Bug 2812 - out-of-bound read vulnerability in function TIFFReadSeparateTileData and function TIFFReadContigTileData in tools/tiffinfoce.c
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: 4.0.1
Hardware: PC Windows NT
Importance: P2 enhancement
Target Milestone: ---
Keywords: migrated_to_gitlab
Reported: 2018-09-07 11:34 by
Modified: 2019-10-01 14:21 (History)

Description From 2018-09-07 11:34:56
There are two out-of-bound read vulnerabilities in function
TIFFReadSeparateTileData and function TIFFReadContigTileData in
tools/tiffinfoce.c.

void
TIFFReadSeparateTileData(TIFF* tif)
{
        unsigned char *buf;
        tsize_t rowsize = TIFFTileRowSize(tif);   /* 0 on error; never checked below */

        buf = (unsigned char *)_TIFFmalloc(TIFFTileSize(tif));
        if (buf) {
                uint32 tw, th, w, h;
                uint32 row, col;
                tsample_t s, samplesperpixel;

                TIFFGetField(tif, TIFFTAG_IMAGEWIDTH, &w);
                TIFFGetField(tif, TIFFTAG_IMAGELENGTH, &h);
                TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw);
                TIFFGetField(tif, TIFFTAG_TILELENGTH, &th);   /* th is taken from the file and never compared with the tile buffer size */
                TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samplesperpixel);
                for (row = 0; row < h; row += th) {
                        for (col = 0; col < w; col += tw) {
                                for (s = 0; s < samplesperpixel; s++) {
                                        if (TIFFReadTile(tif, buf, col, row, 0, s) < 0) {
                                                if (stoponerr)
                                                        break;
                                        } else if (showdata)
                                                /* walks th * rowsize bytes of buf, which holds only TIFFTileSize(tif) bytes */
                                                ShowTile(row, col, s, buf, th, rowsize);
                                }
                        }
                }
                _TIFFfree(buf);
        }
}

If the condition "rowsize == 0" or "th > TIFFTileSize(tif)/rowsize" holds, the program
should return. This issue is the same as in TIFFReadContigTileData.

Below is the proposed patch for function TIFFReadSeparateTileData.
 TIFFReadSeparateTileData(TIFF* tif)
 {
        unsigned char *buf;
-       tsize_t rowsize = TIFFTileRowSize(tif);
+        tmsize_t rowsize = TIFFTileRowSize(tif);
+        tmsize_t tilesize = TIFFTileSize(tif);

-       buf = (unsigned char *)_TIFFmalloc(TIFFTileSize(tif));
+       buf = (unsigned char *)_TIFFmalloc(tilesize);
        if (buf) {
-               uint32 tw, th, w, h;
+               uint32 tw=0, th=0, w=0, h=0;
                uint32 row, col;
                tsample_t s, samplesperpixel;

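Review bot: the patch covers only TIFFReadSeparateTileData, while the description says TIFFReadContigTileData has the same issue; the same guard belongs there too before this becomes a merge request. Also, the two added declarations (`tmsize_t rowsize`, `tmsize_t tilesize`) are indented with spaces where the surrounding lines use tabs, and this first hunk has lost its `@@` header (only the second hunk has one), so the patch will not apply as posted; regenerate it with `git diff` or `git format-patch`.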
@@ -331,6 +332,12 @@ TIFFReadSeparateTileData(TIFF* tif)
                TIFFGetField(tif, TIFFTAG_TILEWIDTH, &tw);
                TIFFGetField(tif, TIFFTAG_TILELENGTH, &th);
                TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samplesperpixel);
+               if( rowsize == 0 || th > tilesize / rowsize )
+               {
+                       fprintf(stderr, "Cannot display data: th * rowsize >
tilesize\n");
+                       _TIFFfree(buf);
+                       return;
+               }
                for (row = 0; row < h; row += th) {
                        for (col = 0; col < w; col += tw) {
                                for (s = 0; s < samplesperpixel; s++) {
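Review bot: the new guard does not reject `th == 0` or `tw == 0`. It rejects `rowsize == 0` and an oversized `th`, but a zero `th` passes (`0 > tilesize / rowsize` is false) and the loop `row += th` below then never advances when `h > 0`; the same holds for `tw` in `col += tw`. Extend the condition to `th == 0 || tw == 0 || rowsize == 0 || th > tilesize / rowsize`, which is exactly the case the new `tw=0, th=0` initialisers exist for (a failed TIFFGetField). Separately, the `fprintf` string literal is split across two lines in the posted hunk and will not compile as shown; keep it on one line or use adjacent string literals.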
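The guard proposed in the description, as an added example in C that is not libtiff's code: `tile_rows_fit` implements the `rowsize == 0 || th > tilesize / rowsize` condition in its division form, so that `th * rowsize` is never computed and cannot overflow, and `show_tile_checked` is a hypothetical stand-in for ShowTile that refuses to walk the buffer unless the check passes. It goes beyond the report in also rejecting `th == 0`, since the caller's loop steps by `th`. The 64-byte tile in `main` is constructed sample data, and `tmsize_t` is typedef'd locally to int64_t to keep the example self-contained.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in for libtiff's signed size type (assumption: 64-bit build). */
typedef int64_t tmsize_t;

/* Returns 1 when `th` rows of `rowsize` bytes fit in a buffer of `tilesize`
 * bytes, 0 otherwise. The comparison is done as th <= tilesize / rowsize so
 * the product th * rowsize is never formed and cannot overflow. rowsize <= 0
 * is rejected (it would divide by zero and means TIFFTileRowSize failed);
 * th == 0 is rejected as well (beyond the report) because a caller that
 * advances its row loop by th would never terminate. */
int tile_rows_fit(tmsize_t tilesize, uint32_t th, tmsize_t rowsize)
{
    if (tilesize <= 0 || rowsize <= 0 || th == 0)
        return 0;
    return (tmsize_t)th <= tilesize / rowsize;
}

/* Hypothetical stand-in for ShowTile: dumps `th` rows of `rowsize` bytes
 * from `buf` only after the dimensions are validated against `tilesize`.
 * Returns the number of bytes read, or -1 when the check rejects the tile,
 * so the caller (and a test) can confirm that nothing past the buffer was
 * touched. */
tmsize_t show_tile_checked(const unsigned char *buf, tmsize_t tilesize,
                           uint32_t th, tmsize_t rowsize)
{
    tmsize_t touched = 0;

    if (!tile_rows_fit(tilesize, th, rowsize)) {
        /* Same diagnostic wording as the proposed patch. */
        fprintf(stderr, "Cannot display data: th * rowsize > tilesize\n");
        return -1;
    }
    for (uint32_t r = 0; r < th; r++) {
        const unsigned char *row = buf + (tmsize_t)r * rowsize;
        for (tmsize_t i = 0; i < rowsize; i++)
            printf("%02x%c", row[i], i + 1 == rowsize ? '\n' : ' ');
        touched += rowsize;
    }
    return touched;
}

int main(void)
{
    /* Constructed sample tile: 64 bytes, i.e. 4 rows of 16 bytes. */
    unsigned char tile[64];
    memset(tile, 0xab, sizeof tile);

    /* Consistent tags: 4 rows of 16 bytes fit in 64 bytes. */
    printf("valid tile: read %lld bytes\n",
           (long long)show_tile_checked(tile, sizeof tile, 4, 16));

    /* Malformed tags: TIFFTAG_TILELENGTH claims 5 rows, one past the buffer. */
    printf("oversized th: %lld\n",
           (long long)show_tile_checked(tile, sizeof tile, 5, 16));

    /* Values whose product would overflow a 64-bit signed multiply are still
     * rejected, because only the division is evaluated. */
    printf("overflowing th * rowsize: %d\n",
           tile_rows_fit(sizeof tile, UINT32_MAX, INT64_MAX / 2));
    return 0;
}
```

The division form is the important detail: with `th` coming straight from TIFFTAG_TILELENGTH, a check written as `th * rowsize > tilesize` can itself overflow and pass, whereas `th > tilesize / rowsize` is safe for any `th` once `rowsize > 0` is established.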
------- Comment #1 From 2019-01-29 05:50:57 -------
you could (should?) create a merge request on
https://gitlab.com/libtiff/libtiff
------- Comment #2 From 2019-10-01 14:21:23 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.