(In reply to comment #3)
> I'm using hoary with the latest updates. I have libtiff4 Version
> 3.6.1-5ubuntu0.1, which is the latest as far as I know.
I can repeat the problem with the same version of the programs and the
same TIFF image. Here's the same gdb but with symbolic information.
(gdb) run /tmp/bug18289/FemBusiness28mei2005.tif
Starting program: /home/ralph/src/libtiff4/tiff-3.6.1/tools/tiffinfo
/tmp/bug18289/FemBusiness28mei2005.tif
TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown
field with tag 513 (0x201) encountered.
TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown
field with tag 514 (0x202) encountered.
TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown
field with tag 37679 (0x932f) encountered.
TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown
field with tag 37680 (0x9330) encountered.
TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown
field with tag 37681 (0x9331) encountered.
Program received signal SIGFPE, Arithmetic exception.
0xb7fc5867 in TIFFVStripSize (tif=0x804c008, nrows=2338) at
../libtiff/tif_strip.c:133
133 nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);
(gdb) bt
#0 0xb7fc5867 in TIFFVStripSize (tif=0x804c008, nrows=2338) at
../libtiff/tif_strip.c:133
#1 0xb7fc59a2 in TIFFStripSize (tif=0x921) at ../libtiff/tif_strip.c:181
#2 0xb7fa43ac in TIFFReadDirectory (tif=0x804c008) at
../libtiff/tif_dirread.c:637
#3 0xb7fbd4ea in TIFFClientOpen (name=0xbffff99a
"/tmp/bug18289/FemBusiness28mei2005.tif", mode=0x8049c96 "rc", clientdata=0x6, readproc=0xb7fc6590 <_tiffReadProc>, writeproc=0xb7fc65d0
<_tiffWriteProc>, seekproc=0xb7fc6610 <_tiffSeekProc>, closeproc=0xb7fc6650 <_tiffCloseProc>, sizeproc=0xb7fc6680
<_tiffSizeProc>, mapproc=0xb7fc66c0 <_tiffMapProc>, unmapproc=0xb7fc66d0 <_tiffUnmapProc>) at ../libtiff/tif_open.c:367
#4 0xb7fc6756 in TIFFFdOpen (fd=6, name=0x921 <Address 0x921 out of
bounds>, mode=0x921 <Address 0x921 out of bounds>)
at ../libtiff/tif_unix.c:129
#5 0xb7fc67d5 in TIFFOpen (name=0xbffff99a
"/tmp/bug18289/FemBusiness28mei2005.tif", mode=0x8049c96 "rc") at
../libtiff/tif_unix.c:170
#6 0x08048efe in main (argc=2, argv=0xbffff834) at ../tools/tiffinfo.c:113
(gdb)
libtiff/tif_strip.c:
/*
* Packed YCbCr data contain one Cb+Cr for every
* HorizontalSampling*VerticalSampling Y values.
* Must also roundup width and height when calculating
* since images that are not a multiple of the
* horizontal/vertical subsampling area include
* YCbCr data for the extended image.
*/
uint16 ycbcrsubsampling[2];
tsize_t w, scanline, samplingarea;
(In reply to comment #3)
> I'm using hoary with the latest updates. I have libtiff4 Version
> 3.6.1-5ubuntu0.1, which is the latest as far as I know.
I can repeat the problem with the same version of the programs and the
same TIFF image. Here's the same gdb but with symbolic information.
(gdb) run /tmp/bug18289/FemBusiness28mei2005.tif
Starting program: /home/ralph/src/libtiff4/tiff-3.6.1/tools/tiffinfo
/tmp/bug18289/FemBusiness28mei2005.tif
TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown
field with tag 513 (0x201) encountered.
TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown
field with tag 514 (0x202) encountered.
TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown
field with tag 37679 (0x932f) encountered.
TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown
field with tag 37680 (0x9330) encountered.
TIFFReadDirectory: Warning, /tmp/bug18289/FemBusiness28mei2005.tif: unknown
field with tag 37681 (0x9331) encountered.
Program received signal SIGFPE, Arithmetic exception.
0xb7fc5867 in TIFFVStripSize (tif=0x804c008, nrows=2338) at
../libtiff/tif_strip.c:133
133 nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);
(gdb) bt
#0 0xb7fc5867 in TIFFVStripSize (tif=0x804c008, nrows=2338) at
../libtiff/tif_strip.c:133
#1 0xb7fc59a2 in TIFFStripSize (tif=0x921) at ../libtiff/tif_strip.c:181
#2 0xb7fa43ac in TIFFReadDirectory (tif=0x804c008) at
../libtiff/tif_dirread.c:637
#3 0xb7fbd4ea in TIFFClientOpen (name=0xbffff99a
"/tmp/bug18289/FemBusiness28mei2005.tif", mode=0x8049c96 "rc", clientdata=0x6,
readproc=0xb7fc6590 <_tiffReadProc>, writeproc=0xb7fc65d0
<_tiffWriteProc>, seekproc=0xb7fc6610 <_tiffSeekProc>,
closeproc=0xb7fc6650 <_tiffCloseProc>, sizeproc=0xb7fc6680
<_tiffSizeProc>, mapproc=0xb7fc66c0 <_tiffMapProc>,
unmapproc=0xb7fc66d0 <_tiffUnmapProc>) at ../libtiff/tif_open.c:367
#4 0xb7fc6756 in TIFFFdOpen (fd=6, name=0x921 <Address 0x921 out of
bounds>, mode=0x921 <Address 0x921 out of bounds>)
at ../libtiff/tif_unix.c:129
#5 0xb7fc67d5 in TIFFOpen (name=0xbffff99a
"/tmp/bug18289/FemBusiness28mei2005.tif", mode=0x8049c96 "rc") at
../libtiff/tif_unix.c:170
#6 0x08048efe in main (argc=2, argv=0xbffff834) at ../tools/tiffinfo.c:113
(gdb)
libtiff/tif_strip.c:
/*
* Packed YCbCr data contain one Cb+Cr for every
* HorizontalSampling*VerticalSampling Y values.
* Must also roundup width and height when calculating
* since images that are not a multiple of the
* horizontal/vertical subsampling area include
* YCbCr data for the extended image.
*/
uint16 ycbcrsubsampling[2];
tsize_t w, scanline, samplingarea;
w = TIFFroundup(td->td_imagewidth, ycbcrsubsampling[0]);
scanline = TIFFhowmany8(multiply(tif, w, td->td_bitspersample,
"TIFFVStripSize"));
samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1];
133: nrows = TIFFroundup(nrows, ycbcrsubsampling[1]);
It's a `division by zero', I think.
(gdb) p nrows
$1 = 2338
(gdb) p ycbcrsubsampling
$2 = {2338, 0}
Parameter `y' to TIFFroundup is 0.
#define TIFFhowmany(x, y) ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y)))
#define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y))
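Even if the TIFF image is corrupt in some way, libtiff should guard
against ycbcrsubsampling[1] being 0. ycbcrsubsampling[0] is used as a
divisor in the same way, in the TIFFroundup call on td->td_imagewidth,
so it needs the same check.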