eog crashed with SIGSEGV in __memset_sse2()

Bug #593067 reported by smpahlman on 2010-06-12
Affects: tiff (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: eog

eog crashes occasionally when opening the attached reproducer. The file probably makes some branch depend on some uninitialized data since the segfault takes place only occasionally and the backtrace changes from time to time.

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: eog 2.30.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-22.36-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Sat Jun 12 17:50:04 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: eog /home/username/radamsa/tiffdst/flipr-12498.tif
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.utf8
SegvAnalysis:
 Segfault happened at: 0x4f3f1b8 <__memset_sse2+712>: movntdq %xmm0,0x70(%edx)
 PC (0x04f3f1b8) ok
 source "%xmm0" ok
 destination "0x70(%edx)" (0xb50dc000) not located in a known VMA region (needed writable region)!
SegvReason: writing unknown VMA
Signal: 11
SourcePackage: eog
StacktraceTop:
 __memset_sse2 () at ../sysdeps/i386/i686/multiarch/memset-sse2.S:384
 _TIFFmemset () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 TIFFRGBAImageGet () from /usr/lib/libtiff.so.4
 TIFFReadRGBAImageOriented () from /usr/lib/libtiff.so.4
Title: eog crashed with SIGSEGV in __memset_sse2()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
 (polkit-gnome-authentication-agent-1:9303): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (gnome-terminal:9409): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed

smpahlman (sauli-pahlman) wrote :
affects: eog (Ubuntu) → tiff (Ubuntu)

StacktraceTop:
 ?? () from /lib/tls/i686/cmov/libc.so.6
 _TIFFmemset (p=0xb11df008, v=0, c=82253054)
 gtStripContig (img=0xb7724b88, raster=0x9a6eb68, w=512,
 TIFFRGBAImageGet (img=0xb7724b88, raster=0x9a6eb68, w=512,
 TIFFReadRGBAImageOriented (tif=0x9fa4f00, rwidth=512,

Changed in tiff (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Kees Cook (kees) on 2010-06-24
visibility: private → public
Tomas Hoger (thoger) on 2010-06-29
Changed in tiff (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.9.4-5ubuntu2

---------------
tiff (3.9.4-5ubuntu2) natty; urgency=low

  * SECURITY UPDATE: denial of service via invalid td_stripbytecount field
    (LP: #597246)
    - debian/patches/CVE-2010-2482.patch: look for missing strip byte
      counts in libtiff/tif_ojpeg.c, tools/tiffsplit.c.
    - CVE-2010-2482
  * SECURITY UPDATE: denial of service via invalid ReferenceBlackWhite
    values
    - debian/patches/CVE-2010-2595.patch: validate values in
      libtiff/tif_color.c.
    - CVE-2010-2595
  * SECURITY UPDATE: denial of service via divide-by-zero (LP: #593067)
    - debian/patches/CVE-2010-2597.patch: properly initialize fields in
      libtiff/tif_strip.c.
    - CVE-2010-2597
    - CVE-2010-2598
  * SECURITY UPDATE: denial of service via out-of-order tags
    - debian/patches/CVE-2010-2630.patch: correctly handle order in
      libtiff/tif_dirread.c.
    - CVE-2010-2630
  * SECURITY UPDATE: denial of service and possible code execution via
    buffer overflow in Fax4Decode
    - debian/patches/CVE-2011-0192.patch: check length in
      libtiff/tif_fax3.h.
    - CVE-2011-0192
 -- Marc Deslauriers <email address hidden> Thu, 03 Mar 2011 10:52:21 -0500

Changed in tiff (Ubuntu):
status: Confirmed → Fix Released
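The divide-by-zero and the oversized memset recorded in this report both come from strip geometry computed out of tags that can be absent or zero. As an added illustration, not libtiff's code or the CVE-2010-2597 patch, the C function below computes a strip size only after validating every divisor and bounding the product. The page does not say which tif_strip.c fields were left uninitialized, so the example assumes the YCbCr subsampling factors and RowsPerStrip, uses a hypothetical geometry struct, and applies a constructed size cap:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified stand-in for the TIFF directory fields a strip-size
 * computation reads. Not libtiff's TIFFDirectory; field names are hypothetical.
 * A tag absent from the file is left at 0 here, standing in for the
 * uninitialized field the changelog above refers to. */
typedef struct {
    uint32_t imagewidth, imagelength, rowsperstrip;
    uint16_t bitspersample, samplesperpixel;
    uint16_t subsampling_h, subsampling_v;  /* YCbCr subsampling: only 1, 2, 4 are valid */
} tiff_geom;

#define STRIP_BYTES_CAP (64ull << 20)   /* constructed sanity limit for one strip */

static uint64_t howmany(uint64_t x, uint64_t y) { return (x + y - 1) / y; }

/* Returns the size in bytes of one strip, or 0 if the geometry is unusable.
 * Every divisor is validated before use and the product is bounded, so a
 * crafted or missing tag yields a clean rejection instead of a divide-by-zero
 * or a multi-megabyte memset like the 82253054-byte one in the backtrace. */
uint64_t safe_strip_size(const tiff_geom *g)
{
    if (!g->imagewidth || !g->imagelength || !g->bitspersample || !g->samplesperpixel)
        return 0;
    if (g->bitspersample > 32 || g->samplesperpixel > 8)        /* implausible tags */
        return 0;
    uint16_t h = g->subsampling_h, v = g->subsampling_v;
    if ((h != 1 && h != 2 && h != 4) || (v != 1 && v != 2 && v != 4))
        return 0;                               /* a 0 here would divide by zero below */
    /* RowsPerStrip is optional: default to the whole image and clamp to it. */
    uint64_t rows = g->rowsperstrip ? g->rowsperstrip : g->imagelength;
    if (rows > g->imagelength) rows = g->imagelength;
    uint64_t row_bits, nrows;                   /* bits per (block) row, rows to multiply */
    if (g->samplesperpixel == 3 && (h > 1 || v > 1)) {
        /* Subsampled YCbCr: each h*v pixel block stores h*v luma + 2 chroma samples. */
        row_bits = howmany(g->imagewidth, h) * (uint64_t)(h * v + 2) * g->bitspersample;
        nrows = howmany(rows, v);
    } else {
        row_bits = (uint64_t)g->imagewidth * g->samplesperpixel * g->bitspersample;
        nrows = rows;
    }
    if (nrows > (STRIP_BYTES_CAP * 8) / row_bits)   /* bound the product before multiplying */
        return 0;
    return howmany(row_bits * nrows, 8);
}

int main(void)
{
    tiff_geom ok  = {512, 512, 64, 8, 3, 1, 1};
    tiff_geom bad = {512, 512, 64, 8, 3, 0, 0};   /* subsampling tags never set */
    printf("valid strip: %llu bytes\n", (unsigned long long)safe_strip_size(&ok));
    printf("zero subsampling: %llu (rejected)\n", (unsigned long long)safe_strip_size(&bad));
    return 0;
}
```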