Bugzilla – Bug 983268
VUL-1: CVE-2016-5102: tiff: gif2tiff: buffer overflow in readgifimage()
Last modified: 2020-07-10 13:31:37 UTC
CVE-2016-5102

http://bugzilla.maptools.org/show_bug.cgi?id=2552

While analyzing libtiff security issues I noticed that there is an additional buffer overflow in the gif2tiff tool (a different issue than CVE-2016-3186), tested with version 4.0.6.

http://bugs.fi/media/afl/libtiff/gif2tiff-bufferoverflow.gif

file: GIF image data, version 87a, 12336 x 12336
SHA1: 6a90ff2a087b5a351ee0652097064942764d51d4

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5102
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5102.html
Created attachment 679682
gif2tiff-bufferoverflow.gif

QA REPRODUCER:
gif2tiff gif2tiff-bufferoverflow.gif foo.tiff
crashes before, should not crash after
sle11 does not crash, but valgrind gif2tiff gif2tiff-bufferoverflow.gif foo.tiff shows writing into invalid buffers
bugbot adjusting priority
The problem is still reproducible under SLE-11 and SLE-12.
12/tiff

Program received signal SIGABRT, Aborted.
0x00007ffff74f3047 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff74f3047 in raise () from /lib64/libc.so.6
#1  0x00007ffff74f43f8 in abort () from /lib64/libc.so.6
#2  0x00007ffff7530714 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff7535fb6 in malloc_printerr () from /lib64/libc.so.6
#4  0x00005555555567a5 in readgifimage (mode=0x555555556af9 "a") at gif2tiff.c:335
#5  0x0000555555556a00 in convert () at gif2tiff.c:218
#6  0x000055555555562a in main (argc=<optimized out>, argv=<optimized out>) at gif2tiff.c:178
(gdb)

11/tiff

No segfault, but:

$ valgrind -q gif2tiff gif2tiff-bufferoverflow.gif out.tif
overwrite out.tif? y
warning: wrong rastersize: 2 bytes instead of 592128 bytes
==22875== Conditional jump or move depends on uninitialised value(s)
==22875==    at 0x4E624ED: PackBitsEncode (tif_packbits.c:90)
==22875==    by 0x4E62933: PackBitsEncodeChunk (tif_packbits.c:209)
==22875==    by 0x4E707BE: TIFFWriteEncodedStrip (tif_write.c:245)
==22875==    by 0x4024B1: rasterize (gif2tiff.c:526)
==22875==    by 0x40190F: readgifimage (gif2tiff.c:298)
==22875==    by 0x401542: convert (gif2tiff.c:209)
==22875==    by 0x4013DA: main (gif2tiff.c:170)
==22875==
==22875== Syscall param write(buf) points to uninitialised byte(s)
==22875==    at 0x57F0F30: write (in /lib64/libc-2.9.so)
==22875==    by 0x4E6F975: _tiffWriteProc (tif_unix.c:64)
==22875==    by 0x4E71AA9: TIFFAppendToStrip (tif_write.c:680)
==22875==    by 0x4E70863: TIFFWriteEncodedStrip (tif_write.c:252)
==22875==    by 0x4024B1: rasterize (gif2tiff.c:526)
==22875==    by 0x40190F: readgifimage (gif2tiff.c:298)
==22875==    by 0x401542: convert (gif2tiff.c:209)
==22875==    by 0x4013DA: main (gif2tiff.c:170)
==22875==  Address 0x5ba7104 is 4 bytes inside a block of size 12,336 alloc'd
==22875==    at 0x4C256AE: malloc (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==22875==    by 0x4E6FBF9: _TIFFmalloc (tif_unix.c:244)
==22875==    by 0x4E71469: TIFFWriteBufferSetup (tif_write.c:571)
==22875==    by 0x4E7063D: TIFFWriteEncodedStrip (tif_write.c:215)
==22875==    by 0x4024B1: rasterize (gif2tiff.c:526)
==22875==    by 0x40190F: readgifimage (gif2tiff.c:298)
==22875==    by 0x401542: convert (gif2tiff.c:209)
==22875==    by 0x4013DA: main (gif2tiff.c:170)
warning: wrong rastersize: 4 bytes instead of 592128 bytes
warning: wrong rastersize: 2 bytes instead of 592128 bytes
warning: wrong rastersize: 4 bytes instead of 592128 bytes
warning: wrong rastersize: 2 bytes instead of 592128 bytes
warning: wrong rastersize: 4 bytes instead of 592128 bytes
code 6168 too large for 4101
warning: wrong rastersize: 4 bytes instead of 592128 bytes
$

10sp3/tiff

Program received signal SIGSEGV, Segmentation fault.
0x0000000000401504 in process (code=3084, fill=0x7fffffffe638) at gif2tiff.c:447
447         *(*fill)++ = *--stackp;
(gdb) bt
#0  0x0000000000401504 in process (code=3084, fill=0x7fffffffe638) at gif2tiff.c:447
#1  0x00000000004017a7 in readraster () at gif2tiff.c:363
#2  0x0000000000401b42 in readgifimage (mode=0x402205 "a") at gif2tiff.c:297
#3  0x0000000000401d1a in convert () at gif2tiff.c:209
#4  0x0000000000401f79 in main (argc=2, argv=0x7fffffffebe8) at gif2tiff.c:170
(gdb)
Index: tiff-4.0.9/tools/gif2tiff.c =================================================================== --- tiff-4.0.9.orig/tools/gif2tiff.c 2018-06-06 12:39:27.908447967 +0200 +++ tiff-4.0.9/tools/gif2tiff.c 2018-06-06 12:50:00.265179088 +0200 @@ -418,10 +418,11 @@ readraster(void) } exitloop: if (fill != raster + width*height) { - fprintf(stderr, "warning: wrong rastersize: %ld bytes\n", + fprintf(stderr, "error: wrong rastersize: %ld bytes\n", (long) (fill-raster)); fprintf(stderr, " instead of %ld bytes\n", (long) width*height); + status = 0; } return status; } This would bail out for this testcase, which seems to be pathological according to this condition; nevertheless still not completely sure it would resolve the issue completely (another testcase that would pass this check could exhibit the CVE-2016-5102). Perhaps will look at it later.
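Review bot: the hunk only turns the raster-size mismatch at the end of readraster() into a failing status (`status = 0;` beside the message renamed to "error: wrong rastersize"), which stops this testcase but does not guard the store that actually faults: the watchpoint recorded in this bug hits `suffix[avail] = firstchar;` in process() with avail = 4098 against 4096-entry prefix[]/suffix[] tables, and that write happens inside the decode loop, before the exitloop check is ever reached. A GIF that happens to decode to exactly width*height bytes passes this check unchanged, as the comment itself anticipates. Suggest placing the bounds check where the index is used (refuse avail >= 4096 before the prefix[]/suffix[] stores, and reject datasize == 12 so the initial avail = clear + 2 stays inside the table), and keeping this hunk as a secondary consistency check rather than the fix.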
Breakpoint 6, readgifimage (mode=0x555555557133 "a") at gif2tiff.c:314
314         if ((raster = (unsigned char*) _TIFFmalloc(raster_size)) == NULL) {
(gdb) n
318         if (local) {
(gdb) watch raster
Hardware watchpoint 7: raster
(gdb) c
Continuing.

Hardware watchpoint 7: raster

Old value = (unsigned char *) 0x7ffff7f5c010 "\201", '\272' <repeats 199 times>...
New value = (unsigned char *) 0x7fff00000181 <error: Cannot access memory at address 0x7fff00000181>
process (code=1433771392, fill=0x7fffffffe2a8) at gif2tiff.c:479
479         suffix[avail] = firstchar;
(gdb) p avail
$108 = 4098
(gdb)

However:

    unsigned char suffix[4096];

avail is counted as follows:

    datasize = getc(infile);
    if (datasize > 12)
        return 0;
    clear = 1 << datasize;
    eoi = clear + 1;
    avail = clear + 2;

So the program allows datasize == 12; however, the structures and the rest of the program do not assume that possibility. E.g.:

    prefix[avail] = oldcode;
    suffix[avail] = firstchar;
    avail++;
    if (((avail & codemask) == 0) && (avail < 4096)) {

They even assume that avail could be >= 4096 in the condition; nevertheless, prefix[] and suffix[] do not have enough entries. I think we can limit datasize by one less plus guard avail before dereferencing suffix and prefix.
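The following is an added example, not code from this bug or from libtiff: a small C model of the LZW code-table bookkeeping quoted in the comment above, showing the two checks it proposes. The constants (4096-entry prefix[]/suffix[] tables, a 12-bit code-size limit) and the arithmetic clear = 1 << datasize, eoi = clear + 1, avail = clear + 2 are taken from the comment; the struct layout, the function names, and the code-width growth inside the `(avail & codemask) == 0` branch are assumptions made here for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Sizes taken from the analysis in this bug: gif2tiff.c keeps 4096-entry
 * prefix[]/suffix[] tables and accepts a GIF code size of up to 12 bits. */
#define TABLE_SIZE    4096
#define MAX_CODE_BITS 12

/* Hypothetical decoder state; field names follow the variables quoted from
 * gif2tiff.c (clear, eoi, avail, codemask); the rest is assumed here. */
struct lzw_table {
    unsigned short prefix[TABLE_SIZE];
    unsigned char  suffix[TABLE_SIZE];
    int clear, eoi, avail;
    int codesize, codemask;
};

/* The arithmetic the comment quotes for the 'datasize' byte read from the
 * file, with no bounds check: shows that datasize == 12 already yields an
 * initial avail of 4098, past the end of a 4096-entry table. */
int initial_avail(int datasize)
{
    return (1 << datasize) + 2;
}

/* Hardened initialiser: the original test 'datasize > 12' lets datasize == 12
 * through; limiting it by one (datasize < 12) keeps the initial avail inside
 * the table. Returns 1 on success, 0 when the input is rejected. */
int lzw_table_init(struct lzw_table *t, int datasize)
{
    if (datasize < 1 || datasize >= MAX_CODE_BITS)
        return 0;
    memset(t, 0, sizeof(*t));
    t->clear    = 1 << datasize;
    t->eoi      = t->clear + 1;
    t->avail    = t->clear + 2;
    t->codesize = datasize + 1;               /* assumed: width of the first codes */
    t->codemask = (1 << t->codesize) - 1;
    return 1;
}

/* Guarded insertion: the original stores prefix[avail]/suffix[avail] first and
 * only afterwards tests avail < 4096. Testing before the store turns an
 * out-of-bounds write into a rejected (corrupt) input. */
int lzw_table_add(struct lzw_table *t, int oldcode, unsigned char firstchar)
{
    if (t->avail >= TABLE_SIZE)
        return 0;                             /* table full: refuse, do not write */
    t->prefix[t->avail] = (unsigned short)oldcode;
    t->suffix[t->avail] = firstchar;
    t->avail++;
    if (((t->avail & t->codemask) == 0) && (t->avail < TABLE_SIZE)) {
        t->codesize++;                        /* assumed code-width growth */
        t->codemask = (1 << t->codesize) - 1;
    }
    return 1;
}

/* Fills a table initialised with 'datasize' until the guard refuses; returns the
 * number of accepted entries, or -1 if datasize itself is rejected. */
int count_accepted_entries(int datasize)
{
    struct lzw_table t;
    int n = 0;
    if (!lzw_table_init(&t, datasize))
        return -1;
    while (lzw_table_add(&t, t.clear, (unsigned char)(n & 0xff)))
        n++;
    return n;
}

int main(void)
{
    printf("datasize 12: initial avail = %d (table has %d entries)\n",
           initial_avail(12), TABLE_SIZE);
    printf("datasize 12 accepted by hardened init: %s\n",
           count_accepted_entries(12) < 0 ? "no" : "yes");
    printf("datasize 11: entries accepted before the table is full = %d\n",
           count_accepted_entries(11));
    return 0;
}
```

With datasize 11 the table starts at avail = 2050 and the guard stops insertion after 2046 entries; with datasize 12 the hardened initialiser rejects the file before any table index is computed, which is the combination the comment suggests (limit datasize by one, guard avail before the stores).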
BEFORE

comment 5

AFTER

10sp3,11,12/tiff

$ gif2tiff gif2tiff-bufferoverflow.gif output.tif
warning: wrong rastersize: 2 bytes instead of 592128 bytes
warning: wrong rastersize: 4 bytes instead of 592128 bytes
warning: wrong rastersize: 2 bytes instead of 592128 bytes
warning: wrong rastersize: 4 bytes instead of 592128 bytes
warning: wrong rastersize: 2 bytes instead of 592128 bytes
warning: wrong rastersize: 4 bytes instead of 592128 bytes
$

The valgrind warnings in comment 11 manifest before and after the patch (even for 12/tiff and 10sp3/tiff), so they do not seem to be related directly to this bug.
Will be submitted for 12,11,10sp3/tiff. Michael, I have made a submit request into your home:, feel free to attach it to your current submission, if you think it is worth it.
Thanks a lot Petr! Included them in the current submissions. SR#184326 SLE-10-SP3 SR#184327 SLE-11 SR#184328 SLE-12
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2019-03-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64212
SUSE-SU-2019:14002-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1121626,983268
CVE References: CVE-2016-5102,CVE-2019-6128
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.31.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.31.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): tiff-3.8.2-141.169.31.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.31.1

*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:3058-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1108606,1121626,1125113,1146608,983268
CVE References: CVE-2016-5102,CVE-2018-17000,CVE-2019-14973,CVE-2019-6128,CVE-2019-7663
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): tiff-4.0.9-44.42.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): tiff-4.0.9-44.42.1
SUSE Linux Enterprise Server 12-SP5 (src): tiff-4.0.9-44.42.1
SUSE Linux Enterprise Server 12-SP4 (src): tiff-4.0.9-44.42.1
SUSE Linux Enterprise Desktop 12-SP4 (src): tiff-4.0.9-44.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done