oss-sec mailing list archives
Re: CVE Request: libtiff: Heap-buffer overflow when processing a TIFF image with PixarLog Compression
From: Sebastian Krahmer <krahmer () suse de>
Date: Wed, 26 Sep 2012 08:57:19 +0200
On Tue, Sep 25, 2012 at 10:56:02AM -0600, Kurt Seifried wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/25/2012 03:06 AM, Huzaifa Sidhpurwala wrote:On 09/23/2012 08:29 AM, Solar Designer wrote:"libtiff 4.0.3 brings "various memory buffer access fixes". Does it fix more than CVE-2012-3401?" to which I have no answer. The change log does in fact mention "Various memory buffer access fixes." as the very first change listed for libtiff. Perhaps someone should review code changes.I had a look at the libtiff-4.0.3 commit logs and found one issue which seems to bring a possibility of heap-based buffer overflow when using a tiff file with PixarLog compression format. More details at: https://bugzilla.redhat.com/show_bug.cgi?id=860198 Though memory overwrite outside the heap-buffer is only a few bytes, one cannot really overwrite possible arbitrary code execution.
This conclusion leaves me a bit puzzled. :) Even just "a few bytes" are often enough to trigger code exec. In particular if you get a big bounty for it. As well as the patch: - sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); + sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size+sizeof(uint16)*sp->stride); If there were sizeof(uint16)*sp->stride bytes missing before, this is really more than just a few bytes. I checked that the mult cannot overflow, as sp->stride seems to be uint16. However, I think the add can actually wrap, (at least on ILP32) as tbuf_size can be 0xffffffff or so. I think the patch is broken and just shifts the hole. Plus, there are more occurences of _TIFFmalloc(tbuf_size) inside this file, one in PixarLogSetupEncode() and one in PixarLogSetupDecode() (but it might be that the Encode can never be triggered like so by attackers). Sebastian -- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer () suse de - SuSE Security Team
Current thread:
- tiff2pdf: Heap-based buffer overflow due to improper initialization of T2P context struct pointer Huzaifa Sidhpurwala (Jul 18)
- Re: tiff2pdf: Heap-based buffer overflow due to improper initialization of T2P context struct pointer Henri Salo (Jul 19)
- Re: tiff2pdf: Heap-based buffer overflow due to improper initialization of T2P context struct pointer Huzaifa Sidhpurwala (Jul 19)
- Re: tiff2pdf: Heap-based buffer overflow due to improper initialization of T2P context struct pointer Solar Designer (Sep 22)
- CVE Request: libtiff: Heap-buffer overflow when processing a TIFF image with PixarLog Compression Huzaifa Sidhpurwala (Sep 25)
- Re: CVE Request: libtiff: Heap-buffer overflow when processing a TIFF image with PixarLog Compression Kurt Seifried (Sep 25)
- Re: CVE Request: libtiff: Heap-buffer overflow when processing a TIFF image with PixarLog Compression Sebastian Krahmer (Sep 25)
- Re: CVE Request: libtiff: Heap-buffer overflow when processing a TIFF image with PixarLog Compression Huzaifa Sidhpurwala (Sep 26)
- Re: CVE Request: libtiff: Heap-buffer overflow when processing a TIFF image with PixarLog Compression Tom Lane (Sep 26)
- CVE Request: libtiff: Heap-buffer overflow when processing a TIFF image with PixarLog Compression Huzaifa Sidhpurwala (Sep 25)
- Re: tiff2pdf: Heap-based buffer overflow due to improper initialization of T2P context struct pointer Henri Salo (Jul 19)