Bug#784795: marked as done (gamera.plugins.tiff_support: out-of-bounds read)

[Debian Bug Tracking System]

Your message dated Thu, 14 May 2015 10:52:15 +0000
with message-id <e1ysqkr-0001uc...@franck.debian.org>
and subject line Bug#784795: fixed in gamera 3.4.2+svn1431-1
has caused the Debian Bug report #784795,
regarding gamera.plugins.tiff_support: out-of-bounds read
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
784795: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784795
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: python-gamera
Version: 3.4.1+svn1423-4
Usertags: afl

Gamera crashes when trying to load the attached image:

$ python -c 'from gamera.plugins.tiff_support import load_tiff; 
load_tiff("crash.tiff")'
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag 
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag 
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag 
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag 
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag 
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag 
ignored.
Segmentation fault


GDB says it's an out-of-bounds read:

Program received signal SIGSEGV, Segmentation fault.
tiff_load_rgb<Gamera::ImageView<Gamera::ImageData<Gamera::Rgb<unsigned char> > > > 
(filename=<optimized out>, info=..., matrix=...) at include/plugins/tiff_support.hpp:193
193             (*mj).red(data[j]);
(gdb) print data[j]
Cannot access memory at address 0xad5000
(gdb) bt
#0  tiff_load_rgb<Gamera::ImageView<Gamera::ImageData<Gamera::Rgb<unsigned char> > > 
> (filename=<optimized out>, info=..., matrix=...) at include/plugins/tiff_support.hpp:193
#1  Gamera::load_tiff (filename=<optimized out>, storage=<optimized out>) at 
include/plugins/tiff_support.hpp:364
#2  0x00007ffff61968ea in call_load_tiff (self=<optimized out>, 
args=('crash.tiff', 0)) at 
/build/gamera-SFSMKM/gamera-3.4.1+svn1423/gamera/plugins/_tiff_support.cpp:85
#3  0x00000000004f60ca in call_function (oparg=<optimized out>, 
pp_stack=<optimized out>) at ../Python/ceval.c:4035
#4  PyEval_EvalFrameEx (f=<unknown at remote 0x2>, throwflag=-155381464) at 
../Python/ceval.c:2681
#5  0x00000000004f696b in PyEval_EvalCodeEx (co=0x7ffff7e911b0, globals=<unknown at 
remote 0x18060>, locals=<unknown at remote 0x147f0>, locals@entry=0x0, args=0x1, 
argcount=48688, kws=0xbe5e, kws@entry=0x0, kwcount=0, defs=0x7ffff7eac128, defcount=1, 
closure=0x0) at ../Python/ceval.c:3267
#6  0x0000000000461fcd in function_call (func=<function at remote 
0x7ffff6b792a8>, arg=('crash.tiff',), kw=0x0) at ../Objects/funcobject.c:526
#7  0x000000000042b54a in PyObject_Call (func=func@entry=<function at remote 
0x7ffff6b792a8>, arg=arg@entry=('crash.tiff',), kw=kw@entry=0x0) at 
../Objects/abstract.c:2529
#8  0x000000000043afcf in instance_call (func=<load_tiff() at remote 
0x7ffff6bc9cb0>, arg=('crash.tiff',), kw=0x0) at ../Objects/classobject.c:2153
#9  0x000000000042b54a in PyObject_Call (func=<load_tiff() at remote 0x7ffff6bc9cb0>, 
arg=<optimized out>, kw=<optimized out>) at ../Objects/abstract.c:2529
#10 0x00000000004f324a in do_call (nk=<optimized out>, na=<optimized out>, 
pp_stack=<optimized out>, func=<optimized out>) at ../Python/ceval.c:4253
#11 call_function (oparg=<optimized out>, pp_stack=<optimized out>) at 
../Python/ceval.c:4058
#12 PyEval_EvalFrameEx (f=<unknown at remote 0x1>, throwflag=-155411280) at 
../Python/ceval.c:2681
#13 0x00000000004f696b in PyEval_EvalCodeEx (co=0x7ffff7ee6930, globals=<unknown at remote 0x18060>, globals@entry={'__warningregistry__': 
{("Not importing directory 'gamera': missing __init__.py", <type at remote 0x8d46c0>, 1): True}, '__builtins__': <module at 
remote 0x7ffff7fb1b08>, 'load_tiff': <load_tiff() at remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', '__doc__': 
None}, locals=<unknown at remote 0x147f0>, locals@entry={'__warningregistry__': {("Not importing directory 'gamera': missing 
__init__.py", <type at remote 0x8d46c0>, 1): True}, '__builtins__': <module at remote 0x7ffff7fb1b08>, 'load_tiff': 
<load_tiff() at remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', '__doc__': None}, args=0x0, argcount=48688, 
argcount@entry=0, kws=0xbe5e, kws@entry=0x0, kwcount=0, defs=0x0, defcount=0, closure=0x0) at ../Python/ceval.c:3267
#14 0x00000000004f6a89 in PyEval_EvalCode (co=co@entry=0x7ffff7ee6930, globals=globals@entry={'__warningregistry__': {("Not 
importing directory 'gamera': missing __init__.py", <type at remote 0x8d46c0>, 1): True}, '__builtins__': <module at 
remote 0x7ffff7fb1b08>, 'load_tiff': <load_tiff() at remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', 
'__doc__': None}, locals=locals@entry={'__warningregistry__': {("Not importing directory 'gamera': missing __init__.py", 
<type at remote 0x8d46c0>, 1): True}, '__builtins__': <module at remote 0x7ffff7fb1b08>, 'load_tiff': <load_tiff() at 
remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', '__doc__': None}) at ../Python/ceval.c:669
#15 0x00000000005206b3 in run_mod (arena=0x9dc7f0, flags=0x7fffffffe3c0, locals={'__warningregistry__': {("Not importing directory 'gamera': 
missing __init__.py", <type at remote 0x8d46c0>, 1): True}, '__builtins__': <module at remote 0x7ffff7fb1b08>, 'load_tiff': 
<load_tiff() at remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', '__doc__': None}, globals={'__warningregistry__': 
{("Not importing directory 'gamera': missing __init__.py", <type at remote 0x8d46c0>, 1): True}, '__builtins__': <module at remote 
0x7ffff7fb1b08>, 'load_tiff': <load_tiff() at remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', '__doc__': None}, 
filename=0x5c524d "<string>", mod=0x9fd940) at ../Python/pythonrun.c:1371
#16 PyRun_StringFlags (flags=0x7fffffffe3c0, locals={'__warningregistry__': {("Not importing directory 'gamera': missing 
__init__.py", <type at remote 0x8d46c0>, 1): True}, '__builtins__': <module at remote 0x7ffff7fb1b08>, 'load_tiff': 
<load_tiff() at remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', '__doc__': None}, globals={'__warningregistry__': 
{("Not importing directory 'gamera': missing __init__.py", <type at remote 0x8d46c0>, 1): True}, '__builtins__': <module 
at remote 0x7ffff7fb1b08>, 'load_tiff': <load_tiff() at remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', 
'__doc__': None}, start=257, str=<optimized out>) at ../Python/pythonrun.c:1334
#17 PyRun_SimpleStringFlags (command=<optimized out>, flags=0x7fffffffe3c0) at 
../Python/pythonrun.c:975
#18 0x000000000053753a in Py_Main (argc=3, argv=0x7fffffffe588) at 
../Modules/main.c:584
#19 0x00007ffff6d11b45 in __libc_start_main () from 
/lib/x86_64-linux-gnu/libc.so.6
#20 0x000000000041859e in _start ()


This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages python-gamera depends on:
ii  dpkg        1.17.25
ii  libc6       2.19-18
ii  libgcc1     1:5.1.1-4
ii  libgomp1    5.1.1-4
ii  libpng12-0  1.2.50-2+b2
ii  libstdc++6  5.1.1-4
ii  libtiff5    4.0.3-13
ii  python      2.7.9-1

--
Jakub Wilk

--- End Message ---

--- Begin Message ---

Source: gamera
Source-Version: 3.4.2+svn1431-1

We believe that the bug you reported is fixed in the latest version of
gamera, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 784...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Stender <deb...@danielstender.com> (supplier of updated gamera package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 May 2015 12:22:43 +0200
Source: gamera
Binary: python-gamera python-gamera-dbg python-gamera-dev gamera-gui gamera-doc
Architecture: source all amd64
Version: 3.4.2+svn1431-1
Distribution: unstable
Urgency: medium
Maintainer: Daniel Stender <deb...@danielstender.com>
Changed-By: Daniel Stender <deb...@danielstender.com>
Description:
 gamera-doc - documentation for the Gamera framework
 gamera-gui - GUI for the Gamera framework
 python-gamera - framework for building document analysis applications
 python-gamera-dbg - framework for document analysis applications (debug 
symbols)
 python-gamera-dev - framework for document analysis applications (header files)
Closes: 763440 784795
Changes:
 gamera (3.4.2+svn1431-1) unstable; urgency=medium
 .
   * Updated source to SVN r1431 (Closes: #763440, #784795).
Checksums-Sha1:
 96abb9c5b500e6330276ecd26857cb6dcd4a7b53 2538 gamera_3.4.2+svn1431-1.dsc
 49f0215b162a76a42f5495fe23a09b013fd47366 4630403 
gamera_3.4.2+svn1431.orig.tar.bz2
 1a296cc0bcbea2af8a3f2f936ee9648197ecbb06 31108 
gamera_3.4.2+svn1431-1.debian.tar.xz
 8544cb8d30d640fccb163ec51f85787f7f76fefb 158710 
python-gamera-dev_3.4.2+svn1431-1_all.deb
 b7dbcd9bee1a974cc4c07e6f411ab6381a0bf559 372486 
gamera-gui_3.4.2+svn1431-1_all.deb
 08fe3b060ebf08f82f0e363de98392cd98def3e0 2753262 
gamera-doc_3.4.2+svn1431-1_all.deb
 a64b42e396bc4099d4b77853e859688ed57a5b32 2364914 
python-gamera_3.4.2+svn1431-1_amd64.deb
 23e7e175345bee30ce05dc5fc4956cd59b872acb 45951474 
python-gamera-dbg_3.4.2+svn1431-1_amd64.deb
Checksums-Sha256:
 88a019c466e36918f24a06f5a53c09094ae5677ba48260ea3447d06633caf1e7 2538 
gamera_3.4.2+svn1431-1.dsc
 e6bb2eae2a2f42b21e7c2a534e1db44a3d8ed2d09f480020c61c3fc2b2c0048d 4630403 
gamera_3.4.2+svn1431.orig.tar.bz2
 4f711634e7f4ff0c988232be995594bae7f706c142ece608736f41f78139a361 31108 
gamera_3.4.2+svn1431-1.debian.tar.xz
 d1f785e1e210b896c2a471a13b786785d3533431bdf2a72e62d3bfc34a215b25 158710 
python-gamera-dev_3.4.2+svn1431-1_all.deb
 abe44edb2badeba93f5ff2bf0d6aba97616e393318328530597aaffd2f5ce8a2 372486 
gamera-gui_3.4.2+svn1431-1_all.deb
 433a211436e3eb2a9bc39b3cf3ac26284ed984d1056a7f858138e4d52529fb7d 2753262 
gamera-doc_3.4.2+svn1431-1_all.deb
 6fdcf7d86427c3e2346b7039cf5ea35cd5ec7c9c3ee1380943f0561c0573ed7a 2364914 
python-gamera_3.4.2+svn1431-1_amd64.deb
 3d514960c3d9de19ae6703feba88175be146046a3e330c223f4ea88103bb0b6a 45951474 
python-gamera-dbg_3.4.2+svn1431-1_amd64.deb
Files:
 371e0755747f69861761afffb8aed9c9 2538 python optional 
gamera_3.4.2+svn1431-1.dsc
 282d22ddae8beeff814d81baa1d96419 4630403 python optional 
gamera_3.4.2+svn1431.orig.tar.bz2
 e407d257d8e2d797054ed89f4ee9dbb7 31108 python optional 
gamera_3.4.2+svn1431-1.debian.tar.xz
 1db3286772ea8b985a8bcbf88f81711f 158710 python optional 
python-gamera-dev_3.4.2+svn1431-1_all.deb
 e23959be5a8a43caf0e91d8fe6b7dd00 372486 python optional 
gamera-gui_3.4.2+svn1431-1_all.deb
 5ebefd9942255d453c23f74909db7a7a 2753262 doc optional 
gamera-doc_3.4.2+svn1431-1_all.deb
 793f24532e1ece5f3cd092443d68f13a 2364914 python optional 
python-gamera_3.4.2+svn1431-1_amd64.deb
 c20285d9da010af474e365d5c4d28b47 45951474 debug extra 
python-gamera-dbg_3.4.2+svn1431-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVVHoCAAoJEBXgmvTfUYLI09sP+gOAyS4qor0xeX/cWTTZpqc2
/k5Z9lpTInf9z4eYCZn0RcjW7LtOQwe+YYk7/sayuKXc55C5LCl5gASm+Vu2Pyw1
CaDGp+dhbJ5/1eXbAy5F6T1kwoaf0bO/KIEW8oT2DQ2p2Jq0ZBeIvx26ZQbBcvmQ
pZGTotE54dphdPfF5xZKJ5mW83efxCsHryM9FHqt7ooJaIGUkzNGaaKhwlGGYXqf
LO5v9dlW/9XItejhJZxQAuEwd/bE5nk3W6tJlmeuzhRxnXCIIgtCeQorI1lBgW9f
Eoa7Gxx8OXZsh4077R4bY9hBX9w1jKIyvXZXgcyBqPams1btTnC0lyjloOlp5Sld
f3TCJAsiH2Ip0oJOwuZXwvL8ml55H+VoMjkuTKiZmIrS4bXzlJtVHkA6YzI1MNUa
xiI3gb/SU9JmRSbQ0y/9kglw2yMLGzi7CH62q/tplCKt/jhoq6G2JybQ+/SGpl/O
XGLfmjikd7n2c/hbGefcvHIX1MCpKq0AvB5PzSHWMZey3FDFmzRO7L7Mj3ed1AHx
32MFSNCLKFE5WORWCLsuvZJMjtcrd1j4FiRha0FYdZ2VC/MmGfLmLiNfa2dsFEOa
rAq0h+hOeuNu7bh0m/qWG9a1BpJrLxm2hGVt5o4XC7pnI4KnHaYqEEV3I0A4NXKs
BYRwePwRfe5wx625g52y
=y1R2
-----END PGP SIGNATURE-----

--- End Message ---