Bug 2531 - two memory error in the libtiff tiffsplit tool
Status: RESOLVED LATER (migrated_to_gitlab)
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P2 enhancement
Reported: 2015-12-29 02:50
Modified: 2019-10-01 14:20 (History)


Attachments
bug1 (448 bytes, application/octet-stream)
2015-12-29 02:55, chenqin@topsec.com.cn
Details
bug2 (409 bytes, application/octet-stream)
2015-12-29 02:55, chenqin@topsec.com.cn
Details
bug2 (796 bytes, application/octet-stream)
2017-11-08 07:22, jungun.baek
Details




Description From 2015-12-29 02:50:24
case1:
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
TIFFReadRawStrip1 (module=0x81c5d33 <module.4041> "TIFFReadRawStrip", size=0x1,
buf=0xb6c95008, strip=0x0, tif=0x81f8008) at tif_read.c:402
402                     ma=(tmsize_t)td->td_stripoffset[strip];
gdb-peda$ bt
#0  TIFFReadRawStrip1 (module=0x81c5d33 <module.4041> "TIFFReadRawStrip",
size=0x1, buf=0xb6c95008, strip=0x0, tif=0x81f8008) at tif_read.c:402
#1  TIFFReadRawStrip (tif=tif@entry=0x81f8008, strip=strip@entry=0x0,
buf=buf@entry=0xb6c95008, size=0x1) at tif_read.c:482
#2  0x0804be14 in cpStrips (out=0x81f8ab8, in=0x81f8008) at tiffsplit.c:252
#3  tiffcp (out=0x81f8ab8, in=0x81f8008) at tiffsplit.c:227
#4  main (argc=0x2, argv=0xbfffeec4) at tiffsplit.c:89
#5  0xb7db072e in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#6  0x0804e1d2 in _start ()
gdb-peda$

case2:
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x08051c62 in _TIFFVGetField (tif=0x81f8008, tag=0x146, ap=0xbfffeda0
"\030\211\037\b\300\355\377\277\360\206\004\bx3\037\b\031") at tif_dir.c:1056
1056                    *va_arg(ap, void **) = tv->value;
gdb-peda$ bt
#0  0x08051c62 in _TIFFVGetField (tif=0x81f8008, tag=0x146, ap=0xbfffeda0
"\030\211\037\b\300\355\377\277\360\206\004\bx3\037\b\031") at tif_dir.c:1056
#1  0x0805bad1 in TIFFVGetField (ap=0xbfffed98 "\354\355\377\277\001",
tag=0x146, tif=0x81f8008) at tif_dir.c:1174
#2  TIFFGetField (tif=tif@entry=0x81f8008, tag=tag@entry=0x146) at
tif_dir.c:1158
#3  0x0804b864 in tiffcp (out=0x81f8940, in=0x81f8008) at tiffsplit.c:217
#4  main (argc=0x2, argv=0xbfffeeb4) at tiffsplit.c:89
#5  0xb7db072e in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#6  0x0804e1d2 in _start ()
------- Comment #1 From 2015-12-29 02:55:04 -------
Created an attachment (id=640) [details]
bug1
------- Comment #2 From 2015-12-29 02:55:26 -------
Created an attachment (id=641) [details]
bug2
------- Comment #3 From 2015-12-29 02:58:10 -------
also: ASAN message

ASAN:SIGSEGV
=================================================================
==20690== ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc
0x080a9aba sp 0xbfba20b0 bp 0x00000000 T0)
AddressSanitizer can not provide additional info.
    #0 0x80a9ab9 (/usr/local/bin/tiffsplit+0x80a9ab9)
    #1 0x804be13 (/usr/local/bin/tiffsplit+0x804be13)
    #2 0xb5f0a72d (/lib/i386-linux-gnu/libc-2.21.so+0x1872d)
    #3 0x804e1d1 (/usr/local/bin/tiffsplit+0x804e1d1)
==20690== ABORTING

ASAN:SIGSEGV
=================================================================
==375== ERROR: AddressSanitizer: SEGV on unknown address 0x00000001 (pc
0x08051c62 sp 0xbfd1e990 bp 0xb5a00790 T0)
AddressSanitizer can not provide additional info.
    #0 0x8051c61 (/usr/local/bin/tiffsplit+0x8051c61)
    #1 0x805bad0 (/usr/local/bin/tiffsplit+0x805bad0)
    #2 0x804b863 (/usr/local/bin/tiffsplit+0x804b863)
    #3 0xb5f0c72d (/lib/i386-linux-gnu/libc-2.21.so+0x1872d)
    #4 0x804e1d1 (/usr/local/bin/tiffsplit+0x804e1d1)
==375== ABORTING
------- Comment #4 From 2017-11-08 07:17:12 -------
When libtiff was built with no optimization (-O0), this bug may lead to a write
violation.
In my case, the affected registers could be controlled by the Field Tag value.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000409c86 in _TIFFVGetField (tif=0x66b930, tag=326, ap=0x7fffffffe078)
at tif_dir.c:1116
1116                            *va_arg(ap, void **) = tv->value;
   0x0000000000409c6f <+6647>:    lea    0x8(%rdx),%rcx
   0x0000000000409c73 <+6651>:    mov    -0x68(%rbp),%rdx
   0x0000000000409c77 <+6655>:    mov    %rcx,0x8(%rdx)
   0x0000000000409c7b <+6659>:    mov    (%rax),%rax
   0x0000000000409c7e <+6662>:    mov    -0x10(%rbp),%rdx
   0x0000000000409c82 <+6666>:    mov    0x10(%rdx),%rdx
=> 0x0000000000409c86 <+6670>:    mov    %rdx,(%rax)
(gdb) info reg
rax            0x146    326 # this is
rbx            0x0    0
rcx            0x20    32
rdx            0x66c1a0    6734240
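Both backtraces in the description fault on data libtiff took from the input's first IFD (case 1 in TIFFReadRawStrip1 indexing td_stripoffset[strip] with strip=0, case 2 in _TIFFVGetField for tag 0x146 = 326, BadFaxLines), and Comment #4 notes that the faulting write depends on the tag value. The script below is an added triage helper for files that crash tiffsplit; it is not code from this report, from the attachments, or from libtiff. It parses the first IFD of a TIFF and reports structural oddities: no StripOffsets/TileOffsets table at all (my reading of the first trace, where a strip read with an offset table that was never populated fits a NULL-pointer dereference; the page itself does not state a root cause), StripOffsets without StripByteCounts, unknown field types, and out-of-file value offsets. Tag numbers come from the TIFF 6.0 specification; the three sample files are constructed inline and are not bug1/bug2.

```python
import struct

# Tag numbers from the TIFF 6.0 specification (baseline and fax extensions)
TAG_IMAGEWIDTH = 256
TAG_IMAGELENGTH = 257
TAG_STRIPOFFSETS = 273
TAG_ROWSPERSTRIP = 278
TAG_STRIPBYTECOUNTS = 279
TAG_TILEOFFSETS = 324
TAG_BADFAXLINES = 326      # 0x146, the tag in the second backtrace

# Byte size of one element for each TIFF field type (types 1..12)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def parse_ifd0(data):
    """Parse the header and first IFD; return (endian prefix, {tag: (type, count, raw4)})."""
    if len(data) < 8:
        raise ValueError("truncated TIFF header")
    if data[:2] == b"II":
        end = "<"
    elif data[:2] == b"MM":
        end = ">"
    else:
        raise ValueError("bad byte-order mark")
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    if ifd_off + 2 > len(data):
        raise ValueError("first IFD offset lies outside the file")
    (n_entries,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    entries = {}
    pos = ifd_off + 2
    for _ in range(n_entries):
        if pos + 12 > len(data):
            raise ValueError("IFD entry lies outside the file")
        tag, ftype, count = struct.unpack(end + "HHI", data[pos:pos + 8])
        entries[tag] = (ftype, count, data[pos + 8:pos + 12])  # last 4 bytes: value or offset
        pos += 12
    return end, entries


def triage(data):
    """Return human-readable findings about the first IFD; an empty list means nothing odd."""
    findings = []
    end, entries = parse_ifd0(data)
    # Reading of case 1: strip reads index td_stripoffset[strip]; a file with no offset
    # table gives libtiff nothing to fill that array from (assumption, not stated on the page).
    if TAG_STRIPOFFSETS not in entries and TAG_TILEOFFSETS not in entries:
        findings.append("no StripOffsets/TileOffsets tag: strip reads have no offset table")
    if TAG_STRIPOFFSETS in entries and TAG_STRIPBYTECOUNTS not in entries:
        findings.append("StripOffsets present but StripByteCounts missing")
    for tag, (ftype, count, raw) in sorted(entries.items()):
        if ftype not in TYPE_SIZES:
            findings.append(f"tag {tag}: unknown field type {ftype}")
            continue
        size = TYPE_SIZES[ftype] * count
        if size > 4:  # value does not fit in the entry, so raw holds a file offset
            (off,) = struct.unpack(end + "I", raw)
            if off + size > len(data):
                findings.append(f"tag {tag}: {size}-byte value at offset {off} lies outside the file")
    return findings


def build_tiff(entries, trailer=b""):
    """Constructed-sample builder: little-endian file with one IFD; entries are (tag, type, count, raw4)."""
    ifd = struct.pack("<H", len(entries))
    for tag, ftype, count, raw in entries:
        ifd += struct.pack("<HHI", tag, ftype, count) + raw
    ifd += struct.pack("<I", 0)  # no next IFD
    return b"II" + struct.pack("<HI", 42, 8) + ifd + trailer


# Constructed samples (not the bug1/bug2 attachments).
# A well-formed 1x1 image: five entries, so the IFD ends at byte 74, where the single pixel byte sits.
SAMPLE_OK = build_tiff([
    (TAG_IMAGEWIDTH, 3, 1, struct.pack("<HH", 1, 0)),
    (TAG_IMAGELENGTH, 3, 1, struct.pack("<HH", 1, 0)),
    (TAG_STRIPOFFSETS, 4, 1, struct.pack("<I", 74)),
    (TAG_ROWSPERSTRIP, 4, 1, struct.pack("<I", 1)),
    (TAG_STRIPBYTECOUNTS, 4, 1, struct.pack("<I", 1)),
], trailer=b"\x00")
# Same dimensions, a BadFaxLines tag, and no strip offset table at all.
SAMPLE_NO_STRIPOFFSETS = build_tiff([
    (TAG_IMAGEWIDTH, 3, 1, struct.pack("<HH", 1, 0)),
    (TAG_IMAGELENGTH, 3, 1, struct.pack("<HH", 1, 0)),
    (TAG_BADFAXLINES, 4, 1, struct.pack("<I", 0)),
])
# StripOffsets with two LONG values whose offset points past the end of the file.
SAMPLE_OOB = build_tiff([(TAG_STRIPOFFSETS, 4, 2, struct.pack("<I", 1000))])

if __name__ == "__main__":
    for name, blob in [("ok", SAMPLE_OK), ("no_stripoffsets", SAMPLE_NO_STRIPOFFSETS), ("oob", SAMPLE_OOB)]:
        print(name, triage(blob) or "clean")
```

Run it on a crashing input by reading the file into bytes and calling triage(); it only inspects the first IFD, which is what tiffsplit's tiffcp works from for the first output image, and it deliberately does not follow the IFD chain or decode strips, so it cannot itself trip over the data it is checking.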
------- Comment #5 From 2017-11-08 07:22:30 -------
Created an attachment (id=818) [details]
bug2
------- Comment #6 From 2019-10-01 14:20:12 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.