-
Notifications
You must be signed in to change notification settings - Fork 168
/
libtiff-4.0.3.txt
47 lines (43 loc) · 1.61 KB
/
libtiff-4.0.3.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 01/08/2013 / Last updated: 12/10/2014
Issue: Use after free
CVE: 2013-4232
Impact: High
Exploitability: Undetermined
File: tiff-4.0.3/tools/tiff2pdf.c
Line: 2469
Code snippet:
if(samplebuffer==NULL){
TIFFError(TIFF2PDF_MODULE,
"Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s",
(unsigned long) t2p->tiff_datasize,
TIFFFileName(input));
t2p->t2p_error = T2P_ERR_ERROR;
_TIFFfree(buffer);
} else {
buffer=samplebuffer;
t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
}
t2p_sample_realize_palette(t2p, buffer);
Justification:
If samplebuffer is NULL, buffer will be freed. However at the end of the if statement, buffer is used again.
=========================================================
Issue: Buffer overflow
CVE: 2013-4231
Impact: High
Exploitability: Undetermined
File: tiff-4.0.3/tools/rgb2ycbcr.c
Line: 335
Code snippet:
{ char buf[2048];
char *cp = strrchr(TIFFFileName(in), '/');
sprintf(buf, "YCbCr conversion of %s", cp ? cp+1 : TIFFFileName(in));
TIFFSetField(out, TIFFTAG_IMAGEDESCRIPTION, buf);
}
Justification:
Use of sprintf to write into a 2048 character buffer. The input is the filename, which might be over 2048 if crafted by a malicious user. However I could not determine this as the code is not easy to navigate.
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>