Use-after-free in TIFFSetField()
More details and faulting test case: http://bugzilla.maptools.org/show_bug.cgi?id=2730
Regards,
Kamil Frankowicz
Re: Use-after-free in TIFFSetField()
The stack trace shows the fault occurs within the libTIFF delegate library. ImageMagick calls libTIFF's TIFFGetField() to obtain a private tag profile 37724 (used by Adobe). TIFFGetField() returns success with a length of 9908 bytes and a data buffer to the location of the profile. Unfortunately the data buffer is corrupt. The fix to this problem lies within the TIFF delegate library, libTIFF. If the 37724 profile is corrupt, libTIFF should return something other than success (1) for TIFFGetField(). If it does return success, the associated data buffer should be valid and subsequently touching it would not return a fault.
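A bounds check of the kind the reply above expects from the TIFF library, as an added example that is not code from this thread, from ImageMagick or from libTIFF: it walks the first IFD of a classic TIFF held in memory and refuses to hand out a 37724 entry whose declared payload does not fit inside the file, so a caller never gets "success" together with a pointer to data that is not there. The tag number 37724 is libtiff's real TIFFTAG_PHOTOSHOP; the function names, the return codes and the 40-byte sample file are constructed for this example, and it assumes the tag's type is BYTE or UNDEFINED.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define TIFFTAG_PHOTOSHOP 37724u   /* Adobe private tag discussed in the thread */
enum { PS_TAG_INVALID = -1, PS_TAG_ABSENT = 0, PS_TAG_VALID = 1 };

static uint16_t rd16(const uint8_t *p, int le)
{ return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p, int le)
{ return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
            : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]; }

/* Walk the first IFD of a classic (non-Big) TIFF in memory and report whether the
 * 37724 entry's payload lies entirely inside the file. Every offset/count pair is
 * checked against `len` before it is trusted, so no out-of-file pointer escapes. */
int photoshop_tag_check(const uint8_t *buf, size_t len, uint32_t *out_count)
{
    if (len < 8 || (memcmp(buf, "II", 2) && memcmp(buf, "MM", 2))) return PS_TAG_INVALID;
    int le = buf[0] == 'I';
    if (rd16(buf + 2, le) != 42) return PS_TAG_INVALID;
    uint32_t ifd = rd32(buf + 4, le);
    if (ifd < 8 || ifd > len - 2) return PS_TAG_INVALID;          /* IFD count outside file */
    uint16_t n = rd16(buf + ifd, le);
    if ((size_t)n * 12 > len - ifd - 2) return PS_TAG_INVALID;    /* entries run past EOF */
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        if (rd16(e, le) != TIFFTAG_PHOTOSHOP) continue;
        uint16_t type = rd16(e + 2, le);
        uint32_t count = rd32(e + 4, le);
        if (type != 1 && type != 7) return PS_TAG_INVALID;        /* assumption: BYTE or UNDEFINED */
        if (count > 4) {                                          /* <= 4 bytes are stored inline */
            uint32_t off = rd32(e + 8, le);
            if (off > len || count > len - off) return PS_TAG_INVALID; /* payload outside file */
        }
        if (out_count) *out_count = count;
        return PS_TAG_VALID;
    }
    return PS_TAG_ABSENT;
}

/* Constructed sample: 40-byte little-endian TIFF with one IFD entry for tag 37724
 * (type UNDEFINED) claiming `count` bytes at offset 26; only 14 bytes really follow. */
static int check_sample(uint32_t count)
{
    uint8_t f[40] = { 'I','I', 42,0, 8,0,0,0, 1,0, 0x5C,0x93, 7,0 };
    for (int i = 0; i < 4; i++) f[14 + i] = (uint8_t)(count >> (8 * i));
    f[18] = 26;                                    /* payload offset; next-IFD word stays 0 */
    return photoshop_tag_check(f, sizeof f, NULL);
}
```

With the 9908-byte length the thread reports, check_sample(9908) returns PS_TAG_INVALID because the payload would extend 9874 bytes past the end of the sample file, while a count that fits (8 or 14) returns PS_TAG_VALID.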
Re: Use-after-free in TIFFSetField()
Reply from LibTIFF developer: http://bugzilla.maptools.org/show_bug.cgi?id=2730#c3
Regards,
Kamil Frankowicz
Re: Use-after-free in TIFFSetField()
Can you try the latest release of ImageMagick, 6.9.9-11? We tried your test case and it returned gracefully:
$ convert tiff_uaf_TIFFSetField test.tif
convert: Incorrect value for "ICC Profile"; tag ignored. `TIFFFetchNormalTag' @ warning/tiff.c/TIFFWarnings/921.
convert: unable to decompress image `tiff_uaf_TIFFSetField' @ error/psd.c/ReadPSDChannel/1385.