GitLab

Initial report:

Hi,

Hereby, I am reporting a small vulnerability that I have discovered in evince.

The vulnerability is that uninitialized heap memory is blit to display on an invalid tiff image.

This is due to missing error checking at [1].

A worst case scenario is that an attacker may use this to guess addresses on heap or see images that have previously been loaded to heap.

Attached is a script that produces a tiff file which has enough fields to get to this codepath.

To observe the effect of uninitialized memory, open the image in evince and press CTRL+R to reload the image.

For discovery credits, please use "Andy Nguyen of ETH Zurich".

Kindly let me know how I can help you.

Best regards, Andy Nguyen

[1] https://gitlab.gnome.org/GNOME/evince/blob/master/backend/tiff/tiff-document.c#L303

Follow-up:

Hi Michael and German,

We must abort and return error if TIFFReadRGBAImageOriented returns 0 (see [1]). There's another call to TIFFReadRGBAImageOriented is at [2] which must be fixed too.

Furthermore, I have just noticed that certain PostScript files show the same behaviour. Open [3] with evince and zoom in/out to see how different images show up. I have not yet analyzed this one, and don't know if it's also due to missing error checking, or if it's an error within libspectre.

Best regards, Andy Nguyen

[1] https://gitlab.com/libtiff/libtiff/blob/master/tools/tiff2pdf.c#L2663 [2] https://gitlab.gnome.org/GNOME/evince/blob/master/backend/tiff/tiff-document.c#L390 [3] https://www.tug.org/svn/texlive/trunk/Build/source/texk/dvipsk/special.lpro?revision=36880&view=markup