oss-sec mailing list archives
CVE request libtiff: out-of-bounds read in CIE Lab image format
From: "范祚至(库特)" <zuozhi.fzz () alibaba-inc com>
Date: Fri, 25 Dec 2015 18:02:39 +0800
If the data of image is packed (e.g., TIFFDirectory.td_samplesperpixel == 1,
TIFFDirectory.td_bitspersample == 8), a pixel only owns one byte. But in the
implementation of putcontig8bitCIELab, it eats 3 bytes per pixel. This will
lead to an out-of-bounds read vulnerability.

vuln code in tif_getimage.c, libtiff v4.0.6

    DECLAREContigPutFunc(putcontig8bitCIELab)
    {
        float X, Y, Z;
        uint32 r, g, b;
        (void) y;
        fromskew *= 3;
        while (h-- > 0) {
            for (x = w; x-- > 0;) {
                /* reads pp[0..2] for every pixel */
                TIFFCIELabToXYZ(img->cielab,
                                (unsigned char)pp[0],
                                (signed char)pp[1],
                                (signed char)pp[2],
                                &X, &Y, &Z);
                TIFFXYZToRGB(img->cielab, X, Y, Z, &r, &g, &b);
                *cp++ = PACK(r, g, b);
                pp += 3;    /* always advances 3 bytes per pixel */
            }
            cp += toskew;
            pp += fromskew;
        }
    }

I use the tutorial code from http://www.remotesensing.org/libtiff/libtiff.html
to test that, and poc is in the attachment.

    #include <stdlib.h>
    #include "tiffio.h"

    int main(int argc, char* argv[])
    {
        TIFF* tif = TIFFOpen(argv[1], "r");
        if (tif) {
            TIFFRGBAImage img;
            char emsg[1024];

            if (TIFFRGBAImageBegin(&img, tif, 0, emsg)) {
                size_t npixels;
                uint32* raster;

                npixels = img.width * img.height;
                raster = (uint32*) _TIFFmalloc(npixels * sizeof (uint32));
                if (raster != NULL) {
                    if (TIFFRGBAImageGet(&img, raster, img.width, img.height)) {
                        /* ...process raster data... */
                    }
                    _TIFFfree(raster);
                }
                TIFFRGBAImageEnd(&img);
            } else
                TIFFError(argv[1], emsg);
            TIFFClose(tif);
        }
        exit(0);
    }

If it would be assigned a CVE, please credit it for: zzf of Alibaba.

Attachment:
poc029.zip
Current thread:
- CVE request libtiff: out-of-bounds read in CIE Lab image format 范祚至(库特) (Dec 25)
- Re: CVE request libtiff: out-of-bounds read in CIE Lab image format Solar Designer (Dec 25)
- Re: CVE request libtiff: out-of-bounds read in CIE Lab image format cve-assign (Dec 25)
