Bug 603024 - libtiff: OJPEGReadBufferFill() NULL pointer deref
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libtiff
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Tom Lane
QA Contact: Martin Cermak
Reported: 2010-06-11 06:30 EDT by Tomas Hoger
Modified: 2013-07-02 23:29 EDT (History)
Fixed In Version: libtiff-3.9.4-1.el6
Doc Type: Bug Fix
Last Closed: 2010-11-10 16:04:37 EST
Attachments:
Reproducer (3.36 KB, application/x-gzip) - 2010-06-11 06:32 EDT, Tomas Hoger
Upstream patch (1.07 KB, patch) - 2010-06-11 06:33 EDT, Tomas Hoger
Extra check for td_stripbytecount (594 bytes, patch) - 2010-06-22 09:50 EDT, Tomas Hoger; flag: thoger: review? (tgl)


External Trackers:
Launchpad 589145
Launchpad 597246

Description Tomas Hoger 2010-06-11 06:30:34 EDT
Description of problem:
Originally reported by Sauli Pahlman in Launchpad:
  https://bugs.launchpad.net/bugs/589145

Attached tif file triggers NULL pointer dereference in OJPEG handling code.

Version-Release number of selected component (if applicable):
libtiff-3.9.2-3.el6.i686

Steps to Reproduce:
tiff2rgba lp589145-sample.tif /dev/null

Additional info:

Program received signal SIGSEGV, Segmentation fault.
0x00962250 in OJPEGReadBufferFill (sp=0x804cbf8) at tif_ojpeg.c:1912
1912						sp->in_buffer_file_pos=sp->tif->tif_dir.td_stripoffset[sp->in_buffer_next_strile];  

(gdb) print sp->tif->tif_dir.td_stripoffset
$1 = (toff_t *) 0x0

(gdb) bt
#0  0x00962250 in OJPEGReadBufferFill (sp=0x804cbf8) at tif_ojpeg.c:1912
#1  0x00963327 in OJPEGReadBytePeek (byte=<value optimized out>, sp=<value optimized out>) at tif_ojpeg.c:1956
#2  OJPEGReadHeaderInfoSec (byte=<value optimized out>, sp=<value optimized out>) at tif_ojpeg.c:1231
#3  0x00964319 in OJPEGSubsamplingCorrect (tif=0x804c548) at tif_ojpeg.c:959
#4  0x00964586 in OJPEGVGetField (tif=<value optimized out>, tag=<value optimized out>, ap=<value optimized out>)
    at tif_ojpeg.c:466
#5  0x00942fbb in TIFFVGetField (tif=<value optimized out>, tag=<value optimized out>, ap=<value optimized out>)
    at tif_dir.c:966
#6  0x00943a1c in TIFFGetField (tif=<value optimized out>, tag=<value optimized out>) at tif_dir.c:950
#7  0x00970204 in TIFFScanlineSize (tif=<value optimized out>) at tif_strip.c:237
#8  0x0094876b in TIFFReadDirectory (tif=<value optimized out>) at tif_dirread.c:713
#9  0x0096670c in TIFFClientOpen (name=<value optimized out>, mode=<value optimized out>, 
    clientdata=<value optimized out>, readproc=<value optimized out>, writeproc=<value optimized out>, 
    seekproc=<value optimized out>, closeproc=<value optimized out>, sizeproc=<value optimized out>, 
    mapproc=<value optimized out>, unmapproc=<value optimized out>) at tif_open.c:436
#10 0x009714c3 in TIFFFdOpen (fd=<value optimized out>, name=<value optimized out>, mode=<value optimized out>)
    at tif_unix.c:139
#11 0x0097154d in TIFFOpen (name=<value optimized out>, mode=<value optimized out>) at tif_unix.c:178
#12 0x08048d24 in main (argc=<value optimized out>, argv=<value optimized out>) at tiff2rgba.c:112
Comment 1 Tomas Hoger 2010-06-11 06:32:45 EDT
Created attachment 423231 [details]
Reproducer

Test file from https://bugs.launchpad.net/bugs/589145

Adding as private for now, while Launchpad bug is private.
Comment 2 Tomas Hoger 2010-06-11 06:33:20 EDT
Created attachment 423232 [details]
Upstream patch
Comment 3 Tomas Hoger 2010-06-11 06:34:55 EDT
With the patch applied, this file still crashes rgb2ycbcr.  Crash seems similar to bug #583081.
Comment 4 RHEL Product and Program Management 2010-06-11 06:43:10 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 5 Tomas Hoger 2010-06-11 09:28:28 EDT
(In reply to comment #3)
> With the patch applied, this file still crashes rgb2ycbcr.  Crash seems similar
> to bug #583081.    

There's no crash after applying patch from:
  http://bugzilla.maptools.org/show_bug.cgi?id=2207
Comment 6 Tom Lane 2010-06-11 11:51:17 EDT
Proposed patch looks sane to me.

This appears to be just a null-pointer-dereference crash and not exploitable for ACE, but still possibly should be considered a security issue on DoS grounds.
Comment 7 Tomas Hoger 2010-06-14 03:31:45 EDT
(In reply to comment #2)
> Created an attachment (id=423232) [details]
> Upstream patch    

This patch is included in new upstream version 3.9.3:

    * libtiff/tif_ojpeg.c (OJPEGReadBufferFill): Report an error and
    avoid a crash if the input file is so broken that the strip
    offsets are not defined.
Comment 8 Tomas Hoger 2010-06-15 03:11:11 EDT
Opening bug; the original Launchpad bug is now public, and the fix is included in tiff 3.9.3 (see comment #7).
Comment 9 Tomas Hoger 2010-06-22 09:50:54 EDT
Created attachment 425925 [details]
Extra check for td_stripbytecount

There's a similar problem with td_stripbytecount, which can be NULL a few lines below the td_stripoffset check added in the upstream patch.  The attached fix extends the check to td_stripbytecount and returns an error in a similar way to the upstream patch in comment #2.
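As an added illustration of the two checks described in comments #7 and #9 (this is example code written for this page, not libtiff's own; the types and directory fields are simplified stand-ins, and the bounds check on the strip index is an extra defensive step not taken from the patches):

```c
#include <stdio.h>
#include <stdint.h>

/* Simplified stand-ins for the libtiff types and directory fields that
   OJPEGReadBufferFill touches; constructed for this example. */
typedef uint32_t toff_t;
typedef uint32_t tstrip_t;
typedef struct {
    toff_t  *td_stripoffset;    /* NULL when the file never defined StripOffsets */
    toff_t  *td_stripbytecount; /* NULL when StripByteCounts is missing (comment #9) */
    tstrip_t td_nstrips;
} TIFFDirectory;

typedef struct { TIFFDirectory tif_dir; } TIFF;

typedef struct {
    TIFF    *tif;
    tstrip_t in_buffer_next_strile;
    toff_t   in_buffer_file_pos;
    toff_t   in_buffer_file_togo;
} OJPEGState;

/* Shape of the fix: check both strip tables before indexing them instead of
   dereferencing NULL. Returns 1 on success, 0 for a malformed file
   (libtiff reports through TIFFErrorExt; stderr stands in for it here). */
static int ojpeg_locate_strile(OJPEGState *sp)
{
    const TIFFDirectory *td = &sp->tif->tif_dir;
    if (td->td_stripoffset == NULL || td->td_stripbytecount == NULL) {
        fprintf(stderr, "OJPEGReadBufferFill: strip offsets/byte counts not defined\n");
        return 0;
    }
    if (sp->in_buffer_next_strile >= td->td_nstrips)
        return 0;  /* defensive bounds check, added in this example only */
    sp->in_buffer_file_pos  = td->td_stripoffset[sp->in_buffer_next_strile];
    sp->in_buffer_file_togo = td->td_stripbytecount[sp->in_buffer_next_strile];
    return 1;
}

/* Builds a one-strip directory with the tables present or missing (constructed
   data) and runs the locate step. Returns the strip's file offset, or -1 when
   the hardened check rejected the file, as it does for the reproducer (0, 0). */
long demo(int have_offsets, int have_counts)
{
    toff_t offsets[1] = { 4104 }, counts[1] = { 512 };
    TIFF tif = { { have_offsets ? offsets : NULL, have_counts ? counts : NULL, 1 } };
    OJPEGState sp = { &tif, 0, 0, 0 };
    return ojpeg_locate_strile(&sp) ? (long)sp.in_buffer_file_pos : -1L;
}
```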
Comment 11 Tom Lane 2010-06-23 00:26:47 EDT
Re comment #9: I've included that patch in the Fedora packages just posted.  RHEL-6 build is awaiting ACKs on a couple of other bugs.
Comment 12 Tomas Hoger 2010-06-23 02:54:12 EDT
(In reply to comment #11)
> Re comment #9: I've included that patch in the Fedora packages just posted. 
> RHEL-6 build is awaiting ACKs on a couple of other bugs.    

Can you file an upstream bug for that issue too?  I don't have an account in their BZ.  TY!
Comment 13 Tomas Hoger 2010-06-23 05:23:50 EDT
Oh, reported in http://bugzilla.maptools.org/show_bug.cgi?id=1996 already.
Comment 17 Martin Cermak 2010-09-08 03:15:28 EDT
=> VERIFIED
Comment 18 releng-rhel@redhat.com 2010-11-10 16:04:37 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.
