2010.06.25 12:27 "Re: [Tiff] Use of uninitialised value in tiled jpeg tiff", by Andrey Kiselev
On Wed, Jun 23, 2010 at 01:11:39PM +0100, jcupitt@gmail.com wrote:
I noticed a small problem in libtiff-3.9.2 with tiled jpeg images. If the image to be written is smaller than a tile, the jpeg compressor appears to read beyond the end of the available data.
For example:
$ tiffinfo tiny.tif
TIFF Directory at offset 0x9008 (36872)
Image Width: 128 Image Length: 96
Resolution: 1.25, 1.25 pixels/cm
Bits/Sample: 8
Compression Scheme: None
Photometric Interpretation: RGB color
Orientation: row 0 top, col 0 lhs
Samples/Pixel: 3
Rows/Strip: 16
Planar Configuration: single image plane
$ valgrind tiffcp -t -c jpeg tiny.tif test.tif
==2872== Use of uninitialised value of size 8
==2872== at 0x50987B8: rgb_ycc_convert (jccolor.c:159)
==2872== by 0x50977B3: pre_process_data (jcprepct.c:145)
==2872== by 0x509730D: process_data_simple_main (jcmainct.c:122)
==2872== by 0x5093F1B: jpeg_write_scanlines (jcapistd.c:108)
==2872== by 0x4E4EE0B: ??? (in /usr/lib/libtiff.so.4.3.2)
==2872== by 0x4E4EE9B: ??? (in /usr/lib/libtiff.so.4.3.2)
==2872== by 0x4E66111: TIFFWriteEncodedTile (in /usr/lib/libtiff.so.4.3.2)
==2872== by 0x40508B: ??? (in /usr/bin/tiffcp)
==2872== by 0x4041AD: ??? (in /usr/bin/tiffcp)
==2872== by 0x404420: ??? (in /usr/bin/tiffcp)
==2872== by 0x40340D: ??? (in /usr/bin/tiffcp)
==2872== by 0x576CC4C: (below main) (libc-start.c:226)
This happens not only in the JPEG case, but in any conversion where the output tile is larger than the image size. I have checked in the code to initialize the allocated buffers (memset to 0) in tiffcp; that should fix the issue.
--
Andrey V. Kiselev
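To make the failure mode concrete, here is an added C model of the tile buffer (example code, not libtiff's or tiffcp's own): it computes how many bytes of an output tile the image never writes, fills the tile the way the fix describes (memset to 0 before copying the image rows), and checks that the padding is defined. The 128x96 8-bit RGB geometry comes from the tiffinfo output above; the 256x256 tile size is an assumption.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Geometry of the report: an 8-bit RGB image smaller than one output tile
 * (the tile size itself is a constructed assumption). */
typedef struct {
    uint32_t image_width, image_length, tile_width, tile_length;
    uint16_t spp;                  /* samples per pixel, one byte each */
} geom_t;

static uint32_t min_u32(uint32_t a, uint32_t b) { return a < b ? a : b; }

/* Bytes of the tile buffer the image never writes (right-hand columns of the
 * image rows plus every row below the image): exactly what the JPEG colour
 * converter read uninitialised in the valgrind trace above. */
static size_t padding_bytes(const geom_t *g) {
    size_t total = (size_t)g->tile_width * g->tile_length * g->spp;
    return total - (size_t)min_u32(g->image_width, g->tile_width)
                 * min_u32(g->image_length, g->tile_length) * g->spp;
}

/* Build the first tile the way the tiffcp fix does: allocate, memset to 0, then
 * copy the image rows that the tile covers.  Caller frees the result. */
static unsigned char *fill_tile(const geom_t *g, const unsigned char *image) {
    size_t row_bytes = (size_t)g->tile_width * g->spp, n = row_bytes * g->tile_length;
    size_t cols = (size_t)min_u32(g->image_width, g->tile_width) * g->spp;
    uint32_t rows = min_u32(g->image_length, g->tile_length);
    unsigned char *buf = malloc(n);
    if (!buf) return NULL;
    memset(buf, 0, n);                       /* the fix: padding is now defined */
    for (uint32_t y = 0; y < rows; y++)
        memcpy(buf + y * row_bytes, image + (size_t)y * g->image_width * g->spp, cols);
    return buf;
}

/* Check: count padding bytes that are not zero.  0 means the tile is clean;
 * a malloc()-only buffer gives an indeterminate count, which is the bug. */
static size_t dirty_padding(const geom_t *g, const unsigned char *buf) {
    size_t row_bytes = (size_t)g->tile_width * g->spp, dirty = 0;
    size_t cols = (size_t)min_u32(g->image_width, g->tile_width) * g->spp;
    uint32_t rows = min_u32(g->image_length, g->tile_length);
    for (uint32_t y = 0; y < g->tile_length; y++)
        for (size_t i = (y < rows) ? cols : 0; i < row_bytes; i++)
            dirty += buf[y * row_bytes + i] != 0;
    return dirty;
}
```

For the reported geometry the padding is 159744 of the tile's 196608 bytes, i.e. most of what the compressor consumes, which is why valgrind flags the colour converter rather than the copy loop.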