eog crashed with SIGSEGV in TIFFVGetField()

Bug #597246 reported by smpahlman on 2010-06-22
Affects         Status    Importance    Assigned to    Milestone
tiff (Ubuntu)             Undecided     Unassigned

Bug Description

eog crashes when opening the attached file. This looks a bit like a duplicate of: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589145 but even the fixed version has this crash. The valgrind output is below.

==21981== Thread 2:
==21981== Invalid read of size 4
==21981== at 0x7CB2346: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB32FE: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB42E8: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB4555: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7C92E79: TIFFVGetField (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7C9391A: TIFFGetField (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CC014B: TIFFScanlineSize (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7C9879F: TIFFReadDirectory (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB665B: TIFFClientOpen (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x647F205: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:485)
==21981== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==21981== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==21981== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==21981==
==21981==
==21981== Process terminating with default action of signal 11 (SIGSEGV)
==21981== Access not within mapped region at address 0x0
==21981== at 0x7CB2346: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB32FE: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB42E8: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB4555: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7C92E79: TIFFVGetField (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7C9391A: TIFFGetField (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CC014B: TIFFScanlineSize (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7C9879F: TIFFReadDirectory (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB665B: TIFFClientOpen (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x647F205: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:485)
==21981== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==21981== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==21981== If you believe this happened as a result of a stack
==21981== overflow in your program's main thread (unlikely but
==21981== possible), you can try to increase the size of the
==21981== main thread stack using the --main-stacksize= flag.
==21981== The main thread stack size used in this run was 8388608.
==21981==
==21981== HEAP SUMMARY:
==21981== in use at exit: 15,078,006 bytes in 202,407 blocks
==21981== total heap usage: 1,140,583 allocs, 938,176 frees, 45,737,907 bytes allocated
==21981==
==21981== LEAK SUMMARY:
==21981== definitely lost: 191 bytes in 3 blocks
==21981== indirectly lost: 120 bytes in 10 blocks
==21981== possibly lost: 14,259,592 bytes in 196,900 blocks
==21981== still reachable: 818,103 bytes in 5,494 blocks
==21981== suppressed: 0 bytes in 0 blocks
==21981== Rerun with --leak-check=full to see details of leaked memory
==21981==
==21981== For counts of detected and suppressed errors, rerun with: -v
==21981== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 200 from 13)
Killed

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: eog 2.30.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-22.36-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Tue Jun 22 15:36:59 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: eog /home/username/radamsa/tiffdst/fubwt-11649.tif
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.utf8
SegvAnalysis:
 Segfault happened at: 0x727d346: mov (%edx,%eax,4),%edx
 PC (0x0727d346) ok
 source "(%edx,%eax,4)" (0x00000000) not located in a known VMA region (needed readable region)!
 destination "%edx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: eog
StacktraceTop:
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 TIFFVGetField () from /usr/lib/libtiff.so.4
Title: eog crashed with SIGSEGV in TIFFVGetField()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
 (polkit-gnome-authentication-agent-1:1377): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
 (gnome-terminal:1540): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed

smpahlman (sauli-pahlman) wrote :

StacktraceTop:
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 ?? () from /usr/lib/libtiff.so.4
 TIFFVGetField () from /usr/lib/libtiff.so.4

tags: added: apport-failed-retrace
tags: removed: need-i386-retrace
Tomas Hoger (thoger) wrote :

Yeah, similar to bug #589145, now with NULL td_stripbytecount instead of td_stripoffset.

Changed in tiff (Ubuntu):
status: New → Confirmed
visibility: private → public
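The failure mode Tomas Hoger points at (a strip array pointer that is NULL because the tag never appeared in the IFD, then indexed by a caller that assumes it is present) is small enough to model in full. The following is an added example in C, not libtiff source and not the patch shipped in the fix; the struct, function and field names (tiff_dir, read_directory, strip_size_unchecked, strip_size_checked, FIELD_STRIPBYTECOUNTS) are hypothetical, the sample IFDs are constructed, and only the tag numbers 273 (StripOffsets) and 279 (StripByteCounts) are real TIFF constants. The unchecked path reproduces the shape of the SegvAnalysis above, a 4-byte read through a NULL base scaled by the strip index; the checked path shows the presence test a consumer of optional directory fields needs before dereferencing.

```c
/* Added example (not libtiff code): how an optional IFD tag becomes a NULL
 * array pointer in the parsed directory, and why a consumer that indexes it
 * without a presence check reads from address 0 + 4*strip. Names are
 * hypothetical; tag numbers are real TIFF constants. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TIFFTAG_STRIPOFFSETS    273
#define TIFFTAG_STRIPBYTECOUNTS 279

/* One parsed IFD entry: tag number plus its LONG values (constructed, no file I/O). */
typedef struct { uint16_t tag; uint32_t count; const uint32_t *values; } ifd_entry;

/* Parsed directory, modelled on libtiff's td_stripoffset / td_stripbytecount
 * pair: a pointer stays NULL when its tag is absent from the file. */
typedef struct {
    uint32_t  nstrips;
    uint32_t *stripoffset;
    uint32_t *stripbytecount;
    unsigned  fieldsset;                 /* bitmask of tags actually seen */
} tiff_dir;

enum { FIELD_STRIPOFFSETS = 1u << 0, FIELD_STRIPBYTECOUNTS = 1u << 1 };

static uint32_t *copy_longs(const uint32_t *src, uint32_t n) {
    uint32_t *p = malloc(n * sizeof *p);
    if (p) memcpy(p, src, n * sizeof *p);
    return p;
}

/* Directory reader: stores exactly what the file provides, nothing more.
 * Returns 1 if strip offsets were present (the minimum to be an image). */
static int read_directory(const ifd_entry *e, size_t n, tiff_dir *d) {
    memset(d, 0, sizeof *d);
    for (size_t i = 0; i < n; i++) {
        switch (e[i].tag) {
        case TIFFTAG_STRIPOFFSETS:
            d->stripoffset = copy_longs(e[i].values, e[i].count);
            d->nstrips = e[i].count;
            d->fieldsset |= FIELD_STRIPOFFSETS;
            break;
        case TIFFTAG_STRIPBYTECOUNTS:
            d->stripbytecount = copy_longs(e[i].values, e[i].count);
            d->fieldsset |= FIELD_STRIPBYTECOUNTS;
            break;
        default: break;                  /* other tags are irrelevant here */
        }
    }
    return d->stripoffset != NULL;
}

/* Vulnerable consumer: a get-field style accessor hands back the raw array and
 * the caller indexes it. With stripbytecount == NULL this is the 4-byte read
 * at a NULL base seen in the report's "reading NULL VMA". */
static uint32_t strip_size_unchecked(const tiff_dir *d, uint32_t strip) {
    uint32_t *sbc = d->stripbytecount;   /* what a GetField(STRIPBYTECOUNTS) returns */
    return sbc[strip];                   /* SIGSEGV when the tag was missing */
}

/* Hardened consumer: test the field-set bit (modelled on libtiff's TIFFFieldSet
 * idiom) and the strip index before touching the array. *err: 1 = tag missing,
 * 2 = strip out of range; the return value is 0 on either error. */
static uint32_t strip_size_checked(const tiff_dir *d, uint32_t strip, int *err) {
    *err = 0;
    if (!(d->fieldsset & FIELD_STRIPBYTECOUNTS) || d->stripbytecount == NULL) {
        *err = 1;                        /* missing StripByteCounts: refuse the file */
        return 0;
    }
    if (strip >= d->nstrips) { *err = 2; return 0; }
    return d->stripbytecount[strip];
}

static void free_directory(tiff_dir *d) { free(d->stripoffset); free(d->stripbytecount); }

/* Constructed sample IFDs: a well-formed one and one missing tag 279, the kind
 * of shape a mutation fuzzer produces by dropping a directory entry. */
static const uint32_t k_offsets[] = { 8 };
static const uint32_t k_counts[]  = { 4096 };
static const ifd_entry k_good_ifd[] = {
    { TIFFTAG_STRIPOFFSETS, 1, k_offsets }, { TIFFTAG_STRIPBYTECOUNTS, 1, k_counts } };
static const ifd_entry k_bad_ifd[]  = { { TIFFTAG_STRIPOFFSETS, 1, k_offsets } };

/* Returns 1 if the checked path accepts the good IFD and rejects the bad one. */
static int demo(void) {
    tiff_dir good, bad; int err_good, err_bad;
    read_directory(k_good_ifd, 2, &good);
    read_directory(k_bad_ifd, 1, &bad);
    uint32_t a = strip_size_checked(&good, 0, &err_good);
    uint32_t b = strip_size_checked(&bad, 0, &err_bad);
    int ok = (a == 4096 && err_good == 0 && b == 0 && err_bad == 1);
    /* strip_size_unchecked(&bad, 0) would SIGSEGV here; only the good IFD is safe. */
    ok = ok && strip_size_unchecked(&good, 0) == 4096;
    free_directory(&good); free_directory(&bad);
    return ok;
}

int main(void) {
    puts(demo() ? "checked path rejects missing StripByteCounts" : "FAIL");
    return 0;
}
```

The point the model makes explicit is that the directory reader is not where the bug lives: it correctly records that a tag was absent. The crash comes from a later consumer treating an optional field as mandatory, which is why the fix lands in the consumers (the changelog below names tif_ojpeg.c and tiffsplit.c) rather than in the tag parser.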
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tiff - 3.9.4-5ubuntu2

---------------
tiff (3.9.4-5ubuntu2) natty; urgency=low

  * SECURITY UPDATE: denial of service via invalid td_stripbytecount field
    (LP: #597246)
    - debian/patches/CVE-2010-2482.patch: look for missing strip byte
      counts in libtiff/tif_ojpeg.c, tools/tiffsplit.c.
    - CVE-2010-2482
  * SECURITY UPDATE: denial of service via invalid ReferenceBlackWhite
    values
    - debian/patches/CVE-2010-2595.patch: validate values in
      libtiff/tif_color.c.
    - CVE-2010-2595
  * SECURITY UPDATE: denial of service via divide-by-zero (LP: #593067)
    - debian/patches/CVE-2010-2597.patch: properly initialize fields in
      libtiff/tif_strip.c.
    - CVE-2010-2597
    - CVE-2010-2598
  * SECURITY UPDATE: denial of service via out-of-order tags
    - debian/patches/CVE-2010-2630.patch: correctly handle order in
      libtiff/tif_dirread.c.
    - CVE-2010-2630
  * SECURITY UPDATE: denial of service and possible code execution via
    buffer overflow in Fax4Decode
    - debian/patches/CVE-2011-0192.patch: check length in
      libtiff/tif_fax3.h.
    - CVE-2011-0192
 -- Marc Deslauriers <email address hidden> Thu, 03 Mar 2011 10:52:21 -0500

Changed in tiff (Ubuntu):
status: Confirmed → Fix Released