Use-after-free in TIFFSetField()

Post any defects you find in the released or beta versions of the ImageMagick software here. Include the ImageMagick version, OS, and any command-line required to reproduce the problem. Got a patch for a bug? Post it here.
Post Reply
fumfel
Posts: 12
Joined: 2016-09-20T06:30:11-07:00
Authentication code: 1151

Use-after-free in TIFFSetField()

Post by fumfel »

More details and faulting test case: http://bugzilla.maptools.org/show_bug.cgi?id=2730
Regards,
Kamil Frankowicz
User avatar
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: Use-after-free in TIFFSetField()

Post by magick »

The stack trace shows the fault occurs withing the libTIFF delegate library. ImageMagick calls libTIFF's TIFFGetField() to obtain a private tag profile 37724 (used by Adobe). TIFFGetField() returns success with a length of 9908 bytes and a data buffer to the location of the profile. Unfortunately the data buffer is corrupt. The fix to this problem lies within the TIFF delegate library, libTIFF. If the 37724 profile is corrupt, libTIFF should return something other than success (1) for TIFFGetField(). If it does return success, the associated data buffer should be valid and subsequently touching it would not return a fault.
fumfel
Posts: 12
Joined: 2016-09-20T06:30:11-07:00
Authentication code: 1151

Re: Use-after-free in TIFFSetField()

Post by fumfel »

Regards,
Kamil Frankowicz
User avatar
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: Use-after-free in TIFFSetField()

Post by magick »

Can you try the latest release of ImageMagick, 6.9.9-11? We tried your test case and it returned gracefully:

Code: Select all

$ convert tiff_uaf_TIFFSetField test.tif
convert: Incorrect value for "ICC Profile"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/921.
convert: unable to decompress image `tiff_uaf_TIFFSetField' @ error/psd.c/ReadPSDChannel/1385.
Post Reply