oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

libtiff: divide-by-zero in JPEGSetupEncode (tiff_jpeg.c)

From: "Agostino Sarubbo" <ago () gentoo org>
Date: Mon, 10 Apr 2017 07:10:44 +0000
Description:
Libtiff is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing 
image data.

A crafted tiff can crash the library.

The complete ASan output:

# tiffcp -i $FILE /tmp/out
==28692==ERROR: AddressSanitizer: FPE on unknown address 0x7f03239af35b (pc 0x7f03239af35b bp 0x7ffc7923f730 sp 
0x7ffc7923f600 T0)
    #0 0x7f03239af35a in JPEGSetupEncode /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_jpeg.c:1687:26
    #1 0x7f0323a00312 in TIFFWriteEncodedTile 
/tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_write.c:446:8     
    #2 0x510f06 in writeBufferToContigTiles /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1539:8    
 
    #3 0x50f1ce in cpImage /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1236:14   
    #4 0x50dc1b in cpContigTiles2ContigTiles /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1673:9   
 
    #5 0x50c5b6 in tiffcp /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:815:15     
    #6 0x50c5b6 in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:304    
    #7 0x7f0322a4661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 
 
    #8 0x419f18 in _init (/usr/bin/tiffcp+0x419f18)    
 
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_jpeg.c:1687:26 in 
JPEGSetupEncode 
Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7595

Reproducer:
https://github.com/asarubbo/poc/blob/master/00123-libtiff-fpe-JPEGSetupEncode

Timeline:
2017-01-04: bug discovered and reported to upstream
2017-01-11: upstream released a patch
2017-04-01: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/04/01/libtiff-divide-by-zero-in-jpegsetupencode-tiff_jpeg-c/

--
Agostino Sarubbo
Gentoo Linux Developer
Previous By Date Next
Previous By Thread Next

Current thread: