TIFF and LibTiff Mailing List Archive
September 2000
The TIFF Mailing List Homepage
This list is run by Frank Warmerdam
Archive maintained by AWare Systems
2000.09.25 15:02 "TIFFReadRGBAImage() bug in YCbCr handling", by Frank Warmerdam

Folks, 

I am forwarding this bug report in case anyone else wants to apply Nick's
patch to their local libtiff versions.  I have verified the bug and Nick's
patch and applied it to CVS.  A sample file demonstrating the problem can be
found in the bug system at:

  http://bugzilla.remotesensing.org/show_bug.cgi?id=10

Best regards,

---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerda@home.com
light and sound - activate the windows | http://members.home.com/warmerda
and watch the world go round - Rush    | Geospatial Programmer for Rent


----- Forwarded message from Nick Lamb <njl98r@ecs.soton.ac.uk> -----

Date: Sun, 6 Aug 2000 11:12:23 +0100
From: Nick Lamb <njl98r@ecs.soton.ac.uk>
To: tiff@olympiakos.com
Subject: libTIFF bug in YCbCr handling

In the course of trying to fix a user-reported bug in Gimp, I have
found what I _think_ is a libtiff bug. The last version of the
library in which I've _personally_ confirmed the bug is 3.5.4, but
I don't see a fix for this bug mentioned in the 3.5.5 relnotes.

I do not have time to join more mailing lists (already PNG, Gimp
and many others) but would appreciate confirmation if this is
a genuine libtiff bug, and notification when a fixed libtiff is
in public circulation (that will then become the resolution for
this Gimp bug and I can get some sleep).

Here's the bug. I try to load a TIFF so:

  Photometric Interpretation: YCbCr
  YCbCr Subsampling: 1, 1
  YCbCr Positioning: centered
  YCbCr Coefficients: 0.299, 0.587, 0.114

Gimp calls TIFFReadRGBAImage() and that eventually calls a function

putcontig8bitYCbCr11tile in tif_getimage.c

This function seems to have been pasted from the 2,1 sub-sampling
function and then altered. Unfortunately this has left the line:

x = w>>1;

What's this doing? There's no subsampling in the image, so it
wrongly calculates width! Soon after this a buffer over-run occurs
and we have a security vulnerability in any software which tries
to examine such a TIFF.

Unless I'm too stupid to understand your code, I think this should
be changed to x = w; and then everything will work.

Looking forward to hearing from you ASAP

PS I can provide such a TIFF, tell me if you want it, but the bug
is self-explanatory anyway, IMHO.

Nick. Gimp TIFF loader maintenance <sigh>

----- End forwarded message -----
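An added C model of the loop Nick describes (constructed for this archive page; it is neither libtiff's code nor Nick's patch): the same do/while row loop with the per-row width passed in as a parameter and every pointer step bounds-checked, so both failure modes of `x = w>>1` under 1,1 subsampling are visible. It assumes a tightly packed raster (toskew and fromskew both 0) and a packed ABGR output word; the conversion constants are derived from the 0.299/0.587/0.114 coefficients in the report.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model (not libtiff's code) of the per-row loop in
 * putcontig8bitYCbCr11tile (tif_getimage.c): each source pixel is Y,Cb,Cr
 * bytes, each output pixel a packed 32-bit ABGR word; toskew/fromskew are 0. */
#define CLAMP8(v) ((v) < 0 ? 0 : (v) > 255 ? 255 : (v))

/* YCbCr -> RGB with the report's coefficients 0.299/0.587/0.114, which give
 * R = Y + 1.402 Cr, G = Y - 0.344136 Cb - 0.714136 Cr, B = Y + 1.772 Cb. */
uint32_t ycbcr_to_abgr(uint8_t Y, uint8_t Cb, uint8_t Cr) {
    int cb = (int)Cb - 128, cr = (int)Cr - 128;
    int r = Y + (int)(1.402 * cr), b = Y + (int)(1.772 * cb);
    int g = Y - (int)(0.344136 * cb + 0.714136 * cr);
    return 0xff000000u | (uint32_t)CLAMP8(b) << 16 | (uint32_t)CLAMP8(g) << 8 | (uint32_t)CLAMP8(r);
}

/* Convert h rows of row_width pixels (w is correct; w>>1 is the reported line).
 * Every step is bounds-checked: returns pixels written, or -1 at the point
 * where the unchecked libtiff loop would step outside a buffer. */
long convert_tile(const uint8_t *pp, size_t pp_len, uint32_t *cp, size_t cp_len,
                  uint32_t h, uint32_t row_width) {
    size_t src = 0, dst = 0; long written = 0;
    do {
        uint32_t x = row_width;      /* w>>1 is 0 for a 1-pixel-wide tile ... */
        do {
            if (src + 3 > pp_len || dst >= cp_len)
                return -1;           /* the real loop would read/write past the end */
            cp[dst++] = ycbcr_to_abgr(pp[src], pp[src + 1], pp[src + 2]);
            src += 3; written++;
        } while (--x);               /* ... and --x wraps 0 to UINT32_MAX */
    } while (--h);
    return written;
}

/* Build a w x h tile of constructed pixels (Y ramp, neutral chroma), size both
 * buffers exactly, and run the loop with the correct or the buggy width. */
long run_case(uint32_t w, uint32_t h, int use_buggy_width) {
    size_t n = (size_t)w * h;
    uint8_t *pp = malloc(n * 3);
    uint32_t *cp = malloc(n * sizeof *cp);
    long result = -2;                /* -2: nothing run (zero size or no memory) */
    if (w && h && pp && cp) {
        for (size_t i = 0; i < n; i++) { pp[3 * i] = (uint8_t)(i * 16); pp[3 * i + 1] = pp[3 * i + 2] = 128; }
        result = convert_tile(pp, n * 3, cp, n, h, use_buggy_width ? w >> 1 : w);
    }
    free(pp); free(cp);
    return result;
}
```

With w = 4 the buggy width quietly converts only half of each row; with w = 1 it computes 0, `--x` wraps, and the loop keeps going until the bounds check fires where libtiff would overrun.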