libtiff: multiple UBSAN crashes

Description:
libtiff is a library that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

Fuzzing with the undefined behavior sanitizer (UBSAN) revealed the crashes listed below. Each entry gives the sanitizer message, the affected version, the upstream fixing commit, the reproducer file, and the assigned CVE.

# tiffcp -i $FILE /tmp/foo
runtime error: value 5.84589e+199 is outside the range of representable values of type 'float'

Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
Reproducer:
https://github.com/asarubbo/poc/blob/master/00113-libtiff-outside-float
CVE:
CVE-2017-7596

##################################################

# tiffcp -i $FILE /tmp/foo
tif_dirread.c:2409:12: runtime error: value -4.779e+161 is outside the range of representable values of type 'float'

Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
Reproducer:
https://github.com/asarubbo/poc/blob/master/00114-libtiff-outside-float-tif_dirread
CVE:
CVE-2017-7597

##################################################

# tiffcp -i $FILE /tmp/foo
tif_dirread.c:2878:24: runtime error: division by zero
tif_dirread.c:2906:33: runtime error: division by zero

Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
Reproducer:
https://github.com/asarubbo/poc/blob/master/00115-libtiff-fpe-tif_dirread
CVE:
CVE-2017-7598

##################################################

# tiffcp -i $FILE /tmp/foo
runtime error: value 65280 is outside the range of representable values of type 'short'

Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
Reproducer:
https://github.com/asarubbo/poc/blob/master/00117-libtiff-outside-short-tif_dirwrite
CVE:
CVE-2017-7599

##################################################

# tiffcp -i $FILE /tmp/foo
runtime error: value -115 is outside the range of representable values of type 'unsigned char'

Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
Reproducer:
https://github.com/asarubbo/poc/blob/master/00118-libtiff-outside-unsigned-char-tif_dirwrite
CVE:
CVE-2017-7600

##################################################

# tiffcp -i $FILE /tmp/foo
runtime error: shift exponent 136 is too large for 64-bit type 'long'

Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490
Reproducer:
https://github.com/asarubbo/poc/blob/master/00119-libtiff-shift-long-tif_jpeg
CVE:
CVE-2017-7601

##################################################

# tiffcp -i $FILE /tmp/foo
runtime error: signed integer overflow: 9223372036452122640 + 85899345928 cannot be represented in type 'long'

Affected version:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4
Reproducer:
https://github.com/asarubbo/poc/blob/master/00121-libtiff-signintoverflow-tif_read
CVE:
CVE-2017-7602

##################################################
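As an added example (this editor's own code, not libtiff's and not taken from the fixing commits), the four classes of undefined behaviour the sanitizer messages above report, each written as a range-checked operation that rejects the input instead of performing the undefined step: floating-point narrowing, division by a zero read from the file, an over-wide shift, and signed addition overflow. The function names are mine; the sample inputs are the values printed in the messages. Treating the 'short' and 'unsigned char' cases as floating-point narrowing is my reading of the message format (UBSAN's float-cast-overflow diagnostic), not something the post states.

```c
/* Added example, not libtiff code: checked versions of the operations that
 * produced the sanitizer messages in this post. Function names are this
 * editor's; the malformed inputs are the values printed by UBSAN. */
#include <float.h>
#include <limits.h>
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* double -> float: an out-of-range conversion is undefined (C11 6.3.1.5).
 * NaN and +/-inf are representable as float, so only finite overflow is
 * rejected. */
static bool safe_double_to_float(double in, float *out)
{
    if (isfinite(in) && (in > FLT_MAX || in < -FLT_MAX))
        return false;
    *out = (float)in;
    return true;
}

/* double -> int16_t / uint8_t: NaN fails both comparisons and is rejected
 * too. The value must fit the destination before the cast is made. */
static bool safe_double_to_int16(double in, int16_t *out)
{
    if (!(in >= INT16_MIN && in <= INT16_MAX))
        return false;
    *out = (int16_t)in;
    return true;
}

static bool safe_double_to_uint8(double in, uint8_t *out)
{
    if (!(in >= 0.0 && in <= UINT8_MAX))
        return false;
    *out = (uint8_t)in;
    return true;
}

/* Division: a zero divisor taken from the file is an input error. */
static bool safe_udiv(uint64_t num, uint64_t den, uint64_t *out)
{
    if (den == 0)
        return false;
    *out = num / den;
    return true;
}

/* Left shift of a signed 64-bit value: the exponent must be below the type
 * width, the value non-negative, and the result must not overflow. */
static bool safe_shl_i64(int64_t v, unsigned n, int64_t *out)
{
    if (n >= 64 || v < 0 || (n > 0 && v > (INT64_MAX >> n)))
        return false;
    *out = v << n;
    return true;
}

/* Signed addition: test for overflow before adding, never after. */
static bool safe_add_i64(int64_t a, int64_t b, int64_t *out)
{
    if ((b > 0 && a > INT64_MAX - b) || (b < 0 && a < INT64_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Feed the exact values from the sanitizer messages through the checks.
 * Returns how many were rejected; all seven should be. */
int rejected_page_samples(void)
{
    int n = 0;
    float f; int16_t s; uint8_t c; uint64_t q; int64_t r;
    if (!safe_double_to_float(5.84589e+199, &f)) n++;   /* CVE-2017-7596 */
    if (!safe_double_to_float(-4.779e+161, &f)) n++;    /* CVE-2017-7597 */
    if (!safe_udiv(1, 0, &q)) n++;                       /* CVE-2017-7598 */
    if (!safe_double_to_int16(65280.0, &s)) n++;         /* CVE-2017-7599 */
    if (!safe_double_to_uint8(-115.0, &c)) n++;          /* CVE-2017-7600 */
    if (!safe_shl_i64(1, 136, &r)) n++;                  /* CVE-2017-7601 */
    if (!safe_add_i64(9223372036452122640LL, 85899345928LL, &r)) n++; /* CVE-2017-7602 */
    return n;
}

/* Well-formed inputs must still pass and yield the expected results.
 * Returns how many of the six checks succeeded with the right value. */
int accepted_in_range_samples(void)
{
    int n = 0;
    float f; int16_t s; uint8_t c; uint64_t q; int64_t r;
    if (safe_double_to_float(1.5, &f) && f == 1.5f) n++;
    if (safe_double_to_int16(-32768.0, &s) && s == INT16_MIN) n++;
    if (safe_double_to_uint8(255.0, &c) && c == 255) n++;
    if (safe_udiv(10, 3, &q) && q == 3) n++;
    if (safe_shl_i64(1, 62, &r) && r == INT64_C(1) << 62) n++;
    if (safe_add_i64(INT64_MAX - 1, 1, &r) && r == INT64_MAX) n++;
    return n;
}

int main(void)
{
    printf("rejected %d/7 malformed, accepted %d/6 well-formed\n",
           rejected_page_samples(), accepted_in_range_samples());
    return 0;
}
```

Compile it with `cc -std=c11 -fsanitize=undefined` and no diagnostic appears, because every undefined operation is guarded; drop a guard and UBSAN prints the same kind of "runtime error:" line as in the messages above. One caveat worth knowing when reproducing these findings: by default UBSAN prints the line and continues, so pass `-fno-sanitize-recover=all` if you want the checks to abort, which is what makes them show up as crashes under a fuzzer.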

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-01-01: bugs discovered and reported to upstream
2017-01-11: upstream released a patch
2017-04-01: blog post about the issue
2017-04-09: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.
