Ubuntu
tiff package

eog crashed with SIGSEGV in TIFFVGetField()

Bug #597246 reported by smpahlman on 2010-06-22

264

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tiff (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

eog crashes when opening the attached file. This looks a bit like a duplicate of: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589145 but even the fixed version has this crash. The valgrind output is below.

==21981== Thread 2:
==21981== Invalid read of size 4
==21981== at 0x7CB2346: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB32FE: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB42E8: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB4555: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7C92E79: TIFFVGetField (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7C9391A: TIFFGetField (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CC014B: TIFFScanlineSize (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7C9879F: TIFFReadDirectory (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB665B: TIFFClientOpen (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x647F205: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:485)
==21981== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==21981== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==21981== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==21981==
==21981==
==21981== Process terminating with default action of signal 11 (SIGSEGV)
==21981== Access not within mapped region at address 0x0
==21981== at 0x7CB2346: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB32FE: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB42E8: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB4555: ??? (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7C92E79: TIFFVGetField (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7C9391A: TIFFGetField (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CC014B: TIFFScanlineSize (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7C9879F: TIFFReadDirectory (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x7CB665B: TIFFClientOpen (in /usr/lib/libtiff.so.4.3.2)
==21981== by 0x647F205: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:485)
==21981== by 0x477E7A0: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:719)
==21981== by 0x807C6F1: eog_image_load (eog-image.c:1056)
==21981== If you believe this happened as a result of a stack
==21981== overflow in your program's main thread (unlikely but
==21981== possible), you can try to increase the size of the
==21981== main thread stack using the --main-stacksize= flag.
==21981== The main thread stack size used in this run was 8388608.
==21981==
==21981== HEAP SUMMARY:
==21981== in use at exit: 15,078,006 bytes in 202,407 blocks
==21981== total heap usage: 1,140,583 allocs, 938,176 frees, 45,737,907 bytes allocated
==21981==
==21981== LEAK SUMMARY:
==21981== definitely lost: 191 bytes in 3 blocks
==21981== indirectly lost: 120 bytes in 10 blocks
==21981== possibly lost: 14,259,592 bytes in 196,900 blocks
==21981== still reachable: 818,103 bytes in 5,494 blocks
==21981== suppressed: 0 bytes in 0 blocks
==21981== Rerun with --leak-check=full to see details of leaked memory
==21981==
==21981== For counts of detected and suppressed errors, rerun with: -v
==21981== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 200 from 13)
Killed

ProblemType: Crash
DistroRelease: Ubuntu 10.04
Package: eog 2.30.0-0ubuntu1
ProcVersionSignature: Ubuntu 2.6.32-22.36-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Tue Jun 22 15:36:59 2010
EcryptfsInUse: Yes
ExecutablePath: /usr/bin/eog
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Alpha i386 (20100113)
ProcCmdline: eog /home/username/radamsa/tiffdst/fubwt-11649.tif
ProcEnviron:
SHELL=/bin/bash
LANG=en_US.utf8
SegvAnalysis:
Segfault happened at: 0x727d346: mov (%edx,%eax,4),%edx
PC (0x0727d346) ok
source "(%edx,%eax,4)" (0x00000000) not located in a known VMA region (needed readable region)!
destination "%edx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: eog
StacktraceTop:
?? () from /usr/lib/libtiff.so.4
?? () from /usr/lib/libtiff.so.4
?? () from /usr/lib/libtiff.so.4
?? () from /usr/lib/libtiff.so.4
TIFFVGetField () from /usr/lib/libtiff.so.4
Title: eog crashed with SIGSEGV in TIFFVGetField()
UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XsessionErrors:
(polkit-gnome-authentication-agent-1:1377): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
(gnome-terminal:1540): Gtk-CRITICAL **: gtk_accel_map_unlock_path: assertion `entry != NULL && entry->lock_count > 0' failed

Tags:

Related branches

lp://staging/ubuntu/natty/tiff

lp://staging/ubuntu/lucid-security/tiff

lp://staging/ubuntu/maverick-security/tiff

CVE References

Revision history for this message

smpahlman (sauli-pahlman) wrote on 2010-06-22:

Reproducer Edit (4.0 KiB, image/tiff)
CoreDump.gz Edit (3.1 MiB, application/x-gzip)
Dependencies.txt Edit (4.6 KiB, text/plain; charset="utf-8")
Disassembly.txt Edit (539 bytes, text/plain; charset="utf-8")
ProcMaps.txt Edit (25.8 KiB, text/plain; charset="utf-8")
ProcStatus.txt Edit (776 bytes, text/plain; charset="utf-8")
Registers.txt Edit (469 bytes, text/plain; charset="utf-8")
Stacktrace.txt Edit (3.3 KiB, text/plain; charset="utf-8")
ThreadStacktrace.txt Edit (5.5 KiB, text/plain; charset="utf-8")

Revision history for this message

Apport retracing service (apport) wrote on 2010-06-22:

StacktraceTop:
?? () from /usr/lib/libtiff.so.4
?? () from /usr/lib/libtiff.so.4
?? () from /usr/lib/libtiff.so.4
?? () from /usr/lib/libtiff.so.4
TIFFVGetField () from /usr/lib/libtiff.so.4

Revision history for this message

Apport retracing service (apport) wrote on 2010-06-22: Stacktrace.txt

Stacktrace.txt Edit (1.8 KiB, text/plain)

Revision history for this message

Apport retracing service (apport) wrote on 2010-06-22: ThreadStacktrace.txt

ThreadStacktrace.txt Edit (3.2 KiB, text/plain)

tags:	added: apport-failed-retrace
tags:	removed: need-i386-retrace

Revision history for this message

Tomas Hoger (thoger) wrote on 2010-06-22:

Yeah, similar to bug #589145, now with NULL td_stripbytecount instead of td_stripoffset.

Changed in tiff (Ubuntu):
status:	New → Confirmed

smpahlman (sauli-pahlman) on 2010-08-15

visibility:

private → public

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-03-04:

This bug was fixed in the package tiff - 3.9.4-5ubuntu2

---------------
tiff (3.9.4-5ubuntu2) natty; urgency=low

  * SECURITY UPDATE: denial of service via invalid td_stripbytecount field
    (LP: #597246)
    - debian/patches/CVE-2010-2482.patch: look for missing strip byte
      counts in libtiff/tif_ojpeg.c, tools/tiffsplit.c.
    - CVE-2010-2482
  * SECURITY UPDATE: denial of service via invalid ReferenceBlackWhite
    values
    - debian/patches/CVE-2010-2595.patch: validate values in
      libtiff/tif_color.c.
    - CVE-2010-2595
  * SECURITY UPDATE: denial of service via devide-by-zero (LP: #593067)
    - debian/patches/CVE-2010-2597.patch: properly initialize fields in
      libtiff/tif_strip.c.
    - CVE-2010-2597
    - CVE-2010-2598
  * SECURITY UPDATE: denial of service via out-of-order tags
    - debian/patches/CVE-2010-2630.patch: correctly handle order in
      libtiff/tif_dirread.c.
    - CVE-2010-2630
  * SECURITY UPDATE: denial of service and possible code execution via
    buffer overflow in Fax4Decode
    - debian/patches/CVE-2011-0192.patch: check length in
      libtiff/tif_fax3.h.
    - CVE-2011-0192
-- Marc Deslauriers <email address hidden> Thu, 03 Mar 2011 10:52:21 -0500

Changed in tiff (Ubuntu):
status:	Confirmed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntutiff package

eog crashed with SIGSEGV in TIFFVGetField()

Bug Description

Related branches

CVE References

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
tiff package