eog crashed with SIGSEGV in __memset_sse2()

Bug #593067 reported by smpahlman on 2010-06-12
This bug affects 1 person
Affects: tiff (Ubuntu)

Bug Description

Binary package hint: eog

eog crashes occasionally when opening the attached reproducer. The file probably makes some branch depend on some uninitialized data since the segfault takes place only occasionally and the backtrace changes from time to time.

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: eog 2.30.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-22.36-generic
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Sat Jun 12 17:50:04 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: eog /home/username/radamsa/tiffdst/flipr-12498.tif
 Segfault happened at: 0x4f3f1b8 <__memset_sse2+712>: movntdq %xmm0,0x70(%edx)
 PC (0x04f3f1b8) ok
 source "%xmm0" ok
 destination "0x70(%edx)" (0xb50dc000) not located in a known VMA region (needed writable region)!
SegvReason: writing unknown VMA
Signal: 11
SourcePackage: eog
 __memset_sse2 () at ../sysdeps/i386/i686/multiarch/memset-sse2.S:384
 _TIFFmemset () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 TIFFRGBAImageGet () from /usr/lib/libtiff.so.4
 TIFFReadRGBAImageOriented () from /usr/lib/libtiff.so.4
Title: eog crashed with SIGSEGV in __memset_sse2()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
 (polkit-gnome-authentication-agent-1:9303): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (gnome-terminal:9409): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed

smpahlman (sauli-pahlman) wrote:
affects: eog (Ubuntu) → tiff (Ubuntu)

 ?? () from /lib/tls/i686/cmov/libc.so.6
 _TIFFmemset (p=0xb11df008, v=0, c=82253054)
 gtStripContig (img=0xb7724b88, raster=0x9a6eb68, w=512,
 TIFFRGBAImageGet (img=0xb7724b88, raster=0x9a6eb68, w=512,
 TIFFReadRGBAImageOriented (tif=0x9fa4f00, rwidth=512,
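The retraced frames above show _TIFFmemset being asked to clear 82253054 bytes of a raster sized for a 512-pixel-wide image. The C below is an added example, not libtiff's code or the Ubuntu patch: a hypothetical bounds-checked strip fill that refuses a fill count which would run past the allocated raster, using the numbers from this report as constructed input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Multiply with overflow check; returns 0 on success, -1 on overflow. */
static int checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Hypothetical helper (not libtiff's): clears rows*row_bytes at
 * raster+offset only when that span lies inside raster_bytes.
 * Returns 0 on success, -1 (touching nothing) when the span would
 * overrun the buffer or the size computation overflows. */
int fill_strip_checked(uint8_t *raster, size_t raster_bytes,
                       size_t offset, size_t rows, size_t row_bytes) {
    size_t span;
    if (raster == NULL) return -1;
    if (checked_mul(rows, row_bytes, &span)) return -1;
    if (offset > raster_bytes) return -1;
    if (span > raster_bytes - offset) return -1;  /* the overrun case */
    memset(raster + offset, 0, span);
    return 0;
}

/* Reproduces the shape of the reported crash with constructed numbers:
 * a 512x512 RGBA raster (1 MiB) against the 82253054-byte count seen
 * in the backtrace. Returns 1 when the oversized fill is rejected and a
 * correctly sized fill of the same raster is accepted. */
int demo_rejects_oversized_fill(void) {
    static uint8_t raster[512 * 512 * 4];
    size_t bogus_count = 82253054;  /* the c= value from the backtrace */
    int bad = fill_strip_checked(raster, sizeof raster, 0, 1, bogus_count);
    int ok  = fill_strip_checked(raster, sizeof raster, 0, 512, 512 * 4);
    return bad == -1 && ok == 0;
}

int main(void) {
    printf("oversized fill rejected: %s\n",
           demo_rejects_oversized_fill() ? "yes" : "no");
    return 0;
}
```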

Changed in tiff (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Kees Cook (kees) on 2010-06-24
visibility: private → public
Tomas Hoger (thoger) on 2010-06-29
Changed in tiff (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package tiff - 3.9.4-5ubuntu2

tiff (3.9.4-5ubuntu2) natty; urgency=low

  * SECURITY UPDATE: denial of service via invalid td_stripbytecount field
    (LP: #597246)
    - debian/patches/CVE-2010-2482.patch: look for missing strip byte
      counts in libtiff/tif_ojpeg.c, tools/tiffsplit.c.
    - CVE-2010-2482
  * SECURITY UPDATE: denial of service via invalid ReferenceBlackWhite
    - debian/patches/CVE-2010-2595.patch: validate values in
    - CVE-2010-2595
  * SECURITY UPDATE: denial of service via divide-by-zero (LP: #593067)
    - debian/patches/CVE-2010-2597.patch: properly initialize fields in
    - CVE-2010-2597
    - CVE-2010-2598
  * SECURITY UPDATE: denial of service via out-of-order tags
    - debian/patches/CVE-2010-2630.patch: correctly handle order in
    - CVE-2010-2630
  * SECURITY UPDATE: denial of service and possible code execution via
    buffer overflow in Fax4Decode
    - debian/patches/CVE-2011-0192.patch: check length in
    - CVE-2011-0192
 -- Marc Deslauriers <email address hidden> Thu, 03 Mar 2011 10:52:21 -0500

Changed in tiff (Ubuntu):
status: Confirmed → Fix Released