
#65 Integer Overflow Bug while parsing TIFF input file

Milestone: v1.0 (example)
Status: closed-fixed
Labels: None
Priority: 5
Updated: 2017-12-28
Created: 2016-08-02
Private: No

There is an integer overflow vulnerability in optipng. When a victim runs optipng with a maliciously crafted TIFF input file, arbitrary code may be executed on the victim's system. The latest version (0.7.6) of optipng is vulnerable to this bug on 32-bit OSes.

  • Vulnerability description

The vulnerability resides in the minitiff/tiffread.c file. In line 353 of tiffread.c, the program allocates
a buffer and stores it in the 'tiff_ptr->strip_offsets' field. The allocation size is calculated by
multiplying 'tiff_ptr->strip_offsets_count' by 'sizeof(long)', and the 'strip_offsets_count' field is
set, in line 240, with a value derived from the input TIFF file.

192 if (fread(buf, 12, 1, fp) != 1)
...
196 count = (size_t)getter.get_ulong(buf + 4);
...
...
239 case TIFF_TAG_STRIP_OFFSETS:
240 tiff_ptr->strip_offsets_count = count;
...
...
350 count = tiff_ptr->strip_offsets_count;
351 if (count == 0 || count > tiff_ptr->height)
352 goto err_invalid;
353 tiff_ptr->strip_offsets = (long *)malloc(count * sizeof(long));
...
358 if (read_ulong_values(&getter, strip_offsets_tag_type,
359 (unsigned long *)tiff_ptr->strip_offsets, count, fp) != count)

Although there is a check in line 351 that ensures 'count' is not larger than 'tiff_ptr->height', the value of
'tiff_ptr->height' isn't sanitized either, so it can have an arbitrary value. Therefore the multiplication in line 353
may result in an integer overflow, leading to a small heap block being allocated. This eventually leads to
a buffer overrun when this buffer is subsequently used to read in data in line 358.

  • POC

We attach a maliciously crafted TIFF file (poc.tiff) which crashes optipng as shown below.

jason@ubuntu:~/optipng-0.7.6/src/optipng$ ./optipng poc.tiff
Segmentation fault (core dumped)
Attachments: 1
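As an added example (not OptiPNG's code, and not the patch attached later in this thread), the size expression from line 353 is modelled here under a 32-bit size_t, with the check the maintainer describes (count must not exceed SIZE_MAX / sizeof(long)) beside it. The IFD entry bytes are constructed for the example, not taken from poc.tiff, and the 4-byte widths of size_t and long are assumptions about the 32-bit target; they are modelled with uint32_t so the wrap-around reproduces on a 64-bit host as well.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not OptiPNG code. On the 32-bit target size_t and long
 * are assumed to be 4 bytes wide; both are modelled with uint32_t. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX
#define ELEM_SIZE  4u   /* stands in for sizeof(long) on the 32-bit target */

/* Little-endian 32-bit read, like getter.get_ulong for an "II" TIFF. */
static uint32_t get_ulong_le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* A TIFF IFD entry is 12 bytes: tag(2) type(2) count(4) value-or-offset(4).
 * The count field is what line 196 in the report reads into 'count'. */
static uint32_t ifd_entry_count(const unsigned char entry[12])
{
    return get_ulong_le(entry + 4);
}

/* Constructed IFD entry (not from poc.tiff): tag 0x0111 StripOffsets,
 * type 4 (LONG), count 0x40000001, value offset 8. */
static const unsigned char kStripOffsetsEntry[12] = {
    0x11, 0x01,             /* tag    = 0x0111     */
    0x04, 0x00,             /* type   = LONG       */
    0x01, 0x00, 0x00, 0x40, /* count  = 0x40000001 */
    0x08, 0x00, 0x00, 0x00  /* offset = 8          */
};

/* The size expression of line 353 evaluated in 32-bit size_t arithmetic:
 * count * sizeof(long) wraps modulo 2^32. */
static size32_t alloc_size_unchecked(uint32_t count)
{
    return (size32_t)((uint64_t)count * ELEM_SIZE);
}

/* 1 if the wrapped size can no longer hold 'count' elements. */
static int size_overflowed(uint32_t count)
{
    return alloc_size_unchecked(count) / ELEM_SIZE != count;
}

/* The check described in the thread: refuse any count above
 * SIZE_MAX / sizeof(long) before multiplying. Returns 1 and stores the
 * byte size on success, 0 when the count is zero or would overflow. */
static int alloc_size_checked(uint32_t count, size32_t *bytes)
{
    if (count == 0 || count > SIZE32_MAX / ELEM_SIZE)
        return 0;
    *bytes = count * ELEM_SIZE;
    return 1;
}

int main(void)
{
    uint32_t count = ifd_entry_count(kStripOffsetsEntry);
    size32_t bytes;

    printf("count from IFD entry   = %u\n", (unsigned)count);
    printf("unchecked 32-bit size  = %u bytes (overflowed: %s)\n",
           (unsigned)alloc_size_unchecked(count),
           size_overflowed(count) ? "yes" : "no");
    if (alloc_size_checked(count, &bytes))
        printf("checked size           = %u bytes\n", (unsigned)bytes);
    else
        printf("checked: count rejected, treated as out of memory\n");
    return 0;
}
```

With the constructed entry, count is 1073741825 and the unchecked product wraps to 4 bytes, which is the small heap block the report describes; the checked path rejects it, which matches the "Out of memory" result reported for the patched build.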

Discussion

  • Cosmin Truta - 2017-01-22

    Confirmed. The fix shall consist in checking whether count does not exceed maximum size_t divided by sizeof(long), right before using malloc.

    Thank you very much for your insightful report and test data.

     
  • Markus Koschany - 2017-11-18

    Hi,

    has this issue been fixed in the meantime?

     
  • Sebastian Pipping

    Here's a patch candidate for review.

    Output with the patch applied from a Debian sid i386 chroot:

    $ ./src/optipng/optipng poc.tiff 
    ** Processing: poc.tiff
    Error: Out of memory
    
    ** Status report
    1 file(s) have been processed.
    1 error(s) have been encountered.
    
     

    Last edit: Sebastian Pipping 2017-11-19
  • Markus Koschany - 2017-11-19

    Thank you for the patch. Do you also intend to make a new release?

     
  • Cosmin Truta - 2017-11-21

    Thank you, Sebastian, for the patch.
    I have a few changes piled up for the next release (v0.7.7). I can't publish the release right now, but if all goes well, I may be able to do so, hopefully by the end of this year.

     
  • Cosmin Truta - 2017-11-27

    Thanks.

     
  • Cosmin Truta - 2017-12-28
    • status: open --> closed-fixed
    • assigned_to: Cosmin Truta
     
  • Cosmin Truta - 2017-12-28

    Fixed in OptiPNG version 0.7.7, with a new and improved TIFF decoder.
    Thanks again for the report.

     
