2010.06.23 12:11 "[Tiff] Use of uninitialised value in tiled jpeg tiff", by John

2010.06.23 12:11 "[Tiff] Use of uninitialised value in tiled jpeg tiff", by John

Hi all,

I noticed a small problem in libtiff-3.9.2 with tiled jpeg images. If the image to be written is smaller than a tile, the jpeg compressor appears to read beyond the end of the available data.

For example:

$ tiffinfo tiny.tif

TIFF Directory at offset 0x9008 (36872)
    Image Width: 128 Image Length: 96
    Resolution: 1.25, 1.25 pixels/cm
    Bits/Sample: 8
    Compression Scheme: None
    Photometric Interpretation: RGB color
    Orientation: row 0 top, col 0 lhs
    Samples/Pixel: 3
    Rows/Strip: 16
    Planar Configuration: single image plane

$ valgrind tiffcp -t -c jpeg tiny.tif test.tif
==2872== Use of uninitialised value of size 8

==2872==    at 0x50987B8: rgb_ycc_convert (jccolor.c:159)
==2872==    by 0x50977B3: pre_process_data (jcprepct.c:145)
==2872==    by 0x509730D: process_data_simple_main (jcmainct.c:122)
==2872==    by 0x5093F1B: jpeg_write_scanlines (jcapistd.c:108)
==2872==    by 0x4E4EE0B: ??? (in /usr/lib/libtiff.so.4.3.2)
==2872==    by 0x4E4EE9B: ??? (in /usr/lib/libtiff.so.4.3.2)
==2872==    by 0x4E66111: TIFFWriteEncodedTile (in /usr/lib/libtiff.so.4.3.2)
==2872==    by 0x40508B: ??? (in /usr/bin/tiffcp)
==2872==    by 0x4041AD: ??? (in /usr/bin/tiffcp)
==2872==    by 0x404420: ??? (in /usr/bin/tiffcp)
==2872==    by 0x40340D: ??? (in /usr/bin/tiffcp)
==2872==    by 0x576CC4C: (below main) (libc-start.c:226)

... and 3 more similar errors... snip...

==2872== ERROR SUMMARY: 212992 errors from 4 contexts (suppressed: 4 from 4)

If you calculate 4 * (256 * 256 - 128 * 96) you get 212992, the number of reported errors, so it looks like it is jpeg-compressing the whole 256 x 256 tile, even though there are only 128 x 96 actual pixels.

Interestingly, it works fine if the source image ls larger than a tile and not a multiple of the tile size. In other words, fractional tiles at image edges are handled correctly.

I imagine this is not a security problem, though I'm not an expert, to say the least, but I thought the list might be interested.

John