2013.08.31 11:39 "[Tiff] Slightly corrupted tiff image causes libtiff to crash with double free or corruption", by Konstantin

2013.08.31 11:39 "[Tiff] Slightly corrupted tiff image causes libtiff to crash with double free or corruption", by Konstantin

Hi,

on a tiff image received per fax one of the pages has some strange corruption which causes libtiff (and any program using it) to crash in a strange way. If only the corrupted page is processed or it is processed first, there is no problem. But if more pages are processed and the corrupted one is not the first one, an error like the following appears:

*** glibc detected *** tiffcp: double free or corruption (!prev): 0x095b4eb8 *** ======= Backtrace: ========= /lib/libc.so.6[0x444306e1] /usr/lib/libtiff.so.5(_TIFFfree+0x1a)[0x47cc4d40]

tiffcp[0x804af7a]
tiffcp[0x804a33a]
/lib/libc.so.6(__libc_start_main+0xe6)[0x443da572]
tiffcp[0x804a415]

It seems to me as there is some data structure that is not initialized correctly between the iterations when processing the pages.

If anyone is interested in finding this bug please let me know so I can send you a good and the bad page (24kB each). Otherwise I will discard the bad images in a while. Here the tiffinfo output:

TIFF Directory at offset 0x5a08 (23048)
    Subfile Type: multi-page document (2 = 0x2)
    Image Width: 1728 Image Length: 1152
    Resolution: 200, 100 pixels/inch
    Bits/Sample: 1
    Compression Scheme: ISO JBIG
    Photometric Interpretation: min-is-white
    FillOrder: lsb-to-msb
    Orientation: row 0 top, col 0 lhs
    Samples/Pixel: 1
    Rows/Strip: (infinite)
    Planar Configuration: single image plane

  ImageDescription: +49 7625 13237162
  Make: VER. 1.26 VOM 18.07.97
  Model: 282
  Software: HylaFAX (tm) Version 6.0.3
  DateTime: 2013:08:27 13:21:55
  HostComputer: router
  FaxRecvParams: 2170920
  FaxRecvTime: 18
  FaxDcs: 00 44 1F 21 01 11 01 01 01 02