{"id":1060,"date":"2017-01-01T17:32:30","date_gmt":"2017-01-01T15:32:30","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1060"},"modified":"2017-05-24T13:58:29","modified_gmt":"2017-05-24T11:58:29","slug":"libtiff-multiple-divide-by-zero","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/01\/01\/libtiff-multiple-divide-by-zero\/","title":{"rendered":"libtiff: multiple divide-by-zero"},
"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/libtiff.maptools.org\">Libtiff<\/a> is software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.<\/p>\n<p>Some crafted images, through fuzzing, revealed multiple divisions by zero. Given the number of issues, I will post the relevant part of each stacktrace.<\/p>\n<p><strong>Affected version \/ Tested on:<\/strong><br \/>\n4.0.7<br \/>\n<strong>Fixed version:<\/strong><br \/>\nN\/A<br \/>\n<strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/vadz\/libtiff\/commit\/438274f938e046d33cb0e1230b41da32ffe223e1\">https:\/\/github.com\/vadz\/libtiff\/commit\/438274f938e046d33cb0e1230b41da32ffe223e1<\/a><br \/>\n<strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00064-libtiff-fpe-TIFFReadEncodedStrip\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00064-libtiff-fpe-TIFFReadEncodedStrip<\/a><br \/>\n<strong>Relevant part of the stacktrace:<\/strong><\/p>\n<pre><font size=\"2\"># tiffcp -i $FILE \/tmp\/foo\r\n==12079==ERROR: AddressSanitizer: FPE on unknown address 0x7fd319436251 (pc 0x7fd319436251 bp 0x7fff851e3d80 sp 0x7fff851e3d30 T0)\r\n    #0 0x7fd319436250 in TIFFReadEncodedStrip \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/libtiff\/tif_read.c:351:22\r\n<\/font><\/pre>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-10266<\/p>\n<p>###############################################<\/p>\n<p><strong>Affected version \/ Tested on:<\/strong><br \/>\n4.0.7<br \/>\n<strong>Fixed version:<\/strong><br \/>\nN\/A<br \/>\n<strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/vadz\/libtiff\/commit\/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec\">https:\/\/github.com\/vadz\/libtiff\/commit\/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec<\/a><br \/>\n<strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00083-libtiff-fpe-OJPEGDecodeRaw\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00083-libtiff-fpe-OJPEGDecodeRaw<\/a><br \/>\n<strong>Relevant part of the stacktrace:<\/strong><\/p>\n<pre><font size=\"2\"># tiffmedian $FILE \/tmp\/foo\r\n==28106==ERROR: AddressSanitizer: FPE on unknown address 0x7faeae7f744e (pc 0x7faeae7f744e bp 0x7ffceab45e40 sp 0x7ffceab45ce0 T0)\r\n    #0 0x7faeae7f744d in OJPEGDecodeRaw \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/libtiff\/tif_ojpeg.c:816:8\r\n<\/font><\/pre>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-10267<\/p>\n<p>###############################################<\/p>\n<p><strong>Affected version \/ Tested on:<\/strong><br \/>\n4.0.7<br \/>\n<strong>Fixed version:<\/strong><br \/>\nN\/A<br \/>\n<strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/vadz\/libtiff\/commit\/d3c5426395dc53e3345712ac7246c29db9fed8fa\">https:\/\/github.com\/vadz\/libtiff\/commit\/d3c5426395dc53e3345712ac7246c29db9fed8fa<\/a><br \/>\n<strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00099-libtiff-fpe-readSeparateStripsIntoBuffer\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00099-libtiff-fpe-readSeparateStripsIntoBuffer<\/a><br \/>\n<strong>Relevant part of the stacktrace:<\/strong><\/p>\n<pre><font size=\"2\"># tiffcrop $FILE \/tmp\/foo\r\n==19098==ERROR: AddressSanitizer: FPE on unknown address 0x000000523acf (pc 0x000000523acf bp 0x7ffcb22ada30 sp 0x7ffcb22ad780 T0)\r\n    #0 0x523ace in readSeparateStripsIntoBuffer \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/tools\/tiffcrop.c:4841:36\r\n<\/font><\/pre>\n<p>###############################################<\/p>\n<p><strong>Affected version \/ Tested on:<\/strong><br \/>\n4.0.7<br \/>\n<strong>Fixed version:<\/strong><br \/>\nN\/A<br \/>\n<strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/vadz\/libtiff\/commit\/a87eb62049f446204ed62c939f965eb76bd98001\">https:\/\/github.com\/vadz\/libtiff\/commit\/a87eb62049f446204ed62c939f965eb76bd98001<\/a><br \/>\n<strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00065-libtiff-fpe-readSeparateTilesIntoBuffer\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00065-libtiff-fpe-readSeparateTilesIntoBuffer<\/a><br \/>\n<strong>Relevant part of the stacktrace:<\/strong><\/p>\n<pre><font size=\"2\"># tiffcp $FILE \/tmp\/foo\r\n==13262==ERROR: AddressSanitizer: FPE on unknown address 0x00000051c43b (pc 0x00000051c43b bp 0x7ffdc8d81d70 sp 0x7ffdc8d81b20 T0)\r\n    #0 0x51c43a in readSeparateTilesIntoBuffer \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/tools\/tiffcp.c:1434:9\r\n<\/font><\/pre>\n<p>###############################################<\/p>\n<p><strong>Affected version \/ Tested on:<\/strong><br \/>\n4.0.7<br \/>\n<strong>Fixed version:<\/strong><br \/>\nN\/A<br \/>\n<strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/vadz\/libtiff\/commit\/296803e79542f5523be1009d64574507b9acc239\">https:\/\/github.com\/vadz\/libtiff\/commit\/296803e79542f5523be1009d64574507b9acc239<\/a><br \/>\n<strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00073-libtiff-fpe-writeBufferToSeparateTiles\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00073-libtiff-fpe-writeBufferToSeparateTiles<\/a><br \/>\n<strong>Relevant part of the stacktrace:<\/strong><\/p>\n<pre><font size=\"2\"># tiffcp -i $FILE \/tmp\/foo\r\n==3614==ERROR: AddressSanitizer: FPE on unknown address 0x00000051650a (pc 0x00000051650a bp 0x7fff41587d30 sp 0x7fff41587b00 T0)\r\n    #0 0x516509 in writeBufferToSeparateTiles \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/tools\/tiffcp.c:1591:13\r\n<\/font><\/pre>\n<p><strong>Credit:<\/strong><br \/>\nThese bugs were discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-11-20: started to post the issues to upstream<br \/>\n2017-01-01: blog post about the issues<\/p>\n<p><strong>Note:<\/strong><br \/>\nThese bugs were found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><br \/>\n<a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/01\/01\/libtiff-multiple-divide-by-zero\/\">libtiff: multiple divide-by-zero<\/a><\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Description: Libtiff is software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. Some crafted images, through fuzzing, revealed multiple divisions by zero. Given the number of issues, &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/01\/01\/libtiff-multiple-divide-by-zero\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},
"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-h6","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1060"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1060"}],"version-history":[{"count":6,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1060\/revisions"}],"predecessor-version":[{"id":1849,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1060\/revisions\/1849"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1060"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1060"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1060"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}