Bug 1090496 - (CVE-2018-10126) VUL-1: CVE-2018-10126: tiff: NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c.
VUL-1: CVE-2018-10126: tiff: NULL pointer dereference in the jpeg_fdct_16x16 ...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P4 - Low : Minor
: ---
Assigned To: Michael Vetter
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2018-04-23 06:34 UTC by Karol Babioch
Modified: 2018-11-14 07:48 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Reproducer (570.00 KB, image/tiff)
2018-04-23 06:34 UTC, Karol Babioch

Note You need to log in before you can comment on or make changes to this bug.
Description Karol Babioch 2018-04-23 06:34:31 UTC
Created attachment 767929 [details]

LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in

Comment 1 Karol Babioch 2018-04-23 06:36:33 UTC
Reproducer does not trigger for me (neither on SLE11 nor on SLE12). Was discovered with ASAN, so maybe can only be triggered/seen with ASAN.

valgrind tiff2pdf -j -o output.pdf poc.tif
==12881== Memcheck, a memory error detector
==12881== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==12881== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==12881== Command: tiff2pdf -j -o output.pdf poc.tif
==12881== HEAP SUMMARY:
==12881==     in use at exit: 0 bytes in 0 blocks
==12881==   total heap usage: 114 allocs, 114 frees, 2,164,714 bytes allocated
==12881== All heap blocks were freed -- no leaks are possible
==12881== For counts of detected and suppressed errors, rerun with: -v
==12881== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Comment 2 Petr Gajdos 2018-06-04 14:12:49 UTC

$ valgrind -q tiff2pdf -j -o output.pdf poc.tif
$ file output.pdf
output.pdf: PDF document, version 1.1


$ valgrind -q tiff2pdf -j -o output.pdf poc.tif
poc.tif: Invalid YCbCr subsampling.
TIFFReadDirectory: poc.tif: cannot handle zero strip size.
tiff2pdf: Can't open input file poc.tif for reading.

Reading comment #7 from the upstream bug it is possible that we are not affected at all.
Comment 3 Petr Gajdos 2018-11-13 09:50:54 UTC
I had neither a 'luck' with asan, which reports no error for both 4.0.10 and 4.0.9.
Comment 4 Karol Babioch 2018-11-13 09:58:35 UTC
Since I also couldn't reproduce this, let's close this as invalid then.