Apple OS X 10.4.5 .tiff "LZWDecodeVector ()" Heap Overflow

Release Date:
April 3rd, 2006

Severity:
Medium

Vendor:
Apple

Versions Affected:
Apple OS X 10.4.5 and prior

Overview:
TIFF is a file format used mainly for storing images, including photographs and line art. Every TIFF file begins with a 2-byte field that indicates byte ordering: "II" for little endian and "MM" for big endian. The next two bytes, read in that byte order, contain the constant value 42. They are followed by a 4-byte offset to the first image file directory (IFD), whose tagged entries describe the image (dimensions, compression scheme, strip locations) and are what a decoder uses to find and decode the image data. A parser that trusts these header and directory values without checking them against the file size is the usual source of trouble in TIFF readers.
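As an added illustration of the header layout described above (example code written for this page, not the advisory's or Apple's code): a small bounds-checked C reader for the TIFF header and first IFD. It validates the byte-order mark, the constant 42 and the IFD offset before touching anything, then reports the Compression tag (259), whose value 5 means LZW, the codec handled by the function named in this advisory. The sample files are constructed inline; the function and sample names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum tiff_order { TIFF_LE, TIFF_BE };

struct tiff_info {
    enum tiff_order order;
    uint32_t first_ifd;    /* file offset of the first IFD */
    uint16_t entry_count;  /* number of 12-byte entries in that IFD */
    int compression;       /* value of tag 259 (5 = LZW), or -1 if absent */
};

/* Read a 16/32-bit integer in the byte order declared by the header. */
static uint16_t rd16(const uint8_t *p, enum tiff_order o) {
    return o == TIFF_LE ? (uint16_t)(p[0] | (p[1] << 8))
                        : (uint16_t)((p[0] << 8) | p[1]);
}
static uint32_t rd32(const uint8_t *p, enum tiff_order o) {
    return o == TIFF_LE
        ? ((uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24))
        : (((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Parse the 8-byte header and walk the first IFD.  Returns 0 on success and a
 * negative code for each distinct malformation.  Every read is checked against
 * `len` before it happens; that discipline is what a strip decoder needs too. */
int tiff_parse(const uint8_t *buf, size_t len, struct tiff_info *out) {
    if (len < 8) return -1;                       /* header alone needs 8 bytes */
    if (memcmp(buf, "II", 2) == 0) out->order = TIFF_LE;
    else if (memcmp(buf, "MM", 2) == 0) out->order = TIFF_BE;
    else return -2;                               /* bad byte-order mark */
    if (rd16(buf + 2, out->order) != 42) return -3;
    out->first_ifd = rd32(buf + 4, out->order);
    /* IFD must start after the header, on a word boundary, with room for its count. */
    if (out->first_ifd < 8 || (out->first_ifd & 1) || out->first_ifd > len - 2) return -4;
    const uint8_t *ifd = buf + out->first_ifd;
    out->entry_count = rd16(ifd, out->order);
    /* count + entries + next-IFD pointer must fit in the remaining bytes.
     * size_t arithmetic: 65535 * 12 cannot wrap here, unlike a 16-bit product. */
    size_t need = 2 + (size_t)out->entry_count * 12 + 4;
    if (need > len - out->first_ifd) return -5;   /* oversized entry count */
    out->compression = -1;
    for (uint16_t i = 0; i < out->entry_count; i++) {
        const uint8_t *e = ifd + 2 + (size_t)i * 12;
        uint16_t tag   = rd16(e, out->order);
        uint16_t type  = rd16(e + 2, out->order);
        uint32_t count = rd32(e + 4, out->order);
        if (tag == 259) {
            /* Compression is a single SHORT (type 3); a SHORT fits inline in
             * the first two bytes of the 4-byte value field. */
            if (type != 3 || count != 1) return -6;
            out->compression = rd16(e + 8, out->order);
        }
    }
    return 0;
}

/* Constructed sample: little-endian, IFD at offset 8 with ImageWidth=1 and
 * Compression=5 (LZW), then a zero next-IFD pointer.  38 bytes. */
static const uint8_t sample_lzw[] = {
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00,
    0x02,0x00,
    0x00,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
    0x03,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x05,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00
};
/* Constructed sample: big-endian header whose IFD offset (4096) lies past EOF. */
static const uint8_t sample_bad_offset[] = { 'M','M', 0x00,0x2A, 0x00,0x00,0x10,0x00 };
/* Constructed sample: valid header, but the IFD claims 65535 entries in 2 bytes. */
static const uint8_t sample_bad_count[] = { 'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00, 0xFF,0xFF };

int sample_lzw_compression(void) {
    struct tiff_info ti;
    return tiff_parse(sample_lzw, sizeof sample_lzw, &ti) == 0 ? ti.compression : -100;
}
int sample_bad_offset_status(void) {
    struct tiff_info ti;
    return tiff_parse(sample_bad_offset, sizeof sample_bad_offset, &ti);
}
int sample_bad_count_status(void) {
    struct tiff_info ti;
    return tiff_parse(sample_bad_count, sizeof sample_bad_count, &ti);
}

int main(void) {
    printf("lzw sample compression tag: %d\n", sample_lzw_compression());
    printf("bad offset sample: %d, bad count sample: %d\n",
           sample_bad_offset_status(), sample_bad_count_status());
    return 0;
}
```

Pointing this at a real strip decoder means carrying the same checks further: the StripOffsets/StripByteCounts entries bound every read of compressed data, and the decoder's output buffer size bounds every write, regardless of what the LZW code stream says.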

Technical Details:
When a malformed .tiff image is processed, the LZWDecodeVector() function does not properly parse the malformed data, and the application that opened the file crashes. The fault lies in the system's shared TIFF decoding code (the CoreGraphics image path visible in the backtrace below), so any application that renders TIFF files through it, including Preview, Finder, QuickTime, and Safari, is a potential attack vector for this issue.

Below is the crash as triggered on OS X 10.4.5 (PPC) by loading the proof-of-concept file in Safari under gdb:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x32783fff
0x91be05a4 in LZWDecodeVector ()
(gdb) bt
#0 0x91be05a4 in LZWDecodeVector ()
#1 0x91bdf7d0 in _cg_TIFFReadEncodedStrip ()
#2 0x919904d4 in getBandProcTIFF ()
#3 0x9197b87c in CGImagePlusUpdateCache ()
#4 0x9197b590 in CGImagePlusCreateImage ()
#5 0x956a59bc in -[WebImageData _cacheImages:allImages:] ()
#6 0x956a5908 in -[WebImageData imageAtIndex:] ()
#7 0x956a6034 in -[WebImageData drawImageAtIndex:inRect:fromRect:adjustedSize:compositeOperation:context:] ()
#8 0x956a5f18 in -[WebImageData drawImageAtIndex:inRect:fromRect:compositeOperation:context:] ()
#9 0x956a5e64 in -[WebImageRenderer drawImageInRect:fromRect:compositeOperator:context:] ()
#10 0x959307d8 in QPainter::drawFloatPixmap ()
#11 0x959305dc in QPainter::drawPixmap ()
#12 0x959304e8 in QPainter::drawPixmap ()
#13 0x95930490 in QPainter::drawPixmap ()
#14 0x959301f4 in khtml::RenderImage::paint ()
#15 0x95931520 in khtml::InlineBox::paint ()
#16 0x95930c08 in khtml::InlineFlowBox::paint ()
#17 0x959309b8 in khtml::RootInlineBox::paint ()
#18 0x9592f5f8 in khtml::RenderFlow::paintLines ()
#19 0x9592c538 in khtml::RenderBlock::paintObject ()
#20 0x9592c440 in khtml::RenderBlock::paint ()
#21 0x9592de4c in khtml::RenderBlock::paintChildren ()
#22 0x9592c548 in khtml::RenderBlock::paintObject ()
#23 0x9592c440 in khtml::RenderBlock::paint ()
#24 0x9592ae10 in khtml::RenderLayer::paintLayer ()
#25 0x9592aee0 in khtml::RenderLayer::paintLayer ()
#26 0x9592aa30 in KWQKHTMLPart::paint ()
#27 0x9592a968 in -[WebCoreBridge drawRect:withPainter:] ()
#28 0x9592a6f8 in -[WebCoreBridge drawRect:] ()
#29 0x956a5298 in -[WebHTMLView drawRect:] ()
#30 0x936c0e78 in -[NSView _drawRect:clip:] ()
#31 0x936c0438 in -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] ()
#32 0x956a220c in -[WebHTMLView(WebPrivate) _recursiveDisplayAllDirtyWithLockFocus:visRect:] ()
#33 0x936c3180 in _recursiveDisplayInRect2 ()
#34 0x9076d960 in CFArrayApplyFunction ()
#35 0x936c054c in -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] ()
#36 0x936c3180 in _recursiveDisplayInRect2 ()
#37 0x9076d960 in CFArrayApplyFunction ()
#38 0x936c054c in -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] ()
#39 0x936bfa00 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#40 0x936bffc8 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#41 0x936bffc8 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#42 0x936bffc8 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#43 0x936bffc8 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#44 0x936bffc8 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#45 0x936e0664 in -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#46 0x936b9674 in -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] ()
#47 0x936ae968 in -[NSView displayIfNeeded] ()
#48 0x936ae7d8 in -[NSWindow displayIfNeeded] ()
#49 0x0001acb0 in ?? ()
#50 0x936ae684 in _handleWindowNeedsDisplay ()
#51 0x9075dcd8 in __CFRunLoopDoObservers ()
#52 0x9075df78 in __CFRunLoopRun ()
#53 0x9075da18 in CFRunLoopRunSpecific ()
#54 0x9317d1e0 in RunCurrentEventLoopInMode ()
#55 0x9317c7ec in ReceiveNextEventCommon ()
#56 0x9317c6e0 in BlockUntilNextEventMatchingListInMode ()
#57 0x9367b104 in _DPSNextEvent ()
#58 0x9367adc8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#59 0x00006e74 in ?? ()
#60 0x9367730c in -[NSApplication run] ()
#61 0x93767e68 in NSApplicationMain ()
#62 0x0005cbf0 in ?? ()
#63 0x0005ca94 in ?? ()
(gdb)

Solution:
Apple fixed this issue in the Mac OS X 10.4.6 update without documenting it in the update's security notes:
http://docs.info.apple.com/article.html?artnum=303411

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://www.security-protocols.com/poc/sp-x24.tiff
http://www.security-protocols.com/sp-x24-advisory.php
http://www.security-protocols.com/modules.php?name=News&file=article&sid=3227
http://www.apple.com/macosx/

Security-Protocols.com :: 1999-2008