Buffer overflow in libtiff in Imagemagick

2011-03-23T00:00:00
ID SECURITYVULNS:DOC:25983
Type securityvulns
Reporter Securityvulns
Modified 2011-03-23T00:00:00

Description

--Credits: zgmzgm[at]mail.ustc.edu.cn

-- Disclosure Timeline: 3-17-2011

-- Affected Vendor: Imagemagick 6.6.8-5 Libtiff 6.9.4

-- Problem Description: A buffer overflow is triggered by displaying a malformed tiff image by the Imagemagick.The error information is followed:

display: malformed.tif: Wrong "StripByteCounts" field, ignoring and calculating from imagelength. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/706. display: malformed.tif: Read error on strip 0; got 46128 bytes, expected 80624532. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/496. Segmentation fault

We use flayer to trace the malformed tiff image and the flayer gives the following suggestions:

==1812== Warning: client syscall shmdt tried to modify addresses 0xFFFFFFFF-0xFFFFFFFF ==1812== Warning: set address range perms: large range 325120064 (defined) ==1812== Stack overflow in thread 1: can't grow stack to 0xBE394FAC ==1812== ==1812== Process terminating with default action of signal 11 (SIGSEGV) ==1812== Access not within mapped region at address 0xBE394FAC ==1812== at 0x484D407: (within /usr/lib/libX11.so.6.3.0) ==1812== Stack overflow in thread 1: can't grow stack to 0xBE394FA8 ==1812== ==1812== Process terminating with default action of signal 11 (SIGSEGV) ==1812== Access not within mapped region at address 0xBE394FA8 ==1812== at 0x401F2C1: _vgnU_freeres (vg_preloaded.c:56)

The flayer suggest that a stack overflow occurred in thread 1.This may allow remote attackers to execute arbitrary code.

You can download the malformed tiff image which lead to the application collapse: http://home.ustc.edu.cn/~zgmzgm/malformed.tif