Bug 974615 (CVE-2016-3625) - VUL-1: CVE-2016-3625: tiff: Out-of-bounds Read in the tiff2bw tool
Summary: VUL-1: CVE-2016-3625: tiff: Out-of-bounds Read in the tiff2bw tool
Status: RESOLVED INVALID
Alias: CVE-2016-3625
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low : Minor
Target Milestone: ---
Assignee: Fridrich Strba
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/166797/
Whiteboard: CVSSv2:RedHat:CVE-2016-3625:4.3:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-08 08:15 UTC by Johannes Segitz
Modified: 2019-04-25 14:47 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2016-04-08 08:15:37 UTC
Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type:  Out-of-bounds Read
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-3625
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============

An out-of-bounds read in tif_read.c:545, tif_read.c:402 or tif_read.c:560 in tiff2bw allows attackers to cause a denial of service via a crafted TIFF image.

gdb tiff2bw

(gdb) r sample/tiff2bw_1.tif 1.tif

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bb4b3a in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:545
545                                 td->td_stripoffset[strip] > (uint64)tif->tif_size - bytecount) {
Missing separate debuginfos, use: debuginfo-install glibc-2.17-78.el7.x86_64
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  0x00007ffff7bb4b3a in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:545
#1  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#2  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x6076d0, row=0, sample=0) at tif_read.c:295
#3  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253
(gdb)


(gdb) r sample/tiff2bw_2.tif 1.tif

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bb46e4 in TIFFReadRawStrip1 (tif=0x604010, strip=0, buf=0x605620, size=10, module=0x7ffff7bcfa81 <module.3917> "TIFFFillStrip") at tif_read.c:402
402                     ma=(tmsize_t)td->td_stripoffset[strip];
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  0x00007ffff7bb46e4 in TIFFReadRawStrip1 (tif=0x604010, strip=0, buf=0x605620, size=10, module=0x7ffff7bcfa81 <module.3917> "TIFFFillStrip") at tif_read.c:402
#1  0x00007ffff7bb4d73 in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:612
#2  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#3  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x6076e0, row=0, sample=0) at tif_read.c:295
#4  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253

(gdb) r sample/tiff2bw_3.tif 1.tif

Program received signal SIGSEGV, Segmentation fault.
TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:560
560                                     TIFFErrorExt(tif->tif_clientdata, module,
(gdb) l
555                                             "got %I64u bytes, expected %I64u",
556                                             (unsigned long) strip,
557                                             (unsigned __int64) tif->tif_size - td->td_stripoffset[strip],
558                                             (unsigned __int64) bytecount);
559     #else
560                                     TIFFErrorExt(tif->tif_clientdata, module,
561
562                                             "Read error on strip %lu; "
563                                             "got %llu bytes, expected %llu",
564                                             (unsigned long) strip,
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:560
#1  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#2  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x607600, row=0, sample=0) at tif_read.c:295
#3  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3625
http://seclists.org/oss-sec/2016/q2/29
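All three backtraces above fault on the same expression, td->td_stripoffset[strip] with strip=0, and gdb reports "Cannot access memory at address 0x0": the per-strip offset array pointer is NULL, and the bounds test at tif_read.c:545 (and the two later sites) indexes it without first checking that it exists. The block below is an added example, written for this page and not code from libtiff, tiff2bw or the reporter. It assumes the NULL array comes from a TIFF whose StripOffsets tag is absent, which the report does not confirm. It is a minimal little-endian, single-IFD TIFF checker in C that refuses a file lacking StripOffsets (tag 273) or StripByteCounts (tag 279) before any strip is read, and then applies the same "offset + bytecount must fit inside the file" condition that tif_read.c:545 tests to every strip. The names check_strips, build_sample, classify_sample and the error codes are invented here, and the TIFF files it checks are constructed inside the block.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not libtiff code: a minimal "II" (little-endian)
 * TIFF IFD walker that checks, before any strip is touched, what the
 * crashing tiff2bw path assumes has already been established. Handles a
 * single IFD and SHORT/LONG tags only, which is all the samples use. */

enum { TAG_STRIPOFFSETS = 273, TAG_STRIPBYTECOUNTS = 279, TYPE_SHORT = 3, TYPE_LONG = 4 };

enum strip_check {
    STRIPS_OK = 0,
    ERR_HEADER = 1,            /* not an "II" TIFF, or shorter than a header */
    ERR_IFD_OOB = 2,           /* IFD offset or entry table past end of file */
    ERR_NO_STRIPOFFSETS = 3,   /* the shape assumed to leave td_stripoffset NULL */
    ERR_NO_STRIPBYTECOUNTS = 4,
    ERR_TAG_BAD = 5,           /* value array out of bounds, bad type, or fewer counts than offsets */
    ERR_STRIP_OOB = 6          /* offset + bytecount past end of file */
};

static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint32_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* Element i of a SHORT/LONG IFD entry. The value array is stored inline in
 * entry bytes 8..11 when it fits in 4 bytes; otherwise those bytes hold a
 * file offset, which is bounds-checked before it is followed. */
static int tag_value(const uint8_t *f, size_t n, const uint8_t *ent, uint32_t i, uint32_t *out) {
    uint32_t type = rd16(ent + 2), count = rd32(ent + 4);
    size_t sz = type == TYPE_SHORT ? 2 : type == TYPE_LONG ? 4 : 0;
    const uint8_t *base = ent + 8;
    if (sz == 0 || i >= count) return -1;
    if ((uint64_t)count * sz > 4) {
        uint32_t off = rd32(ent + 8);
        if ((uint64_t)off + (uint64_t)count * sz > n) return -1;
        base = f + off;
    }
    *out = sz == 2 ? rd16(base + i * 2) : rd32(base + i * 4);
    return 0;
}

/* Validate the strip layout of an in-memory TIFF of n bytes. */
int check_strips(const uint8_t *f, size_t n) {
    const uint8_t *offs = NULL, *cnts = NULL;
    uint32_t ifd, nent, nstrips, s;
    if (n < 8 || f[0] != 'I' || f[1] != 'I' || rd16(f + 2) != 42) return ERR_HEADER;
    ifd = rd32(f + 4);
    if ((uint64_t)ifd + 2 > n) return ERR_IFD_OOB;
    nent = rd16(f + ifd);
    if ((uint64_t)ifd + 2 + (uint64_t)nent * 12 > n) return ERR_IFD_OOB;
    for (s = 0; s < nent; s++) {
        const uint8_t *ent = f + ifd + 2 + s * 12;
        if (rd16(ent) == TAG_STRIPOFFSETS) offs = ent;
        else if (rd16(ent) == TAG_STRIPBYTECOUNTS) cnts = ent;
    }
    /* The checks the crashing path lacks: both arrays must exist at all. */
    if (!offs) return ERR_NO_STRIPOFFSETS;
    if (!cnts) return ERR_NO_STRIPBYTECOUNTS;
    nstrips = rd32(offs + 4);
    for (s = 0; s < nstrips; s++) {
        uint32_t off, cnt;
        if (tag_value(f, n, offs, s, &off) || tag_value(f, n, cnts, s, &cnt)) return ERR_TAG_BAD;
        /* Same condition as tif_read.c:545, written without unsigned underflow. */
        if ((uint64_t)off + cnt > n) return ERR_STRIP_OOB;
    }
    return STRIPS_OK;
}

static void put_entry(uint8_t *p, uint32_t tag, uint32_t type, uint32_t count, uint32_t value) {
    wr16(p, tag); wr16(p + 2, type); wr32(p + 4, count); wr32(p + 8, value);
}

/* Writes a constructed 1x1-pixel, single-strip TIFF into buf (at least 64
 * bytes). with_offsets == 0 omits the StripOffsets tag entirely. Returns the
 * file length: 63 bytes with the tag (strip data lands at offset 62), 51 without. */
size_t build_sample(uint8_t *buf, int with_offsets, uint32_t strip_off, uint32_t strip_len) {
    static const uint8_t hdr[8] = { 'I', 'I', 42, 0, 8, 0, 0, 0 };  /* "II", 42, IFD at 8 */
    uint8_t *p = buf;
    memcpy(p, hdr, 8); p += 8;
    wr16(p, with_offsets ? 4 : 3); p += 2;
    put_entry(p, 256, TYPE_LONG, 1, 1); p += 12;   /* ImageWidth  = 1 */
    put_entry(p, 257, TYPE_LONG, 1, 1); p += 12;   /* ImageLength = 1 */
    if (with_offsets) { put_entry(p, TAG_STRIPOFFSETS, TYPE_LONG, 1, strip_off); p += 12; }
    put_entry(p, TAG_STRIPBYTECOUNTS, TYPE_LONG, 1, strip_len); p += 12;
    wr32(p, 0); p += 4;                            /* no next IFD */
    *p++ = 0xff;                                   /* the one byte of strip data */
    return (size_t)(p - buf);
}

/* Build one constructed sample and classify it. */
int classify_sample(int with_offsets, uint32_t strip_off, uint32_t strip_len) {
    uint8_t buf[64];
    return check_strips(buf, build_sample(buf, with_offsets, strip_off, strip_len));
}

int main(void) {
    printf("well-formed strip         -> %d\n", classify_sample(1, 62, 1));
    printf("offset+bytecount past EOF -> %d\n", classify_sample(1, 62, 1000));
    printf("StripOffsets tag absent   -> %d\n", classify_sample(0, 0, 1));
    return 0;
}
```

The third sample is the one that matters for this report: a file that parses cleanly up to the IFD but never declares StripOffsets is rejected with ERR_NO_STRIPOFFSETS instead of being handed to a strip reader that will index a NULL array. The second sample exercises the tif_read.c:545 condition itself on a file that does carry both tags.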
Comment 1 Swamp Workflow Management 2016-04-08 22:00:27 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2016-10-13 09:23:54 UTC
afl is still afling.
Comment 4 Marcus Meissner 2016-10-13 15:26:00 UTC
might have been fixed with tiff-4.0.6-libtiff-tif_read.c-make-TIFFReadEncodedStrip-and.patch.

I let afl run a bit longer.
Comment 5 Alexander Bergmann 2016-11-23 17:07:52 UTC
There are two comments in the upstream bug saying they cannot reproduce it with the latest CVS head.

http://bugzilla.maptools.org/show_bug.cgi?id=2566#c6 + c7.
Comment 6 Alexander Bergmann 2017-12-13 14:16:41 UTC
No proper reproducer. Closing bug as invalid.