There is an integer overflow vulnerability in optipng. When a victim runs optipng on a maliciously crafted TIFF input file, arbitrary code may be executed on the victim's system. The latest version (0.7.6) of optipng is vulnerable to this bug on 32-bit OSes.
The vulnerability resides in the minitiff/tiffread.c file. In line 353 of tiffread.c, the program allocates a buffer and stores it in the 'tiff_ptr->strip_offsets' field. The memory allocation size is calculated by multiplying 'tiff_ptr->strip_offsets_count' by 'sizeof(long)', and the 'strip_offsets_count' field is set, in line 240, to a value taken directly from the input TIFF file.
192     if (fread(buf, 12, 1, fp) != 1)
...
196     count = (size_t)getter.get_ulong(buf + 4);
...
239     case TIFF_TAG_STRIP_OFFSETS:
240         tiff_ptr->strip_offsets_count = count;
...
350     count = tiff_ptr->strip_offsets_count;
351     if (count == 0 || count > tiff_ptr->height)
352         goto err_invalid;
353     tiff_ptr->strip_offsets = (long *)malloc(count * sizeof(long));
...
358     if (read_ulong_values(&getter, strip_offsets_tag_type,
359                           (unsigned long *)tiff_ptr->strip_offsets, count, fp) != count)
Although there is code in line 351 that checks whether 'count' is larger than 'tiff_ptr->height', the value of 'tiff_ptr->height' isn't sanitized either, so it can hold an arbitrary value. Therefore the multiplication in line 353 may result in an integer overflow, leading to a small heap block being allocated. This eventually leads to a buffer overrun when the buffer is subsequently used to read in data in line 358.
We attach a maliciously crafted TIFF file (poc.tiff) which crashes optipng as shown below.

jason@ubuntu:~/optipng-0.7.6/src/optipng$ ./optipng poc.tiff
Segmentation fault (core dumped)
Confirmed. The fix shall consist in checking whether count does not exceed maximum size_t divided by sizeof(long), right before using malloc. Thank you very much for your insightful report and test data.
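The following is an added illustration of the arithmetic behind the report above and of the overflow guard the maintainer proposes in reply. It is example code written for this thread, not OptiPNG's own tiffread.c and not Sebastian's patch. size_t is emulated with uint32_t so the 32-bit wraparound reproduces on any host; sizeof(long) is assumed to be 4, as on the 32-bit builds the report names; the 12-byte IFD entry is constructed here (tag 0x0111 StripOffsets, type LONG, count 0x40000001) and is not taken from poc.tiff; get_ulong_le stands in for getter.get_ulong() at line 196.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Emulated 32-bit size_t and sizeof(long) (assumption: 32-bit target). */
#define SIZE32_MAX UINT32_MAX
#define SIZEOF_LONG32 4u

/* Little-endian 32-bit read, standing in for getter.get_ulong() at line 196. */
uint32_t get_ulong_le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed 12-byte IFD entry (not from poc.tiff): tag 0x0111 StripOffsets,
 * type 4 (LONG), count 0x40000001, value offset 8. */
const unsigned char poc_entry[12] = {
    0x11, 0x01,             /* tag = 0x0111 */
    0x04, 0x00,             /* type = LONG */
    0x01, 0x00, 0x00, 0x40, /* count = 0x40000001 */
    0x08, 0x00, 0x00, 0x00  /* value offset */
};

/* The size computed at line 353 on a 32-bit build: count * sizeof(long)
 * wraps modulo 2^32, so 0x40000001 strips yield a 4-byte allocation. */
uint32_t wrapped_alloc_size(uint32_t count)
{
    return count * SIZEOF_LONG32;
}

/* Bytes the read at line 358 would actually write for the same count,
 * computed without wraparound. */
uint64_t bytes_written_by_read(uint32_t count)
{
    return (uint64_t)count * SIZEOF_LONG32;
}

/* The check from line 351 plus the overflow guard from the maintainer's
 * reply: reject any count for which count * sizeof(long) cannot fit. */
bool strip_offsets_count_ok(uint32_t count, uint32_t height)
{
    if (count == 0 || count > height)
        return false;                      /* existing line 351 check */
    if (count > SIZE32_MAX / SIZEOF_LONG32)
        return false;                      /* proposed overflow guard */
    return true;
}

int main(void)
{
    uint32_t count = get_ulong_le(poc_entry + 4);
    uint32_t height = 0xFFFFFFFFu; /* unsanitized, attacker-chosen image height */

    printf("count = 0x%08x, malloc size = %u bytes, read writes %llu bytes\n",
           count, wrapped_alloc_size(count),
           (unsigned long long)bytes_written_by_read(count));
    printf("hardened check: %s\n",
           strip_offsets_count_ok(count, height) ? "accepted" : "rejected");
    return 0;
}
```

The height check alone does not help because height comes from the same untrusted file; the guard compares count against SIZE_MAX / sizeof(long) before the multiplication, which is the only point at which the wraparound can still be detected.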
Hi,
has this issue been fixed in the meantime?
Here's a patch candidate for review.
Output with the patch applied from a Debian sid i386 chroot:
Last edit: Sebastian Pipping 2017-11-19
Thank you for the patch. Do you also intend to make a new release?
Thank you, Sebastian, for the patch.
I have a few changes piled up for the next release (v0.7.7). I can't publish the release right now, but if all goes well, I may be able to do so, hopefully by the end of this year.
Adding CVE link https://nvd.nist.gov/vuln/detail/CVE-2017-1000229 for completeness.
Thanks.
Fixed in OptiPNG version 0.7.7, with a new and improved TIFF decoder.
Thanks again for the report.