Bug 603024 - libtiff: OJPEGReadBufferFill() NULL pointer deref
Summary: libtiff: OJPEGReadBufferFill() NULL pointer deref
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libtiff
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Tom Lane
QA Contact: Martin Cermak
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2010-06-11 10:30 UTC by Tomas Hoger
Modified: 2019-06-11 11:38 UTC (History)
Clone Of:
Last Closed: 2010-11-10 21:04:37 UTC


Attachments
Reproducer (3.36 KB, application/x-gzip)
2010-06-11 10:32 UTC, Tomas Hoger
Upstream patch (1.07 KB, patch)
2010-06-11 10:33 UTC, Tomas Hoger
Extra check for td_stripbytecount (594 bytes, patch)
2010-06-22 13:50 UTC, Tomas Hoger
thoger: review? (tgl)


External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 589145 None None None Never
Launchpad 597246 None None None Never

Description Tomas Hoger 2010-06-11 10:30:34 UTC
Description of problem:
Originally reported by Sauli Pahlman in Launchpad:
  https://bugs.launchpad.net/bugs/589145

Attached tif file triggers NULL pointer dereference in OJPEG handling code.

Version-Release number of selected component (if applicable):
libtiff-3.9.2-3.el6.i686

Steps to Reproduce:
tiff2rgba lp589145-sample.tif /dev/null

Additional info:

Program received signal SIGSEGV, Segmentation fault.
0x00962250 in OJPEGReadBufferFill (sp=0x804cbf8) at tif_ojpeg.c:1912
1912						sp->in_buffer_file_pos=sp->tif->tif_dir.td_stripoffset[sp->in_buffer_next_strile];  

(gdb) print sp->tif->tif_dir.td_stripoffset
$1 = (toff_t *) 0x0

(gdb) bt
#0  0x00962250 in OJPEGReadBufferFill (sp=0x804cbf8) at tif_ojpeg.c:1912
#1  0x00963327 in OJPEGReadBytePeek (byte=<value optimized out>, sp=<value optimized out>) at tif_ojpeg.c:1956
#2  OJPEGReadHeaderInfoSec (byte=<value optimized out>, sp=<value optimized out>) at tif_ojpeg.c:1231
#3  0x00964319 in OJPEGSubsamplingCorrect (tif=0x804c548) at tif_ojpeg.c:959
#4  0x00964586 in OJPEGVGetField (tif=<value optimized out>, tag=<value optimized out>, ap=<value optimized out>)
    at tif_ojpeg.c:466
#5  0x00942fbb in TIFFVGetField (tif=<value optimized out>, tag=<value optimized out>, ap=<value optimized out>)
    at tif_dir.c:966
#6  0x00943a1c in TIFFGetField (tif=<value optimized out>, tag=<value optimized out>) at tif_dir.c:950
#7  0x00970204 in TIFFScanlineSize (tif=<value optimized out>) at tif_strip.c:237
#8  0x0094876b in TIFFReadDirectory (tif=<value optimized out>) at tif_dirread.c:713
#9  0x0096670c in TIFFClientOpen (name=<value optimized out>, mode=<value optimized out>, 
    clientdata=<value optimized out>, readproc=<value optimized out>, writeproc=<value optimized out>, 
    seekproc=<value optimized out>, closeproc=<value optimized out>, sizeproc=<value optimized out>, 
    mapproc=<value optimized out>, unmapproc=<value optimized out>) at tif_open.c:436
#10 0x009714c3 in TIFFFdOpen (fd=<value optimized out>, name=<value optimized out>, mode=<value optimized out>)
    at tif_unix.c:139
#11 0x0097154d in TIFFOpen (name=<value optimized out>, mode=<value optimized out>) at tif_unix.c:178
#12 0x08048d24 in main (argc=<value optimized out>, argv=<value optimized out>) at tiff2rgba.c:112

Comment 1 Tomas Hoger 2010-06-11 10:32:45 UTC
Created attachment 423231 [details]
Reproducer

Test file from https://bugs.launchpad.net/bugs/589145

Adding as private for now, while Launchpad bug is private.

Comment 2 Tomas Hoger 2010-06-11 10:33:20 UTC
Created attachment 423232 [details]
Upstream patch

Comment 3 Tomas Hoger 2010-06-11 10:34:55 UTC
With the patch applied, this file still crashes rgb2ycbcr.  Crash seems similar to bug #583081.

Comment 4 RHEL Product and Program Management 2010-06-11 10:43:10 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 5 Tomas Hoger 2010-06-11 13:28:28 UTC
(In reply to comment #3)
> With the patch applied, this file still crashes rgb2ycbcr.  Crash seems similar
> to bug #583081.    

There's no crash after applying patch from:
  http://bugzilla.maptools.org/show_bug.cgi?id=2207

Comment 6 Tom Lane 2010-06-11 15:51:17 UTC
Proposed patch looks sane to me.

This appears to be just a null-pointer-dereference crash and not exploitable for ACE, but still possibly should be considered a security issue on DoS grounds.

Comment 7 Tomas Hoger 2010-06-14 07:31:45 UTC
(In reply to comment #2)
> Created an attachment (id=423232) [details]
> Upstream patch    

This patch is included in new upstream version 3.9.3:

    * libtiff/tif_ojpeg.c (OJPEGReadBufferFill): Report an error and
    avoid a crash if the input file is so broken that the strip
    offsets are not defined.

Comment 8 Tomas Hoger 2010-06-15 07:11:11 UTC
Opening bug: the original Launchpad bug is now public, and the fix is included in tiff 3.9.3 (see comment #7).

Comment 9 Tomas Hoger 2010-06-22 13:50:54 UTC
Created attachment 425925 [details]
Extra check for td_stripbytecount

There's a similar problem with td_stripbytecount, which can be NULL a few lines below the td_stripoffset check added in the upstream patch.  The attached fix extends the check to td_stripbytecount and returns an error in a similar way to the upstream patch in comment #2.
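As an added example that is not part of this bug report or of libtiff's own code, the C model below mirrors the strip lookup at tif_ojpeg.c:1912 that crashed and shows the checks the upstream patch (td_stripoffset) and the follow-up patch in this comment (td_stripbytecount) introduce. The struct layout, the function names and the extra td_nstrips bound check are assumptions made for the example.

```c
/* Added example, not libtiff's code: simplified model of the strip lookup in
 * OJPEGReadBufferFill() with the NULL checks from the upstream fix and the
 * follow-up td_stripbytecount patch. Layout and names are constructed. */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t toff_t;

/* Constructed stand-in for the TIFFDirectory fields the lookup touches.
 * A malformed file (missing StripOffsets/StripByteCounts tag) leaves the
 * corresponding array NULL, which is exactly what the reproducer triggers. */
struct tiff_dir {
    toff_t   *td_stripoffset;
    toff_t   *td_stripbytecount;
    uint32_t  td_nstrips;
};

struct ojpeg_state {
    struct tiff_dir *dir;
    uint32_t in_buffer_next_strile;
    toff_t   in_buffer_file_pos;
    toff_t   in_buffer_file_togo;
};

/* Unchecked lookup as in 3.9.2: dereferences both arrays blindly, so a NULL
 * array is a segfault. Only valid for well-formed directories. */
int strile_lookup_unchecked(struct ojpeg_state *sp)
{
    sp->in_buffer_file_pos  = sp->dir->td_stripoffset[sp->in_buffer_next_strile];
    sp->in_buffer_file_togo = sp->dir->td_stripbytecount[sp->in_buffer_next_strile];
    return 1;
}

/* Hardened lookup: report an error and return 0 instead of crashing when
 * either array is missing; the strile bound check is an added assumption. */
int strile_lookup_checked(struct ojpeg_state *sp)
{
    struct tiff_dir *d = sp->dir;
    if (d->td_stripoffset == NULL || d->td_stripbytecount == NULL) {
        fprintf(stderr, "OJPEGReadBufferFill: strip offsets or byte counts missing\n");
        return 0;
    }
    if (sp->in_buffer_next_strile >= d->td_nstrips) {
        fprintf(stderr, "OJPEGReadBufferFill: strip index out of range\n");
        return 0;
    }
    sp->in_buffer_file_pos  = d->td_stripoffset[sp->in_buffer_next_strile];
    sp->in_buffer_file_togo = d->td_stripbytecount[sp->in_buffer_next_strile];
    return 1;
}
```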

Comment 11 Tom Lane 2010-06-23 04:26:47 UTC
Re comment #9: I've included that patch in the Fedora packages just posted.  RHEL-6 build is awaiting ACKs on a couple of other bugs.

Comment 12 Tomas Hoger 2010-06-23 06:54:12 UTC
(In reply to comment #11)
> Re comment #9: I've included that patch in the Fedora packages just posted. 
> RHEL-6 build is awaiting ACKs on a couple of other bugs.    

Can you upstream the bug for that issue too?  I don't have an account in their BZ.  TY!

Comment 13 Tomas Hoger 2010-06-23 09:23:50 UTC
Oh, reported in http://bugzilla.maptools.org/show_bug.cgi?id=1996 already.

Comment 17 Martin Cermak 2010-09-08 07:15:28 UTC
=> VERIFIED

Comment 18 releng-rhel@redhat.com 2010-11-10 21:04:37 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

