libtiff: divide-by-zero in JPEGSetupEncode (tif_jpeg.c)

Description:
libtiff is a library that provides support for the Tag Image File Format (TIFF), a widely used format for storing raster image data.

A crafted TIFF file makes JPEGSetupEncode perform an integer division by zero, which raises SIGFPE and crashes the process. The trace below was produced with tiffcp, which reaches the bug from TIFFWriteEncodedTile while writing the output tiles with the JPEG codec (tiffcp keeps the input's compression scheme unless -c is given).

The complete ASan output:

# tiffcp -i $FILE /tmp/out
==28692==ERROR: AddressSanitizer: FPE on unknown address 0x7f03239af35b (pc 0x7f03239af35b bp 0x7ffc7923f730 sp 0x7ffc7923f600 T0)
    #0 0x7f03239af35a in JPEGSetupEncode /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_jpeg.c:1687:26
    #1 0x7f0323a00312 in TIFFWriteEncodedTile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_write.c:446:8
    #2 0x510f06 in writeBufferToContigTiles /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1539:8
    #3 0x50f1ce in cpImage /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1236:14
    #4 0x50dc1b in cpContigTiles2ContigTiles /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1673:9
    #5 0x50c5b6 in tiffcp /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:815:15
    #6 0x50c5b6 in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:304
    #7 0x7f0322a4661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x419f18 in _init (/usr/bin/tiffcp+0x419f18)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_jpeg.c:1687:26 in JPEGSetupEncode
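
The division that traps, modelled as an added example. This is not libtiff's code and is not part of the original advisory. The advisory does not say which directory field is zero; the model assumes, from what JPEGSetupEncode does (checking the tile size against the JPEG MCU), that a zero YCbCrSubsampling factor ends up as the divisor, and shows the unchecked modulo next to a form that validates the factors before using them. The struct and function names (tile_params, mcu_aligned_unguarded, mcu_aligned_guarded, valid_subsampling) and the sample inputs are invented for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define DCTSIZE 8   /* JPEG DCT block size, as in libjpeg */

/* Constructed stand-in for the directory fields the check needs.
 * Assumption for the example: this is not libtiff's TIFFDirectory. */
struct tile_params {
    uint32_t tilewidth;
    uint32_t tilelength;
    uint16_t h_sampling;  /* YCbCrSubsampling horizontal factor */
    uint16_t v_sampling;  /* YCbCrSubsampling vertical factor   */
};

/* TIFF 6.0 defines only the subsampling factors 1, 2 and 4. */
static int valid_subsampling(uint16_t f)
{
    return f == 1 || f == 2 || f == 4;
}

/* Models the pre-fix behaviour: tile dimensions are reduced modulo the
 * MCU size with no check on the sampling factors, so a file carrying a
 * zero factor makes the divisor zero and the CPU raises SIGFPE. */
static int mcu_aligned_unguarded(const struct tile_params *p)
{
    if ((p->tilewidth % (p->h_sampling * DCTSIZE)) != 0)
        return 0;  /* tile width is not a multiple of the MCU width */
    if ((p->tilelength % (p->v_sampling * DCTSIZE)) != 0)
        return 0;  /* tile length is not a multiple of the MCU height */
    return 1;
}

/* Hardened form: reject attacker-controlled factors before they are used
 * as a divisor. Returns 1 when the tile geometry is acceptable, 0 when it
 * is not; never traps. */
static int mcu_aligned_guarded(const struct tile_params *p)
{
    if (!valid_subsampling(p->h_sampling) ||
        !valid_subsampling(p->v_sampling)) {
        fprintf(stderr, "Invalid horizontal/vertical sampling value %u/%u\n",
                (unsigned)p->h_sampling, (unsigned)p->v_sampling);
        return 0;
    }
    return mcu_aligned_unguarded(p);
}

int main(void)
{
    /* Constructed inputs: a well-formed tiled YCbCr 4:2:0 layout, and the
     * same layout with the vertical subsampling factor set to zero. */
    const struct tile_params good = { 256, 256, 2, 2 };
    const struct tile_params zero = { 256, 256, 2, 0 };

    printf("good tile, guarded:   %d\n", mcu_aligned_guarded(&good));
    printf("zero factor, guarded: %d\n", mcu_aligned_guarded(&zero));
    /* mcu_aligned_unguarded(&zero) would divide by zero here and abort
     * with SIGFPE, which is what the ASan trace above reports. */
    return 0;
}
```

Build with `cc -Wall example.c -o example`. Note that an FPE is not a memory error: ASan only reports it because it installs a SIGFPE handler by default, and an unsanitized build of the same code dies with SIGFPE on the same input. The fix for this class of bug is the validation step, not the sanitizer.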

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7595

Reproducer:
https://github.com/asarubbo/poc/blob/master/00123-libtiff-fpe-JPEGSetupEncode

Timeline:
2017-01-04: bug discovered and reported to upstream
2017-01-11: upstream released a patch
2017-04-01: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libtiff: divide-by-zero in JPEGSetupEncode (tif_jpeg.c)


One Response to libtiff: divide-by-zero in JPEGSetupEncode (tif_jpeg.c)

  1. Pingback: Patch for the Silicon Graphics LibTIFF 'JPEGSetupEncode' function denial-of-service vulnerability | Heikuo's Blog
