603024 – libtiff: OJPEGReadBufferFill() NULL pointer deref

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 603024 - libtiff: OJPEGReadBufferFill() NULL pointer deref

Summary: libtiff: OJPEGReadBufferFill() NULL pointer deref

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	libtiff
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Tom Lane
QA Contact:	Martin Cermak
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-06-11 10:30 UTC by Tomas Hoger
Modified:	2019-06-11 11:38 UTC (History)
CC List:	3 users (show)
Fixed In Version:	libtiff-3.9.4-1.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-11-10 21:04:37 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Reproducer (3.36 KB, application/x-gzip) 2010-06-11 10:32 UTC, Tomas Hoger	no flags	Details
Upstream patch (1.07 KB, patch) 2010-06-11 10:33 UTC, Tomas Hoger	no flags	Details \| Diff
Extra check for td_stripbytecount (594 bytes, patch) 2010-06-22 13:50 UTC, Tomas Hoger	thoger: review? (tgl)	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Launchpad	589145	0	None	None	None	Never
Launchpad	597246	0	None	None	None	Never

Description Tomas Hoger 2010-06-11 10:30:34 UTC

Description of problem:
Originally reported by Sauli Pahlman in Launchpad:
  https://bugs.launchpad.net/bugs/589145

Attached tif file triggers NULL pointer dereference in OJPEG handling code.

Version-Release number of selected component (if applicable):
libtiff-3.9.2-3.el6.i686

Steps to Reproduce:
tiff2rgba lp589145-sample.tif /dev/null

Additional info:

Program received signal SIGSEGV, Segmentation fault.
0x00962250 in OJPEGReadBufferFill (sp=0x804cbf8) at tif_ojpeg.c:1912
1912						sp->in_buffer_file_pos=sp->tif->tif_dir.td_stripoffset[sp->in_buffer_next_strile];  

(gdb) print sp->tif->tif_dir.td_stripoffset
$1 = (toff_t *) 0x0

(gdb) bt
#0  0x00962250 in OJPEGReadBufferFill (sp=0x804cbf8) at tif_ojpeg.c:1912
#1  0x00963327 in OJPEGReadBytePeek (byte=<value optimized out>, sp=<value optimized out>) at tif_ojpeg.c:1956
#2  OJPEGReadHeaderInfoSec (byte=<value optimized out>, sp=<value optimized out>) at tif_ojpeg.c:1231
#3  0x00964319 in OJPEGSubsamplingCorrect (tif=0x804c548) at tif_ojpeg.c:959
#4  0x00964586 in OJPEGVGetField (tif=<value optimized out>, tag=<value optimized out>, ap=<value optimized out>)
    at tif_ojpeg.c:466
#5  0x00942fbb in TIFFVGetField (tif=<value optimized out>, tag=<value optimized out>, ap=<value optimized out>)
    at tif_dir.c:966
#6  0x00943a1c in TIFFGetField (tif=<value optimized out>, tag=<value optimized out>) at tif_dir.c:950
#7  0x00970204 in TIFFScanlineSize (tif=<value optimized out>) at tif_strip.c:237
#8  0x0094876b in TIFFReadDirectory (tif=<value optimized out>) at tif_dirread.c:713
#9  0x0096670c in TIFFClientOpen (name=<value optimized out>, mode=<value optimized out>, 
    clientdata=<value optimized out>, readproc=<value optimized out>, writeproc=<value optimized out>, 
    seekproc=<value optimized out>, closeproc=<value optimized out>, sizeproc=<value optimized out>, 
    mapproc=<value optimized out>, unmapproc=<value optimized out>) at tif_open.c:436
#10 0x009714c3 in TIFFFdOpen (fd=<value optimized out>, name=<value optimized out>, mode=<value optimized out>)
    at tif_unix.c:139
#11 0x0097154d in TIFFOpen (name=<value optimized out>, mode=<value optimized out>) at tif_unix.c:178
#12 0x08048d24 in main (argc=<value optimized out>, argv=<value optimized out>) at tiff2rgba.c:112

Comment 1 Tomas Hoger 2010-06-11 10:32:45 UTC

Created attachment 423231 [details]
Reproducer

Test file from https://bugs.launchpad.net/bugs/589145

Adding as private for now, while Launchpad bug is private.

Comment 2 Tomas Hoger 2010-06-11 10:33:20 UTC

Created attachment 423232 [details]
Upstream patch

Comment 3 Tomas Hoger 2010-06-11 10:34:55 UTC

With the patch applied, this file still crashes rgb2ycbcr.  Crash seems similar to bug #583081.

Comment 4 RHEL Program Management 2010-06-11 10:43:10 UTC

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 5 Tomas Hoger 2010-06-11 13:28:28 UTC

(In reply to comment #3)
> With the patch applied, this file still crashes rgb2ycbcr.  Crash seems similar
> to bug #583081.    

There's no crash after applying patch from:
  http://bugzilla.maptools.org/show_bug.cgi?id=2207

Comment 6 Tom Lane 2010-06-11 15:51:17 UTC

Proposed patch looks sane to me.

This appears to be just a null-pointer-dereference crash and not exploitable for ACE, but still possibly should be considered a security issue on DoS grounds.

Comment 7 Tomas Hoger 2010-06-14 07:31:45 UTC

(In reply to comment #2)
> Created an attachment (id=423232) [details]
> Upstream patch    

This patch is included in new upstream version 3.9.3:

    * libtiff/tif_ojpeg.c (OJPEGReadBufferFill): Report an error and
    avoid a crash if the input file is so broken that the strip
    offsets are not defined.

Comment 8 Tomas Hoger 2010-06-15 07:11:11 UTC

Opening bug, original launchpad bug is now public, and fix is included in tiff 3.9.3 (see comment #7).

Comment 9 Tomas Hoger 2010-06-22 13:50:54 UTC

Created attachment 425925 [details]
Extra check for td_stripbytecount

There's similar problem with td_stripbytecount that can be NULL few lines below the td_stripoffset check added in upstream patch.  Attached fix extends check to td_stripbytecount and return error in a similar way to upstream patch in comment #2.

Comment 11 Tom Lane 2010-06-23 04:26:47 UTC

Re comment #9: I've included that patch in the Fedora packages just posted.  RHEL-6 build is awaiting ACKs on a couple of other bugs.

Comment 12 Tomas Hoger 2010-06-23 06:54:12 UTC

(In reply to comment #11)
> Re comment #9: I've included that patch in the Fedora packages just posted. 
> RHEL-6 build is awaiting ACKs on a couple of other bugs.    

Can you upstream bug for that issue too?  I don't have an account in their BZ.  TY!

Comment 13 Tomas Hoger 2010-06-23 09:23:50 UTC

Oh, reported in http://bugzilla.maptools.org/show_bug.cgi?id=1996 already.

Comment 17 Martin Cermak 2010-09-08 07:15:28 UTC

=> VERIFIED

Comment 18 releng-rhel@redhat.com 2010-11-10 21:04:37 UTC

Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.