Description of problem:
Originally reported by Sauli Pahlman in Launchpad: https://bugs.launchpad.net/bugs/591605

Attached tif file triggers out-of-bounds read in putcontig8bitYCbCr11tile. pp points to buffer allocated in gtTileContig with the size of TIFFTileSize(tif). For this file, it's 80640. putcontig8bitYCbCr11tile tries to read w*h*3 bytes out of it (234*213*3 == 149526).

Version-Release number of selected component (if applicable):
libtiff-3.9.2-3.el6.i686

Additional info:
Program received signal SIGSEGV, Segmentation fault.
0x008a7e15 in putcontig8bitYCbCr11tile (img=<value optimized out>, cp=0xb7fed420, x=<value optimized out>, y=<value optimized out>, w=<value optimized out>, h=<value optimized out>, fromskew=<value optimized out>, toskew=<value optimized out>, pp=0x806d000 <Address 0x806d000 out of bounds>) at tif_getimage.c:1986
1986        YCbCrtoRGB(*cp++, pp[0]);
(gdb) bt
#0  0x008a7e15 in putcontig8bitYCbCr11tile (img=<value optimized out>, cp=0xb7fed420, x=<value optimized out>, y=<value optimized out>, w=<value optimized out>, h=<value optimized out>, fromskew=<value optimized out>, toskew=<value optimized out>, pp=0x806d000 <Address 0x806d000 out of bounds>) at tif_getimage.c:1986
#1  0x008aa52e in gtTileContig (img=<value optimized out>, raster=<value optimized out>, w=<value optimized out>, h=<value optimized out>) at tif_getimage.c:629
#2  0x008a7103 in TIFFRGBAImageGet (img=<value optimized out>, raster=<value optimized out>, w=<value optimized out>, h=<value optimized out>) at tif_getimage.c:461
#3  0x008ac750 in TIFFReadRGBAImageOriented (tif=<value optimized out>, rwidth=<value optimized out>, rheight=<value optimized out>, raster=<value optimized out>, orientation=<value optimized out>, stop=<value optimized out>) at tif_getimage.c:480
#4  0x080495c8 in cvt_whole_image (out=<value optimized out>, in=<value optimized out>) at tiff2rgba.c:401
#5  tiffcvt (out=<value optimized out>, in=<value optimized out>) at tiff2rgba.c:519
#6  main (out=<value optimized out>, in=<value optimized out>) at tiff2rgba.c:115

This may be related to bug #583081, however patches linked there do not address this problem.
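The mismatch described above (a put routine whose read footprint is w*h*3 bytes against a buffer of only TIFFTileSize() bytes) is the kind of thing a caller can check before handing the tile to the decoder. The following is an added illustration, not libtiff code; the footprint model (3 bytes per pixel per row, plus an assumed fromskew_bytes gap between rows) and the function names are assumptions made here to show the check with the report's own numbers.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Illustrative only (not libtiff code): model the bytes a contiguous 8-bit
 * YCbCr 1x1 "put" routine would read from a tile buffer, and refuse tiles
 * whose footprint exceeds the buffer actually allocated for them.
 *
 * Assumed model: each of the h rows reads w pixels * 3 bytes, then skips
 * fromskew_bytes before the next row (no skip after the last row).
 * All arithmetic is 64-bit with an explicit overflow check, so a hostile
 * width/height cannot wrap the footprint down to a small value.
 */
#define TILE_OVERFLOW UINT64_MAX

/* Bytes the put routine would read, or TILE_OVERFLOW if it does not fit
 * in 64 bits. */
uint64_t ycbcr11_read_footprint(uint32_t w, uint32_t h, uint32_t fromskew_bytes)
{
    if (w == 0 || h == 0)
        return 0;
    uint64_t row = (uint64_t)w * 3u;        /* < 2^34, cannot overflow */
    uint64_t stride = row + fromskew_bytes; /* < 2^35, cannot overflow */
    /* total = (h - 1) * stride + row; guard the multiply first */
    if ((uint64_t)(h - 1) > (UINT64_MAX - row) / stride)
        return TILE_OVERFLOW;
    return (uint64_t)(h - 1) * stride + row;
}

/* True iff the tile can be decoded from a buffer of tile_size bytes
 * (tile_size being what TIFFTileSize() reported for the file). */
bool ycbcr11_tile_fits(uint32_t w, uint32_t h, uint32_t fromskew_bytes,
                       uint64_t tile_size)
{
    uint64_t need = ycbcr11_read_footprint(w, h, fromskew_bytes);
    return need != TILE_OVERFLOW && need <= tile_size;
}

int main(void)
{
    /* Figures from the report: TIFFTileSize() == 80640, w*h == 234*213. */
    uint64_t need = ycbcr11_read_footprint(234, 213, 0);
    printf("need %llu bytes, have 80640: %s\n", (unsigned long long)need,
           ycbcr11_tile_fits(234, 213, 0, 80640) ? "ok" : "REJECT");
    return 0;
}
```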
Created attachment 423278: Reproducer

Test file from: https://bugs.launchpad.net/bugs/591605

Adding as private for now, while Launchpad bug is private.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.
Created attachment 423329: patch

Specifically, what we need is this patch, which duplicates into PickContigCase() a safety check that already existed in PickSeparateCase().
Comment #0 fails to spell out a test case ... try this:

    tiff2rgba lp591605-sample.tif /dev/null
Opening bug, original launchpad report is public now.
Filed upstream at http://bugzilla.maptools.org/show_bug.cgi?id=2216
This issue was assigned CVE-2010-2483
=> VERIFIED
Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.