2000.03.15 17:44 "Some CCITT Group 3 TIFFs crash libtiff", by Jason Summers

2000.03.15 18:36 "Re: Some CCITT Group 3 TIFFs crash libtiff", by Helge Blischke

I've encountered several CCITT Group 3-compressed TIFF images that cause programs compiled with libtiff 3.5.4 to crash with an IPF/segmentation fault. The crash occurs both in my Windows program and in utilities like tiffcp on Linux.

The crash occurs in tif_fax3.c, at either line 397:

             *lp++ = 0L;

or line 436:

           *lp++ = -1L;

The crash does not occur when using libtiff 3.4beta37, even though the tif_fax3.c file is effectively identical.

I haven't investigated this too deeply, in the hopes that someone may already know a simple fix. I placed several files that exhibit the problem at: http://home.mieweb.com/jason/testbed/tif/

I don't know (or really care) if those files are perfectly valid TIFFs, I just want to prevent a crash. Any help would be appreciated.

The files are corrupt. Here an error log from tiffcp (from the 3.4beta37 distribution):

Fax3Decode2D: Warning, fax03697.tif: Premature EOL at scanline 289 (x 428).
Fax3Decode2D: Warning, fax03697.tif: Premature EOL at scanline 291 (x 333).
Fax3Decode2D: Warning, fax03697.tif: Premature EOL at scanline 1047 (x 241).
Fax3Decode2D: Warning, fax03697.tif: Premature EOL at scanline 1056 (x 358).
Fax3Decode1D: fax03697.tif: Bad code word at scanline 1059 (x 1054).
Fax3Decode2D: Warning, fax03697.tif: Premature EOL at scanline 1437 (x 265).
Fax3Decode2D: fax03697.tif: Bad 2D code word at scanline 1460.
Fax3Decode1D: Warning, fax03697.tif: Premature EOL at scanline 1483 (x 1716).
Fax3Decode1D: Warning, fax03697.tif: Premature EOL at scanline 1495 (x 1578).
Fax3Decode2D: Warning, fax03697.tif: Premature EOL at scanline 1497 (x 688).
Fax3Decode1D: fax03697.tif: Bad code word at scanline 1924 (x 1626).
Fax3Decode1D: Warning, fax03697.tif: Premature EOL at scanline 2291 (x 0).
Fax3Decode1D: Warning, fax03697.tif: Premature EOL at scanline 2292 (x 0).
Fax3Decode1D: Warning, fax03697.tif: Premature EOL at scanline 2293 (x 0).
Fax3Decode1D: Warning, fax03697.tif: Premature EOL at scanline 2294 (x 0).
Fax3Decode1D: Warning, fax03697.tif: Premature EOL at scanline 2295 (x 0).
Fax3Decode1D: Warning, fax03697.tif: Premature EOF at scanline 2296 (x 0).

but the output of tiffcp seems formally correct.

Another bug is in the TIFF header:

fax03697.tif:
Magic: 0x4949 <little-endian> Version: 0x2a
Directory 0: offset 91672 (0x16618) next 0 (0)
SubFileType (254) LONG (4) 1<2>
ImageWidth (256) SHORT (3) 1<1728>
ImageLength (257) SHORT (3) 1<2300>
BitsPerSample (258) SHORT (3) 1<1>
Compression (259) SHORT (3) 1<3>
Photometric (262) SHORT (3) 1<0>
FillOrder (266) SHORT (3) 1<2>
ImageDescription (270) ASCII (2) 1<\000>
Make (271) ASCII (2) 6<ZYXEL\000>
Model (272) ASCII (2) 7<U1496E\000>
StripOffsets (273) LONG (4) 1<8>
Orientation (274) SHORT (3) 1<1>
SamplesPerPixel (277) SHORT (3) 1<1>
RowsPerStrip (278) LONG (4) 1<4294967295> <--- where does this bogus value come from?
StripByteCounts (279) LONG (4) 1<91664>
XResolution (282) RATIONAL (5) 1<204>
YResolution (283) RATIONAL (5) 1<196>
PlanarConfig (284) SHORT (3) 1<1>
Group3Options (292) LONG (4) 1<1>
ResolutionUnit (296) SHORT (3) 1<2>
Software (305) ASCII (2) 28<HylaFAX (tm) Version 4.0pl2\000>
DateTime (306) ASCII (2) 20<2000:01:06 14:30:15\000>
HostComputer (316) ASCII (2) 9<faxlinux\000>
CleanFaxData (327) SHORT (3) 1<0>
34908 (0x885c) LONG (4) 1<775>
34910 (0x885e) LONG (4) 1<78>

Helge

H.Blischke@srz-berlin.de
H.Blischke@srz-berlin.com
H.Blischke@acm.org