Mailinglist Archive: opensuse-bugs (4227 mails)

< Previous Next >
[Bug 1017688] New: VUL-0: libtiff: NULL pointer dereference in TIFFReadRawData (tiffinfo.c)
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Sun, 01 Jan 2017 17:50:44 +0000
  • Message-id: <>

Bug ID: 1017688
Summary: VUL-0: libtiff: NULL pointer dereference in
TIFFReadRawData (tiffinfo.c)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: mikhail.kasimov@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

Libtiff is a software that provides support for the Tag Image File Format
(TIFF), a widely used format for storing image data.

A crafted tiff file revealed a NULL pointer access.

The complete ASan output:

# tiffinfo -Dijr $FILE

TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 384 (0x180) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1093 (0x445) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null
byte in value; value incorrectly truncated during reading due to
implementation limitations.
TIFFFetchNormalTag: Warning, Incorrect count for "JpegProc"; tag ignored.
TIFFReadDirectory: Warning, Photometric tag value assumed incorrect, assuming
data is YCbCr instead of RGB.
TIFFReadDirectory: Warning, SamplesPerPixel tag is missing, applying correct
SamplesPerPixel value of 3.
_TIFFVSetField: Warning, SamplesPerPixel tag value is changing, but
SMinSampleValue tag was read with a different value. Cancelling it.
==15897==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x00000050d8ad bp 0x7ffc4a3eaf90 sp 0x7ffc4a3eaec0 T0)
==15897==The signal is caused by a READ memory access.
==15897==Hint: address points to the zero page.
#0 0x50d8ac in TIFFReadRawData /tmp/portage/media-
#1 0x50b2de in tiffinfo /tmp/portage/media-
#2 0x50a999 in main /tmp/portage/media-
#3 0x7f6258f0961f in __libc_start_main /var/tmp/portage/sys-
#4 0x419f38 in _init (/usr/bin/tiffinfo+0x419f38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffinfo.c:421:29 in TIFFReadRawData
TIFF Directory at offset 0xc (12)
Image Width: 128 Image Length: 1
Bits/Sample: 32189
Compression Scheme: Old-style JPEG
Photometric Interpretation: YCbCr
YCbCr Subsampling: 2, 2
Samples/Pixel: 3
Rows/Strip: 2048
Planar Configuration: single image plane
Tag 384: 16779264

Affected version:

Fixed version:

Commit fix:

This bug was discovered by Agostino Sarubbo of Gentoo.



2016-11-22: bug discovered and reported to upstream
2016-12-03: upstream released a patch
2017-01-01: blog post about the issue

This bug was found with American Fuzzy Lop.


Agostino Sarubbo
Gentoo Linux Developer

TW: 4.0.7
42.2: 4.0.6
42.1: 4.0.6
13.2: 4.0.7

You are receiving this mail because:
You are on the CC list for the bug.
< Previous Next >
This Thread
  • No further messages