Bug 1319503 - buffer overflow in gif2tiff
Summary: buffer overflow in gif2tiff
Status: ON_QA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libtiff   
Version: 7.4
Hardware: All Linux
unspecified
high
Target Milestone: rc
Assignee: Nikola Forró
QA Contact: Miroslav Hradílek
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks: CVE-2016-3186
 
Reported: 2016-03-20 18:11 UTC by Aladdin Mubaied
Modified: 2019-01-31 15:44 UTC (History)

Fixed In Version: libtiff-4.0.3-28.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
crasher (20 bytes, image/gif)
2016-03-20 18:11 UTC, Aladdin Mubaied

Description Aladdin Mubaied 2016-03-20 18:11:19 UTC
Created attachment 1138356 [details]
crasher

Hi, there is a buffer overflow in gif2tiff.c:353. Details are below: what it
appears to me is an overflow in the readextension function. I have attached a
copy of the crash.gif file for testing.

Please note that I'm running libtiff v4.0.6.

-bash$ gif2tiff  crash.gif /tmp/out.tiff
*** buffer overflow detected ***: /opt/libtiff/bin/gif2tiff terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f9c4b86c9c7]
/lib64/libc.so.6(+0x10bb90)[0x7f9c4b86ab90]
/lib64/libc.so.6(__fread_chk+0x12c)[0x7f9c4b86b26c]
/opt/libtiff/bin/gif2tiff[0x403aab]
/opt/libtiff/bin/gif2tiff[0x407a0d]
/opt/libtiff/bin/gif2tiff[0x402db9]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f9c4b780af5]
/opt/libtiff/bin/gif2tiff[0x402f15]
Aborted


gdb$ bt
#0  0x00007ffff75385c9 in raise () from /lib64/libc.so.6
#1  0x00007ffff7539cd8 in abort () from /lib64/libc.so.6
#2  0x00007ffff7578db7 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff76109c7 in __fortify_fail () from /lib64/libc.so.6
#4  0x00007ffff760eb90 in __chk_fail () from /lib64/libc.so.6
#5  0x00007ffff760f26c in __fread_chk () from /lib64/libc.so.6
#6  0x0000000000403aab in fread (__stream=<optimized out>,
__n=0xffffffffffffffff, __size=0x1, __ptr=0x7fffffffe3c0) at
/usr/include/bits/stdio2.h:290
#7  readextension () at gif2tiff.c:353
#8  0x0000000000407a0d in convert () at gif2tiff.c:222
#9  0x0000000000402db9 in main (argc=<optimized out>, argv=0x7fffffffe618) at
gif2tiff.c:178
#10 0x00007ffff7524af5 in __libc_start_main () from /lib64/libc.so.6
#11 0x0000000000402f15 in _start ()

Breakpoint 1, readextension () at gif2tiff.c:353
353            if (fread(buf, 1, count, infile) != (size_t) count) {
gdb-peda$ list
345 readextension(void)
346 {
347     int count;
348     char buf[255];
349     int status = 1;
350 
351     (void) getc(infile);
352     while ((count = getc(infile)) && count <= 255)
>>353        if (fread(buf, 1, count, infile) != (size_t) count) {
354             fprintf(stderr, "short read from file %s (%s)\n",
355                     filename, strerror(errno));
356             status = 0;
357             break;
358         }
359     return status;
360 }

Thanks 
Aladdin Mubaied
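A hardened version of the loop in the listing above, as an added example (not libtiff's own code or its upstream fix): it assumes the stream is positioned just after the 0x21 extension introducer, rejects the EOF value that the original `count <= 255` test let through, and uses fmemopen() to run over constructed byte strings rather than the reporter's crash.gif.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                          /* for fmemopen() */
#endif
#include <stdio.h>

/* Hardened reader for the extension sub-blocks after a GIF 0x21
 * introducer: a label byte, then (count, count bytes) pairs until count
 * is 0. Returns 1 on success, 0 on EOF or a short read. Added example. */
static int read_extension_hardened(FILE *infile)
{
    int count;
    char buf[255];

    if (getc(infile) == EOF)                 /* extension label byte */
        return 0;
    /* getc() returns EOF (-1) at end of file; -1 satisfies the original
     * test "count && count <= 255", so it reached fread() as (size_t)-1,
     * the __n=0xffffffffffffffff in the backtrace. Reject it first. */
    while ((count = getc(infile)) != 0) {
        if (count == EOF)
            return 0;
        if (fread(buf, 1, (size_t) count, infile) != (size_t) count)
            return 0;                        /* short read */
    }
    return 1;
}

/* Runs the reader over an in-memory byte string; -1 if fmemopen fails. */
static int parse_extension_bytes(const unsigned char *data, size_t len)
{
    FILE *f = fmemopen((void *) data, len, "r");
    int status;
    if (f == NULL)
        return -1;
    status = read_extension_hardened(f);
    fclose(f);
    return status;
}

/* Constructed inputs (not the reporter's crash.gif); the 0x21 introducer
 * is assumed already consumed and 0xFE is the Comment Extension label. */
static const unsigned char ext_ok[]      = { 0xFE, 0x03, 'a', 'b', 'c', 0x00 };
static const unsigned char ext_short[]   = { 0xFE, 0x05, 'a', 'b' };
static const unsigned char ext_no_term[] = { 0xFE, 0x02, 'a', 'b' };

int main(void)
{
    return parse_extension_bytes(ext_ok, sizeof ext_ok) == 1 ? 0 : 1;
}
```

The third input ends exactly where the next count byte should be, which is the situation that drove the original loop into fread() with a count of -1.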

Comment 1 Aladdin Mubaied 2016-03-20 18:11:53 UTC
The following CVE, CVE-2016-3186, is assigned for this bug.

Comment 3 Huzaifa S. Sidhpurwala 2016-03-25 06:15:16 UTC
Aladdin,

Hi, thanks for the report. After analysis it seems this is indeed an issue with the gif2tiff utility. Do you mind if I make this bug report public?

Comment 4 Aladdin Mubaied 2016-03-25 06:33:35 UTC
Sure, you can make it public.
Thanks

Comment 5 Huzaifa S. Sidhpurwala 2016-03-30 09:31:10 UTC
This bug corresponds to the security flaw at:
https://bugzilla.redhat.com/show_bug.cgi?id=1319666

