TIFF and LibTiff Mailing List Archive
June 2010

The TIFF Mailing List Homepage
This list is run by Frank Warmerdam
Archive maintained by AWare Systems
Thread

2010.06.23 12:11 "Use of uninitialised value in tiled jpeg tiff", by <jcupitt@gmail.com>
2010.06.25 12:27 "Re: Use of uninitialised value in tiled jpeg tiff", by Andrey Kiselev

2010.06.23 12:11 "Use of uninitialised value in tiled jpeg tiff", by <jcupitt@gmail.com>

Hi all,

I noticed a small problem in libtiff-3.9.2 with tiled jpeg images. If
the image to be written is smaller than a tile, the jpeg compressor
appears to read beyond the end of the available data.

For example:

$ tiffinfo tiny.tif
TIFF Directory at offset 0x9008 (36872)
  Image Width: 128 Image Length: 96
  Resolution: 1.25, 1.25 pixels/cm
  Bits/Sample: 8
  Compression Scheme: None
  Photometric Interpretation: RGB color
  Orientation: row 0 top, col 0 lhs
  Samples/Pixel: 3
  Rows/Strip: 16
  Planar Configuration: single image plane
$ valgrind tiffcp -t -c jpeg tiny.tif test.tif
==2872== Use of uninitialised value of size 8
==2872==    at 0x50987B8: rgb_ycc_convert (jccolor.c:159)
==2872==    by 0x50977B3: pre_process_data (jcprepct.c:145)
==2872==    by 0x509730D: process_data_simple_main (jcmainct.c:122)
==2872==    by 0x5093F1B: jpeg_write_scanlines (jcapistd.c:108)
==2872==    by 0x4E4EE0B: ??? (in /usr/lib/libtiff.so.4.3.2)
==2872==    by 0x4E4EE9B: ??? (in /usr/lib/libtiff.so.4.3.2)
==2872==    by 0x4E66111: TIFFWriteEncodedTile (in /usr/lib/libtiff.so.4.3.2)
==2872==    by 0x40508B: ??? (in /usr/bin/tiffcp)
==2872==    by 0x4041AD: ??? (in /usr/bin/tiffcp)
==2872==    by 0x404420: ??? (in /usr/bin/tiffcp)
==2872==    by 0x40340D: ??? (in /usr/bin/tiffcp)
==2872==    by 0x576CC4C: (below main) (libc-start.c:226)

... and 3 more similar errors ... snip ...

==2872== ERROR SUMMARY: 212992 errors from 4 contexts (suppressed: 4 from 4)

If you calculate 4 * (256 * 256 - 128 * 96) you get 212992, the number
of reported errors, so it looks like it is jpeg-compressing the whole
256 x 256 tile, even though there are only 128 x 96 actual pixels.

Interestingly, it works fine if the source image is larger than a tile
and not a multiple of the tile size. In other words, fractional tiles
at image edges are handled correctly.

I imagine this is not a security problem, though I'm not an expert, to
say the least, but I thought the list might be interested.

John
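The arithmetic in the post (whole 256 x 256 tile encoded, only 128 x 96 real pixels) is the kind of thing a writer of tiled output wants to make impossible by construction: every byte of the tile buffer handed to the encoder should be defined, whether or not the image covers the tile. The following is an added example, not libtiff code and not the poster's: it computes how many tile pixels are padding for a given tile origin, and fills a tile buffer by copying real pixels and replicating the image's edge pixels into the uncovered region, so no uninitialised bytes reach the compressor. The `image8` struct, `fill_tile` and `demo_small_image_tile` are hypothetical names chosen for this example; it assumes 8-bit contiguous (chunky) samples and a non-empty image whose tile origin lies inside the image.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 8-bit, chunky (PlanarConfig=contig) image description. */
typedef struct {
    uint32_t width, height;  /* image size in pixels */
    uint16_t spp;            /* samples per pixel */
    const uint8_t *pixels;   /* width * height * spp bytes, row-major */
} image8;

/* Number of pixel slots in a tw x th tile whose origin is (x0, y0) that the
   w x h image does not cover. For the post's case (128 x 96 image, 256 x 256
   tile at the origin) this is 256*256 - 128*96 = 53248. */
size_t tile_padding_pixels(uint32_t w, uint32_t h, uint32_t x0, uint32_t y0,
                           uint32_t tw, uint32_t th) {
    uint32_t rem_w = x0 < w ? w - x0 : 0;   /* image extent remaining right of x0 */
    uint32_t rem_h = y0 < h ? h - y0 : 0;   /* image extent remaining below y0 */
    uint32_t cw = rem_w < tw ? rem_w : tw;  /* covered columns in this tile */
    uint32_t ch = rem_h < th ? rem_h : th;  /* covered rows in this tile */
    return (size_t)tw * th - (size_t)cw * ch;
}

/* Fill a tw x th tile buffer starting at image position (x0, y0). Every byte of
   `tile` is written: real pixels where the image covers the tile, and replicas of
   the nearest edge pixel elsewhere (replication avoids the ringing a zero fill
   would cause under JPEG). Returns the number of bytes that came from replication.
   Assumes x0 < width and y0 < height. */
size_t fill_tile(const image8 *img, uint32_t x0, uint32_t y0,
                 uint32_t tw, uint32_t th, uint8_t *tile) {
    const size_t bpp = img->spp;
    size_t padded = 0;
    for (uint32_t ty = 0; ty < th; ty++) {
        uint32_t sy = y0 + ty;
        int row_pad = 0;
        if (sy >= img->height) { sy = img->height - 1; row_pad = 1; }
        for (uint32_t tx = 0; tx < tw; tx++) {
            uint32_t sx = x0 + tx;
            int col_pad = 0;
            if (sx >= img->width) { sx = img->width - 1; col_pad = 1; }
            const uint8_t *src = img->pixels + ((size_t)sy * img->width + sx) * bpp;
            uint8_t *dst = tile + ((size_t)ty * tw + tx) * bpp;
            memcpy(dst, src, bpp);
            if (row_pad || col_pad) padded += bpp;
        }
    }
    return padded;
}

/* Constructed 128 x 96 RGB image padded into a single 256 x 256 tile (the post's
   geometry). Returns the number of padding bytes written, or -1 if the tile's
   bottom-right pixel is not a replica of the image's bottom-right pixel. */
long demo_small_image_tile(void) {
    enum { W = 128, H = 96, SPP = 3, TW = 256, TH = 256 };
    static uint8_t pixels[W * H * SPP];
    static uint8_t tile[TW * TH * SPP];
    for (size_t i = 0; i < sizeof pixels; i++)
        pixels[i] = (uint8_t)(i % 251);            /* constructed gradient data */
    image8 img = { W, H, SPP, pixels };
    size_t padded = fill_tile(&img, 0, 0, TW, TH, tile);

    const uint8_t *last_img  = pixels + ((size_t)(H - 1) * W + (W - 1)) * SPP;
    const uint8_t *last_tile = tile + ((size_t)(TH - 1) * TW + (TW - 1)) * SPP;
    if (memcmp(last_img, last_tile, SPP) != 0) return -1;
    return (long)padded;
}

int main(void) {
    printf("padding pixels for 128x96 in a 256x256 tile: %zu\n",
           tile_padding_pixels(128, 96, 0, 0, 256, 256));
    printf("padding bytes written by fill_tile: %ld\n", demo_small_image_tile());
    return 0;
}
```

With the post's figures, `tile_padding_pixels` returns 53248 pixels; at 3 bytes per pixel `fill_tile` writes 159744 padding bytes, and scaling the pixel count by the 4 used in the post's own arithmetic gives its 212992. For an interior tile that the image covers completely the padding count is 0, and for a partial edge tile (for example a 300 x 300 image at tile origin 256,256) only the uncovered remainder is padded, which is the fractional-tile case the post reports as working.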