2013.08.01 09:21 "[Tiff] Vulnerabilities in libtiff 4.0.3", by Pedro Ribeiro

Hi,

I have discovered a few security vulnerabilities in libtiff. Some of them are critical, but they are all in the tools section of the library. The report below should be self-explanatory, but I am happy to help with interpreting it or providing advice on how to fix it if needed. If you do update the library based on this information, please give credit to Pedro Ribeiro (pedrib@gmail.com).

Regards
Pedro

Issue: Buffer overflow
Impact: Critical
Exploitability: Easy
File: tiff-4.0.3/tools/gif2tiff.c
Line: 316
Code snippet:
void
readextension(void)
{
    int count;
    char buf[255];

    (void) getc(infile);
    while ((count = getc(infile)))
        fread(buf, 1, count, infile);
}
Justification:

The buffer is 256 bytes, but count is read from the input file with getc and passed straight to fread as the read length, with no bounds check. Easy to exploit.

=========================================================
Issue: Buffer overflow (memory corruption)
Impact: Critical
Exploitability: Medium
File: tiff-4.0.3/tools/gif2tiff.c
Line: 343-344
Code snippet:
    unsigned char buf[255];
    register int bits=0;
    register unsigned long datum=0;
    register unsigned char *ch;
    register int count, code;
    int status = 1;

    datasize = getc(infile);
    clear = 1 << datasize;
    eoi = clear + 1;
    avail = clear + 2;
    oldcode = -1;
    codesize = datasize + 1;
    codemask = (1 << codesize) - 1;
    for (code = 0; code < clear; code++) {
        prefix[code] = 0;
        suffix[code] = code;
Justification:

buf is 255 bytes, but datasize is read directly from the file. If a crafted file provides a datasize of 22, clear becomes 4194304 (1 << 22), so the prefix/suffix initialisation loop writes far beyond the tables and a big chunk of memory becomes corrupted.

=========================================================
Issue: Buffer overflow
Impact: Critical
Exploitability: Easy
File: tiff-4.0.3/tools/gif2tiff.c
Line: 348
Code snippet:
    for (count = getc(infile); count > 0; count = getc(infile)) {
        fread(buf,1,count,infile);
Justification:

buf is 255 bytes, but count is read from the file and used as the fread length without a bounds check. Easy to exploit.
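A hardened counterpart to the three gif2tiff.c patterns above, as an added example that is not part of this report or of libtiff: the sub-block reader checks every length byte against the destination size before copying, and the LZW setup refuses a datasize outside 2..12 before it can size the code tables. The 2..12 bound is an assumption taken from the GIF LZW code width (at most 12 bits), not from the report, and the in-memory gifsrc stream stands in for the tool's FILE *infile.

```c
#include <string.h>

/* In-memory stand-in for the FILE* 'infile' that gif2tiff reads with getc/fread. */
typedef struct { const unsigned char *p; size_t n, off; } gifsrc;
static int src_getc(gifsrc *s) { return s->off < s->n ? s->p[s->off++] : -1; }

static size_t src_read(gifsrc *s, unsigned char *dst, size_t want) {
    size_t have = s->n - s->off; if (want > have) want = have;
    memcpy(dst, s->p + s->off, want); s->off += want;
    return want;
}

/* Checked counterpart of the readextension()/data sub-block loops: each
 * sub-block length is compared with the destination size before the copy, and
 * a stream that ends before the 0 terminator is rejected rather than ignored.
 * Returns payload bytes consumed, or -1 on an oversized block / truncation. */
long read_subblocks_checked(gifsrc *s, unsigned char *buf, size_t cap) {
    long total = 0;
    int count;
    while ((count = src_getc(s)) > 0) {
        if ((size_t)count > cap) return -1;                          /* would overflow buf */
        if (src_read(s, buf, (size_t)count) != (size_t)count) return -1; /* truncated */
        total += count;
    }
    return count == 0 ? total : -1;                                  /* -1: EOF before terminator */
}

/* Checked counterpart of 'datasize = getc(infile); clear = 1 << datasize;':
 * GIF LZW codes are at most 12 bits wide (assumption from the GIF format), so a
 * datasize above 12, such as the crafted 22 in the report, is refused up front. */
int lzw_params_checked(int datasize, int *clear, int *eoi, int *avail) {
    if (datasize < 2 || datasize > 12) return 0;
    *clear = 1 << datasize;
    *eoi = *clear + 1;
    *avail = *clear + 2;
    return 1;
}

/* Constructed sample streams (not taken from any real GIF file). */
long demo_well_formed(void) {                 /* blocks of 3 and 2 bytes, then terminator */
    static const unsigned char st[] = { 3, 'a', 'b', 'c', 2, 'd', 'e', 0 };
    gifsrc s = { st, sizeof st, 0 }; unsigned char buf[255];
    return read_subblocks_checked(&s, buf, sizeof buf);              /* 5 */
}
long demo_oversized(void) {                   /* length byte claims 200 bytes for a 16-byte buffer */
    static const unsigned char st[] = { 200, 'x', 0 };
    gifsrc s = { st, sizeof st, 0 }; unsigned char buf[16];
    return read_subblocks_checked(&s, buf, sizeof buf);              /* -1 */
}
int demo_clear_for(int datasize) {            /* 0 when the datasize is rejected */
    int clear, eoi, avail;
    return lzw_params_checked(datasize, &clear, &eoi, &avail) ? clear : 0;
}
```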

=========================================================
Issue: Use after free
Impact: High
Exploitability: Undetermined
File: tiff-4.0.3/tools/tiff2pdf.c
Line: 2469
Code snippet:
    if(samplebuffer==NULL){
        TIFFError(TIFF2PDF_MODULE,
            "Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s",
            (unsigned long) t2p->tiff_datasize,
            TIFFFileName(input));
        t2p->t2p_error = T2P_ERR_ERROR;
        _TIFFfree(buffer);
    } else {
        buffer=samplebuffer;
        t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
    }
    t2p_sample_realize_palette(t2p, buffer);

Justification:

If samplebuffer is NULL, buffer is freed. However, after the if statement buffer is passed to t2p_sample_realize_palette(), so the freed pointer is used again.

=========================================================
Issue: Buffer overflow
Impact: High
Exploitability: Undetermined
File: tiff-4.0.3/tools/rgb2ycbcr.c
Line: 335
Code snippet:
{ char buf[2048];
  char *cp = strrchr(TIFFFileName(in), '/');
  sprintf(buf, "YCbCr conversion of %s", cp? cp+1: TIFFFileName(in));
  TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf);
}
Justification:

sprintf is used to write into a 2048-character buffer. The input is the filename, which might exceed 2048 characters if crafted by a malicious user. However, I could not confirm this, as the code is not easy to navigate.