Public bug reported:

Using afl-fuzz with bmp2tiff, the program produced a crash; once the test case was minimized, it produced a segmentation fault with several commands.
$ lsb_release -rd
Description:    Ubuntu 16.04.2 LTS
Release:        16.04

$ apt-cache policy libtiff-tools
libtiff-tools:
  Installed: 4.0.6-1ubuntu0.1
  Candidate: 4.0.6-1ubuntu0.1
  Version table:
 *** 4.0.6-1ubuntu0.1 500
        500 http://be.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     4.0.6-1 500
        500 http://be.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages

## AFL-TMIN OUTPUT

$ afl-tmin -m 50 -i id\:000000\,sig\:11\,src\:000202\,op\:havoc\,rep\:64 -o output.bmp -- bmp2tiff -c jpeg:r:50 @@ jpeg7.out
afl-tmin 1.95b by <lcam...@google.com>

[+] Read 1485 bytes from 'id:000000,sig:11,src:000202,op:havoc,rep:64'.
[*] Performing dry run (mem limit = 50 MB, timeout = 1000 ms)...
[+] Program exits with a signal, minimizing in crash mode.
[*] Stage #0: One-time block normalization...
[+] Block normalization complete, 1437 bytes replaced.
[*] --- Pass #1 ---
[*] Stage #1: Removing blocks of data...
    Block length = 128, remaining size = 1485
    Block length = 64, remaining size = 128
    Block length = 32, remaining size = 128
    Block length = 16, remaining size = 96
    Block length = 8, remaining size = 80
    Block length = 4, remaining size = 72
    Block length = 2, remaining size = 68
    Block length = 1, remaining size = 66
[+] Block removal complete, 1420 bytes deleted.
[*] Stage #2: Minimizing symbols (17 code points)...
[+] Symbol minimization finished, 7 symbols (7 bytes) replaced.
[*] Stage #3: Character minimization...
[+] Character minimization done, 8 bytes replaced.
[*] --- Pass #2 ---
[*] Stage #1: Removing blocks of data...
    Block length = 4, remaining size = 65
    Block length = 2, remaining size = 56
    Block length = 1, remaining size = 54
[+] Block removal complete, 11 bytes deleted.
[*] Stage #2: Minimizing symbols (5 code points)...
[+] Symbol minimization finished, 4 symbols (4 bytes) replaced.
[*] Stage #3: Character minimization...
[+] Character minimization done, 0 bytes replaced.
[*] --- Pass #3 ---
[*] Stage #1: Removing blocks of data...
    Block length = 4, remaining size = 54
    Block length = 2, remaining size = 54
    Block length = 1, remaining size = 54
[+] Block removal complete, 0 bytes deleted.

     File size reduced by : 96.36% (to 54 bytes)
    Characters simplified : 2696.30%
     Number of execs done : 351
          Fruitless execs : path=220 crash=0 hang=0

[*] Writing output to 'output.bmp'...
[+] We're done here. Have a nice day!

## NO ERROR

bmp2tiff -c packbits output.bmp jpeg9.jpg
bmp2tiff -c none output.bmp jpeg8.out

## ERROR

bmp2tiff -c jpeg:r:50 output.bmp jpeg10.jpg

## SEGMENTATION FAULT

bmp2tiff -c lzw:2 output.bmp jpeg10.jpg
bmp2tiff -c zip:2 output.bmp jpeg10.zip

## GDB OUTPUT

$ gdb bmp2tiff
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from bmp2tiff...done.
(gdb) run -c zip:2 crashes/output.bmp crashes/jpeg12.zip
Starting program: /usr/local/bin/bmp2tiff -c zip:2 crashes/output.bmp crashes/jpeg12.zip

Program received signal SIGSEGV, Segmentation fault.
horDiff8 (tif=<optimized out>, cp0=<optimized out>, cc=<optimized out>) at tif_predict.c:530
530	tif_predict.c: No such file or directory.
(gdb) bt
#0  horDiff8 (tif=<optimized out>, cp0=<optimized out>, cc=<optimized out>) at tif_predict.c:530
#1  0x0000000000523de2 in PredictorEncodeRow (tif=0x761010, bp=0x7ffff74e9010 "", cc=12288, s=<optimized out>) at tif_predict.c:689
#2  0x00000000004a6a35 in TIFFWriteScanline (tif=tif@entry=0x761010, buf=buf@entry=0x7ffff74e9010, row=row@entry=0, sample=sample@entry=0) at tif_write.c:173
#3  0x0000000000406cae in main (argc=<optimized out>, argv=<optimized out>) at bmp2tiff.c:775
(gdb)

** Affects: tiff (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "File that causes the segfault"
   https://bugs.launchpad.net/bugs/1685451/+attachment/4866371/+files/output.bmp

--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to tiff in Ubuntu.
https://bugs.launchpad.net/bugs/1685451

Title:
  bmp2tiff segmentation fault

Status in tiff package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1685451/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
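A small triage helper for afl findings like this one, added here as an example and not code from the report, from libtiff or from afl: it parses the afl crash file name (the sig field the reporter passed to afl-tmin) and the gdb backtrace quoted above, drops frame addresses so a rebuild or ASLR does not split one bug into several buckets, and derives a deduplication key from the top in-library frames. The function names, the IGNORE_FUNCS set and the key format are my own choices; the sample inputs are the file name and backtrace from the report.

```python
"""Crash-triage helpers for afl-fuzz findings: parse the afl crash file name
and a gdb backtrace, then derive a deduplication key from the top frames.

Added example (not from the Launchpad report, libtiff or afl). The sample
backtrace and crash file name below are the ones quoted in the report.
"""
import re
import signal

# One gdb frame line. Frame #0 has no "0x... in" prefix, deeper frames do:
#   #0  horDiff8 (tif=<optimized out>, ...) at tif_predict.c:530
#   #1  0x0000000000523de2 in PredictorEncodeRow (tif=0x761010, ...) at tif_predict.c:689
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+"
    r"(?:0x(?P<addr>[0-9a-fA-F]+)\s+in\s+)?"
    r"(?P<func>[A-Za-z_][A-Za-z0-9_:.]*)\s*\("
    r"(?P<args>.*)\)"                       # greedy: stop at the last ')'
    r"(?:\s+at\s+(?P<file>[^:\s]+):(?P<line>\d+))?\s*$"
)

# Harness frames that say nothing about the bug and must not split buckets.
IGNORE_FUNCS = {"main", "__libc_start_main", "_start"}


def parse_afl_name(name):
    """Parse 'id:000000,sig:11,src:000202,op:havoc,rep:64' into a dict.
    The numeric 'sig' field is also translated to its signal name."""
    fields = {}
    for item in name.split(","):
        key, _, value = item.partition(":")
        fields[key] = value
    if "sig" in fields:
        try:
            fields["signal"] = signal.Signals(int(fields["sig"])).name
        except ValueError:                  # number unknown on this platform
            fields["signal"] = "SIG" + fields["sig"]
    return fields


def parse_backtrace(text):
    """Return frames {idx, addr, func, file, line} from `gdb bt` output.
    Non-frame lines (the '(gdb)' prompt, continuation lines) are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        frames.append({
            "idx": int(m["idx"]),
            "addr": int(m["addr"], 16) if m["addr"] else None,
            "func": m["func"],
            "file": m["file"],
            "line": int(m["line"]) if m["line"] else None,
        })
    return frames


def bucket_key(frames, depth=3):
    """Dedup key: the top `depth` in-library frames as 'func@file'.
    Addresses are left out on purpose so that relinking, a different
    distro build or ASLR does not turn one bug into many buckets."""
    parts = []
    for f in frames:
        if f["func"] in IGNORE_FUNCS:
            continue
        parts.append(f"{f['func']}@{f['file'] or '?'}")
        if len(parts) == depth:
            break
    return "|".join(parts)


def triage(name, bt_text):
    """Summarise one crash: signal, faulting frame and bucket key."""
    meta = parse_afl_name(name)
    frames = parse_backtrace(bt_text)
    top = frames[0] if frames else None
    return {
        "signal": meta.get("signal"),
        "top_frame": f"{top['func']} ({top['file']}:{top['line']})" if top else None,
        "bucket": bucket_key(frames),
        "frames": frames,
    }


# Sample input: the crash file name and backtrace from the report above.
SAMPLE_NAME = "id:000000,sig:11,src:000202,op:havoc,rep:64"
SAMPLE_BT = """\
(gdb) bt
#0  horDiff8 (tif=<optimized out>, cp0=<optimized out>, cc=<optimized out>) at tif_predict.c:530
#1  0x0000000000523de2 in PredictorEncodeRow (tif=0x761010, bp=0x7ffff74e9010 "", cc=12288, s=<optimized out>) at tif_predict.c:689
#2  0x00000000004a6a35 in TIFFWriteScanline (tif=tif@entry=0x761010, buf=buf@entry=0x7ffff74e9010, row=row@entry=0, sample=sample@entry=0) at tif_write.c:173
#3  0x0000000000406cae in main (argc=<optimized out>, argv=<optimized out>) at bmp2tiff.c:775
(gdb)
"""

if __name__ == "__main__":
    result = triage(SAMPLE_NAME, SAMPLE_BT)
    print(result["signal"], "in", result["top_frame"])
    print("bucket:", result["bucket"])
```

Run over a directory of afl crashes (one gdb batch run per file, `gdb -batch -ex run -ex bt`), the bucket key collapses every input that dies on the same horDiff8 / PredictorEncodeRow / TIFFWriteScanline path into one entry, so the lzw:2 and zip:2 cases above, which share the predictor code path, would land in the same bucket and only one representative needs to be reported.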