libtiff: divide-by-zero in JPEGSetupEncode (tiff_jpeg.c)

Description:
Libtiff is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

A crafted tiff can crash the library.

The complete ASan output:

# tiffcp -i $FILE /tmp/out
==28692==ERROR: AddressSanitizer: FPE on unknown address 0x7f03239af35b (pc 0x7f03239af35b bp 0x7ffc7923f730 sp 0x7ffc7923f600 T0)                                                                                                                                             
    #0 0x7f03239af35a in JPEGSetupEncode /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_jpeg.c:1687:26                                                                                                                                                         
    #1 0x7f0323a00312 in TIFFWriteEncodedTile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_write.c:446:8                                                                                                                                                     
    #2 0x510f06 in writeBufferToContigTiles /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1539:8                                                                                                                                                           
    #3 0x50f1ce in cpImage /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1236:14                                                                                                                                                                           
    #4 0x50dc1b in cpContigTiles2ContigTiles /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1673:9                                                                                                                                                          
    #5 0x50c5b6 in tiffcp /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:815:15                                                                                                                                                                             
    #6 0x50c5b6 in main /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:304                                                                                                                                                                                  
    #7 0x7f0322a4661f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289                                                                                                                                                        
    #8 0x419f18 in _init (/usr/bin/tiffcp+0x419f18)                                                                                                                                                                                                                            
                                                                                                                                                                                                                                                                               
AddressSanitizer can not provide additional info.                                                                                                                                                                                                                              
SUMMARY: AddressSanitizer: FPE /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_jpeg.c:1687:26 in JPEGSetupEncode 

Affected version:
4.0.7

Fixed version:
N/A

Commit fix:
https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7595

Reproducer:
https://github.com/asarubbo/poc/blob/master/00123-libtiff-fpe-JPEGSetupEncode

Timeline:
2017-01-04: bug discovered and reported to upstream
2017-01-11: upstream released a patch
2017-04-01: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libtiff: divide-by-zero in JPEGSetupEncode (tiff_jpeg.c)

This entry was posted in advisories, security. Bookmark the permalink.

One Response to libtiff: divide-by-zero in JPEGSetupEncode (tiff_jpeg.c)

  1. Pingback: Silicon Graphics LibTIFF ‘JPEGSetupEncode’函数拒绝服务漏洞的补丁 | Heikuo ' Blog

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.