Apple OS X 10.4.6 .tiff "_cg_TIFFSetField ()" DoS

Release Date:
April 19th, 2006

Severity:
Medium

Vendor:
Apple

Versions Affected:
Apple OS X 10.4.6 and prior

Overview:
TIFF is a file format used mainly for storing images, including photographs and line art. Every TIFF file begins with a 2-byte field that indicates byte ordering: "II" for little endian and "MM" for big endian. The following two bytes contain the constant value 42. These values are followed by additional header fields and image data.

Technical Details:
When processing a malformed .tiff image file, the _cg_TIFFSetField () function does not properly parse the malformed data causing the application which it was opened with to crash. This issue is within the core .tiff parsing engine making Preview, Finder, QuickTime, and Safari potential attack vectors for this issue.

Below the crash is triggered on OS X (PPC) 10.4.6 using Safari within gdb:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00000000 in ?? ()
(gdb) bt
#0 0x00000000 in ?? ()
Cannot access memory at address 0x0
Cannot access memory at address 0x0
Cannot access memory at address 0x0
#1 0x91c71da4 in _cg_TIFFSetField ()
Cannot access memory at address 0x0
#2 0x91c73390 in TIFFFetchNormalTag ()
#3 0x91c7104c in TIFFReadDirectory ()
#4 0x91c706b0 in _cg_TIFFClientOpen ()
#5 0x919f2db8 in _CGImagePluginImageCountTIFF ()
#6 0x919f2c0c in CGImageSourceGetCount ()
== snip ==

Vendor Status:
Apple was notified.

Solution:
This issue has been fixed in Security Update 2006-003

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://www.security-protocols.com/poc/sp-x29.html
http://www.apple.com/macosx/

Security-Protocols.com :: 1999-2008