Created attachment 1138356: crasher

Hi,

There is a buffer overflow in gif2tiff.c:353. Details are below. What it appears to me is an overflow in the readextension function. I have attached a copy of the crash.gif file for testing. Please note that I'm running libtiff v4.0.6.

-bash$ gif2tiff crash.gif /tmp/out.tiff
*** buffer overflow detected ***: /opt/libtiff/bin/gif2tiff terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f9c4b86c9c7]
/lib64/libc.so.6(+0x10bb90)[0x7f9c4b86ab90]
/lib64/libc.so.6(__fread_chk+0x12c)[0x7f9c4b86b26c]
/opt/libtiff/bin/gif2tiff[0x403aab]
/opt/libtiff/bin/gif2tiff[0x407a0d]
/opt/libtiff/bin/gif2tiff[0x402db9]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f9c4b780af5]
/opt/libtiff/bin/gif2tiff[0x402f15]
======= Memory map: ========
00400000-00569000 r-xp 00000000 fd:00 402857 /opt/libtiff/bin/gif2tiff
00768000-00769000 r--p 001680320 fd:00 402857 /opt/libtiff/bin/gif2tiff
00769000-0076c000 rw-p 001680320 fd:00 402857 /opt/libtiff/bin/gif2tiff
..
..
..
7f9c4v24a000-7f9c4c24d000 rw-p 00000000 00:00 0
7f9c4v24a000-7f9c4c259000 r--p 00020000 fd:00 277009 /usr/lib64/ld-2.17.so
7f9c4v24a000-7f9c4c25a000 rw-p 00021000 fd:00 277009 /usr/lib64/ld-2.17.so
7f9c4v24a000-7f9c4c25b000 rw-p 00000000 00:00 0
7fff3a9d1000-7fff3a9f2000 rw-p 00000000 00:00 0 [stack]
7fff3a9fe000-7fff3aa00000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted

gdb$ bt
#0  0x00007ffff75385c9 in raise () from /lib64/libc.so.6
#1  0x00007ffff7539cd8 in abort () from /lib64/libc.so.6
#2  0x00007ffff7578db7 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff76109c7 in __fortify_fail () from /lib64/libc.so.6
#4  0x00007ffff760eb90 in __chk_fail () from /lib64/libc.so.6
#5  0x00007ffff760f26c in __fread_chk () from /lib64/libc.so.6
#6  0x0000000000403aab in fread (__stream=<optimized out>, __n=0xffffffffffffffff, __size=0x1, __ptr=0x7fffffffe3c0) at /usr/include/bits/stdio2.h:290
#7  readextension () at gif2tiff.c:353
#8  0x0000000000407a0d in convert () at gif2tiff.c:222
#9  0x0000000000402db9 in main (argc=<optimized out>, argv=0x7fffffffe618) at gif2tiff.c:178
#10 0x00007ffff7524af5 in __libc_start_main () from /lib64/libc.so.6
#11 0x0000000000402f15 in _start ()

Breakpoint 1, readextension () at gif2tiff.c:353
353         if (fread(buf, 1, count, infile) != (size_t) count) {

gdb-peda$ list
345 readextension(void)
346 {
347     int count;
348     char buf[255];
349     int status = 1;
350
351     (void) getc(infile);
352     while ((count = getc(infile)) && count <= 255)
>>353       if (fread(buf, 1, count, infile) != (size_t) count) {
354             fprintf(stderr, "short read from file %s (%s)\n",
355                 filename, strerror(errno));
356             status = 0;
357             break;
358         }
359     return status;
360 }

Thanks
Aladdin Mubaied
CVE-2016-3186 has been assigned to this bug.
Hi Aladdin, thanks for the report. After analysis it seems this is indeed an issue with the gif2tiff utility. Do you mind if I make this bug report public?
Sure, you can make it public. Thanks.
This bug corresponds to the security flaw at: https://bugzilla.redhat.com/show_bug.cgi?id=1319666
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2053