Security Issue Report #19
Comments
This is fixed by: @@ -583,7 +604,8 @@ static void TinyTIFFReader_readNextFrame(TinyTIFFReaderFile* tiff) {
} break;
case TIFF_FIELD_COMPRESSION: tiff->currentFrame.compression=ifd.value; break;
- case TIFF_FIELD_STRIPOFFSETS: {
+ case TIFF_FIELD_STRIPOFFSETS:
+ if (ifd.count && ifd.pvalue) { In this case just ifd.pvalue was empty. Reading from NULL is not particularly security relevant. case TIFF_FIELD_STRIPBYTECOUNTS:
if (ifd.count && ifd.pvalue) { |
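Review bot: The new `if (ifd.count && ifd.pvalue)` guard on `TIFF_FIELD_STRIPOFFSETS` and `TIFF_FIELD_STRIPBYTECOUNTS` skips the copy silently, and the visible lines show no else branch that reports an error or marks the frame as invalid. A file that declares one of these tags without readable values would then leave the frame's strip offsets or byte counts unset, so any code that reads strips afterwards has to cope with that; consider failing the frame when the guard is not met. The condition also only tests that `ifd.count` is non-zero and `ifd.pvalue` is non-NULL, so it is worth confirming that the copy length inside the block is bounded by the number of values actually read into `ifd.pvalue`, since the report's ASan finding is a global-buffer-overflow in `__asan_memcpy`.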
rurban added a commit to SpexAI/TinyTIFF that referenced this issue Apr 9, 2024
don't copy empty ifd.pvalue for TIFF_FIELD_STRIPBYTECOUNTS and TIFF_FIELD_STRIPOFFSETS
is fixed via 3049159
Project Address
https://github.com/jkriege2/TinyTIFF
Security Issue Report
A global-buffer-overflow issue was discovered in TinyTIFF in the tinytiffreader.c file. The flaw allows an attacker to cause a denial of service (abort) via a crafted file.
OS information
Summary
AddressSanitizer: global-buffer-overflow (/home/ubuntu/Desktop/TinyTIFF/src/asan_tinytiffreader+0x4969c6) in __asan_memcpy
Problem Code location
Poc file: id8
asan_tinytiffreader
compile the test case in the source
modify the tinytiffreader.c file, add harness
then, compile the tinytiffreader.c
test with poc
This program will trigger a global-buffer-overflow crash. The ASan-compiled program is asan_tinytiffreader.
ASAN Report:
Use gdb to debug this crash
You can see "../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory." I think this problem is caused by abnormal references to pointers. See this link. This one bug I tested on multiple systems crashed.