Use-after-free in TIFFSetField()

Posted: 2017-08-23T08:38:02-07:00
by fumfel
More details and faulting test case: http://bugzilla.maptools.org/show_bug.cgi?id=2730

Re: Use-after-free in TIFFSetField()

Posted: 2017-08-23T10:28:22-07:00
by magick
The stack trace shows the fault occurs within the libTIFF delegate library. ImageMagick calls libTIFF's TIFFGetField() to obtain a private tag profile 37724 (used by Adobe). TIFFGetField() returns success with a length of 9908 bytes and a data buffer to the location of the profile. Unfortunately the data buffer is corrupt. The fix to this problem lies within the TIFF delegate library, libTIFF. If the 37724 profile is corrupt, libTIFF should return something other than success (1) for TIFFGetField(). If it does return success, the associated data buffer should be valid and subsequently touching it would not return a fault.
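
The post above describes TIFFGetField() handing back a length and a pointer to a 37724 (Photoshop image resource) profile whose contents are corrupt. The use-after-free itself can only be fixed inside libTIFF, and the pointer TIFFGetField() returns is libTIFF-owned storage that the caller must not free. What a consumer can still do is treat that buffer as untrusted input: bounds-check every size field of the 8BIM resource-block layout (4-byte "8BIM" signature, 16-bit id, even-padded Pascal-string name, 32-bit big-endian data size, even-padded data) against the length it was actually given before walking it. The following is an added example written for this thread; it is not ImageMagick's or libTIFF's code, and the sample bytes are constructed, not taken from the test case on the bug tracker.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Big-endian 32-bit read (Photoshop resource data is big-endian). */
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Walk a Photoshop image-resource-block buffer, the payload of TIFF tag 37724.
 * Each block: "8BIM", uint16 id, Pascal-string name padded to an even length,
 * uint32 data size, data padded to an even length.  Every size field is checked
 * against the bytes actually present before it is used, so a corrupt profile is
 * rejected instead of being read out of bounds.
 * Returns the number of resource blocks, or -1 if the buffer is malformed.
 */
int validate_psd_profile(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    if (buf == NULL)
        return -1;

    while (off < len) {
        size_t name_len, name_field, data_field, remaining;
        uint32_t data_len;

        /* Smallest possible block: 4 sig + 2 id + 2 empty name + 4 size. */
        if (len - off < 12 || memcmp(buf + off, "8BIM", 4) != 0)
            return -1;
        off += 6;                                   /* signature + resource id */

        name_len = buf[off];                        /* Pascal string length byte */
        name_field = (name_len + 2) & ~(size_t)1;   /* length byte + chars, even-padded */
        if (len - off < name_field + 4)             /* name plus the 4-byte size field */
            return -1;
        off += name_field;

        data_len = rd32(buf + off);
        off += 4;

        remaining = len - off;
        if (data_len > remaining)                   /* claimed size exceeds the buffer */
            return -1;
        data_field = ((size_t)data_len + 1) & ~(size_t)1;
        /* Tolerate a missing final pad byte, but never step past the end. */
        off += (data_field <= remaining) ? data_field : remaining;
        count++;
    }
    return count;
}

/* Constructed sample: two well-formed resource blocks (ids 0x0404 and 0x03ED). */
const uint8_t sample_profile[] = {
    '8','B','I','M', 0x04,0x04, 0x00,0x00, 0x00,0x00,0x00,0x05, 'h','e','l','l','o', 0x00,
    '8','B','I','M', 0x03,0xED, 0x02,'a','b',0x00, 0x00,0x00,0x00,0x02, 0x01,0x02
};
const size_t sample_profile_len = sizeof sample_profile;   /* 34 bytes */

/* Same bytes with block 1's size field overwritten to 0x00010000 (constructed). */
int check_oversized_length(void)
{
    uint8_t bad[sizeof sample_profile];
    memcpy(bad, sample_profile, sizeof bad);
    bad[8] = 0x00; bad[9] = 0x01; bad[10] = 0x00; bad[11] = 0x00;
    return validate_psd_profile(bad, sizeof bad);
}

int main(void)
{
    printf("valid profile: %d blocks\n",
           validate_psd_profile(sample_profile, sample_profile_len));
    printf("oversized length field: %d\n", check_oversized_length());
    printf("truncated buffer: %d\n", validate_psd_profile(sample_profile, 20));
    return 0;
}
```

The check is deliberately length-driven rather than pointer-driven: it cannot tell whether libTIFF has already freed the memory behind the pointer, only whether the bytes it was told exist are internally consistent. That is why the thread's conclusion stands that the real fix belongs in libTIFF; the caller-side walk limits the damage a corrupt profile can do once a valid buffer is returned.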

Re: Use-after-free in TIFFSetField()

Posted: 2017-09-04T12:28:14-07:00
by fumfel

Re: Use-after-free in TIFFSetField()

Posted: 2017-09-04T13:52:39-07:00
by magick
Can you try the latest release of ImageMagick, 6.9.9-11? We tried your test case and it returned gracefully:

$ convert tiff_uaf_TIFFSetField test.tif
convert: Incorrect value for "ICC Profile"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/921.
convert: unable to decompress image `tiff_uaf_TIFFSetField' @ error/psd.c/ReadPSDChannel/1385.