libFreeImage3.18 Stack-overflow

2019.05.20
cn yes (CN) cn
Risk: High
Local: Yes
Remote: Yes
CVE: N/A
CWE: N/A

A stack overflow occurs at line 1284 of PluginTIFF.cpp. When reading a TIFF file, the program calls the 'Load' function in 'PluginTIFF.cpp'. At line 2251 of the 'Load' function, the program calls the 'ReadThumbnail' function:

    ReadThumbnail(io, handle, data, tif, dib);

Inside 'ReadThumbnail', 'Load' is called again on line 1288. Whether this recursion happens is decided by the return value of the 'TIFFSetSubDirectory' function:

    if(TIFFSetSubDirectory(tiff, subIFD_offsets[0])) {
        // load the thumbnail
        int page = -1;
        int flags = TIFF_DEFAULT;
        thumbnail = Load(io, handle, page, flags, data);
        // store the thumbnail (remember to release it before return)
        FreeImage_SetThumbnail(dib, thumbnail);
    }

The return value of 'TIFFSetSubDirectory' is in turn the result of the 'TIFFReadDirectory' function. Under some special conditions 'TIFFReadDirectory' always returns 1, so 'Load' and 'ReadThumbnail' keep calling each other until the program's stack space is exhausted:

    TIFFSetSubDirectory(TIFF* tif, uint64 diroff)
    {
        tif->tif_nextdiroff = diroff;
        /*
         * Reset tif_dirnumber counter and start new list of seen directories.
         * We need this to prevent IFD loops.
         */
        tif->tif_dirnumber = 0;
        return (TIFFReadDirectory(tif));
    }

The following is a concrete example of the resulting memory corruption (a crash), which an attacker can use for remote denial of service:
    #12470 0x00005555555c25ab in Load ()
    #12471 0x00005555555c25ab in Load ()
    #12472 0x00005555555c25ab in Load ()
    #12473 0x00005555555c25ab in Load ()
    #12474 0x00005555555c25ab in Load ()
    #12475 0x00005555555c25ab in Load ()
    #12476 0x00005555555c25ab in Load ()
    #12477 0x00005555555c25ab in Load ()
    #12478 0x00005555555c25ab in Load ()
    #12479 0x0000555555596796 in FreeImage_LoadFromHandle ()
    #12480 0x0000555555596838 in FreeImage_Load ()
    #12481 0x000055555558fd5f in main (argc=0x2, argv=0x7fffffffe038) at harness.cpp:43
    #12482 0x00007ffff7ae509b in __libc_start_main (main=0x55555558fcb5 <main(int, char const**)>, argc=0x2, argv=0x7fffffffe038, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe028) at ../csu/libc-start.c:308
    #12483 0x000055555558fbfa in _start ()
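The mutual recursion above (Load -> ReadThumbnail -> Load) is only bounded if the walk over SubIFD offsets is bounded. The following added example, which is not FreeImage or libtiff code, models that descent over a constructed in-memory IFD table and shows the two guards a fix needs: a set of offsets already on the current path (to reject IFD loops) and a hard depth limit. The Ifd/IfdTable types, the function names and the kMaxThumbnailDepth value are assumptions made for the example.

```cpp
#include <cassert>
#include <cstdint>
#include <map>
#include <set>

// Constructed model of a TIFF file: each directory (IFD) is keyed by its byte
// offset and may carry a SubIFD offset pointing at a thumbnail directory (0 = none).
struct Ifd { uint64_t subIfdOffset; };
using IfdTable = std::map<uint64_t, Ifd>;

// Assumed bound: a real thumbnail chain needs only one or two levels.
const int kMaxThumbnailDepth = 8;

// Hardened equivalent of Load: follows the SubIFD like ReadThumbnail does, but
// stops on a revisited offset (loop) or when the depth bound is exceeded.
// 'visited' counts directories actually loaded; returns false on rejection.
bool loadDirectory(const IfdTable& file, uint64_t offset, int depth,
                   std::set<uint64_t>& onPath, int& visited) {
    if (depth > kMaxThumbnailDepth) return false;      // unbounded recursion guard
    if (!onPath.insert(offset).second) return false;   // offset already on the path: IFD loop
    auto it = file.find(offset);
    if (it == file.end()) return false;                // dangling SubIFD offset
    ++visited;
    uint64_t sub = it->second.subIfdOffset;
    if (sub == 0) return true;                         // no thumbnail: descent ends here
    // ReadThumbnail step: descend into the SubIFD one level deeper
    return loadDirectory(file, sub, depth + 1, onPath, visited);
}

// Entry point mirroring FreeImage_Load: number of IFDs loaded, or -1 if the file was rejected.
int loadImage(const IfdTable& file, uint64_t firstIfdOffset) {
    std::set<uint64_t> onPath;
    int visited = 0;
    return loadDirectory(file, firstIfdOffset, 0, onPath, visited) ? visited : -1;
}

// Constructed sample files (offsets are arbitrary).
IfdTable benignFile()  { return {{8, {100}}, {100, {0}}}; }   // main IFD -> one thumbnail IFD
IfdTable loopingFile() { return {{8, {100}}, {100, {8}}}; }   // thumbnail IFD points back at main IFD
IfdTable selfFile()    { return {{8, {8}}}; }                 // SubIFD offset points at itself

int main() {
    assert(loadImage(benignFile(), 8) == 2);
    assert(loadImage(loopingFile(), 8) == -1);   // would recurse forever without the guards
    assert(loadImage(selfFile(), 8) == -1);
    return 0;
}
```

Without the onPath check, loopingFile() and selfFile() reproduce the unbounded Load frames seen in the backtrace; with it, the loader fails closed after a handful of frames.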


Copyright 2019, cxsecurity.com