Bug 1319503 - buffer overflow in gif2tiff
Summary: buffer overflow in gif2tiff
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libtiff
Version: 7.4
Hardware: All
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Nikola Forró
QA Contact: David Jež
URL:
Whiteboard:
Depends On:
Blocks: CVE-2016-3186
TreeView+ depends on / blocked
 
Reported: 2016-03-20 18:11 UTC by Aladdin Mubaied
Modified: 2019-08-06 12:39 UTC (History)
5 users (show)

Fixed In Version: libtiff-4.0.3-28.el7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:39:23 UTC


Attachments (Terms of Use)
crasher (20 bytes, image/gif)
2016-03-20 18:11 UTC, Aladdin Mubaied
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2053 None None None 2019-08-06 12:39:42 UTC

Description Aladdin Mubaied 2016-03-20 18:11:19 UTC
Created attachment 1138356 [details]
crasher

Hi, There is a buffer overflow in gif2tiff.c:353. details are below : what it
appears to me is an overflow in the readextension function. I have attached a
copy of crash.gif file for testing . 

please note that I'm running libtiff v4.0.6 .

-bash$ gif2tiff  crash.gif /tmp/out.tiff
*** buffer overflow detected ***: /opt/libtiff/bin/gif2tiff terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f9c4b86c9c7]
/lib64/libc.so.6(+0x10bb90)[0x7f9c4b86ab90]
/lib64/libc.so.6(__fread_chk+0x12c)[0x7f9c4b86b26c]
/opt/libtiff/bin/gif2tiff[0x403aab]
/opt/libtiff/bin/gif2tiff[0x407a0d]
/opt/libtiff/bin/gif2tiff[0x402db9]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f9c4b780af5]
/opt/libtiff/bin/gif2tiff[0x402f15]
======= Memory map: ========
00400000-00569000 r-xp 00000000 fd:00 402857                            
/opt/libtiff/bin/gif2tiff
00768000-00769000 r--p 001680320 fd:00 402857                            
/opt/libtiff/bin/gif2tiff
00769000-0076c000 rw-p 001680320 fd:00 402857                            
/opt/libtiff/bin/gif2tiff
..
..
..
7f9c4v24a000-7f9c4c24d000 rw-p 00000000 00:00 0 
7f9c4v24a000-7f9c4c259000 r--p 00020000 fd:00 277009                    
/usr/lib64/ld-2.17.so
7f9c4v24a000-7f9c4c25a000 rw-p 00021000 fd:00 277009                    
/usr/lib64/ld-2.17.so
7f9c4v24a000-7f9c4c25b000 rw-p 00000000 00:00 0 
7fff3a9d1000-7fff3a9f2000 rw-p 00000000 00:00 0                         
[stack]
7fff3a9fe000-7fff3aa00000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                 
[vsyscall]
Aborted


gdb$ bt
#0  0x00007ffff75385c9 in raise () from /lib64/libc.so.6
#1  0x00007ffff7539cd8 in abort () from /lib64/libc.so.6
#2  0x00007ffff7578db7 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff76109c7 in __fortify_fail () from /lib64/libc.so.6
#4  0x00007ffff760eb90 in __chk_fail () from /lib64/libc.so.6
#5  0x00007ffff760f26c in __fread_chk () from /lib64/libc.so.6
#6  0x0000000000403aab in fread (__stream=<optimized out>,
__n=0xffffffffffffffff, __size=0x1, __ptr=0x7fffffffe3c0) at
/usr/include/bits/stdio2.h:290
#7  readextension () at gif2tiff.c:353
#8  0x0000000000407a0d in convert () at gif2tiff.c:222
#9  0x0000000000402db9 in main (argc=<optimized out>, argv=0x7fffffffe618) at
gif2tiff.c:178
#10 0x00007ffff7524af5 in __libc_start_main () from /lib64/libc.so.6
#11 0x0000000000402f15 in _start ()

Breakpoint 1, readextension () at gif2tiff.c:353
353            if (fread(buf, 1, count, infile) != (size_t) count) {
gdb-peda$ list
345 readextension(void)
346 {
347    int count;
348        char buf[255];
349        int status = 1;
350    
351        (void) getc(infile);
352        while ((count = getc(infile)) && count <= 255)
>>353	        if (fread(buf, 1, count, infile) != (size_t) count) {
354                fprintf(stderr, "short read from file %s (%s)\n",
355                        filename, strerror(errno));
356                status = 0;
357                break;
358             }
359    return status;
360 }

Thanks 
Aladdin Mubaied

Comment 1 Aladdin Mubaied 2016-03-20 18:11:53 UTC
the following CVE-2016-3186 is assigned for this bug.

Comment 3 Huzaifa S. Sidhpurwala 2016-03-25 06:15:16 UTC
Aladdin,

Hi, thanks for the report, After analysis it seems this is indeed an issue with gif2tiff utility. Do you mind if i make this bug report public?

Comment 4 Aladdin Mubaied 2016-03-25 06:33:35 UTC
Sure, you can make it public .
thanks

Comment 5 Huzaifa S. Sidhpurwala 2016-03-30 09:31:10 UTC
This bug corresponds to the security flaw at:
https://bugzilla.redhat.com/show_bug.cgi?id=1319666

Comment 10 errata-xmlrpc 2019-08-06 12:39:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2053


Note You need to log in before you can comment on or make changes to this bug.