Ubuntu
tiff package

eog crashed with SIGSEGV in __memcpy_ssse3()

Bug #589565 reported by smpahlman
264
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tiff (Ubuntu)
Fix Released
Medium
Unassigned
Lucid
Fix Released
Medium
Unassigned
Maverick
Fix Released
Medium
Unassigned

Bug Description

Binary package hint: libtiff4

Any application using libtiff will segfault because of a null dereference when opening the attached TIFF-file. Valgrind seems to crash when debugging eog with the attached file, but the output until the crash was:

==10652== Invalid write of size 1
==10652== at 0x402689F: memcpy (mc_replace_strmem.c:497)
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF767: TIFFReadEncodedStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA717A: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==10652== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x97bba3e is 2 bytes before a block of size 0 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==10652== by 0x7CC0FCC: _TIFFmalloc (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBE7D9: TIFFReadBufferSetup (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF1AB: TIFFFillStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF767: TIFFReadEncodedStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA717A: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==10652== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652==
==10652== Invalid write of size 1
==10652== at 0x40268A7: memcpy (mc_replace_strmem.c:497)
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF767: TIFFReadEncodedStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA717A: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==10652== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x97bba3d is 3 bytes before a block of size 0 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==10652== by 0x7CC0FCC: _TIFFmalloc (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBE7D9: TIFFReadBufferSetup (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF1AB: TIFFFillStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF767: TIFFReadEncodedStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA717A: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==10652== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652==
==10652== Invalid write of size 1
==10652== at 0x40268B0: memcpy (mc_replace_strmem.c:497)
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF767: TIFFReadEncodedStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA717A: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==10652== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x97bba3c is 4 bytes before a block of size 0 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==10652== by 0x7CC0FCC: _TIFFmalloc (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBE7D9: TIFFReadBufferSetup (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF1AB: TIFFFillStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF767: TIFFReadEncodedStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA717A: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==10652== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652==
==10652== Invalid write of size 1
==10652== at 0x40268B9: memcpy (mc_replace_strmem.c:497)
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF767: TIFFReadEncodedStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA717A: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==10652== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x97bba3b is 5 bytes before a block of size 0 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==10652== by 0x7CC0FCC: _TIFFmalloc (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBE7D9: TIFFReadBufferSetup (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF1AB: TIFFFillStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF767: TIFFReadEncodedStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA717A: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==10652== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652==
==10652== Invalid read of size 1
==10652== at 0x40268B4: memcpy (mc_replace_strmem.c:497)
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF767: TIFFReadEncodedStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA717A: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==10652== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x8af4e17 is 1 bytes before a block of size 16,384 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==10652== by 0x4024FAA: realloc (vg_replace_malloc.c:525)
==10652== by 0x4AE8DEF: g_try_realloc (in /lib/libglib-2.0.so.0.2400.1)
==10652== by 0x647EBBC: gdk_pixbuf__tiff_image_load_increment (io-tiff.c:538)
==10652== by 0x477ED1D: gdk_pixbuf_loader_write (gdk-pixbuf-loader.c:473)
==10652== by 0x807C323: eog_image_load (eog-image.c:991)
==10652== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==10652== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==10652== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==10652== by 0x4B0ADEE: ??? (in /lib/libglib-2.0.so.0.2400.1)
==10652== by 0x4A4C96D: start_thread (pthread_create.c:300)
==10652== by 0x4EBAA4D: clone (clone.S:130)
==10652==
==10652== Invalid read of size 1
==10652== at 0x4026898: memcpy (mc_replace_strmem.c:497)
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF767: TIFFReadEncodedStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA717A: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==10652== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x8af4e16 is 2 bytes before a block of size 16,384 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==10652== by 0x4024FAA: realloc (vg_replace_malloc.c:525)
==10652== by 0x4AE8DEF: g_try_realloc (in /lib/libglib-2.0.so.0.2400.1)
==10652== by 0x647EBBC: gdk_pixbuf__tiff_image_load_increment (io-tiff.c:538)
==10652== by 0x477ED1D: gdk_pixbuf_loader_write (gdk-pixbuf-loader.c:473)
==10652== by 0x807C323: eog_image_load (eog-image.c:991)
==10652== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==10652== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==10652== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==10652== by 0x4B0ADEE: ??? (in /lib/libglib-2.0.so.0.2400.1)
==10652== by 0x4A4C96D: start_thread (pthread_create.c:300)
==10652== by 0x4EBAA4D: clone (clone.S:130)
==10652==
==10652== Invalid read of size 1
==10652== at 0x40268A2: memcpy (mc_replace_strmem.c:497)
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF767: TIFFReadEncodedStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA717A: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==10652== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x8af4e15 is 3 bytes before a block of size 16,384 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==10652== by 0x4024FAA: realloc (vg_replace_malloc.c:525)
==10652== by 0x4AE8DEF: g_try_realloc (in /lib/libglib-2.0.so.0.2400.1)
==10652== by 0x647EBBC: gdk_pixbuf__tiff_image_load_increment (io-tiff.c:538)
==10652== by 0x477ED1D: gdk_pixbuf_loader_write (gdk-pixbuf-loader.c:473)
==10652== by 0x807C323: eog_image_load (eog-image.c:991)
==10652== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==10652== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==10652== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==10652== by 0x4B0ADEE: ??? (in /lib/libglib-2.0.so.0.2400.1)
==10652== by 0x4A4C96D: start_thread (pthread_create.c:300)
==10652== by 0x4EBAA4D: clone (clone.S:130)
==10652==
==10652== Invalid read of size 1
==10652== at 0x40268AB: memcpy (mc_replace_strmem.c:497)
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF767: TIFFReadEncodedStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA717A: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==10652== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== Address 0x8af4e14 is 4 bytes before a block of size 16,384 alloc'd
==10652== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==10652== by 0x4024FAA: realloc (vg_replace_malloc.c:525)
==10652== by 0x4AE8DEF: g_try_realloc (in /lib/libglib-2.0.so.0.2400.1)
==10652== by 0x647EBBC: gdk_pixbuf__tiff_image_load_increment (io-tiff.c:538)
==10652== by 0x477ED1D: gdk_pixbuf_loader_write (gdk-pixbuf-loader.c:473)
==10652== by 0x807C323: eog_image_load (eog-image.c:991)
==10652== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==10652== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==10652== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==10652== by 0x4B0ADEE: ??? (in /lib/libglib-2.0.so.0.2400.1)
==10652== by 0x4A4C96D: start_thread (pthread_create.c:300)
==10652== by 0x4EBAA4D: clone (clone.S:130)
==10652==
==10652==
==10652== Process terminating with default action of signal 11 (SIGSEGV)
==10652== Access not within mapped region at address 0x88BFFFF
==10652== at 0x40268B4: memcpy (mc_replace_strmem.c:497)
==10652== by 0x647EA85: tiff_load_read (string3.h:52)
==10652== by 0x7CBF022: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF1D5: TIFFFillStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CBF767: TIFFReadEncodedStrip (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA717A: ??? (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==10652== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==10652== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==10652== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==10652== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==10652== If you believe this happened as a result of a stack
==10652== overflow in your program's main thread (unlikely but
==10652== possible), you can try to increase the size of the
==10652== main thread stack using the --main-stacksize= flag.
==10652== The main thread stack size used in this run was 8388608.
--10652-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--10652-- si_code=1; Faulting address: 0x6E656D75; sp: 0x62d59094

valgrind: the 'impossible' happened:
   Killed by fatal signal
==10652== at 0x38033D7E: mkFreeBlock (m_mallocfree.c:244)
==10652== by 0x380355A9: vgPlain_arena_free (m_mallocfree.c:1478)
==10652== by 0x38064818: vgPlain_cli_free (replacemalloc_core.c:95)
==10652== by 0x38001F61: die_and_free_mem (mc_malloc_wrappers.c:123)
==10652== by 0x38002A37: vgMemCheck_free (mc_malloc_wrappers.c:324)
==10652== by 0x3806715F: vgPlain_scheduler (scheduler.c:1384)
==10652== by 0x38030E66: final_tidyup (m_main.c:2590)
==10652== by 0x38030FBC: shutdown_actions_NORETURN (m_main.c:2396)
==10652== by 0x3809429B: run_a_thread_NORETURN (syswrap-linux.c:146)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==10652== at 0x4024B3A: free (vg_replace_malloc.c:366)
==10652== by 0x4F09BB7: ??? (in /lib/tls/i686/cmov/libc-2.11.1.so)
==10652== by 0x4F098A6: ??? (in /lib/tls/i686/cmov/libc-2.11.1.so)
==10652== by 0x4F0A119: ??? (in /lib/tls/i686/cmov/libc-2.11.1.so)
==10652== by 0x401F4F3: _vgnU_freeres (vg_preloaded.c:62)
==10652== by 0x7B18BB7: ???
==10652== by 0x4514D1B: gtk_tree_model_get_flags (gtktreemodel.c:922)
==10652== by 0x43F38A6: gtk_icon_view_set_cell_data (gtkiconview.c:4474)
==10652== by 0x43F443C: gtk_icon_view_calculate_item_size (gtkiconview.c:2988)
==10652== by 0x43F9AD6: gtk_icon_view_layout (gtkiconview.c:2815)
==10652== by 0x43F9B87: layout_callback (gtkiconview.c:3385)
==10652== by 0x46D7357: gdk_threads_dispatch (gdk.c:512)
==10652== by 0x4ADE660: ??? (in /lib/libglib-2.0.so.0.2400.1)
==10652== by 0x4AE05E4: g_main_context_dispatch (in /lib/libglib-2.0.so.0.2400.1)
==10652== by 0x4AE42D7: ??? (in /lib/libglib-2.0.so.0.2400.1)
==10652== by 0x4AE4816: g_main_loop_run (in /lib/libglib-2.0.so.0.2400.1)
==10652== by 0x4423308: gtk_main (gtkmain.c:1219)
==10652== by 0x8060800: main (main.c:239)

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: eog 2.30.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Fri Jun 4 10:31:42 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: eog /home/username/radamsa/tiffdst/permu-826.tif
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.utf8
SegvAnalysis:
 Segfault happened at: 0x6b17bbe <__memcpy_ssse3+3006>: fmull 0x488bdc4a(%ecx)
 PC (0x06b17bbe) ok
 source "0x488bdc4a(%ecx)" (0x488bdc49) not located in a known VMA region (needed readable region)!
SegvReason: reading unknown VMA
Signal: 11
SourcePackage: eog
StacktraceTop:
 __memcpy_ssse3 ()
 ?? ()
 ?? () from /usr/lib/libtiff.so.4
 TIFFFillStrip () from /usr/lib/libtiff.so.4
 TIFFReadEncodedStrip () from /usr/lib/libtiff.so.4
Title: eog crashed with SIGSEGV in __memcpy_ssse3()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
 (polkit-gnome-authentication-agent-1:5468): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (gnome-terminal:5577): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed

CVE References

Revision history for this message
smpahlman (sauli-pahlman) wrote :
Revision history for this message
Apport retracing service (apport) wrote :

StacktraceTop:
 ?? () from /lib/tls/i686/cmov/libc.so.6
 ?? ()
 TIFFReadRawStrip1 (tif=0xffffffff, strip=185877048,
 TIFFFillStrip (tif=0xaabb8b0, strip=0) at tif_read.c:348
 TIFFReadEncodedStrip (tif=0xaabb8b0, strip=0,

Revision history for this message
Apport retracing service (apport) wrote : Stacktrace.txt
Revision history for this message
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in tiff (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Revision history for this message
Tomas Hoger (thoger) wrote :

I don't see a NULL deref here. There is a TIFFroundup() integer overflow in TIFFFillStrip() (as bytecount is 0xffffffff), that causes TIFFReadBufferSetup() to be called with size==0, so it does tif->tif_rawdata = malloc(0). Hence TIFFReadRawStrip1() is called with insufficiently sized buffer and negative size argument (uint32 -> tsize_t/int32 cast). It calls application-provided read callback, gtk+'s tiff_load_read() in this case, which tries to memcpy way too much data.

Revision history for this message
smpahlman (sauli-pahlman) wrote :

Sorry, classifying as null deref was my mistake. I accidentally left that in this report when I copy-pasted the report description from another bug report.

Revision history for this message
Tomas Hoger (thoger) wrote :

This should not affect libtiff 3.8.2 and earlier, as they use tsize_t (signed int32) type for bytecount and hence values that can overflow in TIFFroundup are rejected earlier. Type change was done in tif_read.c CVS rev 1.16, according to commit message, in response to request to support files with 2+GB size (bug http://bugzilla.remotesensing.org/show_bug.cgi?id=890 , but that bugzilla instance is no longer running, new libtiff BZ has different bug under id 890).

Looking at the 4.0 development code, it seems this file should no longer trigger a crash there, as it uses 64bit types. Same problem should occur there if bytecount value provided by the file is 2^64-1 instead of 2^32-1 (I've not checked if (Big)TIFF format allows that, just reading the code). That version also contains following integer overflow check: ((uint64)bytecountm!=bytecount) , but it seems that check can only catch some problems (but not this one) on systems where sizeof(tmsize_t) != sizeof(uint64).

Revision history for this message
Tomas Hoger (thoger) wrote :

I forgot to list this link to some mailing list posts related to libtiff bz890:
  http://www.asmail.be/msg0055287979.html

Scratch my 4.0 note too, I missed the check in TIFFReadBufferSetup that makes sure TIFFroundup_64 result is not 0, and which seems to be sufficient on both 32- and 64-bit Linux systems.

Revision history for this message
Tomas Hoger (thoger) wrote :

This patch is inspired by libtiff 4.0 code. It does not do TIFFroundup() in TIFFFillStrip() (and TIFFFillTile()), as it's done in TIFFReadBufferSetup() anyway. Patch adds TIFFroundup() return value check to TIFFReadBufferSetup().

Revision history for this message
Tomas Hoger (thoger) wrote :
Revision history for this message
Tomas Hoger (thoger) wrote :

Updated upstream CVS fix.

Tomas Hoger (thoger)
Changed in tiff (Ubuntu):
status: New → Confirmed
Revision history for this message
Tomas Hoger (thoger) wrote :

Upstream patch attached in comment #11 now included in version 3.9.3.

Revision history for this message
Kees Cook (kees) wrote :

CVE-2010-2065

Kees Cook (kees)
visibility: private → public
Kees Cook (kees)
Changed in tiff (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in tiff (Ubuntu Lucid):
status: New → Fix Committed
importance: Undecided → Medium
Revision history for this message
Kees Cook (kees) wrote :

https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-June/001109.html

Changed in tiff (Ubuntu Lucid):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.