2013.08.01 09:21 "[Tiff] Vulnerabilities in libtiff 4.0.3", by Pedro Ribeiro

2013.09.24 06:55 "Re: [Tiff] Vulnerabilities in libtiff 4.0.3", by Albert Cahalan

On Fri, Sep 20, 2013 at 12:09 PM, Lee Howard <faxguy@howardsilvan.com> wrote:

On 08/01/2013 02:21 AM, Pedro Ribeiro wrote:

Issue: Buffer overflow
Impact: Critical
Exploitability: Easy
File: tiff-4.0.3/tools/gif2tiff.c
Line: 316
Code snippet:
void
readextension(void)
{
    int count;
    char buf[255];

    (void) getc(infile);
    while ((count = getc(infile)))
        fread(buf, 1, count, infile);
}
Justification:

buffer is 256 bytes, but uses getc to get user input. Easy to exploit.

Are you thinking the file is growing as it is read (socket?), or are you thinking that the code might run on a system where a char is not 8 bits? Aside from that insanity:

getc() returns EOF or an unsigned char cast to an int.

EOF can't overflow because, well, it's End Of File.

The code does get stuck in the loop though.

All other values will cause an fread() that fits just fine.

I've addressed this in CVS by changing the while() statement to:

     while ((count = getc(infile)) && count <= 255)

The second check can never matter, so it should go away.

The code still does hang if it hits EOF at this point though.

BTW, in case infile actually can be a socket, you're likely to be calling fread with a request for -1 bytes.

=========================================================
Issue: Buffer overflow
Impact: Critical
Exploitability: Easy
File: tiff-4.0.3/tools/gif2tiff.c
Line: 348
Code snippet:
    for (count = getc(infile); count > 0; count = getc(infile)) {
        fread(buf, 1, count, infile);
Justification:

buf is 255 but the function reads count and input from the user. Easy to exploit.

I've addressed this in CVS by changing the for() statement to:

     for (count = getc(infile); count > 0 && count <= 255; count = getc(infile)) {

No need; same as above except that EOF (normally being -1) will not cause a hang.
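As an added illustration (not code from libtiff or from anyone in this thread), here is a readextension() variant that keeps the 255-byte buffer but treats EOF as a stop condition rather than as a non-zero count, which is the hang described above; the count <= 255 check is left out because getc() cannot return more than 255. The status names, the tmpfile()-backed helper, run_extension() and the byte sequences are my own constructions, not GIF data from any real file.

```c
#include <stdio.h>

/* Status codes for the hardened reader below (names are mine, not libtiff's). */
enum { EXT_OK = 0, EXT_EOF = -1 };

/* Hardened readextension(): skip one GIF extension block (label byte, then
 * sub-blocks prefixed by a length byte, ended by a 0 length byte).  getc()
 * yields EOF or 0..255, so buf[255] cannot overflow; the real defect is that
 * EOF (normally -1) is non-zero, so the original loop spins forever on a
 * truncated file, calling fread() with (size_t)-1.  This version stops. */
static int readextension_hardened(FILE *infile)
{
    int count;
    char buf[255];
    if (getc(infile) == EOF)                 /* extension label byte */
        return EXT_EOF;
    while ((count = getc(infile)) != 0) {
        if (count == EOF)                    /* truncated input: stop, don't spin */
            return EXT_EOF;
        /* count is 1..255 here, so it always fits in buf */
        if (fread(buf, 1, (size_t)count, infile) != (size_t)count)
            return EXT_EOF;                  /* sub-block cut short */
    }
    return EXT_OK;
}

/* Build a FILE* from constructed bytes; tmpfile() is ISO C, so no fmemopen needed. */
static FILE *stream_from_bytes(const unsigned char *data, size_t len)
{
    FILE *f = tmpfile();
    if (f && fwrite(data, 1, len, f) == len) { rewind(f); return f; }
    if (f) fclose(f);
    return NULL;
}

/* Run the hardened reader over a constructed byte sequence (-2 = setup failure). */
static int run_extension(const unsigned char *data, size_t len)
{
    FILE *f = stream_from_bytes(data, len);
    if (!f) return -2;
    int r = readextension_hardened(f);
    fclose(f);
    return r;
}

/* Constructed inputs: label 0xF9, one 4-byte sub-block, terminator; and the same cut short. */
static const unsigned char EXT_GOOD[]  = { 0xF9, 4, 1, 0, 0, 0, 0 };
static const unsigned char EXT_TRUNC[] = { 0xF9, 4, 1, 0 };
```

Feeding EXT_TRUNC to the original loop would call fread() with count = -1 and never leave the while(); here it returns EXT_EOF after the short fread().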