LibTIFF

eog crashed with SIGSEGV in TIFFRGBAImageGet()

Bug #591605 reported by smpahlman on 2010-06-09

270

This bug affects 1 person

	Status	Importance	Assigned to
LibTIFF	Fix Released	Medium	auto-bugzilla.maptools.org #2216
tiff (Debian)	Fix Released	Unknown	debbugs #595064
tiff (Ubuntu)	Fix Released	Medium	Unassigned
Lucid	Fix Released	Medium	Kees Cook
Maverick	Fix Released	Medium	Unassigned

Bug Description

Binary package hint: libtiff4

A crash in libtiff when opening the attached TIFF image.

==19393== Memcheck, a memory error detector
==19393== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==19393== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==19393== Command: eog /home/sauli/radamsa/tiffdst/flipr-8210.tif
==19393==
==19393== Thread 2:
==19393== Invalid read of size 1
==19393== at 0x7C91C88: TIFFYCbCrtoRGB (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4D3C: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA73EE: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393== Address 0xdca3a13 is not stack'd, malloc'd or (recently) free'd
==19393==
==19393== Invalid read of size 1
==19393== at 0x7CA4D15: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA73EE: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393== by 0x4B0ADEE: ??? (in /lib/libglib-2.0.so.0.2400.1)
==19393== Address 0xdcbab7a is 2 bytes after a block of size 80,640 alloc'd
==19393== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==19393== by 0x7CC0FCC: _TIFFmalloc (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA72B4: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393==
==19393== Invalid read of size 1
==19393== at 0x7CA4D1D: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA73EE: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393== by 0x4B0ADEE: ??? (in /lib/libglib-2.0.so.0.2400.1)
==19393== Address 0xdcbab79 is 1 bytes after a block of size 80,640 alloc'd
==19393== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==19393== by 0x7CC0FCC: _TIFFmalloc (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA72B4: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393==
==19393== Invalid read of size 1
==19393== at 0x7CA4D25: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA73EE: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393== by 0x4B0ADEE: ??? (in /lib/libglib-2.0.so.0.2400.1)
==19393== Address 0xdcbab78 is 0 bytes after a block of size 80,640 alloc'd
==19393== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==19393== by 0x7CC0FCC: _TIFFmalloc (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA72B4: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393==
==19393==
==19393== Process terminating with default action of signal 11 (SIGSEGV)
==19393== Access not within mapped region at address 0xDCC5002
==19393== at 0x7CA4D15: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA73EE: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393== by 0x4B0ADEE: ??? (in /lib/libglib-2.0.so.0.2400.1)
==19393== If you believe this happened as a result of a stack
==19393== overflow in your program's main thread (unlikely but
==19393== possible), you can try to increase the size of the
==19393== main thread stack using the --main-stacksize= flag.
==19393== The main thread stack size used in this run was 8388608.
==19393==
==19393== HEAP SUMMARY:
==19393== in use at exit: 34,346,693 bytes in 451,265 blocks
==19393== total heap usage: 2,791,590 allocs, 2,340,325 frees, 120,283,290 bytes allocated
==19393==
==19393== LEAK SUMMARY:
==19393== definitely lost: 191 bytes in 3 blocks
==19393== indirectly lost: 120 bytes in 10 blocks
==19393== possibly lost: 32,786,764 bytes in 445,202 blocks
==19393== still reachable: 1,559,618 bytes in 6,050 blocks
==19393== suppressed: 0 bytes in 0 blocks
==19393== Rerun with --leak-check=full to see details of leaked memory
==19393==
==19393== For counts of detected and suppressed errors, rerun with: -v
==19393== ERROR SUMMARY: 78597 errors from 4 contexts (suppressed: 200 from 13)
Killed

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: eog 2.30.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-22.36-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
CrashCounter: 1
Date: Wed Jun 9 09:49:48 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: eog /home/username/radamsa/tiffdst/flipr-8210.tif
ProcEnviron:
SHELL=/bin/bash
LANG=en_US.utf8
SegvAnalysis:
Segfault happened at: 0x39d8d15: movzbl 0x2(%esi),%eax
PC (0x039d8d15) ok
source "0x2(%esi)" (0xb5bb0002) in non-readable VMA region: 0xb5bb0000-0xb5c00000 ---p None
destination "%eax" ok
SegvReason: reading VMA None
Signal: 11
SourcePackage: eog
StacktraceTop:
?? () from /usr/lib/libtiff.so.4
?? () from /usr/lib/libtiff.so.4
TIFFRGBAImageGet () from /usr/lib/libtiff.so.4
TIFFReadRGBAImageOriented () from /usr/lib/libtiff.so.4
tiff_image_parse (tiff=0xb5b856e8,
Title: eog crashed with SIGSEGV in TIFFRGBAImageGet()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
(polkit-gnome-authentication-agent-1:9303): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
(gnome-terminal:9409): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed

Tags:

Related branches

lp:ubuntu/maverick-security/tiff

CVE References

Revision history for this message

smpahlman (sauli-pahlman) wrote on 2010-06-09:

Reproducer Edit (7.6 KiB, image/tiff)
Dependencies.txt Edit (4.6 KiB, text/plain; charset="utf-8")
Disassembly.txt Edit (582 bytes, text/plain; charset="utf-8")
ProcMaps.txt Edit (25.9 KiB, text/plain; charset="utf-8")
ProcStatus.txt Edit (774 bytes, text/plain; charset="utf-8")
Registers.txt Edit (509 bytes, text/plain; charset="utf-8")
Stacktrace.txt Edit (3.5 KiB, text/plain; charset="utf-8")
ThreadStacktrace.txt Edit (5.5 KiB, text/plain; charset="utf-8")

Revision history for this message

Tomas Hoger (thoger) wrote on 2010-06-10:

This seems to be crashing on buffer over-read in putcontig8bitYCbCr11tile(). gtTileContig() allocates buffer buf with size returned by TIFFTileSize() (80640 in this case). putcontig8bitYCbCr11tile() tries to read w*h*3 bytes out of it (234*213*3 = 149526 in this case).

Changed in tiff (Ubuntu):
status:	New → Confirmed

Revision history for this message

Apport retracing service (apport) wrote on 2010-06-10:

StacktraceTop:
putcontig8bitYCbCr11tile (img=0xb7688b88, cp=0xb5b856e8,
gtTileContig (img=0xb7688b88, raster=0xb5b64708, w=234,
TIFFRGBAImageGet (img=0xb7688b88, raster=0xb5b64708, w=234,
TIFFReadRGBAImageOriented (tif=0xb5b62c30, rwidth=234,
?? ()

Revision history for this message

Apport retracing service (apport) wrote on 2010-06-10: Stacktrace.txt

Stacktrace.txt Edit (2.8 KiB, text/plain)

Revision history for this message

Apport retracing service (apport) wrote on 2010-06-10: ThreadStacktrace.txt

ThreadStacktrace.txt Edit (4.1 KiB, text/plain)

Changed in tiff (Ubuntu):
importance:	Undecided → Medium
tags:	removed: need-i386-retrace

Revision history for this message

Kees Cook (kees) wrote on 2010-06-14:

This is only a problem in Lucid and later. Has an upstream bug report been opened for this issue?

Revision history for this message

Tomas Hoger (thoger) wrote on 2010-06-15:

This was mailed upstream, but they don't seem to treat is as much of a priority as it should not affect 4.0-beta. I've CCed you on rhbz#603081 which has a proposed patch.

Kees Cook (kees) on 2010-06-16

visibility:	private → public
Changed in tiff (Ubuntu Lucid):
status:	New → Fix Committed
importance:	Undecided → Medium
Changed in tiff (Ubuntu Maverick):
assignee:	nobody → Kees Cook (kees)
Changed in tiff (Ubuntu Lucid):
assignee:	nobody → Kees Cook (kees)
Changed in tiff (Ubuntu Maverick):
assignee:	Kees Cook (kees) → nobody

Revision history for this message

Kees Cook (kees) wrote on 2010-06-21:

https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-June/001109.html

Changed in tiff (Ubuntu Lucid):
status:	Fix Committed → Fix Released

Bug Watch Updater (bug-watch-updater) on 2010-08-31

Changed in libtiff:
status:	Unknown → Fix Released

Bug Watch Updater (bug-watch-updater) on 2010-10-12

Changed in tiff (Debian):
status:	Unknown → Fix Released

Bug Watch Updater (bug-watch-updater) on 2011-02-04

Changed in libtiff:
importance:	Unknown → Medium

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-03-07:

This bug was fixed in the package tiff - 3.9.4-2ubuntu0.1

---------------
tiff (3.9.4-2ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid td_stripbytecount field
    (LP: #597246)
    - debian/patches/CVE-2010-2482.patch: look for missing strip byte
      counts in libtiff/tif_ojpeg.c, tools/tiffsplit.c.
    - CVE-2010-2482
  * SECURITY UPDATE: denial of service via invalid combination of
    SamplesPerPixel and Photometric values (LP: #591605)
    - debian/patches/CVE-2010-2483.patch: validate samplesperpixel in
      libtiff/tif_getimage.c.
    - CVE-2010-2483
  * SECURITY UPDATE: denial of service via invalid ReferenceBlackWhite
    values
    - debian/patches/CVE-2010-2595.patch: validate values in
      libtiff/tif_color.c.
    - CVE-2010-2595
  * SECURITY UPDATE: denial of service via devide-by-zero (LP: #593067)
    - debian/patches/CVE-2010-2597.patch: properly initialize fields in
      libtiff/tif_strip.c.
    - CVE-2010-2597
    - CVE-2010-2598
  * SECURITY UPDATE: denial of service via out-of-order tags
    - debian/patches/CVE-2010-2630.patch: correctly handle order in
      libtiff/tif_dirread.c.
    - CVE-2010-2630
  * SECURITY UPDATE: denial of service and possible code execution via
    heap corruption in JPEGDecodeRaw
    - debian/patches/CVE-2010-3087.patch: check for overflows in
      libtiff/tif_jpeg.c, libtiff/tif_strip.c.
    - CVE-2010-3087
  * SECURITY UPDATE: denial of service and possible code execution via
    buffer overflow in Fax4Decode
    - debian/patches/CVE-2011-0192.patch: check length in
      libtiff/tif_fax3.h.
    - CVE-2011-0192
-- Marc Deslauriers <email address hidden> Thu, 03 Mar 2011 12:16:19 -0500

Changed in tiff (Ubuntu Maverick):
status:	Confirmed → Fix Released

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2011-04-27:

#10

This was fixed in Debian as of 3.9.4-4, and natty has 3.9.4-5ubuntu6.

Changed in tiff (Ubuntu):
status:	Confirmed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

Duplicates of this bug

Bug #593328

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

debbugs #595064
[done grave patch] Edit
auto-bugzilla.maptools.org #2216
[RESOLVED FIXED] Edit

Bug watches keep track of this bug in other bug trackers.

LibTIFF

eog crashed with SIGSEGV in TIFFRGBAImageGet()

Bug Description

Related branches

CVE References

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches