Re: tiff / CVE-2018-7456

To: Hugo Lefeuvre <hle@debian.org>, debian-lts@lists.debian.org
Cc: 891288@bugs.debian.org
Subject: Re: tiff / CVE-2018-7456
From: Brian May <bam@debian.org>
Date: Sun, 18 Mar 2018 13:06:54 +1100
Message-id: <[🔎] 87tvtem91d.fsf@silverfish.pri>
In-reply-to: <[🔎] 20180317214240.GA1840@hle-laptop.local>
References: <[🔎] 87d105q3je.fsf@silverfish.pri> <[🔎] 20180315155519.GB2886@hle-laptop.local> <[🔎] 87sh90o7e1.fsf@silverfish.pri> <[🔎] 20180316100737.GA1828@hle-laptop.local> <[🔎] 20180317214240.GA1840@hle-laptop.local>

Hugo Lefeuvre <hle@debian.org> writes:

> So, after some debugging on CVE-2018-7456, I start to get the feeling to
> understand the issue.
>
> Here are my conclusions for the moment:
>
> * In any case, the transfer function should not care about other
>   channels defined by ExtraSamples (see 2nd and 3rd paragraphs of
>   TransferFunction entry, page 84 of the specification), so something
>   like the following patch should be a first step:
>
> --- a/libtiff/tif_print.c	2018-03-17 21:56:47.000000000 +0100
> +++ b/libtiff/tif_print.c	2018-03-17 22:05:58.446092016 +0100
> @@ -546,7 +546,7 @@
>  				uint16 i;
>  				fprintf(fd, "    %2ld: %5u",
>  				    l, td->td_transferfunction[0][l]);
> -				for (i = 1; i < td->td_samplesperpixel; i++)
> +				for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples; i++)
>  					fprintf(fd, " %5u",
>  					    td->td_transferfunction[i][l]);
>  				fputc('\n', fd);
>
> But it's not enough. Why ?
>
> * I discovered that td->td_samplesperpixel can have arbitrary size while
>   td->td_extrasamples stays 0. It shouldn't be the case ! For instance
>   the specification doesn't allow RGB with 4 channels and no ExtraSamples.
>   And while it doesn't make any sense, libtiff won't notice it.
>
>   I even tried RGB with 8 channels and no ExtraSamples and it worked too.
>
>   So, what should be done ?
>
>   For each PhotometricInterpretation type there is a 'standard' samples
>   per pixel value (that is the samples per pixel value without extra samples:
>   3 for RGB, etc). Let's name it (standard spp).
>
>   So, what we should do is: If the actual td->td_samplesperpixel is higher
>   than (standard spp), then we should assume that td->td_extrasamples is
>   td->td_samplesperpixel - (standard spp), even if no ExtraSamples field
>   was specified OR if the specified td->td_extrasamples was smaller.

Seems good to me. I would suggest sending a patch upstream, see what
they think.

Also I tend to think some some of assertion might be a good idea,
something that aborts if

(td->td_samplesperpixel - td->td_extrasamples) > 3

As aborting early is probably better then screwing up memory.


For reference, the next value in the struct is:

typedef struct {
        [...]

        /* Colorimetry parameters */
	uint16* td_transferfunction[3];
	float*	td_refblackwhite;

        [...]
} TIFFDirectory;

So I am guessing when you access td_transferfunction[3], you are
actually accessing td_refblackwhite, which - surprise surprise - happens
to be NULL.
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: tiff / CVE-2018-7456
  - From: Hugo Lefeuvre <hle@debian.org>

References:
- tiff / CVE-2018-7456
  - From: Brian May <bam@debian.org>
- Re: tiff / CVE-2018-7456
  - From: Hugo Lefeuvre <hle@debian.org>
- Re: tiff / CVE-2018-7456
  - From: Brian May <bam@debian.org>
- Re: tiff / CVE-2018-7456
  - From: Hugo Lefeuvre <hle@debian.org>
- Re: tiff / CVE-2018-7456
  - From: Hugo Lefeuvre <hle@debian.org>

Prev by Date: Re: tiff / CVE-2018-7456
Next by Date: Review graphite2
Previous by thread: Re: tiff / CVE-2018-7456
Next by thread: Re: tiff / CVE-2018-7456
Index(es):
- Date
- Thread