)


Attachments
poc (186.75 KB, application/octet-stream)
2018-10-25 05:21, teamseri0us360@gmail.com

Description From 2018-10-25 05:21:20
Created an attachment (id=872) [details]
poc

Overview:
There is a NULL pointer dereference at function LZWDecode at file
tif_lzw.c:462.

Steps to Reproduce:
$ ./tiff2bw poc /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
Segmentation fault

Actual Results: 
The application crashed.

Build Date & Platform
Build 2018-10-25 on ubuntu 18.04

Additional Information
gdb info:

In file: /home/pwd/fuzz/fuzz-libtiff/tiff-4.0.9/libtiff/tif_lzw.c
   457                 TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
   458                 "LZWDecode: Corrupted LZW table at scanline %d",
   459                          tif->tif_row);
   460                 return (0);
   461             }
 ► 462             *op++ = (char)code;
   463             occ--;
   464             oldcodep = sp->dec_codetab + code;
   465             continue;
   466         }
   467         codep = sp->dec_codetab + code;

pwndbg> p op
$2 = 0x0
pwndbg> bt
#0  LZWDecode (tif=<optimized out>, op0=<optimized out>, occ0=<optimized out>,
s=<optimized out>) at tif_lzw.c:462
#1  0x00007ffff7b8bbb9 in PredictorDecodeRow (tif=0x616260, op0=0x0,
occ0=6442453011, s=0) at tif_predict.c:467
#2  0x00007ffff7b9485c in TIFFReadScanline (tif=0x616260, buf=<optimized out>,
row=0, sample=0) at tif_read.c:450
#3  0x0000000000402f15 in ?? ()
#4  0x00007ffff6ee0b97 in __libc_start_main (main=0x401340, argc=3,
argv=0x7fffffffdc48, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffdc38) at ../csu/libc-start.c:310
#5  0x000000000040127a in ?? ()
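The frames above show PredictorDecodeRow being entered with op0=0x0 and occ0=6442453011, i.e. the decoder was handed a NULL output buffer together with a byte count of roughly 6 GB, so the write at tif_lzw.c:462 lands on the zero page. The following is an added illustration, not libtiff's code and not a description of how this bug was resolved, of the caller-side guard that prevents this class of crash: bound the scanline size before allocating, check the allocation result, and have the decode routine refuse a NULL output buffer instead of writing through it. The names alloc_scanline, decode_scanline, read_row and MAX_SCANLINE_BYTES, the 256 MiB limit and the toy (count, value) run-length stream are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Policy limit for one scanline buffer (constructed value, not a libtiff
   constant): anything larger is treated as a corrupt or hostile header. */
#define MAX_SCANLINE_BYTES ((uint64_t)256 * 1024 * 1024)

/* Allocate a scanline buffer, or return NULL when the size is zero or above
   the policy limit (which also keeps the cast to size_t safe). */
unsigned char *alloc_scanline(uint64_t size)
{
    if (size == 0 || size > MAX_SCANLINE_BYTES)
        return NULL;
    return (unsigned char *)malloc((size_t)size);
}

/* Toy decoder with the same contract as a libtiff decode routine: fill `occ`
   bytes at `op` from the input stream, return 1 on success and 0 on error.
   The input is a constructed run-length format of (count, value) byte pairs.
   A NULL `op` with a non-zero `occ` is reported as an error, never written. */
int decode_scanline(unsigned char *op, uint64_t occ,
                    const unsigned char *in, size_t inlen)
{
    if (occ == 0)
        return 1;
    if (op == NULL) {
        fprintf(stderr, "decode_scanline: NULL output buffer for %llu bytes\n",
                (unsigned long long)occ);
        return 0;
    }
    if (in == NULL || inlen < 2)
        return 0;

    uint64_t written = 0;
    for (size_t i = 0; i + 1 < inlen; i += 2) {
        unsigned count = in[i], value = in[i + 1];
        for (unsigned k = 0; k < count; k++) {
            if (written >= occ)   /* stream claims more output than the row holds */
                return 0;
            op[written++] = (unsigned char)value;
        }
    }
    return written == occ;        /* a short stream is also a decode error */
}

/* Caller-side sequence a tool runs per row: size, allocate, check, decode.
   Returns 1 with *out set to the decoded row (caller frees it), or 0 with
   *out = NULL when the row was rejected before any pointer could be misused. */
int read_row(uint64_t scanline_size, const unsigned char *in, size_t inlen,
             unsigned char **out)
{
    *out = NULL;
    unsigned char *buf = alloc_scanline(scanline_size);
    if (buf == NULL)
        return 0;
    if (!decode_scanline(buf, scanline_size, in, inlen)) {
        free(buf);
        return 0;
    }
    *out = buf;
    return 1;
}

/* The byte count from the backtrace above is rejected at allocation time, so
   the decoder never sees a NULL buffer. */
int demo_huge_row_rejected(void)
{
    unsigned char sentinel;
    unsigned char *out = &sentinel;
    return read_row(6442453011ULL, NULL, 0, &out) == 0 && out == NULL;
}

/* A well-formed 4-byte row decodes normally. */
int demo_valid_row(void)
{
    static const unsigned char in[] = {2, 'a', 2, 'b'};
    unsigned char *out = NULL;
    int ok = read_row(4, in, sizeof in, &out) == 1 && out != NULL &&
             out[0] == 'a' && out[1] == 'a' && out[2] == 'b' && out[3] == 'b';
    free(out);
    return ok;
}

/* A decoder reached with op == NULL reports an error instead of faulting. */
int demo_null_buffer_refused(void)
{
    static const unsigned char in[] = {1, 'z'};
    return decode_scanline(NULL, 1, in, sizeof in) == 0;
}

/* A stream that would overrun the row buffer is stopped at the bound. */
int demo_overlong_stream_refused(void)
{
    static const unsigned char in[] = {3, 'x'};
    unsigned char *out = NULL;
    return read_row(2, in, sizeof in, &out) == 0 && out == NULL;
}

int main(void)
{
    printf("huge row rejected: %d\n", demo_huge_row_rejected());
    printf("valid row decoded: %d\n", demo_valid_row());
    printf("NULL buffer refused: %d\n", demo_null_buffer_refused());
    printf("overlong stream refused: %d\n", demo_overlong_stream_refused());
    return 0;
}
```

The size bound matters as much as the NULL check: a scanline count derived from attacker-controlled tags can exceed what the process can allocate, and an unchecked allocation result is exactly what turns a malformed header into a write to address zero further down the call chain.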
------- Comment #1 From 2018-10-27 03:49:25 -------
This issue was assigned CVE-2018-18661.
------- Comment #2 From 2018-10-27 06:09:31 -------
AFAICT this issue is still present in the current HEAD as of now
(7030e8acbcbfada4e649da53b1b5c72702c61e88).

TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4750==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x7f1f7099ffc2 bp 0x7fffa47a4a90 sp 0x7fffa47a49f0 T0)
==4750==The signal is caused by a WRITE memory access.
==4750==Hint: address points to the zero page.
    #0 0x7f1f7099ffc1 in LZWDecode /build/libtiff/libtiff/tif_lzw.c:462
    #1 0x7f1f709d0620 in PredictorDecodeRow
/build/libtiff/libtiff/tif_predict.c:465
    #2 0x7f1f709da82c in TIFFReadScanline /build/libtiff/libtiff/tif_read.c:455
    #3 0x564bff142e7d in main /build/libtiff/tools/tiff2bw.c:258
    #4 0x7f1f6fa73b16 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x22b16)
    #5 0x564bff1412e9 in _start (/build/libtiff/tools/.libs/tiff2bw+0x32e9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/libtiff/libtiff/tif_lzw.c:462 in LZWDecode
==4750==ABORTING