oss-sec mailing list archives
CVE-2016-3624 libtiff: Out-of-bounds Write in the rgb2ycbcr tool
From: 王梅 <wangmei () 360 cn>
Date: Fri, 8 Apr 2016 04:58:48 +0000
Details ======= Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: Out-of-bounds Write Vendor URL: http://www.remotesensing.org/libtiff/ CVE ID: CVE-2016-3624 Credit: Mei Wang of the Cloud Security Team, Qihoo 360 Introduction ============ Out-of-bounds Write occurred in function cvtClump in rgb2ycbcr allows attackers to cause a denial of service when param v was set to -1. libtiff-master/libtiff/rgb2ycbcr.c:193 187 lumaGreen[TIFFGetG(RGB)] + 188 lumaBlue[TIFFGetB(RGB)]; 189 /* accumulate chrominance */ 190 Cb += (TIFFGetB(RGB) - Y) * D1; 191 Cr += (TIFFGetR(RGB) - Y) * D2; 192 /* emit luminence */ 193 *op++ = V2Code(Y, 194 refBlackWhite[0], refBlackWhite[1], 255); 195 } gdb rgb2ycbcr (gdb) r -c none -r -1 -h -1 -v -1 sample/rgb2ycbcr_cvtClump.tif 1.tif Program received signal SIGSEGV, Segmentation fault. 0x0000000000401440 in cvtClump (op=0x1 <Address 0x1 out of bounds>, raster=0x7ffff7249f90, ch=152, cw=65312, w=65312) at rgb2ycbcr.c:193 193 *op++ = V2Code(Y, (gdb) p op $6 = (unsigned char *) 0x1 <Address 0x1 out of bounds> (gdb) p *op Cannot access memory at address 0x1 (gdb) bt #0 0x0000000000401440 in cvtClump (op=0x1 <Address 0x1 out of bounds>, raster=0x7ffff7249f90, ch=152, cw=65312, w=65312) at rgb2ycbcr.c:193 #1 0x0000000000401757 in cvtStrip (op=0x0, raster=0x7ffff7249f90, nrows=152, width=65312) at rgb2ycbcr.c:245 #2 0x00000000004018b7 in cvtRaster (tif=0x604010, raster=0x7ffff4cab010, width=65312, height=152) at rgb2ycbcr.c:267 #3 0x0000000000401f03 in tiffcvt (in=0x605560, out=0x604010) at rgb2ycbcr.c:352 #4 0x000000000040108a in main (argc=11, argv=0x7fffffffe3b8) at rgb2ycbcr.c:127 References: [1] http://www.remotesensing.org/libtiff/ [2] http://bugzilla.maptools.org/buglist.cgi?product=libtiff Thank you! Best Regards, Mei
Current thread:
- CVE-2016-3624 libtiff: Out-of-bounds Write in the rgb2ycbcr tool 王梅 (Apr 07)