Bug 603081

Summary: libtiff: OOB read in putcontig8bitYCbCr11tile
Product: Red Hat Enterprise Linux 6
Reporter: Tomas Hoger <thoger>
Component: libtiff
Assignee: Tom Lane <tgl>
Status: CLOSED CURRENTRELEASE
QA Contact: Martin Cermak <mcermak>
Severity: medium
Priority: medium
Version: 6.0
CC: azelinka, herrold, hhorak, kees, mcermak, vdanen
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: libtiff-3.9.4-1.el6
Doc Type: Bug Fix
Last Closed: 2010-11-10 21:04:39 UTC
Bug Blocks: 611900
Attachments: Reproducer (flags: none), patch (flags: none)

Description Tomas Hoger 2010-06-11 13:45:32 UTC
Description of problem:
Originally reported by Sauli Pahlman in Launchpad:
  https://bugs.launchpad.net/bugs/591605

Attached tif file triggers out-of-bounds read in putcontig8bitYCbCr11tile.

pp points to a buffer allocated in gtTileContig with the size of TIFFTileSize(tif).  For this file, it's 80640.  putcontig8bitYCbCr11tile tries to read w*h*3 bytes out of it (234*213*3 == 149526).

Version-Release number of selected component (if applicable):
libtiff-3.9.2-3.el6.i686

Additional info:

Program received signal SIGSEGV, Segmentation fault.
0x008a7e15 in putcontig8bitYCbCr11tile (img=<value optimized out>, cp=0xb7fed420, x=<value optimized out>, 
    y=<value optimized out>, w=<value optimized out>, h=<value optimized out>, fromskew=<value optimized out>, 
    toskew=<value optimized out>, pp=0x806d000 <Address 0x806d000 out of bounds>) at tif_getimage.c:1986
1986				YCbCrtoRGB(*cp++, pp[0]);

(gdb) bt
#0  0x008a7e15 in putcontig8bitYCbCr11tile (img=<value optimized out>, cp=0xb7fed420, x=<value optimized out>, 
    y=<value optimized out>, w=<value optimized out>, h=<value optimized out>, fromskew=<value optimized out>, 
    toskew=<value optimized out>, pp=0x806d000 <Address 0x806d000 out of bounds>) at tif_getimage.c:1986
#1  0x008aa52e in gtTileContig (img=<value optimized out>, raster=<value optimized out>, w=<value optimized out>, 
    h=<value optimized out>) at tif_getimage.c:629
#2  0x008a7103 in TIFFRGBAImageGet (img=<value optimized out>, raster=<value optimized out>, w=<value optimized out>, 
    h=<value optimized out>) at tif_getimage.c:461
#3  0x008ac750 in TIFFReadRGBAImageOriented (tif=<value optimized out>, rwidth=<value optimized out>, 
    rheight=<value optimized out>, raster=<value optimized out>, orientation=<value optimized out>, 
    stop=<value optimized out>) at tif_getimage.c:480
#4  0x080495c8 in cvt_whole_image (out=<value optimized out>, in=<value optimized out>) at tiff2rgba.c:401
#5  tiffcvt (out=<value optimized out>, in=<value optimized out>) at tiff2rgba.c:519
#6  main (out=<value optimized out>, in=<value optimized out>) at tiff2rgba.c:115

This may be related to bug #583081, however patches linked there do not address this problem.

Comment 1 Tomas Hoger 2010-06-11 13:50:53 UTC
Created attachment 423278 [details]
Reproducer

Test file from: https://bugs.launchpad.net/bugs/591605

Adding as private for now, while Launchpad bug is private.

Comment 4 RHEL Program Management 2010-06-11 14:13:06 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 6 Tom Lane 2010-06-11 16:17:19 UTC
Created attachment 423329 [details]
patch

Specifically, what we need is this patch, which duplicates into PickContigCase() a safety check that already existed in PickSeparateCase().
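The size mismatch from the description (an 80640-byte tile buffer fed to a routine that reads w*h*3 = 149526 bytes) and the pre-dispatch safety check mentioned in this comment, modelled as an added example in C. This is not libtiff's code and not the attached patch; the overflow-safe size computation, the guarded conversion loop and the fixed-point BT.601 conversion (standing in for libtiff's TIFFYCbCrToRGB tables) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not libtiff's own code. A putcontig8bitYCbCr11tile-style loop
 * reads 3 bytes per pixel of a w x h tile, so the contiguous tile buffer
 * (TIFFTileSize bytes) must hold at least w*h*3 bytes before the loop runs. */

/* Bytes the 1x1-subsampled YCbCr routine reads; 0 if w*h*3 overflows size_t. */
size_t ycbcr11_bytes_needed(uint32_t w, uint32_t h)
{
    uint64_t n = (uint64_t)w * h;
    if (n > SIZE_MAX / 3) return 0;
    return (size_t)n * 3;
}

/* 1 if a tile buffer of tile_size bytes can feed a w x h conversion. */
int ycbcr11_tile_fits(size_t tile_size, uint32_t w, uint32_t h)
{
    size_t need = ycbcr11_bytes_needed(w, h);
    return need != 0 && need <= tile_size;
}

static uint8_t clamp8(int v) { return v < 0 ? 0 : v > 255 ? 255 : (uint8_t)v; }

/* Full-range BT.601 YCbCr -> RGB in 16.16 fixed point, packed the way
 * libtiff's PACK() lays out a raster pixel: R | G<<8 | B<<16 | 0xff<<24.
 * (Assumption: a stand-in for the table-driven conversion libtiff uses.) */
uint32_t ycbcr_to_rgba(uint8_t y, uint8_t cb, uint8_t cr)
{
    int c = cb - 128, d = cr - 128;
    uint8_t r = clamp8(y + (91881 * d >> 16));
    uint8_t g = clamp8(y - ((22554 * c + 46802 * d) >> 16));
    uint8_t b = clamp8(y + (116130 * c >> 16));
    return (uint32_t)r | (uint32_t)g << 8 | (uint32_t)b << 16 | 0xff000000u;
}

/* Guarded tile conversion: returns -1 instead of reading past the end of pp
 * when the buffer cannot supply w*h pixels; otherwise converts the tile into
 * raster and returns the number of pixels written. */
long convert_ycbcr11_tile(const uint8_t *pp, size_t tile_size,
                          uint32_t w, uint32_t h, uint32_t *raster)
{
    if (!ycbcr11_tile_fits(tile_size, w, h)) return -1;
    size_t px = (size_t)w * h;
    for (size_t i = 0; i < px; i++, pp += 3)
        raster[i] = ycbcr_to_rgba(pp[0], pp[1], pp[2]);
    return (long)px;
}
```

With the report's numbers, ycbcr11_tile_fits(80640, 234, 213) is false and the conversion is refused rather than running off the end of the tile buffer.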

Comment 7 Tom Lane 2010-06-11 16:22:56 UTC
Comment #0 fails to spell out a test case ... try this:

tiff2rgba lp591605-sample.tif /dev/null

Comment 8 Tomas Hoger 2010-06-16 18:20:36 UTC
Opening bug; the original Launchpad report is public now.

Comment 9 Tom Lane 2010-06-16 22:30:22 UTC
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216

Comment 11 Vincent Danen 2010-07-06 14:52:19 UTC
This issue was assigned CVE-2010-2483

Comment 14 Martin Cermak 2010-09-08 14:10:02 UTC
=> VERIFIED

Comment 15 releng-rhel@redhat.com 2010-11-10 21:04:39 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.