crash in tiff loader

Bug #18289 reported by Wouter Hanegraaff
Affects: tiff (Ubuntu)
Status: Fix Released
Importance: Critical
Assigned to: Martin Pitt

Bug Description

http://www.blub.net/~wouter/FemBusiness28mei2005.tif

This is a tiff image that, attached to an e-mail, makes evolution crash while
displaying the message.

Writeup describing how to retrieve data from these files: http://www.suppressingfire.org/~burner/evil-mods-tiff/
Upstream bug: http://bugzilla.gnome.org/show_bug.cgi?id=307159

Revision history for this message
Wouter Hanegraaff (wouter-openoffice) wrote :

The upstream bug report is here:

http://bugzilla.gnome.org/show_bug.cgi?id=307159

Martin Pitt (pitti) wrote :

I cannot reproduce the crash on Hoary. I attached the picture to a mail and
displayed it in evolution, which works just fine. I also tested the picture with
tiffinfo, gthumb, and a few other programs without a crash (tiffinfo also on Warty).

Do you use Warty or Hoary? Can you please install "libtiff-tools" and check whether

  tiffinfo FemBusiness28mei2005.tif

crashes?

Wouter Hanegraaff (wouter-openoffice) wrote :

I'm using hoary with the latest updates. I have libtiff4 Version
3.6.1-5ubuntu0.1, which is the latest as far as I know.
Gdb output:

; gdb tiffinfo

GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-linux"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) run FemBusiness28mei2005.tif
Starting program: /usr/bin/tiffinfo FemBusiness28mei2005.tif
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
TIFFReadDirectory: Warning, FemBusiness28mei2005.tif: unknown field with tag 513 (0x201) encountered.
TIFFReadDirectory: Warning, FemBusiness28mei2005.tif: unknown field with tag 514 (0x202) encountered.
TIFFReadDirectory: Warning, FemBusiness28mei2005.tif: unknown field with tag 37679 (0x932f) encountered.
TIFFReadDirectory: Warning, FemBusiness28mei2005.tif: unknown field with tag 37680 (0x9330) encountered.
TIFFReadDirectory: Warning, FemBusiness28mei2005.tif: unknown field with tag 37681 (0x9331) encountered.

Program received signal SIGFPE, Arithmetic exception.
0xb7fbcc7a in TIFFVStripSize () from /usr/lib/libtiff.so.4
(gdb) bt
#0 0xb7fbcc7a in TIFFVStripSize () from /usr/lib/libtiff.so.4
#1 0xb7fbcd94 in TIFFStripSize () from /usr/lib/libtiff.so.4
#2 0xb7f9d00a in TIFFReadDirectory () from /usr/lib/libtiff.so.4
#3 0xb7fb4f64 in TIFFClientOpen () from /usr/lib/libtiff.so.4
#4 0xb7fbda1e in TIFFFdOpen () from /usr/lib/libtiff.so.4
#5 0xb7fbda93 in TIFFOpen () from /usr/lib/libtiff.so.4
#6 0x08048efa in ?? ()
#7 0xbffffb46 in ?? ()
#8 0x08049bd6 in _IO_stdin_used ()
#9 0x08049ba8 in _IO_stdin_used ()
#10 0x08048a2d in _init ()
#11 0xb7e2c8c8 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#12 0x08048c91 in ?? ()

Ralph Corderoy (ralph-inputplus) wrote :

(In reply to comment #3)
> I'm using hoary with the latest updates. I have libtiff4 Version
> 3.6.1-5ubuntu0.1, which is the latest as far as I know.

I can repeat the problem with the same version of the programs and the
same TIFF image. Here's the same gdb but with symbolic information.

    (gdb) run /tmp/bug18289/FemBusiness28mei2005.tif
    Starting program: /home/ralph/src/libtiff4/tiff-3.6.1/tools/tiffinfo /tmp/bug18289/FemBusiness28mei2005.tif
    TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown field with tag 513 (0x201) encountered.
    TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown field with tag 514 (0x202) encountered.
    TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown field with tag 37679 (0x932f) encountered.
    TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown field with tag 37680 (0x9330) encountered.
    TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown field with tag 37681 (0x9331) encountered.

    Program received signal SIGFPE, Arithmetic exception.
    0xb7fc5867 in TIFFVStripSize (tif=0x804c008, nrows=2338) at ../libtiff/tif_strip.c:133
    133         nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);
    (gdb) bt
    #0  0xb7fc5867 in TIFFVStripSize (tif=0x804c008, nrows=2338) at ../libtiff/tif_strip.c:133
    #1  0xb7fc59a2 in TIFFStripSize (tif=0x921) at ../libtiff/tif_strip.c:181
    #2  0xb7fa43ac in TIFFReadDirectory (tif=0x804c008) at ../libtiff/tif_dirread.c:637
    #3  0xb7fbd4ea in TIFFClientOpen (name=0xbffff99a "/tmp/bug18289/FemBusiness28mei2005.tif", mode=0x8049c96 "rc", clientdata=0x6,
        readproc=0xb7fc6590 <_tiffReadProc>, writeproc=0xb7fc65d0 <_tiffWriteProc>, seekproc=0xb7fc6610 <_tiffSeekProc>,
        closeproc=0xb7fc6650 <_tiffCloseProc>, sizeproc=0xb7fc6680 <_tiffSizeProc>, mapproc=0xb7fc66c0 <_tiffMapProc>,
        unmapproc=0xb7fc66d0 <_tiffUnmapProc>) at ../libtiff/tif_open.c:367
    #4  0xb7fc6756 in TIFFFdOpen (fd=6, name=0x921 <Address 0x921 out of bounds>, mode=0x921 <Address 0x921 out of bounds>) at ../libtiff/tif_unix.c:129
    #5  0xb7fc67d5 in TIFFOpen (name=0xbffff99a "/tmp/bug18289/FemBusiness28mei2005.tif", mode=0x8049c96 "rc") at ../libtiff/tif_unix.c:170
    #6  0x08048efe in main (argc=2, argv=0xbffff834) at ../tools/tiffinfo.c:113
    (gdb)

libtiff/tif_strip.c:

        /*
         * Packed YCbCr data contain one Cb+Cr for every
         * HorizontalSampling*VerticalSampling Y values.
         * Must also roundup width and height when calculating
         * since images that are not a multiple of the
         * horizontal/vertical subsampling area include
         * YCbCr data for the extended image.
         */
        uint16 ycbcrsubsampling[2];
        tsize_t w, scanline, samplingarea;

        TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
                      ycbcrsubsampling + 0,
                      ycbcrsubsampling + 1 );

        w = TIFFroundup(td->td_imagewidth, ycbcrsubsampling[0]);
        scanline = TIFFhowmany8(multiply(tif, w, td->td_bitspersample,
                                         "TIFFVStripS...


Martin Pitt (pitti) wrote :

Thanks for your great analysis and the backtrace. I'm still unable to get the
crash, I tried on the same architecture as you (i386, libc6-686 installed).

For the record, I forwarded this bug to upstream and vendor-sec.

Wouter Hanegraaff (wouter-openoffice) wrote :

To reproduce, try the following:
- boot ubuntu hoary live cd
- apt-get update
- apt-get install libtiff-tools libtiff4 (libtiff4 is the only relevant package that was updated)
- wget http://www.blub.net/~wouter/FemBusiness28mei2005.tif
- tiffinfo FemBusiness28mei2005.tif

Martin Pitt (pitti) wrote :

Fixed Warty and Hoary in USN-156-1, Breezy is not affected.

Dmitry V. Levin (ldv) wrote :

Just for the record:

This issue was reported first time on 20 Oct 2004 (right after libtiff 3.7.0
release) by Vladimir Nadvornik of SuSE.

It was fixed by Vladimir Nadvornik of SuSE and Dmitry V. Levin of ALT Linux,
the patch was applied upstream on 26 Oct 2004, see
"cvs diff -up -r1.12 -r1.13 libtiff/tif_strip.c" and
"cvs diff -up -r1.8 -r1.9 libtiff/tif_tile.c".

That is, libtiff-3.7.2 handles the test image properly:
$ tiffinfo FemBusiness28mei2005.tif
TIFFReadDirectory: Warning, FemBusiness28mei2005.tif: unknown field with tag 513
(0x201) encountered.
[...]
TIFFReadDirectory: Warning, FemBusiness28mei2005.tif: unknown field with tag
37681 (0x9331) encountered.
FemBusiness28mei2005.tif: Invalid YCbCr subsampling.
TIFFReadDirectory: FemBusiness28mei2005.tif: cannot handle zero strip size.

Looks like almost all vendors just missed this fix made in October of 2004.
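
The crash in the two backtraces above and the 3.7.x behaviour described in this comment come down to one missing check: TIFFroundup() divides by the vertical YCbCr subsampling factor read from the file's directory, so a factor of 0 traps with SIGFPE in TIFFVStripSize before any pixel data is touched. The C below is an added illustration, not libtiff's code: it reproduces the shape of the TIFFhowmany/TIFFroundup helpers, places the unchecked row rounding beside a version that rejects factors outside the TIFF 6.0 set {1, 2, 4} and reports them the way the fixed library does ("Invalid YCbCr subsampling"), and runs on constructed directory values (nrows=2338 is taken from the backtrace; a zero vertical factor is assumed as the trigger). The function names and the hsub/vsub parameters are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Same shape as libtiff's TIFFhowmany/TIFFroundup helpers: round x up to
 * a multiple of y.  When y == 0 the division traps (SIGFPE), which is the
 * fault reported at tif_strip.c:133 in the backtraces above. */
#define TIFFhowmany(x, y) ((((uint32_t)(x)) + (((uint32_t)(y)) - 1)) / ((uint32_t)(y)))
#define TIFFroundup(x, y) (TIFFhowmany(x, y) * (y))

/* Unchecked variant (example's own name): mirrors the pre-fix behaviour of
 * rounding nrows straight up to whatever vertical factor the file declares. */
uint32_t strip_rows_unchecked(uint32_t nrows, uint16_t vsub)
{
    return TIFFroundup(nrows, vsub);
}

/* TIFF 6.0 permits YCbCr subsampling factors of 1, 2 or 4 only; anything
 * else, including 0, is a malformed directory. */
static int valid_subsampling(uint16_t s)
{
    return s == 1 || s == 2 || s == 4;
}

/* Hardened variant (example's own name): validate both factors before any
 * arithmetic touches them.  Returns -1 on a bad directory, otherwise the
 * rounded row count, so callers can refuse the file instead of trapping. */
int64_t strip_rows_checked(uint32_t nrows, uint16_t hsub, uint16_t vsub)
{
    if (!valid_subsampling(hsub) || !valid_subsampling(vsub))
        return -1;
    return (int64_t)TIFFroundup(nrows, vsub);
}

int main(void)
{
    /* Constructed directory values: nrows as seen in the backtrace, with a
     * zero vertical factor standing in for the malformed file's entry. */
    uint32_t nrows = 2338;
    uint16_t hsub = 2, vsub = 0;

    int64_t rows = strip_rows_checked(nrows, hsub, vsub);
    if (rows < 0)
        puts("Invalid YCbCr subsampling; refusing to compute strip size");
    else
        printf("rows per strip: %lld\n", (long long)rows);

    /* strip_rows_unchecked(nrows, vsub) would divide by zero here, so it is
     * only called with a well-formed factor. */
    printf("well-formed directory, vsub=2: %u rows\n", strip_rows_unchecked(2337, 2));
    return 0;
}
```

The ordering is the point: the validity check has to run before the first use of the factor as a divisor, which in the original code path is the TIFFroundup() call itself, not a later strip-size comparison. The separate "cannot handle zero strip size" message in the 3.7.2 output is a second, independent guard on the computed size; this example covers only the divisor check.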

Dmitry V. Levin (ldv) wrote :

Martin, the description of the CVE page for this bug
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2452) is buggy,
"libtiff 4.0" should read as "libtiff up to 3.7.0".

Could you contact the responsible person to fix the page, please?

Martin Pitt (pitti) wrote :

> Looks like almost all vendors just missed this fix made in October of 2004.

Yes, just yesterday and today I saw a lot of advisories from other distros about
this. That's rather odd, I notified vendor-sec timely.

Martin Pitt (pitti) wrote :

(In reply to comment #9)
> Martin, the description of the CVE page for this bug
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2452) is buggy,
> "libtiff 4.0" should read as "libtiff up to 3.7.0".

Already corrected. Thanks for spotting.

Michael R. Head (burner) wrote :

My brother emails me tiffs of magazine articles from work generated by the scanning system they have in place there. They always have this problem. He's not very tech-savvy, so he may not be able to configure the system to generate proper tiffs.

Anyway, I've gone through the trouble of compiling libtiff with the "old jpeg" support after patching and recompiling libjpeg. After doing this, I still can't view the file:
burner@firefighter:/tmp$ /tmp/jpg/bin/tiffinfo ~/Desktop/WELL\ LET\ ME.tif
TIFFReadDirectory: Warning, /home/burner/Desktop/WELL LET ME.tif: unknown field with tag 37679 (0x932f) encountered.
TIFFReadDirectory: Warning, /home/burner/Desktop/WELL LET ME.tif: unknown field with tag 37680 (0x9330) encountered.
TIFFReadDirectory: Warning, /home/burner/Desktop/WELL LET ME.tif: unknown field with tag 37681 (0x9331) encountered.
/home/burner/Desktop/WELL LET ME.tif: Invalid YCbCr subsampling.
TIFFReadDirectory: /home/burner/Desktop/WELL LET ME.tif: cannot handle zero strip size.

As you can see, the last 3 unknown fields are present, but I've managed to get libtiff to understand the tags 513 and 514. Sadly, I still can't get the data out.

I've collected information on this from the following links (for those that may find this bug report in the future):
http://bugzilla.remotesensing.org/show_bug.cgi?id=156
http://www.awaresystems.be/imaging/tiff/tifftags/jpeginterchangeformat.html
http://www.remotesensing.org/libtiff/TIFFTechNote2.html

I've gone so far as to run Windows' own tiff viewer, and that still couldn't extract the image data.

End result: if you get your hands on one of these "old style jpeg in tiff" files, you're pretty much out of luck. You'll have to negotiate with the file supplier to provide it in a different format.

Michael R. Head (burner) wrote :

OK, maybe you won't be out of luck. After reading Pete Savage's blog post about recovering data, I was able to extract the jpeg living inside my tiff and finally view the image as intended. Others may find the "foremost" program helpful: https://launchpad.net/distros/ubuntu/+source/foremost

foremost was able to discover 2 jpegs (one thumbnail as well as the original scan) and an OLE document inside the evil TIFF, and it extracted them into their own files.
Just run it like so: "foremost evil.tiff" and it'll put all the files it finds underneath an "output" directory.
