|
Message-ID: <5EDB84F4B23F5B4DB6500A89258280E0B97359@EX02.corp.qihoo.net> Date: Fri, 8 Apr 2016 07:12:28 +0000 From: 张开翔 <zhangkaixiang@....cn> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: CVE-2016-3631 - libtiff 4.0.6 illegel read Details ======= Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: Illegel read Vendor URL: http://www.libtiff.org/ CVE ID: CVE-2016-3631 Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360 Introduction Illegal read occurs in the cpStrips and cpTiles function in thumbnail.c in thumbnail allows attackers to exploit this issue to cause denial-of-service. libtiff/tools/thumbnail.c:314. 313 for (s = 0; s < ns; s++) { 314 if (bytecounts[s] > (uint64) bufsize) { 315 buf = (unsigned char *)_TIFFrealloc(buf, (tmsize_t)bytecounts[s]); 316 if (!buf) 317 goto bad; 318 bufsize = (tmsize_t)bytecounts[s]; 319 } 320 if (TIFFReadRawStrip(in, s, buf, (tmsize_t)bytecounts[s]) < 0 || 321 TIFFWriteRawStrip(out, s, buf, (tmsize_t)bytecounts[s]) < 0) { 322 _TIFFfree(buf); 323 return 0; 324 } 325 } gdb --args thumbnail cpStrips.tif tmpout.tif …… Program received signal SIGSEGV, Segmentation fault. 0x0804c7bf in cpStrips (out=<optimized out>, in=0x8164530) at thumbnail.c:314 314 if (bytecounts[s] > (uint64) bufsize) { (gdb) bt #0 0x0804c7bf in cpStrips (out=<optimized out>, in=0x8164530) at thumbnail.c:314 #1 cpIFD (out=<optimized out>, in=<optimized out>) at thumbnail.c:378 #2 main (argc=3, argv=0xbffff384) at thumbnail.c:124 (gdb) p *bytecounts Cannot access memory at address 0x42900001 References: [1] http://www.remotesensing.org/libtiff/ Thank you! Best Regards,
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.