LibTiff Mailing List
TIFF and LibTiff Mailing List Archive
September 2005
Previous Thread
Next Thread
Previous by Thread
Next by Thread
Previous by Date
Next by Date
Contact
The TIFF Mailing List Homepage
This list is run by Frank Warmerdam
Archive maintained by AWare Systems
Thread
2005.09.28 13:39 "Re: PSP libtiff hack?", by Dmitry V Levin
On Tue, Sep 27, 2005 at 08:49:10PM -0400, Frank Warmerdam wrote: > According to Slashdot a recent Sony PSP hack was accomplished > using a vulnerability in libtiff (who knew libtiff was on the PSP?). I > tried the file in question with TIFFOpen() and it seems to have no > problem. That is TIFFOpen() properly identifies it as corrupt and gives > up. So I think the vulnerability has already been corrected in the > current > libtiff. > > The file is available at: > > http://home.gdal.org/~warmerda/overflow.tif > > In case anyone wants to test TIFF applications with it. > > BTW, it does crash tiffdump but I'm not too concerned about that. I think this is fixed already. $ tiffinfo -v 2>&1 |head -1 LIBTIFF, Version 3.7.2 $ tiffinfo overflow.tif overflow.tif: Warning, incorrect count for field "BitsPerSample" (16496, expecting 3); tag trimmed. overflow.tif: Error fetching data for field "BitsPerSample". $ tiffdump overflow.tif overflow.tif: Magic: 0x4949 <little-endian> Version: 0x2a Directory 0: offset 200 (0xc8) next 0 (0) ImageWidth (256) SHORT (3) 1<8> ImageLength (257) SHORT (3) 1<8> overflow.tif: Error while reading data for tag 258. BitsPerSample (258) SHORT (3) 16496<> Compression (259) SHORT (3) 1<1> Photometric (262) SHORT (3) 1<2> StripOffsets (273) LONG (4) 1<8> Orientation (274) SHORT (3) 1<1> SamplesPerPixel (277) SHORT (3) 1<3> StripByteCounts (279) LONG (4) 1<192> XResolution (282) RATIONAL (5) 1<96> YResolution (283) RATIONAL (5) 1<96> PlanarConfig (284) SHORT (3) 1<1> ResolutionUnit (296) SHORT (3) 1<2> -- ldv