2005.09.28 00:49 "[Tiff] PSP libtiff hack?", by Frank Warmerdam

2005.09.28 13:39 "Re: [Tiff] PSP libtiff hack?", by Dmitry V. Levin

On Tue, Sep 27, 2005 at 08:49:10PM -0400, Frank Warmerdam wrote:

> According to Slashdot a recent Sony PSP hack was accomplished using a vulnerability in libtiff (who knew libtiff was on the PSP?). I tried the file in question with TIFFOpen() and it seems to have no problem. That is, TIFFOpen() properly identifies it as corrupt and gives up. So I think the vulnerability has already been corrected in the current libtiff.
>
> The file is available at:
>
>   http://home.gdal.org/~warmerda/overflow.tif
>
> In case anyone wants to test TIFF applications with it.
>
> BTW, it does crash tiffdump but I'm not too concerned about that.

I think this is fixed already.

$ tiffinfo -v 2>&1 |head -1
LIBTIFF, Version 3.7.2

$ tiffinfo overflow.tif

overflow.tif: Warning, incorrect count for field "BitsPerSample" (16496, expecting 3); tag trimmed.

overflow.tif: Error fetching data for field "BitsPerSample".

$ tiffdump overflow.tif

overflow.tif:
Magic: 0x4949 <little-endian> Version: 0x2a
Directory 0: offset 200 (0xc8) next 0 (0)
ImageWidth (256) SHORT (3) 1<8>
ImageLength (257) SHORT (3) 1<8>

overflow.tif: Error while reading data for tag 258.

BitsPerSample (258) SHORT (3) 16496<>
Compression (259) SHORT (3) 1<1>
Photometric (262) SHORT (3) 1<2>
StripOffsets (273) LONG (4) 1<8>
Orientation (274) SHORT (3) 1<1>
SamplesPerPixel (277) SHORT (3) 1<3>
StripByteCounts (279) LONG (4) 1<192>
XResolution (282) RATIONAL (5) 1<96>
YResolution (283) RATIONAL (5) 1<96>
PlanarConfig (284) SHORT (3) 1<1>
ResolutionUnit (296) SHORT (3) 1<2>

--
ldv
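
Added example, not part of the original messages and not libtiff code: a bounds-checked walk of the first IFD that detects the condition tiffinfo warns about above, a BitsPerSample (258) count that disagrees with SamplesPerPixel (277). The function name, return codes and the sample bytes are assumptions made for illustration; it handles only classic little-endian TIFF.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 38-byte sample (not the file from the post): little-endian TIFF
 * header and a two-entry IFD claiming 16496 BitsPerSample values for 3 samples. */
static const uint8_t SAMPLE[38] = {
    0x49, 0x49, 0x2a, 0x00, 0x08, 0x00, 0x00, 0x00,   /* "II", 42, IFD at 8 */
    0x02, 0x00,                                       /* 2 directory entries */
    0x02, 0x01, 0x03, 0x00, 0x70, 0x40, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00,
    0x15, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00                            /* no next IFD */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 when the BitsPerSample count equals SamplesPerPixel, 1 when it
 * does not, -1 when buf is not a parseable little-endian TIFF directory. */
int check_bps_count(const uint8_t *buf, size_t len, uint32_t *bps_count)
{
    uint32_t spp = 1, bps = 1;                 /* TIFF default for both is 1 */
    if (len < 8 || rd16(buf) != 0x4949 || rd16(buf + 2) != 0x2a) return -1;
    uint32_t off = rd32(buf + 4);
    if (off < 8 || off > len - 2) return -1;   /* entry count must be in range */
    uint16_t n = rd16(buf + off);
    if ((size_t)n * 12 > len - off - 2) return -1;  /* all entries in range */
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + off + 2 + (size_t)i * 12;
        uint16_t tag = rd16(e), type = rd16(e + 2);
        uint32_t count = rd32(e + 4);
        if (tag == 258) bps = count;           /* never trusted as a copy length */
        if (tag == 277 && type == 3 && count == 1) spp = rd16(e + 8);
    }
    *bps_count = bps;
    return bps == spp ? 0 : 1;
}

int main(void)
{
    uint32_t count = 0;
    int rc = check_bps_count(SAMPLE, sizeof SAMPLE, &count);
    printf("rc=%d BitsPerSample count=%u\n", rc, (unsigned)count);
    return 0;
}
```

The checker never dereferences the BitsPerSample value offset; it only compares the declared count against the sample count before any reader would size a copy from it.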