Bug 2524 – DoS with a crafted tiff file

Bug 2524 - DoS with a crafted tiff file

Summary:

DoS with a crafted tiff file

Status:	RESOLVED LATER

Product:	libtiff
Component:	default
Version:	unspecified
Platform:	PC Linux

Importance:	P2 normal
Target Milestone:	---
Assigned To:	Frank Warmerdam

URL:
Whiteboard:
Keywords:	migrated_to_gitlab

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2015-09-21 09:52 by gustavo.grieco@imag.fr
Modified:	2019-10-01 14:20 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From gustavo.grieco@imag.fr 2015-09-21 09:52:33

Hi,

We found a DoS using a crafted tiff file that causes a OOM kill in low memory
system (usually less than 3GB). This was tested in Ubuntu 14.04 (64bit) but the
issue exists even in the CVS libtiff version. Please find attached the
compressed test case (otherwise it can kill my browser since gdk-pixbuf is
loading tiff files in the preview dialog!). You can test it executing:

$ tiffdither oom.tif /dev/null

If you run it with ltrace, you can see some very large reallocs:

libtiff.so.5->realloc(0, 1636178024)                                           
             = 0x7f71a42b6010
libtiff.so.5->realloc(0, 1636178024)                                           
             = 0x7f7142a54010

Despite it is a low risk security issue, it could be hiding some more severe
issues and i think it should be investigated.

This vulnerability was found using QuickFuzz.

Regards,

------- Comment #1 From Frank Warmerdam 2015-09-21 17:49:03 -------

FYI, the file has a # of image lines around four billion.  I didn't dig into it
closely when first reported, but it might be that auto-strip-chopping is
creating an expensive/large data structure.  

I'm not entirely confident whether to treat library requests for large amounts
of memory as a defect in the library.  It makes me sad that modern operating
systems seem to have trouble just return NULL for malloc() calls for which
there isn't enough memory available.  (If my assumptions are correct).

------- Comment #2 From Roger Leigh 2016-07-04 17:06:20 -------

See also: https://github.com/ome/ome-files-cpp/issues/22

This includes testcases and some initial investigation into where the problems
lie and how they might be fixed.

It would be useful to add checks to functions which would read data after the
end of file since this is clearly invalid.  I'm looking at whether libtiff
stores the file size anywhere on read, but haven't found it yet.  I've found
_tiffSizeProc(fd) but it's not exposed even in internal headers.  Could this be
made more public so we can query the file size when accessing field data or
anywhere else using offsets?

------- Comment #3 From Even Rouault 2019-10-01 14:20:03 -------

Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.