Apple OS X 10.4.7 .tiff "TIFFFetchAnyArray ()" DoS
June 29th, 2006
Apple OS X 10.4.7 and prior
TIFF is a file format used mainly for storing images, including photographs and line art. Every TIFF file begins with a 2-byte field that indicates byte ordering: "II" for little endian and "MM" for big endian. The following two bytes contain the constant value 42. These values are followed by additional header fields and image data.
When processing a malformed .tiff image file, the TIFFFetchAnyArray () function does not properly parse an invalid tag causing the application which it was opened with to crash. This issue is within the ImageIO parsing engine making Preview, Finder, QuickTime, and Safari potential attack vectors for this issue.
Below the crash is triggered on OS X (PPC) 10.4.7 using Preview within gdb:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x90002f48 in strlen ()
#0 0x90002f48 in strlen ()
#1 0x90011d7c in __vfprintf ()
#2 0x900e4248 in vsnprintf_l ()
#3 0x90498c00 in default_log_message ()
#4 0x90498b94 in CGPostErrorWithArguments ()
#5 0x91a0ca8c in myErrorHandler ()
#6 0x91c7d51c in TIFFError ()
#7 0x91c7c6b0 in TIFFFetchAnyArray ()
#8 0x91c7c88c in TIFFFetchPerSampleAnys ()
#9 0x91c712c0 in TIFFReadDirectory ()
#10 0x91c70630 in _cg_TIFFClientOpen ()
#11 0x919f2d38 in _CGImagePluginImageCountTIFF ()
#12 0x919f2b8c in CGImageSourceGetCount ()
== snip ==
05/15/2006 - Vendor is notified
06/05/2006 - Vendor acknowlegdes that the flaw has no security impact, and no patch will be released.
06/29/2006 - Advisory released
Currently no patch has been released for this issue.