[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Buffer overflow in libtiff in Imagemagick
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Buffer overflow in libtiff in Imagemagick
- From: zgmzgm@xxxxxxxxxxxxxxxx
- Date: Mon, 21 Mar 2011 01:11:17 -0600
--Credits:
zgmzgm[at]mail.ustc.edu.cn
-- Disclosure Timeline:
3-17-2011
-- Affected Vendor:
Imagemagick 6.6.8-5
Libtiff 6.9.4
-- Problem Description:
A buffer overflow is triggered by displaying a malformed tiff image by the
Imagemagick.The error information is followed:
display: malformed.tif: Wrong "StripByteCounts" field, ignoring and calculating
from imagelength. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/706.
display: malformed.tif: Read error on strip 0; got 46128 bytes, expected
80624532. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/496.
Segmentation fault
We use flayer to trace the malformed tiff image and the flayer gives the
following suggestions:
==1812== Warning: client syscall shmdt tried to modify addresses
0xFFFFFFFF-0xFFFFFFFF
==1812== Warning: set address range perms: large range 325120064 (defined)
==1812== Stack overflow in thread 1: can't grow stack to 0xBE394FAC
==1812==
==1812== Process terminating with default action of signal 11 (SIGSEGV)
==1812== Access not within mapped region at address 0xBE394FAC
==1812== at 0x484D407: (within /usr/lib/libX11.so.6.3.0)
==1812== Stack overflow in thread 1: can't grow stack to 0xBE394FA8
==1812==
==1812== Process terminating with default action of signal 11 (SIGSEGV)
==1812== Access not within mapped region at address 0xBE394FA8
==1812== at 0x401F2C1: _vgnU_freeres (vg_preloaded.c:56)
The flayer suggest that a stack overflow occurred in thread 1.This may allow
remote attackers to execute arbitrary code.
You can download the malformed tiff image which lead to the application
collapse:
http://home.ustc.edu.cn/~zgmzgm/malformed.tif