LibTIFF 'td_stripbytecount' NULL Pointer Dereference Remote Denial of Service

2010-08-09 / 2010-08-10
Credit: Tomas Hoger
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Description of problem:

Originally reported by Sauli Pahlman in Launchpad:
https://bugs.launchpad.net/bugs/589145

Attached tif file triggers NULL pointer dereference in OJPEG handling code.

Version-Release number of selected component (if applicable):
libtiff-3.9.2-3.el6.i686

Steps to Reproduce:
tiff2rgba lp589145-sample.tif /dev/null

Additional info:

Program received signal SIGSEGV, Segmentation fault.
0x00962250 in OJPEGReadBufferFill (sp=0x804cbf8) at tif_ojpeg.c:1912
1912        sp->in_buffer_file_pos=sp->tif->tif_dir.td_stripoffset[sp->in_buffer_next_strile];
(gdb) print sp->tif->tif_dir.td_stripoffset
$1 = (toff_t *) 0x0
(gdb) bt
#0  0x00962250 in OJPEGReadBufferFill (sp=0x804cbf8) at tif_ojpeg.c:1912
#1  0x00963327 in OJPEGReadBytePeek (byte=<value optimized out>, sp=<value optimized out>) at tif_ojpeg.c:1956
#2  OJPEGReadHeaderInfoSec (byte=<value optimized out>, sp=<value optimized out>) at tif_ojpeg.c:1231
#3  0x00964319 in OJPEGSubsamplingCorrect (tif=0x804c548) at tif_ojpeg.c:959
#4  0x00964586 in OJPEGVGetField (tif=<value optimized out>, tag=<value optimized out>, ap=<value optimized out>) at tif_ojpeg.c:466
#5  0x00942fbb in TIFFVGetField (tif=<value optimized out>, tag=<value optimized out>, ap=<value optimized out>) at tif_dir.c:966
#6  0x00943a1c in TIFFGetField (tif=<value optimized out>, tag=<value optimized out>) at tif_dir.c:950
#7  0x00970204 in TIFFScanlineSize (tif=<value optimized out>) at tif_strip.c:237
#8  0x0094876b in TIFFReadDirectory (tif=<value optimized out>) at tif_dirread.c:713
#9  0x0096670c in TIFFClientOpen (name=<value optimized out>, mode=<value optimized out>, clientdata=<value optimized out>, readproc=<value optimized out>, writeproc=<value optimized out>, seekproc=<value optimized out>, closeproc=<value optimized out>, sizeproc=<value optimized out>, mapproc=<value optimized out>, unmapproc=<value optimized out>) at tif_open.c:436
#10 0x009714c3 in TIFFFdOpen (fd=<value optimized out>, name=<value optimized out>, mode=<value optimized out>) at tif_unix.c:139
#11 0x0097154d in TIFFOpen (name=<value optimized out>, mode=<value optimized out>) at tif_unix.c:178
#12 0x08048d24 in main (argc=<value optimized out>, argv=<value optimized out>) at tiff2rgba.c:112
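The backtrace above shows the failure mode in one line: the OJPEG reader indexes the directory's strip-offset table without first checking that the table exists, and a malformed file that carries no usable strip offsets leaves that pointer NULL. The following C program is an added example, not code from LibTIFF or from the bug report, that models the unguarded lookup next to a hardened form which validates the table and the index and reports an error instead of crashing. The struct and function names (tiff_dir_model, strip_pos_unchecked, strip_pos_checked) and the uint64_t stand-in for toff_t are assumptions made for the example; the bounds check on the strip index goes one step beyond the NULL check that this specific report calls for.

```c
/* Added example (not LibTIFF code): the unguarded strip-offset lookup from
 * the backtrace, modelled alongside a checked version that rejects the
 * malformed-directory case cleanly.  All identifiers here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint64_t toff_t;  /* stand-in for libtiff's file-offset type */

/* Reduced stand-in for the relevant part of the directory structure.
 * td_stripoffset stays NULL when the file supplies no strip-offset table;
 * that is exactly the state the gdb session above shows ($1 = (toff_t *) 0x0). */
typedef struct {
    toff_t   *td_stripoffset;   /* per-strip file offsets, or NULL if absent */
    uint32_t  td_nstrips;       /* number of entries in td_stripoffset */
} tiff_dir_model;

/* Mirrors tif_ojpeg.c:1912 in the report: the table is indexed without
 * checking that it exists.  With td_stripoffset == NULL this is the
 * NULL pointer dereference (SIGSEGV) the advisory describes. */
toff_t strip_pos_unchecked(const tiff_dir_model *dir, uint32_t strile)
{
    return dir->td_stripoffset[strile];
}

/* Hardened form: validate the table and the index before use and hand the
 * failure back to the caller.  Returns 1 and stores the offset in *pos on
 * success; returns 0 and leaves *pos untouched when the table is missing
 * or the strip index is out of range. */
int strip_pos_checked(const tiff_dir_model *dir, uint32_t strile, toff_t *pos)
{
    if (dir == NULL || dir->td_stripoffset == NULL) {
        fprintf(stderr, "strip offsets are missing from the directory\n");
        return 0;
    }
    if (strile >= dir->td_nstrips) {
        fprintf(stderr, "strip index %u out of range (%u strips)\n",
                (unsigned)strile, (unsigned)dir->td_nstrips);
        return 0;
    }
    *pos = dir->td_stripoffset[strile];
    return 1;
}

int main(void)
{
    /* Constructed sample: a directory whose strip-offset table was never set,
     * the situation a malformed OJPEG file produces in the report. */
    tiff_dir_model broken = { NULL, 0 };
    toff_t pos = 0;

    if (!strip_pos_checked(&broken, 0, &pos))
        puts("malformed directory rejected cleanly (no crash)");
    /* strip_pos_unchecked(&broken, 0) would segfault here, as in the report. */

    /* Constructed well-formed directory with two strips. */
    toff_t offsets[2] = { 8, 4096 };
    tiff_dir_model ok = { offsets, 2 };
    if (strip_pos_checked(&ok, 1, &pos))
        printf("strip 1 starts at file offset %llu\n", (unsigned long long)pos);
    return 0;
}
```

The point for a reader triaging this class of bug: the crash is purely a missing validation of parser state, so the fix lives at the lookup (or earlier, when the directory is read), and the caller chain seen in the backtrace (TIFFScanlineSize via TIFFGetField) already propagates a zero return as an error.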

References:

https://bugzilla.redhat.com/show_bug.cgi?id=608010
https://bugzilla.redhat.com/show_bug.cgi?id=603024
https://bugs.launchpad.net/bugs/597246
http://www.openwall.com/lists/oss-security/2010/06/30/22
http://secunia.com/advisories/40422
http://marc.info/?l=oss-security&m=127797353202873&w=2
http://marc.info/?l=oss-security&m=127738540902757&w=2
http://marc.info/?l=oss-security&m=127736307002102&w=2
http://bugzilla.maptools.org/show_bug.cgi?id=1996



Copyright 2024, cxsecurity.com
