Bug#784795: gamera.plugins.tiff_support: out-of-bounds read

Jakub Wilk Fri, 08 May 2015 15:06:34 -0700

Package: python-gamera
Version: 3.4.1+svn1423-4
Usertags: afl


Gamera crashes when trying to load the attached image:

$ python -c 'from gamera.plugins.tiff_support import load_tiff; 
load_tiff("crash.tiff")'
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag 
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag 
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag 
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag 
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag 
ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "YResolution"; tag 
ignored.
Segmentation fault


GDB says it's an out-of-bounds read:

Program received signal SIGSEGV, Segmentation fault.
tiff_load_rgb<Gamera::ImageView<Gamera::ImageData<Gamera::Rgb<unsigned char> > > > 
(filename=<optimized out>, info=..., matrix=...) at include/plugins/tiff_support.hpp:193
193             (*mj).red(data[j]);
(gdb) print data[j]
Cannot access memory at address 0xad5000
(gdb) bt
#0  tiff_load_rgb<Gamera::ImageView<Gamera::ImageData<Gamera::Rgb<unsigned char> > > 
> (filename=<optimized out>, info=..., matrix=...) at include/plugins/tiff_support.hpp:193
#1  Gamera::load_tiff (filename=<optimized out>, storage=<optimized out>) at 
include/plugins/tiff_support.hpp:364
#2  0x00007ffff61968ea in call_load_tiff (self=<optimized out>, 
args=('crash.tiff', 0)) at 
/build/gamera-SFSMKM/gamera-3.4.1+svn1423/gamera/plugins/_tiff_support.cpp:85
#3  0x00000000004f60ca in call_function (oparg=<optimized out>, 
pp_stack=<optimized out>) at ../Python/ceval.c:4035
#4  PyEval_EvalFrameEx (f=<unknown at remote 0x2>, throwflag=-155381464) at 
../Python/ceval.c:2681
#5  0x00000000004f696b in PyEval_EvalCodeEx (co=0x7ffff7e911b0, globals=<unknown at 
remote 0x18060>, locals=<unknown at remote 0x147f0>, locals@entry=0x0, args=0x1, 
argcount=48688, kws=0xbe5e, kws@entry=0x0, kwcount=0, defs=0x7ffff7eac128, defcount=1, 
closure=0x0) at ../Python/ceval.c:3267
#6  0x0000000000461fcd in function_call (func=<function at remote 
0x7ffff6b792a8>, arg=('crash.tiff',), kw=0x0) at ../Objects/funcobject.c:526
#7  0x000000000042b54a in PyObject_Call (func=func@entry=<function at remote 
0x7ffff6b792a8>, arg=arg@entry=('crash.tiff',), kw=kw@entry=0x0) at 
../Objects/abstract.c:2529
#8  0x000000000043afcf in instance_call (func=<load_tiff() at remote 
0x7ffff6bc9cb0>, arg=('crash.tiff',), kw=0x0) at ../Objects/classobject.c:2153
#9  0x000000000042b54a in PyObject_Call (func=<load_tiff() at remote 0x7ffff6bc9cb0>, 
arg=<optimized out>, kw=<optimized out>) at ../Objects/abstract.c:2529
#10 0x00000000004f324a in do_call (nk=<optimized out>, na=<optimized out>, 
pp_stack=<optimized out>, func=<optimized out>) at ../Python/ceval.c:4253
#11 call_function (oparg=<optimized out>, pp_stack=<optimized out>) at 
../Python/ceval.c:4058
#12 PyEval_EvalFrameEx (f=<unknown at remote 0x1>, throwflag=-155411280) at 
../Python/ceval.c:2681
#13 0x00000000004f696b in PyEval_EvalCodeEx (co=0x7ffff7ee6930, globals=<unknown at remote 0x18060>, globals@entry={'__warningregistry__': 
{("Not importing directory 'gamera': missing __init__.py", <type at remote 0x8d46c0>, 1): True}, '__builtins__': <module at 
remote 0x7ffff7fb1b08>, 'load_tiff': <load_tiff() at remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', '__doc__': 
None}, locals=<unknown at remote 0x147f0>, locals@entry={'__warningregistry__': {("Not importing directory 'gamera': missing 
__init__.py", <type at remote 0x8d46c0>, 1): True}, '__builtins__': <module at remote 0x7ffff7fb1b08>, 'load_tiff': 
<load_tiff() at remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', '__doc__': None}, args=0x0, argcount=48688, 
argcount@entry=0, kws=0xbe5e, kws@entry=0x0, kwcount=0, defs=0x0, defcount=0, closure=0x0) at ../Python/ceval.c:3267
#14 0x00000000004f6a89 in PyEval_EvalCode (co=co@entry=0x7ffff7ee6930, globals=globals@entry={'__warningregistry__': {("Not 
importing directory 'gamera': missing __init__.py", <type at remote 0x8d46c0>, 1): True}, '__builtins__': <module at 
remote 0x7ffff7fb1b08>, 'load_tiff': <load_tiff() at remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', 
'__doc__': None}, locals=locals@entry={'__warningregistry__': {("Not importing directory 'gamera': missing __init__.py", 
<type at remote 0x8d46c0>, 1): True}, '__builtins__': <module at remote 0x7ffff7fb1b08>, 'load_tiff': <load_tiff() at 
remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', '__doc__': None}) at ../Python/ceval.c:669
#15 0x00000000005206b3 in run_mod (arena=0x9dc7f0, flags=0x7fffffffe3c0, locals={'__warningregistry__': {("Not importing directory 'gamera': 
missing __init__.py", <type at remote 0x8d46c0>, 1): True}, '__builtins__': <module at remote 0x7ffff7fb1b08>, 'load_tiff': 
<load_tiff() at remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', '__doc__': None}, globals={'__warningregistry__': 
{("Not importing directory 'gamera': missing __init__.py", <type at remote 0x8d46c0>, 1): True}, '__builtins__': <module at remote 
0x7ffff7fb1b08>, 'load_tiff': <load_tiff() at remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', '__doc__': None}, 
filename=0x5c524d "<string>", mod=0x9fd940) at ../Python/pythonrun.c:1371
#16 PyRun_StringFlags (flags=0x7fffffffe3c0, locals={'__warningregistry__': {("Not importing directory 'gamera': missing 
__init__.py", <type at remote 0x8d46c0>, 1): True}, '__builtins__': <module at remote 0x7ffff7fb1b08>, 'load_tiff': 
<load_tiff() at remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', '__doc__': None}, globals={'__warningregistry__': 
{("Not importing directory 'gamera': missing __init__.py", <type at remote 0x8d46c0>, 1): True}, '__builtins__': <module 
at remote 0x7ffff7fb1b08>, 'load_tiff': <load_tiff() at remote 0x7ffff6bc9cb0>, '__package__': None, '__name__': '__main__', 
'__doc__': None}, start=257, str=<optimized out>) at ../Python/pythonrun.c:1334
#17 PyRun_SimpleStringFlags (command=<optimized out>, flags=0x7fffffffe3c0) at 
../Python/pythonrun.c:975
#18 0x000000000053753a in Py_Main (argc=3, argv=0x7fffffffe588) at 
../Modules/main.c:584
#19 0x00007ffff6d11b45 in __libc_start_main () from 
/lib/x86_64-linux-gnu/libc.so.6
#20 0x000000000041859e in _start ()


This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/

-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages python-gamera depends on:
ii  dpkg        1.17.25
ii  libc6       2.19-18
ii  libgcc1     1:5.1.1-4
ii  libgomp1    5.1.1-4
ii  libpng12-0  1.2.50-2+b2
ii  libstdc++6  5.1.1-4
ii  libtiff5    4.0.3-13
ii  python      2.7.9-1

--
Jakub Wilk

Bug#784795: gamera.plugins.tiff_support: out-of-bounds read

Reply via email to