Ref: http://seclists.org/oss-sec/2017/q1/2
===========================================
Description:
Libtiff is a software that provides support for the Tag Image File Format 
(TIFF), a widely used format for storing image data.

Some crafted images, through a fuzzing revealed multiple division by zero. 
Since the number of the issues, I will post the relevant part of the 
stacktrace.

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1
Reproducer:
https://github.com/asarubbo/poc/blob/master/00064-libtiff-fpe-TIFFReadEncodedStrip
Relevant part of the stacktrace:

# tiffcp $FILE /tmp/foo
==12079==ERROR: AddressSanitizer: FPE on unknown address 0x7fd319436251 (pc 
0x7fd319436251 bp 0x7fff851e3d80 sp 0x7fff851e3d30 T0)
    #0 0x7fd319436250 in TIFFReadEncodedStrip /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_read.c:351:22

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec
Reproducer:
https://github.com/asarubbo/poc/blob/master/00083-libtiff-fpe-OJPEGDecodeRaw
Relevant part of the stacktrace:

# tiffmedia $FILE /tmp/foo
==28106==ERROR: AddressSanitizer: FPE on unknown address 0x7faeae7f744e (pc 
0x7faeae7f744e bp 0x7ffceab45e40 sp 0x7ffceab45ce0 T0)
    #0 0x7faeae7f744d in OJPEGDecodeRaw /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_ojpeg.c:816:8

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/d3c5426395dc53e3345712ac7246c29db9fed8fa
Reproducer:
https://github.com/asarubbo/poc/blob/master/00099-libtiff-fpe-readSeparateStripsIntoBuffer
Relevant part of the stacktrace:

# tiffcrop $FILE /tmp/foo
==19098==ERROR: AddressSanitizer: FPE on unknown address 0x000000523acf (pc 
0x000000523acf bp 0x7ffcb22ada30 sp 0x7ffcb22ad780 T0)
    #0 0x523ace in readSeparateStripsIntoBuffer /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcrop.c:4841:36

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/a87eb62049f446204ed62c939f965eb76bd98001
Reproducer:
https://github.com/asarubbo/poc/blob/master/00065-libtiff-fpe-readSeparateTilesIntoBuffer
Relevant part of the stacktrace:

# tiffcp $FILE /tmp/foo
==13262==ERROR: AddressSanitizer: FPE on unknown address 0x00000051c43b (pc 
0x00000051c43b bp 0x7ffdc8d81d70 sp 0x7ffdc8d81b20 T0)
    #0 0x51c43a in readSeparateTilesIntoBuffer /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1434:9

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/296803e79542f5523be1009d64574507b9acc239
Reproducer:
https://github.com/asarubbo/poc/blob/master/00073-libtiff-fpe-writeBufferToSeparateTiles
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==3614==ERROR: AddressSanitizer: FPE on unknown address 0x00000051650a (pc 
0x00000051650a bp 0x7fff41587d30 sp 0x7fff41587b00 T0)
    #0 0x516509 in writeBufferToSeparateTiles /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1591:13


Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-11-20: started to post the issues to upstream
2017-01-01: blog post about the issue

Note:
These bugs were found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-divide-by-zero

-- 
Agostino Sarubbo
Gentoo Linux Developer
===========================================

https://software.opensuse.org/package/libtiff5

TW: 4.0.7
42.2: 4.0.6
42.1: 4.0.6
13.2: 4.0.7