βCredits:
zgmzgm[at]mail.ustc.edu.cn
β Disclosure Timeline:
3-17-2011
β Affected Vendor:
Imagemagick 6.6.8-5
Libtiff 6.9.4
β Problem Description:
A buffer overflow is triggered by displaying a malformed tiff image by the Imagemagick.The error information is followed:
display: malformed.tif: Wrong "StripByteCounts" field, ignoring and calculating from imagelength. `TIFFReadDirectory' @ warning/tiff.c/TIFFWarnings/706.
display: malformed.tif: Read error on strip 0; got 46128 bytes, expected 80624532. `TIFFFillStrip' @ error/tiff.c/TIFFErrors/496.
Segmentation fault
We use flayer to trace the malformed tiff image and the flayer gives the following suggestions:
==1812== Warning: client syscall shmdt tried to modify addresses 0xFFFFFFFF-0xFFFFFFFF
==1812== Warning: set address range perms: large range 325120064 (defined)
==1812== Stack overflow in thread 1: can't grow stack to 0xBE394FAC
==1812==
==1812== Process terminating with default action of signal 11 (SIGSEGV)
==1812== Access not within mapped region at address 0xBE394FAC
==1812== at 0x484D407: (within /usr/lib/libX11.so.6.3.0)
==1812== Stack overflow in thread 1: can't grow stack to 0xBE394FA8
==1812==
==1812== Process terminating with default action of signal 11 (SIGSEGV)
==1812== Access not within mapped region at address 0xBE394FA8
==1812== at 0x401F2C1: _vgnU_freeres (vg_preloaded.c:56)
The flayer suggest that a stack overflow occurred in thread 1.This may allow remote attackers to execute arbitrary code.
You can download the malformed tiff image which lead to the application collapse:
http://home.ustc.edu.cn/~zgmzgm/malformed.tif