TIFF and LibTiff Mailing List Archive
August 2013

The TIFF Mailing List Homepage
This list is run by Frank Warmerdam
Archive maintained by AWare Systems

2013.08.01 09:21 "Vulnerabilities in libtiff 4.0.3", by Pedro Ribeiro

Hi,

I have discovered a few security vulnerabilities in libtiff. Some of them
are critical, but they are all in the tools section of the library.
The report below should be self-explanatory, but I am happy to help with
interpreting it or providing advice on how to fix it if needed.
If you do update the library based on this information, please give credit
to Pedro Ribeiro (pedrib@gmail.com).

Regards
Pedro

Issue: Buffer overflow
Impact: Critical
Exploitability: Easy
File: tiff-4.0.3/tools/gif2tiff.c
Line: 316
Code snippet:
void
readextension(void)
{
    int count;
    char buf[255];

    (void) getc(infile);
    while ((count = getc(infile)))
        fread(buf, 1, count, infile);
}
Justification:
buffer is 256 bytes, but uses getc to get user input. Easy to exploit.

=========================================================
Issue: Buffer overflow (memory corruption)
Impact: Critical
Exploitability: Medium
File: tiff-4.0.3/tools/gif2tiff.c
Line: 343-344
Code snippet:
    unsigned char buf[255];
    register int bits=0;
    register unsigned long datum=0;
    register unsigned char *ch;
    register int count, code;
    int status = 1;

    datasize = getc(infile);
    clear = 1 << datasize;
    eoi = clear + 1;
    avail = clear + 2;
    oldcode = -1;
    codesize = datasize + 1;
    codemask = (1 << codesize) - 1;
    for (code = 0; code < clear; code++) {
        prefix[code] = 0;
        suffix[code] = code;
Justification:
buf is 255 but datasize is read from file input. If a crafted file provides
a datasize of 22, clear will be 4194304 (1 << 22). This means that a big
chunk of memory will become corrupted.

=========================================================
Issue: Buffer overflow
Impact: Critical
Exploitability: Easy
File: tiff-4.0.3/tools/gif2tiff.c
Line: 348
Code snippet:
    for (count = getc(infile); count > 0; count = getc(infile)) {
        fread(buf, 1, count, infile);
Justification:
buf is 255 but function reads count and input from user. Easy to exploit.

=========================================================
Issue: Use after free
Impact: High
Exploitability: Undetermined
File: tiff-4.0.3/tools/tiff2pdf.c
Line: 2469
Code snippet:
    if(samplebuffer==NULL){
        TIFFError(TIFF2PDF_MODULE,
            "Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s",
            (unsigned long) t2p->tiff_datasize,
            TIFFFileName(input));
        t2p->t2p_error = T2P_ERR_ERROR;
        _TIFFfree(buffer);
    } else {
        buffer=samplebuffer;
        t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
    }
    t2p_sample_realize_palette(t2p, buffer);

Justification:
If samplebuffer is NULL, buffer will be freed. However, at the end of the if
statement, buffer is used again.

=========================================================
Issue: Buffer overflow
Impact: High
Exploitability: Undetermined
File: tiff-4.0.3/tools/rgb2ycbcr.c
Line: 335
Code snippet:
{ char buf[2048];
  char *cp = strrchr(TIFFFileName(in), '/');
  sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in));
  TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf);
}
Justification:
Use of sprintf to write into a 2048 character buffer. The input is the
filename, which might be over 2048 if crafted by a malicious user. However,
I could not determine this as the code is not easy to navigate.
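An added example, not part of the report above and not libtiff's own code or its later fix: the two gif2tiff patterns from the first three issues (the readextension() sub-block loop and the datasize-driven table fill in readraster) rewritten over an in-memory byte buffer with the bounds checks the reported code lacks. The 12-bit table bound follows from GIF LZW codes never exceeding 12 bits; the function names, table sizes and sample bytes are constructed for illustration.

```c
/* Added example, not libtiff's code or its fix: the two gif2tiff patterns from
 * the report rewritten over an in-memory buffer with the missing bounds checks. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define GIF_MAX_CODE_BITS 12   /* GIF LZW codes are at most 12 bits wide */
#define GIF_TABLE_SIZE (1 << GIF_MAX_CODE_BITS)
static short prefix[GIF_TABLE_SIZE];
static unsigned char suffix[GIF_TABLE_SIZE];

/* Counterpart of the readraster() preamble: refuse a datasize whose clear code
 * would index past the tables. Returns clear, or -1 when out of range. */
int init_lzw_tables(int datasize)
{
    if (datasize < 1 || datasize > GIF_MAX_CODE_BITS)  /* 22 -> 1 << 22 */
        return -1;
    int clear = 1 << datasize;
    for (int code = 0; code < clear; code++) {
        prefix[code] = 0;
        suffix[code] = (unsigned char)code;
    }
    return clear;
}

/* Counterpart of readextension(): count byte, then count payload bytes, until a
 * zero count. Copies each payload into out (capacity outcap). Returns bytes
 * consumed, or -1 if input is truncated or a payload would not fit out. */
long read_subblocks(const uint8_t *data, size_t len, unsigned char *out, size_t outcap)
{
    size_t pos = 0;
    for (;;) {
        if (pos >= len) return -1;          /* no count byte left */
        size_t count = data[pos++];         /* 0..255, like getc() */
        if (count == 0) return (long)pos;   /* block terminator */
        if (count > outcap) return -1;      /* destination too small */
        if (count > len - pos) return -1;   /* payload truncated */
        memcpy(out, data + pos, count);     /* the fread() from the report */
        pos += count;
    }
}

/* Constructed inputs so read_subblocks() can be exercised without a file. */
long demo_subblocks(int variant)
{
    static const uint8_t good[] = {3, 'a', 'b', 'c', 2, 'x', 'y', 0};
    static const uint8_t cut[] = {3, 'a'};  /* payload truncated */
    unsigned char buf[255], tiny[2];
    if (variant == 0) return read_subblocks(good, sizeof good, buf, sizeof buf);
    if (variant == 1) return read_subblocks(cut, sizeof cut, buf, sizeof buf);
    return read_subblocks(good, sizeof good, tiny, sizeof tiny);  /* 3 > 2 */
}
```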