2000.09.25 15:02 "TIFFReadRGBAImage() bug in YCbCr handling", by Frank Warmerdam

Folks,

I am forwarding this bug report in case anyone else wants to apply Nick's patch to their local libtiff versions. I have verified the bug, and Nick's patch and applied it to CVS. A sample file demonstrating the problem can be found in the bug system at:

http://bugzilla.remotesensing.org/show_bug.cgi?id=10

Best regards,

---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerda@home.com
light and sound - activate the windows | http://members.home.com/warmerda
and watch the world go round - Rush    | Geospatial Programmer for Rent

----- Forwarded message from Nick Lamb <njl98r@ecs.soton.ac.uk> -----

Date: Sun, 6 Aug 2000 11:12:23 +0100
From: Nick Lamb <njl98r@ecs.soton.ac.uk>
To: tiff@olympiakos.com
Subject: libTIFF bug in YCbCr handling

In the course of trying to fix a user-reported bug in Gimp, I have found what I _think_ is a libtiff bug. The last version of the library in which I've _personally_ confirmed the bug is 3.5.4, but I don't see a fix for this bug mentioned in the 3.5.5 relnotes.

I do not have time to join more mailing lists (already PNG, Gimp and many others) but would appreciate confirmation if this is a genuine libtiff bug, and notification when a fixed libtiff is in public circulation (that will then become the resolution for this Gimp bug and I can get some sleep).

Here's the bug.. I try to load a TIFF so:

Photometric Interpretation: YCbCr
YCbCr Subsampling: 1, 1
YCbCr Positioning: centered
YCbCr Coefficients: 0.299, 0.587, 0.114

Gimp calls TIFFReadRGBAImage() and that eventually calls a function putcontig8bitYCbCr11tile in tif_getimage.c

This function seems have been pasted from the 2,1 sub-sampling function and then altered. Unfortunately this has left the line:

x = w>>1;

What's this doing? There's no subsampling in the image, so it wrongly calculates width! Soon after this a buffer over-run occurs and we have a security vulnerability in any software which tries to examine such a TIFF.

Unless I'm too stupid to understand your code, I think this should be changed to x = w; and then everything will work.

Looking forward to hearing from you ASAP

PS I can provide such a TIFF, tell me if you want it, but the bug is self-explanatory anyway, IMHO.

Nick. Gimp TIFF loader maintenance <sigh>

----- End forwarded message -----