eog crashed with SIGSEGV in TIFFRGBAImageGet()

Bug #591605 reported by smpahlman on 2010-06-09
270
This bug affects 1 person
Affects Status Importance Assigned to Milestone
LibTIFF
Fix Released
Medium
tiff (Debian)
Fix Released
Unknown
tiff (Ubuntu)
Medium
Unassigned
Lucid
Medium
Kees Cook
Maverick
Medium
Unassigned

Bug Description

Binary package hint: libtiff4

A crash in libtiff when opening the attached TIFF image.

==19393== Memcheck, a memory error detector
==19393== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==19393== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==19393== Command: eog /home/sauli/radamsa/tiffdst/flipr-8210.tif
==19393==
==19393== Thread 2:
==19393== Invalid read of size 1
==19393== at 0x7C91C88: TIFFYCbCrtoRGB (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4D3C: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA73EE: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393== Address 0xdca3a13 is not stack'd, malloc'd or (recently) free'd
==19393==
==19393== Invalid read of size 1
==19393== at 0x7CA4D15: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA73EE: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393== by 0x4B0ADEE: ??? (in /lib/libglib-2.0.so.0.2400.1)
==19393== Address 0xdcbab7a is 2 bytes after a block of size 80,640 alloc'd
==19393== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==19393== by 0x7CC0FCC: _TIFFmalloc (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA72B4: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393==
==19393== Invalid read of size 1
==19393== at 0x7CA4D1D: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA73EE: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393== by 0x4B0ADEE: ??? (in /lib/libglib-2.0.so.0.2400.1)
==19393== Address 0xdcbab79 is 1 bytes after a block of size 80,640 alloc'd
==19393== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==19393== by 0x7CC0FCC: _TIFFmalloc (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA72B4: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393==
==19393== Invalid read of size 1
==19393== at 0x7CA4D25: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA73EE: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393== by 0x4B0ADEE: ??? (in /lib/libglib-2.0.so.0.2400.1)
==19393== Address 0xdcbab78 is 0 bytes after a block of size 80,640 alloc'd
==19393== at 0x4024F20: malloc (vg_replace_malloc.c:236)
==19393== by 0x7CC0FCC: _TIFFmalloc (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA72B4: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393==
==19393==
==19393== Process terminating with default action of signal 11 (SIGSEGV)
==19393== Access not within mapped region at address 0xDCC5002
==19393== at 0x7CA4D15: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA73EE: ??? (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA4011: TIFFRGBAImageGet (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x7CA95FF: TIFFReadRGBAImageOriented (in /usr/lib/libtiff.so.4.3.2)
==19393== by 0x647EEF9: tiff_image_parse (io-tiff.c:292)
==19393== by 0x647F2FE: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:498)
==19393== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==19393== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==19393== by 0x808804F: eog_job_load_run (eog-jobs.c:336)
==19393== by 0x8087DA3: eog_job_run (eog-jobs.c:153)
==19393== by 0x80877D6: eog_render_thread (eog-job-queue.c:77)
==19393== by 0x4B0ADEE: ??? (in /lib/libglib-2.0.so.0.2400.1)
==19393== If you believe this happened as a result of a stack
==19393== overflow in your program's main thread (unlikely but
==19393== possible), you can try to increase the size of the
==19393== main thread stack using the --main-stacksize= flag.
==19393== The main thread stack size used in this run was 8388608.
==19393==
==19393== HEAP SUMMARY:
==19393== in use at exit: 34,346,693 bytes in 451,265 blocks
==19393== total heap usage: 2,791,590 allocs, 2,340,325 frees, 120,283,290 bytes allocated
==19393==
==19393== LEAK SUMMARY:
==19393== definitely lost: 191 bytes in 3 blocks
==19393== indirectly lost: 120 bytes in 10 blocks
==19393== possibly lost: 32,786,764 bytes in 445,202 blocks
==19393== still reachable: 1,559,618 bytes in 6,050 blocks
==19393== suppressed: 0 bytes in 0 blocks
==19393== Rerun with --leak-check=full to see details of leaked memory
==19393==
==19393== For counts of detected and suppressed errors, rerun with: -v
==19393== ERROR SUMMARY: 78597 errors from 4 contexts (suppressed: 200 from 13)
Killed

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: eog 2.30.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-22.36-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
CrashCounter: 1
Date: Wed Jun 9 09:49:48 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: eog /home/username/radamsa/tiffdst/flipr-8210.tif
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.utf8
SegvAnalysis:
 Segfault happened at: 0x39d8d15: movzbl 0x2(%esi),%eax
 PC (0x039d8d15) ok
 source "0x2(%esi)" (0xb5bb0002) in non-readable VMA region: 0xb5bb0000-0xb5c00000 ---p None
 destination "%eax" ok
SegvReason: reading VMA None
Signal: 11
SourcePackage: eog
StacktraceTop:
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 TIFFRGBAImageGet () from /usr/lib/libtiff.so.4
 TIFFReadRGBAImageOriented () from /usr/lib/libtiff.so.4
 tiff_image_parse (tiff=0xb5b856e8,
Title: eog crashed with SIGSEGV in TIFFRGBAImageGet()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
 (polkit-gnome-authentication-agent-1:9303): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (gnome-terminal:9409): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed

smpahlman (sauli-pahlman) wrote :
Tomas Hoger (thoger) wrote :

This seems to be crashing on buffer over-read in putcontig8bitYCbCr11tile(). gtTileContig() allocates buffer buf with size returned by TIFFTileSize() (80640 in this case). putcontig8bitYCbCr11tile() tries to read w*h*3 bytes out of it (234*213*3 = 149526 in this case).

Changed in tiff (Ubuntu):
status: New → Confirmed

StacktraceTop:
 putcontig8bitYCbCr11tile (img=0xb7688b88, cp=0xb5b856e8,
 gtTileContig (img=0xb7688b88, raster=0xb5b64708, w=234,
 TIFFRGBAImageGet (img=0xb7688b88, raster=0xb5b64708, w=234,
 TIFFReadRGBAImageOriented (tif=0xb5b62c30, rwidth=234,
 ?? ()

Changed in tiff (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Kees Cook (kees) wrote :

This is only a problem in Lucid and later. Has an upstream bug report been opened for this issue?

Tomas Hoger (thoger) wrote :

This was mailed upstream, but they don't seem to treat is as much of a priority as it should not affect 4.0-beta. I've CCed you on rhbz#603081 which has a proposed patch.

Kees Cook (kees) on 2010-06-16
visibility: private → public
Changed in tiff (Ubuntu Lucid):
status: New → Fix Committed
importance: Undecided → Medium
Changed in tiff (Ubuntu Maverick):
assignee: nobody → Kees Cook (kees)
Changed in tiff (Ubuntu Lucid):
assignee: nobody → Kees Cook (kees)
Changed in tiff (Ubuntu Maverick):
assignee: Kees Cook (kees) → nobody
Kees Cook (kees) wrote :
Changed in tiff (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in libtiff:
status: Unknown → Fix Released
Changed in tiff (Debian):
status: Unknown → Fix Released
Changed in libtiff:
importance: Unknown → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.9.4-2ubuntu0.1

---------------
tiff (3.9.4-2ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid td_stripbytecount field
    (LP: #597246)
    - debian/patches/CVE-2010-2482.patch: look for missing strip byte
      counts in libtiff/tif_ojpeg.c, tools/tiffsplit.c.
    - CVE-2010-2482
  * SECURITY UPDATE: denial of service via invalid combination of
    SamplesPerPixel and Photometric values (LP: #591605)
    - debian/patches/CVE-2010-2483.patch: validate samplesperpixel in
      libtiff/tif_getimage.c.
    - CVE-2010-2483
  * SECURITY UPDATE: denial of service via invalid ReferenceBlackWhite
    values
    - debian/patches/CVE-2010-2595.patch: validate values in
      libtiff/tif_color.c.
    - CVE-2010-2595
  * SECURITY UPDATE: denial of service via devide-by-zero (LP: #593067)
    - debian/patches/CVE-2010-2597.patch: properly initialize fields in
      libtiff/tif_strip.c.
    - CVE-2010-2597
    - CVE-2010-2598
  * SECURITY UPDATE: denial of service via out-of-order tags
    - debian/patches/CVE-2010-2630.patch: correctly handle order in
      libtiff/tif_dirread.c.
    - CVE-2010-2630
  * SECURITY UPDATE: denial of service and possible code execution via
    heap corruption in JPEGDecodeRaw
    - debian/patches/CVE-2010-3087.patch: check for overflows in
      libtiff/tif_jpeg.c, libtiff/tif_strip.c.
    - CVE-2010-3087
  * SECURITY UPDATE: denial of service and possible code execution via
    buffer overflow in Fax4Decode
    - debian/patches/CVE-2011-0192.patch: check length in
      libtiff/tif_fax3.h.
    - CVE-2011-0192
 -- Marc Deslauriers <email address hidden> Thu, 03 Mar 2011 12:16:19 -0500

Changed in tiff (Ubuntu Maverick):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

This was fixed in Debian as of 3.9.4-4, and natty has 3.9.4-5ubuntu6.

Changed in tiff (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.