Bugzilla – Bug 1090496
VUL-1: CVE-2018-10126: tiff: NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c.
Last modified: 2018-11-14 07:48:19 UTC
Created attachment 767929
Reproducer

LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10126
http://www.cvedetails.com/cve/CVE-2018-10126/
http://bugzilla.maptools.org/show_bug.cgi?id=2786
Reproducer does not trigger for me (neither on SLE11 nor on SLE12). Was discovered with ASAN, so maybe it can only be triggered/seen with ASAN.

valgrind tiff2pdf -j -o output.pdf poc.tif
==12881== Memcheck, a memory error detector
==12881== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==12881== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info
==12881== Command: tiff2pdf -j -o output.pdf poc.tif
==12881==
==12881==
==12881== HEAP SUMMARY:
==12881==     in use at exit: 0 bytes in 0 blocks
==12881==   total heap usage: 114 allocs, 114 frees, 2,164,714 bytes allocated
==12881==
==12881== All heap blocks were freed -- no leaks are possible
==12881==
==12881== For counts of detected and suppressed errors, rerun with: -v
==12881== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
12,Tumbleweed/tiff $ valgrind -q tiff2pdf -j -o output.pdf poc.tif
$ file output.pdf
output.pdf: PDF document, version 1.1
$

10sp3,11/tiff $ valgrind -q tiff2pdf -j -o output.pdf poc.tif
poc.tif: Invalid YCbCr subsampling.
TIFFReadDirectory: poc.tif: cannot handle zero strip size.
tiff2pdf: Can't open input file poc.tif for reading.
$

Reading comment #7 from the upstream bug, it is possible that we are not affected at all.
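A small triage helper, added here as an example and not part of this bug, of libtiff or of valgrind, that classifies a reproducer run from its stderr text the way the comments above do by hand: did the tool reject the input before reaching the decoder, did valgrind/ASAN report a memory error, or did the run complete cleanly. The sample outputs are constructed, modelled on the lines quoted in this bug (the ASAN SEGV line is the shape ASAN prints for a NULL dereference, not output from this reproducer).

```python
import re

# Constructed samples, modelled on the runs quoted in this bug report.
VALGRIND_CLEAN = """==12881== Command: tiff2pdf -j -o output.pdf poc.tif
==12881== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
"""
VALGRIND_ERRORS = """==4242== Invalid read of size 4
==4242== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
"""
LIBTIFF_REJECTED = """poc.tif: Invalid YCbCr subsampling.
TIFFReadDirectory: poc.tif: cannot handle zero strip size.
tiff2pdf: Can't open input file poc.tif for reading.
"""
ASAN_SEGV = "==77==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000\n"

VALGRIND_SUMMARY = re.compile(r"^==\d+== ERROR SUMMARY: (\d+) errors from", re.M)
ASAN_ERROR = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+)", re.M)
# libtiff messages that mean the file was refused before any codec ran,
# i.e. the run says nothing about the reported code path.
REJECT_MARKERS = ("cannot handle zero strip size", "Can't open input file")


def classify_run(stderr: str) -> str:
    """Classify one reproducer run: 'memory-error', 'rejected', 'clean' or 'unknown'."""
    if ASAN_ERROR.search(stderr):
        return "memory-error"
    m = VALGRIND_SUMMARY.search(stderr)
    if m and int(m.group(1)) > 0:
        return "memory-error"
    if any(marker in stderr for marker in REJECT_MARKERS):
        return "rejected"          # input refused: code path never reached
    if m:                          # summary present with 0 errors
        return "clean"
    return "unknown"


def triage(runs: dict) -> dict:
    """Combine per-target runs (name -> stderr) into a verdict.

    'reproduced'     : at least one run reported a memory error.
    'not-reproduced' : no errors and at least one run actually reached the decoder.
    'inconclusive'   : every run was rejected or unreadable, so nothing was exercised.
    """
    results = {name: classify_run(text) for name, text in runs.items()}
    if "memory-error" in results.values():
        verdict = "reproduced"
    elif "clean" in results.values():
        verdict = "not-reproduced"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "runs": results}
```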
I had no luck with ASAN either; it reports no error for both 4.0.10 and 4.0.9.
Since I also couldn't reproduce this, let's close this as invalid then.