Comment 4 for bug 18289

Ralph Corderoy (ralph-inputplus) wrote :

(In reply to comment #3)
> I'm using hoary with the latest updates. I have libtiff4 Version
> 3.6.1-5ubuntu0.1, which is the latest as far as I know.

I can repeat the problem with the same version of the programs and the
same TIFF image. Here's the same gdb but with symbolic information.

    (gdb) run /tmp/bug18289/FemBusiness28mei2005.tif
    Starting program: /home/ralph/src/libtiff4/tiff-3.6.1/tools/tiffinfo /tmp/bug18289/FemBusiness28mei2005.tif
    TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown field with tag 513 (0x201) encountered.
    TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown field with tag 514 (0x202) encountered.
    TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown field with tag 37679 (0x932f) encountered.
    TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown field with tag 37680 (0x9330) encountered.
    TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown field with tag 37681 (0x9331) encountered.

    Program received signal SIGFPE, Arithmetic exception.
    0xb7fc5867 in TIFFVStripSize (tif=0x804c008, nrows=2338) at ../libtiff/tif_strip.c:133
    133         nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);
    (gdb) bt
    #0  0xb7fc5867 in TIFFVStripSize (tif=0x804c008, nrows=2338) at ../libtiff/tif_strip.c:133
    #1  0xb7fc59a2 in TIFFStripSize (tif=0x921) at ../libtiff/tif_strip.c:181
    #2  0xb7fa43ac in TIFFReadDirectory (tif=0x804c008) at ../libtiff/tif_dirread.c:637
    #3  0xb7fbd4ea in TIFFClientOpen (name=0xbffff99a "/tmp/bug18289/FemBusiness28mei2005.tif", mode=0x8049c96 "rc", clientdata=0x6,
        readproc=0xb7fc6590 <_tiffReadProc>, writeproc=0xb7fc65d0 <_tiffWriteProc>, seekproc=0xb7fc6610 <_tiffSeekProc>,
        closeproc=0xb7fc6650 <_tiffCloseProc>, sizeproc=0xb7fc6680 <_tiffSizeProc>, mapproc=0xb7fc66c0 <_tiffMapProc>,
        unmapproc=0xb7fc66d0 <_tiffUnmapProc>) at ../libtiff/tif_open.c:367
    #4  0xb7fc6756 in TIFFFdOpen (fd=6, name=0x921 <Address 0x921 out of bounds>, mode=0x921 <Address 0x921 out of bounds>)
        at ../libtiff/tif_unix.c:129
    #5  0xb7fc67d5 in TIFFOpen (name=0xbffff99a "/tmp/bug18289/FemBusiness28mei2005.tif", mode=0x8049c96 "rc") at ../libtiff/tif_unix.c:170
    #6  0x08048efe in main (argc=2, argv=0xbffff834) at ../tools/tiffinfo.c:113
    (gdb)

libtiff/tif_strip.c:

        /*
         * Packed YCbCr data contain one Cb+Cr for every
         * HorizontalSampling*VerticalSampling Y values.
         * Must also roundup width and height when calculating
         * since images that are not a multiple of the
         * horizontal/vertical subsampling area include
         * YCbCr data for the extended image.
         */
        uint16 ycbcrsubsampling[2];
        tsize_t w, scanline, samplingarea;

        TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING,
                      ycbcrsubsampling + 0,
                      ycbcrsubsampling + 1 );

        w = TIFFroundup(td->td_imagewidth, ycbcrsubsampling[0]);
        scanline = TIFFhowmany8(multiply(tif, w, td->td_bitspersample,
                                         "TIFFVStripSize"));
        samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
133:    nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);

It's a `division by zero', I think.

    (gdb) p nrows
    $1 = 2338
    (gdb) p ycbcrsubsampling
    $2 = {2338, 0}

Parameter `y' to TIFFroundup is 0.

    #define TIFFhowmany(x, y) ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y)))
    #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))

Even if the TIFF image is corrupt in some way, libtiff should guard
against ycbcrsubsampling[1] being 0.
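As an added example (not part of the bug report or of libtiff itself), the following C program reproduces the two macros quoted above and wraps the line-133 round-up in a hypothetical guard that rejects a YCbCrSubsampling factor of 0 (or any value other than the 1, 2 or 4 the TIFF 6.0 spec allows) before the division can run. The `{2338, 0}` input is the pair the reporter printed from gdb; `strip_rows_checked` and `valid_subsampling` are names assumed here.

```c
#include <stdint.h>
#include <stdio.h>

/* Macros as quoted from libtiff 3.6.1 above (uint32 spelled as uint32_t).
 * TIFFhowmany divides by y, so y == 0 raises SIGFPE. */
#define TIFFhowmany(x, y) ((((uint32_t)(x))+(((uint32_t)(y))-1))/((uint32_t)(y)))
#define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))

/* TIFF 6.0 only allows YCbCrSubsampling factors of 1, 2 or 4; anything else
 * (including the 0 seen in this report) marks a corrupt or hostile file. */
static int valid_subsampling(uint16_t v)
{
    return v == 1 || v == 2 || v == 4;
}

/* Hypothetical guarded form of the TIFFVStripSize step at line 133:
 * returns the rounded-up row count, or -1 if either factor is invalid,
 * so the division inside TIFFhowmany never sees y == 0. */
static int64_t strip_rows_checked(uint32_t nrows, uint16_t hsub, uint16_t vsub)
{
    if (!valid_subsampling(hsub) || !valid_subsampling(vsub))
        return -1;
    return (int64_t)TIFFroundup(nrows, vsub);
}

int main(void)
{
    /* Constructed inputs: the {2338, 0} pair from the reporter's gdb session,
     * and a well-formed 2x2 subsampled image of the same height. */
    int64_t r = strip_rows_checked(2338, 2338, 0);
    printf("subsampling {2338,0}: %s\n", r < 0 ? "rejected" : "accepted");
    r = strip_rows_checked(2338, 2, 2);
    printf("subsampling {2,2}: nrows rounded to %lld\n", (long long)r);
    return 0;
}
```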