Apple OS X 10.4.6 .tiff "PredictorVSetField ()" Heap Overflow

Release Date:
April 19th, 2006

Severity:
Medium

Vendor:
Apple

Versions Affected:
Apple OS X 10.4.6 and prior

Overview:
TIFF is a file format used mainly for storing images, including photographs and line art. Every TIFF file begins with a 2-byte field that indicates byte ordering: "II" for little endian and "MM" for big endian. The following two bytes contain the constant value 42. These values are followed by additional header fields and image data.

Technical Details:
When processing a malformed .tiff image file, the PredictorVSetField () function does not properly parse the malformed data causing the application which it was opened with to crash. This issue is within the core .tiff parsing engine making Preview, Finder, QuickTime, and Safari potential attack vectors for this issue.

Below the crash is triggered on OS X (PPC) 10.4.6 using Preview within gdb:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000020
0x91c738f8 in PredictorVSetField ()
(gdb) bt
#0 0x91c738f8 in PredictorVSetField ()
#1 0x91c71da4 in _cg_TIFFSetField ()
#2 0x91c734b4 in TIFFFetchNormalTag ()
#3 0x91c7104c in TIFFReadDirectory ()
#4 0x91c706b0 in _cg_TIFFClientOpen ()
#5 0x919f2db8 in _CGImagePluginImageCountTIFF ()
#6 0x919f2c0c in CGImageSourceGetCount ()
== snip ==

Vendor Status:
Apple was notified.

Solution:
This issue has been fixed in Security Update 2006-003

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://www.security-protocols.com/poc/sp-x30.html
http://www.apple.com/macosx/

Security-Protocols.com :: 1999-2008