libtiff: multiple heap-based buffer overflow

Description:
libtiff is a library that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

Fuzzing with crafted images revealed multiple heap-based buffer overflows. Given the number of issues, I will post only the relevant part of each stack trace.

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df
Reproducer:
https://github.com/asarubbo/poc/blob/master/00068-libtiff-heapoverflow-_tiffWriteProc
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==16440==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000e861 at pc 0x0000004531de bp 0x7ffd2aba5c30 sp 0x7ffd2aba53e0
READ of size 78490 at 0x62500000e861 thread T0
    #1 0x7f280456d37b in _tiffWriteProc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:115:23

CVE:
CVE-2016-10268

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df
Reproducer:
https://github.com/asarubbo/poc/blob/master/00066-libtiff-heapoverflow-TIFFReverseBits
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==14332==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000f4f0 at pc 0x7f95e90c11ad bp 0x7ffd74ba5ca0 sp 0x7ffd74ba5c98
READ of size 1 at 0x63000000f4f0 thread T0
    #0 0x7f95e90c11ac in TIFFReverseBits /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_swab.c:289:27

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86
Reproducer:
https://github.com/asarubbo/poc/blob/master/00071-libtiff-heapoverflow-_TIFFmemcpy
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==10398==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef4 at pc 0x0000004bc235 bp 0x7fff3ebfa700 sp 0x7fff3ebf9eb0
READ of size 512 at 0x60200000eef4 thread T0
     #1 0x7fcaf590cf0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2

CVE:
CVE-2016-10269

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018
Reproducer:
https://github.com/asarubbo/poc/blob/master/00074-libtiff-heapoverflow-TIFFFillStrip
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==15106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edd8 at pc 0x7f33918c5de3 bp 0x7ffc5abe6ba0 sp 0x7ffc5abe6b98
READ of size 8 at 0x60200000edd8 thread T0
    #0 0x7f33918c5de2 in TIFFFillStrip /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_read.c:523:22

CVE:
CVE-2016-10270

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
Reproducer:
https://github.com/asarubbo/poc/blob/master/00100-libtiff-heapoverflow-_TIFFFax3fillruns
Relevant part of the stacktrace:

# tiffcrop -i $FILE /tmp/foo
==9181==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd3b2e277f8 at pc 0x7fd3b7a762cc bp 0x7ffffd6e2550 sp 0x7ffffd6e2548
READ of size 1 at 0x7fd3b2e277f8 thread T0
    #0 0x7fd3b7a762cb in _TIFFFax3fillruns /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_fax3.c:413:13

CVE:
CVE-2016-10271

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
Reproducer:
https://github.com/asarubbo/poc/blob/master/00102-libtiff-heapoverflow-_TIFFmemcpy
Relevant part of the stacktrace:

# tiffcrop -i $FILE /tmp/foo
==988==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001ccff at pc 0x0000004bc00c bp 0x7fff920da690 sp 0x7fff920d9e40
WRITE of size 1 at 0x62100001ccff thread T0
    #1 0x7f49edd6af0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2

CVE:
CVE-2016-10092

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/b4b41925115059b49f97432bda0613411df2f686
Reproducer:
https://github.com/asarubbo/poc/blob/master/00067-libtiff-heapoverflow-tiffcp
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==7788==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edd3 at pc 0x0000004629ac bp 0x7ffe4adf8df0 sp 0x7ffe4adf85a0
READ of size 1 at 0x60200000edd3 thread T0
    #1 0x50d6a5 in tiffcp /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:784:57

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
Upstream said that the previous changes fix this too; it needs to be bisected.
UPDATE:
A test on master showed that it isn't fixed.
Reproducer:
https://github.com/asarubbo/poc/blob/master/00079-libtiff-heapoverflow-cpSeparateBufToContigBuf
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==25645==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f651cc3b800 at pc 0x00000051ef24 bp 0x7ffec0573a70 sp 0x7ffec0573a68
READ of size 16 at 0x7f651cc3b800 thread T0
    #0 0x51ef23 in cpSeparateBufToContigBuf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1209:14

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec
Reproducer:
https://github.com/asarubbo/poc/blob/master/00082-libtiff-heap-overflow-cpStripToTile
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==20438==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fef2adde803 at pc 0x00000051befa bp 0x7ffd3ee26b50 sp 0x7ffd3ee26b48
WRITE of size 16 at 0x7fef2adde803 thread T0
    #0 0x51bef9 in cpStripToTile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1171:11

CVE:
CVE-2016-10093

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
Upstream said that the previous changes fix this too; it needs to be bisected.
From the bisect, the fix is:
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
Reproducer:
https://github.com/asarubbo/poc/blob/master/00103-libtiff-heapoverflow-NeXTDecode
Relevant part of the stacktrace:

# tiffcrop -i $FILE /tmp/foo
==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00000a3fc at pc 0x0000004bc48c bp 0x7ffd6f23c680 sp 0x7ffd6f23be30
WRITE of size 2048 at 0x62d00000a3fc thread T0
      #1 0x7fcac5ac0033 in NeXTDecode /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_next.c:64:9

CVE:
CVE-2016-10272

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
Upstream said that the previous changes fix this too; it needs to be bisected.
From the bisect, the fix is:
https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
Reproducer:
https://github.com/asarubbo/poc/blob/master/00102-libtiff-heapoverflow-_TIFFmemcpy
Relevant part of the stacktrace:

# tiffcrop -i $FILE /tmp/foo
==23091==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eed2 at pc 0x0000004629dc bp 0x7fff8d1e2950 sp 0x7fff8d1e2100
READ of size 1 at 0x60200000eed2 thread T0
   #1 0x53277f in writeCroppedImage /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcrop.c:7940:23

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/5ed9fea523316c2f5cec4d393e4d5d671c2dbc33
Reproducer:
https://github.com/asarubbo/poc/blob/master/00108-libtiff-heapoverflow-PSDataBW
Relevant part of the stacktrace:

# tiff2ps $FILE
==32416==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee91 at pc 0x00000051ea78 bp 0x7ffd76b73dd0 sp 0x7ffd76b73dc8
READ of size 1 at 0x60200000ee91 thread T0
    #0 0x51ea77 in PSDataBW /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2ps.c:2703:21

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/5ed9fea523316c2f5cec4d393e4d5d671c2dbc33
Reproducer:
https://github.com/asarubbo/poc/blob/master/00107-libtiff-heapoverflow-PSDataColorContig
Relevant part of the stacktrace:

# tiff2ps $FILE
==31384==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee54 at pc 0x000000518b75 bp 0x7fff437bfdb0 sp 0x7fff437bfda8
READ of size 1 at 0x60200000ee54 thread T0
    #0 0x518b74 in PSDataColorContig /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2ps.c:2470:2

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/bd9d7670d0224412b3bd146e221658211ece876e
Reproducer:
https://github.com/asarubbo/poc/blob/master/00101-libtiff-heapoverflow-combineSeparateSamples16bits
Relevant part of the stacktrace:

# tiffcrop -i $FILE /tmp/foo
==8016==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef1 at pc 0x000000530805 bp 0x7ffeb0d41770 sp 0x7ffeb0d41768
READ of size 1 at 0x60200000eef1 thread T0
    #0 0x530804 in combineSeparateSamples16bits /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcrop.c:3913:20

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76b0969235c
Reproducer:
https://github.com/asarubbo/poc/blob/master/00112-libtiff-heapoverflow-_TIFFmemcpy
Relevant part of the stacktrace:

# tiff2pdf $FILE -o foo
==31315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ea11 at pc 0x0000004bc10c bp 0x7fffd59abc40 sp 0x7fffd59ab3f0
WRITE of size 2 at 0x60200000ea11 thread T0
    #1 0x7fd49c1adf0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2

CVE:
CVE-2016-10094

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00109-libtiff-heapoverflow-putcontig8bitYCbCr44tile
Relevant part of the stacktrace:

# tiff2rgba $FILE /tmp/foo
==20699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000ed12 at pc 0x7f49ab2c134c bp 0x7ffc7e4eda30 sp 0x7ffc7e4eda28
READ of size 1 at 0x62500000ed12 thread T0
    #0 0x7f49ab2c134b in putcontig8bitYCbCr44tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_getimage.c:1885:28
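With this many reports from one fuzzing run, the first triage step is to parse the AddressSanitizer output and collapse duplicates before filing. The script below is an added example and is not part of this advisory or of libtiff: it parses reports in the format shown above, picks the first frame that is not a thin wrapper (several reports above bottom out in _TIFFmemcpy or _tiffWriteProc in tif_unix.c, which would make unrelated bugs look identical), groups crashes by bug kind, access type and crash site, and lists WRITE overflows ahead of READs. Three of the embedded sample reports are copied (truncated) from this advisory; the other two are constructed for the example, and the names hypothetical_caller and hypothetical.c are assumptions, not real libtiff symbols.

```python
"""Added triage helper: parse a batch of AddressSanitizer reports, pick the
first frame that is not a thin wrapper, and bucket the crashes so duplicates
collapse and WRITE overflows (the more dangerous ones) are listed first."""
import re
from collections import OrderedDict

# Wrapper functions that sit between the bug and libc; keying on them would
# merge unrelated bugs (three reports above share _TIFFmemcpy / tif_unix.c:340).
WRAPPERS = {"_TIFFmemcpy", "_TIFFmemset", "_tiffWriteProc", "_tiffReadProc",
            "__asan_memcpy", "__interceptor_memcpy", "memcpy"}

# Sample reports: 0-2 are copied (truncated) from the advisory above; 3 is a
# constructed re-run of report 0 with a different pid; 4 is constructed, and
# hypothetical_caller / hypothetical.c are NOT real libtiff symbols.
REPORTS = [
"""# tiffcp -i $FILE /tmp/foo
==14332==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000f4f0 at pc 0x7f95e90c11ad bp 0x7ffd74ba5ca0 sp 0x7ffd74ba5c98
READ of size 1 at 0x63000000f4f0 thread T0
    #0 0x7f95e90c11ac in TIFFReverseBits /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_swab.c:289:27
""",
"""# tiffcrop -i $FILE /tmp/foo
==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00000a3fc at pc 0x0000004bc48c bp 0x7ffd6f23c680 sp 0x7ffd6f23be30
WRITE of size 2048 at 0x62d00000a3fc thread T0
      #1 0x7fcac5ac0033 in NeXTDecode /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_next.c:64:9
""",
"""# tiffcp -i $FILE /tmp/foo
==10398==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef4 at pc 0x0000004bc235 bp 0x7fff3ebfa700 sp 0x7fff3ebf9eb0
READ of size 512 at 0x60200000eef4 thread T0
     #1 0x7fcaf590cf0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
""",
"""# tiffcp -i $FILE /tmp/foo
==99999==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000f4f0 at pc 0x7f95e90c11ad bp 0x7ffd74ba5ca0 sp 0x7ffd74ba5c98
READ of size 1 at 0x63000000f4f0 thread T0
    #0 0x7f95e90c11ac in TIFFReverseBits /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_swab.c:289:27
""",
"""# tiffcp -i $FILE /tmp/foo
==99998==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef4 at pc 0x0000004bc235 bp 0x7fff3ebfa700 sp 0x7fff3ebf9eb0
READ of size 512 at 0x60200000eef4 thread T0
    #0 0x7f0000000001 in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
    #1 0x7f0000000002 in hypothetical_caller /src/hypothetical.c:42:7
""",
]

_ERR_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
_ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at", re.M)
_FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<path>\S+?):(?P<line>\d+)(?::\d+)?\s*$", re.M)
_CMD_RE = re.compile(r"^#\s*(?P<cmd>[A-Za-z][\w.-]*)", re.M)  # the "# tiffcp ..." line


def parse_report(text):
    """Extract the fields that matter for triage from one ASAN report."""
    err = _ERR_RE.search(text)
    if err is None:
        raise ValueError("not an AddressSanitizer error report")
    access = _ACCESS_RE.search(text)
    cmd = _CMD_RE.search(text)
    # Keep only basename:line so the build directory does not split buckets.
    frames = [(m.group("func"), "%s:%s" % (m.group("path").rsplit("/", 1)[-1], m.group("line")))
              for m in _FRAME_RE.finditer(text)]
    return {
        "tool": cmd.group("cmd") if cmd else None,
        "pid": int(err.group("pid")),
        "kind": err.group("kind"),
        "address": int(err.group("addr"), 16),
        "access": access.group("access") if access else None,
        "size": int(access.group("size")) if access else None,
        "frames": frames,
    }


def crash_site(report, wrappers=WRAPPERS):
    """First frame that is not a known wrapper; falls back to the top frame."""
    for func, loc in report["frames"]:
        if func not in wrappers:
            return func, loc
    return report["frames"][0] if report["frames"] else (None, None)


def bucket(reports):
    """Group parsed reports by (kind, access, function, file:line); WRITE first."""
    groups = {}
    for r in reports:
        func, loc = crash_site(r)
        groups.setdefault((r["kind"], r["access"], func, loc), []).append(r)
    order = {"WRITE": 0, "READ": 1}
    return OrderedDict(sorted(groups.items(),
                              key=lambda kv: (order.get(kv[0][1], 2), kv[0][2] or "", kv[0][3] or "")))


def summarize(texts):
    """One line per unique crash site, WRITE overflows first."""
    return ["%-5s %s at %s %s: %d report(s) via %s" % (
                key[1], key[0], key[2], key[3], len(rs),
                ",".join(sorted({r["tool"] or "?" for r in rs})))
            for key, rs in bucket([parse_report(t) for t in texts]).items()]


if __name__ == "__main__":
    print("\n".join(summarize(REPORTS)))
```

Running it on the five samples yields four buckets: the NeXTDecode WRITE first, then the two TIFFReverseBits reports merged into one line, the lone _TIFFmemcpy report, and the constructed report resolved to hypothetical_caller. Note that when a report shows only a single wrapper frame, as the excerpts above do, crash_site has nothing better to fall back on than the wrapper itself, so the full symbolized backtrace (ASAN_OPTIONS=symbolize=1 with a debug build) should be kept when filing, even if only the relevant frame is posted.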

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-11-20: started to post the issues to upstream
2017-01-01: blog post about the issue
2017-01-01: CVE assigned
2017-03-24: bisect done, all issues have a commit fix reference

Note:
These bugs were found with American Fuzzy Lop.
