
Re: tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318

Raphael Hertzog <hertzog@debian.org> writes:

>> What does the TIFFReadDirectoryFindFieldInfo function do? What
>> situations is TIFFReadDirectoryFindFieldInfo unsuccessful?
> I don't know.

It searches for the field in the tiff file. As I guessed.

Which confused me (and still does): if the field is not there, how can
this vulnerability exist? I would expect _TIFFVGetField to fail before
writing to the vararg.

I think the answer might be based on the fact that
TIFFReadDirectoryFindFieldInfo does a binary search. And it looks like
the tag data in the sample tiff that is claimed to generate this problem
is not in sorted order. So it probably is possible to craft a file so
that TIFFReadDirectoryFindFieldInfo fails even though the field exists.

TIFFGetField doesn't use TIFFReadDirectoryFindFieldInfo, it uses
TIFFFindField instead, which appears to do a similar thing. However it
uses bsearch() to implement the binary search instead of doing the
binary search itself.

So I wonder if it is possible to somehow get
TIFFReadDirectoryFindFieldInfo to fail while TIFFFindField succeeds due
to the different implementations used of the binary search?

If so, then just blacklisting the tags may not be sufficient.
Brian May <bam@debian.org>
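As an added illustration of the point raised above (not libtiff code and not part of the thread), two binary-search variants that are both correct on a sorted tag table but probe different indices: on the constructed out-of-order table one finds tag 256 while the other misses it, and a linear scan finds it. The `field_t` struct, the function names and the tag values are assumptions; `tags_sorted()` is the check that tells you whether either binary search can be trusted.

```c
/* Added illustration, not libtiff code: two valid binary-search variants
 * that agree on a sorted tag table but can disagree on an unsorted one.
 * Tag numbers below are constructed sample data, not from any TIFF file. */
#include <stddef.h>

/* Hypothetical field descriptor holding only the tag number. */
typedef struct { unsigned tag; } field_t;

/* Variant A: half-open interval [lo, hi), midpoint rounded down. */
int find_halfopen(const field_t *f, size_t n, unsigned tag) {
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (f[mid].tag == tag) return 1;
        if (f[mid].tag < tag) lo = mid + 1; else hi = mid;
    }
    return 0;
}

/* Variant B: closed interval [lo, hi]; for some table sizes its first
 * probe lands on a different index than variant A's. */
int find_closed(const field_t *f, size_t n, unsigned tag) {
    long lo = 0, hi = (long)n - 1;
    while (lo <= hi) {
        long mid = (lo + hi) / 2;
        if (f[mid].tag == tag) return 1;
        if (f[mid].tag < tag) lo = mid + 1; else hi = mid - 1;
    }
    return 0;
}

/* Ground truth: linear scan, correct regardless of ordering. */
int find_linear(const field_t *f, size_t n, unsigned tag) {
    for (size_t i = 0; i < n; i++) if (f[i].tag == tag) return 1;
    return 0;
}

/* The check to run before trusting either binary search: is the table
 * actually in strictly ascending tag order? */
int tags_sorted(const field_t *f, size_t n) {
    for (size_t i = 1; i < n; i++) if (f[i - 1].tag >= f[i].tag) return 0;
    return 1;
}

/* Constructed tables: the same four tags, sorted and out of order. */
static const field_t sorted_tbl[]   = { {254}, {256}, {270}, {300} };
static const field_t unsorted_tbl[] = { {254}, {300}, {256}, {270} };
#define NTAGS 4
```

On the unsorted table, `find_halfopen` returns 1 for tag 256 and `find_closed` returns 0, which is exactly the kind of disagreement between two lookups that would make a tag blacklist an incomplete fix.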
