An exploitable out-of-bounds write vulnerability exists in the TIFF-parsing functionality of ACD Systems Canvas Draw version 5.0.0. A specially crafted TIFF image processed by the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.
ACDSystems Canvas Draw 5.0.0
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787: Out-of-Bounds Write
Canvas Draw 5 is a graphics-editing tool used to create and edit images and for other graphic-design tasks. The product has a sizable user base and is popular in the graphic design field. The vulnerable component is the handling of TIFF images. TIFF is a raster image format widely used in graphics-editing projects, which makes it a very common input format for an application of this kind.
The vulnerability arises in the parsing of a tiled TIFF image that uses the Adobe Deflate compression scheme. Adobe Deflate is not one of the baseline TIFF compression algorithms; it was added as an extension by Adobe and stores the image data as lossless Deflate streams in the zlib compressed data format. Canvas Draw supports this compression scheme and can open files that use it. The fault is in building a Huffman table. Deflate combines two techniques, LZ77 back-references and Huffman coding, and a dynamic Huffman block carries in its header the code lengths from which the decoder must build its Huffman tables.
When decoding such a block, the application takes the values used to build the Huffman table directly from the compressed data inside the TIFF image and uses them without validation. The initial crash is shown below.
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7ffeefc00eac)
    frame #0: 0x0000000102001245 ImageGear18`_DFL_huff_table_build + 364
ImageGear18`_DFL_huff_table_build:
    0x102001245 <+364>: movzx  edx, word ptr [rbp + 2*rcx - 0x100]
    0x10200124d <+372>: lea    esi, [rdx + 0x1]
    0x102001250 <+375>: mov    word ptr [rbp + 2*rcx - 0x100], si
    0x102001258 <+383>: mov    word ptr [r12], dx
The value in RCX at the movzx at +364 is controlled via the compressed data inside the TIFF image and is used, without any bounds check, as an index into a 16-bit table on the stack (rbp - 0x100). The word at that index is read into EDX, incremented into ESI by the lea at +372, and stored back to the same RCX-indexed slot by the mov at +375. An attacker-chosen index therefore turns this increment into an out-of-bounds write of attacker-influenced data, which is an exploitable condition. An attacker could gain code execution through this vulnerability by using specially crafted data.
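The load/increment/store pattern in the disassembly is the shape of the first step of canonical Huffman table construction (RFC 1951 section 3.2.2): a histogram of how many codes use each bit length, indexed by a length taken from the stream. The following is an added illustration, not ImageGear's or Canvas Draw's code: a hypothetical unchecked counter that reproduces the bug class beside a hardened version that validates every length against the Deflate maximum of 15 bits and rejects over-subscribed or incomplete code sets. The function names, the oversized `frame` array standing in for the stack, and the sample length arrays are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_BITS    15   /* RFC 1951: a Deflate code length is 0 (unused) or 1..15 */
#define MAX_SYMBOLS 288  /* size of the literal/length alphabet */

/* Hypothetical unchecked histogram step (illustrative, not ImageGear's code).
 * Only table[0..MAX_BITS] belong to the histogram; nothing checks that a
 * length is <= MAX_BITS, so a length of 20 read from the file increments
 * table[20], i.e. whatever sits after the histogram in memory. This is the
 * movzx / lea / mov word-sized increment seen in the crash disassembly. */
void count_lengths_unchecked(const uint8_t *lengths, size_t n, uint16_t *table)
{
    memset(table, 0, (MAX_BITS + 1) * sizeof(uint16_t));
    for (size_t i = 0; i < n; i++)
        table[lengths[i]]++;            /* out-of-bounds write when lengths[i] > MAX_BITS */
}

/* Hardened construction: validate every length, apply the Kraft check for
 * over-subscribed sets, reject incomplete sets (except the all-length-1 case
 * zlib tolerates), then assign canonical codes. Returns 0 on success, -1 on
 * rejection; codes[] receives one code per symbol (0 for unused symbols). */
int build_canonical_codes(const uint8_t *lengths, size_t n, uint16_t *codes)
{
    uint16_t bl_count[MAX_BITS + 1] = {0};
    uint16_t next_code[MAX_BITS + 1] = {0};
    int maxlen = 0;

    if (n == 0 || n > MAX_SYMBOLS)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (lengths[i] > MAX_BITS)      /* the check the vulnerable path lacks */
            return -1;
        bl_count[lengths[i]]++;
        if (lengths[i] > maxlen)
            maxlen = lengths[i];
    }
    bl_count[0] = 0;                    /* length 0 means "symbol not used" */

    /* Kraft inequality: a prefix code cannot use more codes than the tree has leaves. */
    int left = 1;
    for (int len = 1; len <= MAX_BITS; len++) {
        left = (left << 1) - bl_count[len];
        if (left < 0)
            return -1;                  /* over-subscribed */
    }
    if (left > 0 && maxlen != 1)
        return -1;                      /* incomplete code */

    uint16_t code = 0;
    for (int bits = 1; bits <= MAX_BITS; bits++) {
        code = (uint16_t)((code + bl_count[bits - 1]) << 1);
        next_code[bits] = code;
    }
    for (size_t i = 0; i < n; i++)
        codes[i] = lengths[i] ? next_code[lengths[i]]++ : 0;
    return 0;
}

/* Constructed inputs; no TIFF or zlib parsing is involved. */
static const uint8_t RFC_EXAMPLE[8] = {3, 3, 3, 3, 3, 2, 4, 4};   /* RFC 1951 3.2.2 worked example */
static const uint8_t BAD_LENGTH[3]  = {3, 20, 3};                 /* 20 exceeds MAX_BITS */

/* Canonical code assigned to symbol `sym` of RFC_EXAMPLE, or -1 if the set is rejected. */
int rfc_example_code(int sym)
{
    uint16_t codes[8];
    if (build_canonical_codes(RFC_EXAMPLE, 8, codes) != 0)
        return -1;
    return codes[sym];
}

/* How far the unchecked counter moved slot 20, which lies outside the 16-entry
 * histogram. The oversized frame[] array simulates the data that follows the
 * histogram on the stack so the demonstration itself stays in bounds. */
int unchecked_neighbor_delta(void)
{
    uint16_t frame[32];
    memset(frame, 0, sizeof frame);
    frame[20] = 0x4141;                 /* stands in for a neighbouring stack value */
    count_lengths_unchecked(BAD_LENGTH, 3, frame);
    return frame[20] - 0x4141;
}
```

With the RFC example lengths the hardened builder yields the codes 010, 011, 100, 101, 110, 00, 1110 and 1111, while the same input with one length of 20 is rejected before any table write happens. The unchecked variant instead bumps the slot at index 20 by one, which is exactly the kind of silent neighbour corruption the crash log shows once the index leaves the mapped stack.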
Crashed thread log:
Dispatch queue: com.apple.main-thread
0   ImageGear18                           0x000000010cd9a245 _DFL_huff_table_build + 364
1   ImageGear18                           0x000000010cd9a8af _DFL_dynamic_huffman_get + 1437
2   ImageGear18                           0x000000010cd9aaa6 DFL_uncompress + 281
3   ImageGear18                           0x000000010cf0ac1d _TIF_read + 3642
4   ImageGear18                           0x000000010cf09d85 TIF_read + 261
5   ImageGear18                           0x000000010ce06dfd GPb_fltrm_READ_call_param + 178
6   ImageGear18                           0x000000010ce06d45 GPb_fltrm_READ_call + 21
7   ImageGear18                           0x000000010cdddbbf iIG_load_FD_CB_ex + 411
8   ImageGear18                           0x000000010cf4f3b6 IG_load_FD_CB_ex + 91
9   com.acdsystem.canvastool.ImageIO      0x00000001766eeba1 CIGReadFile_CB_ext::readFile() + 651
10  com.acdsystem.canvastool.ImageIO      0x000000017671bc1b ImageGearAcquireProc(short, AcquireRecord*, int*, short*) + 915
11  com.acdsystem.canvastool.ImageIO      0x000000017671c104 ImageIORunAcquireProc(_ImageIOAcquireState*) + 744
12  com.acdsystem.canvastool.ImageIO      0x000000017671997b 0x17669a000 + 522619
13  com.acdsystem.canvastool.ImageIO      0x000000017671b49d DoImportFile(ImportFileMsg*) + 1121
14  com.acdsystem.canvastool.ImageIO      0x00000001766ceab3 toolmain() + 970
15  com.acdsystem.canvastool.ImageIO      0x00000001766fa8d7 stdtool(TToolCallBlock*) + 119
16  com.acdsystem.canvastool.ImageIO      0x00000001766fa859 cvtool_main(TToolCallBlock*) + 9
17  com.canvasgfx.Canvas-Draw5            0x000000010af84138 0x10ae1b000 + 1478968
18  com.canvasgfx.Canvas-Draw5            0x000000010bb1ff9a 0x10ae1b000 + 13651866
19  com.canvasgfx.Canvas-Draw5            0x000000010bb1f748 0x10ae1b000 + 13649736
20  com.canvasgfx.Canvas-Draw5            0x000000010bc9e18d 0x10ae1b000 + 15217037
21  com.apple.AppKit                      0x00007fff36306214 -[NSApplication _doOpenFile:ok:tryTemp:] + 376
22  com.apple.AppKit                      0x00007fff35ee5337 -[NSApplication finishLaunching] + 2438
23  com.apple.AppKit                      0x00007fff35ee4683 -[NSApplication run] + 250
24  com.apple.AppKit                      0x00007fff35eb3a72 NSApplicationMain + 804
25  libdyld.dylib                         0x00007fff60761015 start + 1
log name is: ./crashlogs/1.crashlog.txt
exception=EXC_BAD_ACCESS:signal=11:is_exploitable= yes:instruction_disassembly=movzwl %si,CONSTANT(%rbp,%rcx,2),:instruction_address=0x000000010cd9a245:access_type=write:access_address=0x00007ffee4dea15c: Crash accessing invalid address.
2018-08-06 - Vendor Disclosure
2019-01-18 - Vendor Patched
2019-01-30 - Public Release
Discovered by Tyler Bohan of Cisco Talos.