Bug 1003874 - VUL-1: tiff: endless loop in tiff2rgba when reading fax3 data
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
Other Other
P4 - Low : Normal
Assigned To: Michael Vetter
Security Team bot
https://smash.suse.de/issue/173332/
maint:planned:update
Depends on:
Blocks:
Reported: 2016-10-10 09:12 UTC by Marcus Meissner
Modified: 2021-10-12 10:09 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
crash1.tif (352 bytes, application/octet-stream)
2016-10-10 09:12 UTC, Marcus Meissner

Description Marcus Meissner 2016-10-10 09:12:45 UTC
Created attachment 696608
crash1.tif

spotted by AFL in tiff 4.0.6

QA REPRODUCER:
tiff2rgba crash1.tif output.tif

will loop endlessly without progress, outputting error messages.
Comment 1 Swamp Workflow Management 2016-10-10 22:01:01 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-10-12 13:00:06 UTC
will output endlessly:

Fax3DecodeRLE: Warning, Premature EOL at line 2392 of tile 0 (got 0, expected 32).
Fax3DecodeRLE: Bad code word at line 2393 of tile 0 (x 0).
Comment 3 Petr Gajdos 2018-11-20 15:13:39 UTC
Still reproducible with 4.0.10.
Comment 4 Petr Gajdos 2018-11-20 15:47:29 UTC
This is not an indefinite loop. It is just too long; it is inside Fax3DecodeRLE():

        while (occ > 0) {
              
        }

where occ is very big.
Comment 5 Petr Gajdos 2018-11-20 15:49:45 UTC
Fax3DecodeRLE: Warning, Premature EOL at line 45579786 of tile 0 (got 0, expected 32).
Fax3DecodeRLE (tif=0x55555555b940, buf=0x7fffc1bec838 "", occ=891423036, s=0) at tif_fax3.c:1578
1578			(*sp->fill)(buf, thisrun, pa, lastx);
(gdb) set occ=25
(gdb) c
Continuing.
Fax3DecodeRLE: Bad code word at line 45579787 of tile 0 (x 0).
Fax3DecodeRLE: Warning, Premature EOL at line 45579787 of tile 0 (got 0, expected 32).
Fax3DecodeRLE: Bad code word at line 45579788 of tile 0 (x 0).
Fax3DecodeRLE: Warning, Premature EOL at line 45579788 of tile 0 (got 0, expected 32).
Fax3DecodeRLE: Bad code word at line 45579789 of tile 0 (x 0).
Fax3DecodeRLE: Warning, Premature EOL at line 45579789 of tile 0 (got 0, expected 32).
Fax3DecodeRLE: Bad code word at line 45579790 of tile 0 (x 0).
Fax3DecodeRLE: Warning, Premature EOL at line 45579790 of tile 0 (got 0, expected 32).
Fax3DecodeRLE: Bad code word at line 45579791 of tile 0 (x 0).
Fax3DecodeRLE: Warning, Premature EOL at line 45579791 of tile 0 (got 0, expected 32).
Fax3DecodeRLE: Bad code word at line 45579792 of tile 0 (x 0).
Fax3DecodeRLE: Warning, Premature EOL at line 45579792 of tile 0 (got 0, expected 32).
[Inferior 1 (process 4934) exited normally]
(gdb)
Comment 6 Petr Gajdos 2018-11-20 16:08:56 UTC
Breakpoint 3, _TIFFReadEncodedTileAndAllocBuffer (tif=0x55555555b940, tile=0, buf=0x7fffffffe0e0, bufsizetoalloc=1073742180, size_to_read=-1) at tif_read.c:1076
1076	    *buf = _TIFFmalloc(bufsizetoalloc);
(gdb) p bufsizetoalloc
$10 = 1073742180
(gdb)

This reminds me
http://bugzilla.maptools.org/show_bug.cgi?id=2675
http://bugzilla.maptools.org/show_bug.cgi?id=2725 (bug 1054594)
but as far as I marginally understand, the other dimension came into play.
Comment 7 Petr Gajdos 2018-11-20 16:12:29 UTC
$ /usr/bin/time -v tiffsplit crash1.tif 2>&1 | grep Maximum
	Maximum resident set size (kbytes): 1051404
$
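Added here as an illustration, not code from the bug report or from libtiff: a constructed C model of the decode loop diagnosed in comment 4 (huge occ, one warning row per pass) together with the oversized tile request seen in comments 6 and 7. The names FaxState, decode_row, fax_decode_tile and run_model, the toy one-byte-per-row "decoder", the guard thresholds and the 3-byte payload are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model (not libtiff's code) of the Fax3DecodeRLE() outer loop
 * from comment 4: occ is the output bytes still requested and each pass is
 * meant to emit one row of rowbytes.  Hypothetical guards: reject an occ
 * beyond the tile's declared rows or an allocation cap (comments 6/7), and
 * stop after repeated rows that consume no input instead of spinning on. */
enum { FAX_OK = 0, FAX_ERR_GEOMETRY = -1, FAX_ERR_TOO_LARGE = -2,
       FAX_ERR_NO_PROGRESS = -3 };
typedef struct {
    const uint8_t *in;      /* encoded tile data */
    size_t in_len, in_pos;
    uint32_t rowbytes;      /* bytes per decoded row */
    uint32_t tile_rows;     /* rows the tile is declared to hold */
} FaxState;
/* Toy stand-in for the real code-word parser: one input byte fills one row.
 * Returns 0 on exhausted input, the "Premature EOL"/"Bad code word" case. */
static size_t decode_row(FaxState *sp, uint8_t *out) {
    if (sp->in_pos >= sp->in_len) return 0;
    uint8_t v = sp->in[sp->in_pos++];
    for (uint32_t i = 0; i < sp->rowbytes; i++) out[i] = v;
    return 1;
}
int fax_decode_tile(FaxState *sp, uint8_t *buf, size_t occ, size_t max_alloc,
                    size_t *rows_done) {
    unsigned bad_rows = 0;
    *rows_done = 0;
    if (occ > (size_t)sp->tile_rows * sp->rowbytes) return FAX_ERR_GEOMETRY;
    if (occ > max_alloc) return FAX_ERR_TOO_LARGE;
    while (occ >= sp->rowbytes) {          /* the loop from comment 4 */
        if (decode_row(sp, buf) == 0) {
            if (++bad_rows >= 2) return FAX_ERR_NO_PROGRESS;
        } else {
            bad_rows = 0;
            (*rows_done)++;
        }
        buf += sp->rowbytes;
        occ -= sp->rowbytes;
    }
    return FAX_OK;
}
/* Driver over a constructed 3-byte payload (stand-in for the tiny crash1.tif)
 * with rowbytes=4 and a tile declared as 8 rows; rows decoded go to a global. */
size_t model_rows_done;
int run_model(size_t occ, size_t max_alloc) {
    static const uint8_t payload[3] = { 0xAA, 0x55, 0xFF };
    FaxState sp = { payload, sizeof payload, 0, 4, 8 };
    uint8_t buf[32];
    return fax_decode_tile(&sp, buf, occ, max_alloc, &model_rows_done);
}
```

With the geometry guard, an occ of 891423036 against an 8-row tile is rejected before the loop starts, and a request that merely outruns the data stops after two rows without progress rather than after tens of millions of warnings.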
Comment 8 Petr Gajdos 2018-11-21 08:13:23 UTC
Filed upstream bug report:
http://bugzilla.maptools.org/show_bug.cgi?id=2828