On Sat, 7 Apr 2012, Mikulas Patocka wrote:

> Hi
>
> There is a security bug in Debian Squeeze libtiff 3.9.4-5+sq.
>
> When loading corrupted images and with ElectricFence memory debugging
> enabled, programs using libtiff crash.
>
> How to reproduce: Download corrupted images from here:
> http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/
>
> These tiff images were created by running fsfuzzer
> (http://people.redhat.com/sgrubb/files/fsfuzzer-0.7.tar.gz) over normal
> valid tiff images.
>
> Install the electric-fence package from Debian.
>
> Run programs that use libtiff with Electric Fence, for example:
>
> LD_PRELOAD=/usr/lib/libefence.so links2 -g tiff1.tif
> LD_PRELOAD=/usr/lib/libefence.so xloadimage tiff1.tif
> LD_PRELOAD=/usr/lib/libefence.so xpaint tiff1.tif
>
> All the programs crash in TIFFReadDirectory (I tested it on amd64) --- so
> it is a bug in libtiff.
>
> I reproduced this bug on upstream libtiff 3.9.4, but couldn't reproduce it
> on 3.9.5, 3.9.6 or 4.0.1 --- so the bug was fixed upstream and Debian
> didn't backport it.

After further fuzzing and testing with Electric Fence, I found an image
that crashes even upstream libtiff-3.9.6. So I'm sending the report to the
upstream maintainers too.

I placed the crashing image here:
http://artax.karlin.mff.cuni.cz/~mikulas/debian-libtiff-bug/libtiff-3.9.6-crash.tif

The crash happens here:

    #0  TIFFReadDirectory (tif=0x7f6f92434bc8) at tif_dirread.c:223
    223                     fip = tif->tif_fieldinfo[++fix];

The apparent problem in the code:

    fip = tif->tif_fieldinfo[fix];
    while (dp->tdir_type != (unsigned short) fip->field_type &&
           fix < tif->tif_nfields) {
           ^^^^^^^^^^ check that fix is smaller than tif->tif_nfields
        if (fip->field_type == TIFF_ANY)        /* wildcard */
            break;
        fip = tif->tif_fieldinfo[++fix];
        ^^^^^^^^^^ increment fix by one and dereference tif->tif_fieldinfo[fix] !!!
                   so we may be dereferencing one field after tif->tif_fieldinfo end
        if (fix >= tif->tif_nfields ||
            ^^^^^^^^^^ this check fix >= tif->tif_nfields comes too late,
                       we already accessed the array beyond its end :-(
            fip->field_tag != dp->tdir_tag) {
            TIFFWarningExt(tif->tif_clientdata, module,
                "%s: wrong data type %d for \"%s\"; tag ignored",
                tif->tif_name, dp->tdir_type,
                tif->tif_fieldinfo[fix-1]->field_name);
            goto ignore;
        }
    }

libtiff-4.0.1 doesn't crash and the above code seems to be rewritten there.

Mikulas

Archive: http://lists.debian.org/[email protected]
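The off-by-one described in the report, as an added example that is not libtiff's code and not part of the original message. The field table, the tag and type numbers, and the helper names (field_at, lookup_buggy, lookup_fixed, probe_*) are all constructed here; lookup_buggy mirrors the shape of the 3.9.x loop quoted above (read tif_fieldinfo[++fix] first, compare fix against tif_nfields afterwards), while lookup_fixed is one bounds-checked rewrite written for this example, not the upstream patch. Because a real out-of-bounds read is undefined behaviour, every array access goes through field_at(), which records the highest index requested and substitutes a guard entry for index nfields; that makes the one-past-the-end read observable instead of a crash.

```c
#include <stddef.h>
#include <stdio.h>

#define TIFF_ANY 0   /* wildcard type, as in libtiff's field table */

typedef struct {
    unsigned short field_tag;
    unsigned short field_type;
    const char    *field_name;
} FieldInfo;

/* Constructed field table, sorted by tag, several entries per tag with
 * different types (the layout the search loop walks).  Tag 258 is last on
 * purpose: searching it with a type that matches nothing drives fix to
 * the final index and the buggy loop one step beyond it.              */
static const FieldInfo field_table[] = {
    {256, 3, "ImageWidth"},
    {256, 4, "ImageWidth"},
    {257, 3, "ImageLength"},
    {257, 4, "ImageLength"},
    {258, 3, "BitsPerSample"},
};
static const size_t nfields = sizeof field_table / sizeof field_table[0];

/* Trace of the highest index the lookups asked for; index nfields is one
 * past the end of field_table and would be an out-of-bounds read.       */
static size_t max_index_touched;

static const FieldInfo *field_at(size_t i)
{
    static const FieldInfo guard = {0, 0, "(past end of table)"};
    if (i > max_index_touched)
        max_index_touched = i;
    return i < nfields ? &field_table[i] : &guard;
}

/* Same control flow as the quoted 3.9.x loop: 'fix' starts at the first
 * table entry for the tag; on a type mismatch the next entry is read via
 * ++fix and only then is fix compared with nfields.  Returns the matching
 * index, or -1 for "tag ignored".                                        */
static int lookup_buggy(unsigned short tdir_tag, unsigned short tdir_type, size_t fix)
{
    const FieldInfo *fip = field_at(fix);
    while (tdir_type != fip->field_type && fix < nfields) {
        if (fip->field_type == TIFF_ANY)          /* wildcard */
            break;
        fip = field_at(++fix);                    /* read happens here ... */
        if (fix >= nfields || fip->field_tag != tdir_tag)
            return -1;                            /* ... check comes here */
    }
    return (int)fix;
}

/* Bounds-checked rewrite (an illustration, not the upstream fix): the
 * index is compared with nfields before any read through it.            */
static int lookup_fixed(unsigned short tdir_tag, unsigned short tdir_type, size_t fix)
{
    const FieldInfo *fip;
    if (fix >= nfields)
        return -1;
    fip = field_at(fix);
    while (tdir_type != fip->field_type) {
        if (fip->field_type == TIFF_ANY)          /* wildcard */
            break;
        if (++fix >= nfields)                     /* check before the read */
            return -1;
        fip = field_at(fix);
        if (fip->field_tag != tdir_tag)
            return -1;
    }
    return (int)fix;
}

/* Probes reset the trace, run one lookup and leave the trace readable. */
int probe_buggy(unsigned short tag, unsigned short type, size_t fix)
{
    max_index_touched = 0;
    return lookup_buggy(tag, type, fix);
}

int probe_fixed(unsigned short tag, unsigned short type, size_t fix)
{
    max_index_touched = 0;
    return lookup_fixed(tag, type, fix);
}

size_t highest_index_touched(void) { return max_index_touched; }
size_t field_count(void)           { return nfields; }

int main(void)
{
    /* Directory entry for tag 258 with type 4 (LONG): no table entry has
     * that type, so the search runs off the end of the table.           */
    int r = probe_buggy(258, 4, 4);
    printf("buggy: result %d, highest index read %zu of %zu entries\n",
           r, highest_index_touched(), field_count());
    r = probe_fixed(258, 4, 4);
    printf("fixed: result %d, highest index read %zu of %zu entries\n",
           r, highest_index_touched(), field_count());
    return 0;
}
```

Running it shows the buggy lookup reaching index 5 of a 5-entry table before rejecting the tag, which is exactly the read Electric Fence turns into a crash on the fuzzed file; the fixed lookup rejects the same entry without going past index 4, and both agree on a well-formed entry such as tag 256 with type 4.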

